February 28, 2020—update for Surface Hub 2S
diff --git a/devices/surface/TOC.md b/devices/surface/TOC.md index 7245176edd..92801e4289 100644 --- a/devices/surface/TOC.md +++ b/devices/surface/TOC.md @@ -4,6 +4,9 @@ ## Overview +### [What's new in Surface Dock 2](surface-dock-whats-new.md) +### [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md) +### [Surface Book 3 Quadro RTX 3000 technical overview](surface-book-quadro.md) ### [Surface Pro 7 for Business](https://www.microsoft.com/surface/business/surface-pro-7) ### [Surface Pro X for Business](https://www.microsoft.com/surface/business/surface-pro-x) ### [Surface Laptop 3 for Business](https://www.microsoft.com/surface/business/surface-laptop-3) @@ -30,7 +33,6 @@ ### [Surface Pro X app compatibility](surface-pro-arm-app-performance.md) ### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) ### [Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md) -### [Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) ### [Deploy Windows 10 to Surface devices with MDT](deploy-windows-10-to-surface-devices-with-mdt.md) ### [Enable the Surface Laptop keyboard during MDT deployment](enable-surface-keyboard-for-windows-pe-deployment.md) ### [Upgrade Surface devices to Windows 10 with MDT](upgrade-surface-devices-to-windows-10-with-mdt.md) diff --git a/devices/surface/battery-limit.md b/devices/surface/battery-limit.md index c260718254..0da0c326e7 100644 --- a/devices/surface/battery-limit.md +++ b/devices/surface/battery-limit.md @@ -6,12 +6,13 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.reviewer: -manager: laurawi -ms.author: v-jokai +ms.reviewer: jesko +ms.author: greglin ms.topic: article ms.localizationpriority: medium -ms.audience: itpro +manager: laurawi +audience: itpro +ms.date: 5/06/2020 --- # Battery Limit setting @@ -32,6 +33,11 @@ The Surface UEFI Battery Limit setting can be configured by booting into Surface  +## Enabling battery limit on Surface Go and Surface Go 2 +The Surface Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **boot configuration**, and then, under **Kiosk Mode**, move the slider to the right to set Battery Limit to **Enabled**. + + + ## Enabling Battery Limit in Surface UEFI (Surface Pro 3) The Surface UEFI Battery Limit setting can be configured by booting into Surface UEFI (**Power + Vol Up** when turning on the device). Choose **Kiosk Mode**, select **Battery Limit**, and then choose **Enabled**. diff --git a/devices/surface/enroll-and-configure-surface-devices-with-semm.md b/devices/surface/enroll-and-configure-surface-devices-with-semm.md index fd8f4626e5..56282326a4 100644 --- a/devices/surface/enroll-and-configure-surface-devices-with-semm.md +++ b/devices/surface/enroll-and-configure-surface-devices-with-semm.md @@ -57,8 +57,10 @@ To create a Surface UEFI configuration package, follow these steps: 6. Click **Password Protection** to add a password to Surface UEFI. This password will be required whenever you boot to UEFI. If this password is not entered, only the **PC information**, **About**, **Enterprise management**, and **Exit** pages will be displayed. This step is optional. 7. When you are prompted, enter and confirm your chosen password for Surface UEFI, and then click **OK**. If you want to clear an existing Surface UEFI password, leave the password field blank. 8. If you do not want the Surface UEFI package to apply to a particular device, on the **Choose which Surface type you want to target** page, click the slider beneath the corresponding Surface Book or Surface Pro 4 image so that it is in the **Off** position. (As shown in Figure 3.) + > [!NOTE] + > You must select a device as none are selected by default. -  +  *Figure 3. Choose the devices for package compatibility* diff --git a/devices/surface/ethernet-adapters-and-surface-device-deployment.md b/devices/surface/ethernet-adapters-and-surface-device-deployment.md index c35dbe0630..abc4672793 100644 --- a/devices/surface/ethernet-adapters-and-surface-device-deployment.md +++ b/devices/surface/ethernet-adapters-and-surface-device-deployment.md @@ -28,7 +28,7 @@ Network deployment to Surface devices can pose some unique challenges for system Before you can address the concerns of how you will boot to your deployment environment or how devices will be recognized by your deployment solution, you have to use a wired network adapter. -The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. See the [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) section of this article for more information on potential conflicts with shared adapters. +The primary concern when selecting an Ethernet adapter is how that adapter will boot your Surface device from the network. If you are pre-staging clients with Windows Deployment Services (WDS) or if you are using Microsoft Endpoint Configuration Manager, you may also want to consider whether the removable Ethernet adapters will be dedicated to a specific Surface device or shared among multiple devices. For more information on potential conflicts with shared adapters, see [Manage MAC addresses with removable Ethernet adapters](#manage-mac-addresses) later in this article. Booting from the network (PXE boot) is only supported when you use an Ethernet adapter or docking station from Microsoft. To boot from the network, the chipset in the Ethernet adapter or dock must be detected and configured as a boot device in the firmware of the Surface device. Microsoft Ethernet adapters, such as the Surface Ethernet Adapter and the [Surface Dock](https://www.microsoft.com/surface/accessories/surface-dock) use a chipset that is compatible with the Surface firmware. @@ -67,7 +67,6 @@ For Windows 10, version 1511 and later – including the Windows Assessment and ## Manage MAC addresses with removable Ethernet adapters - Another consideration for administrators performing Windows deployment over the network is how you will identify computers when you use the same Ethernet adapter to deploy to more than one computer. A common identifier used by deployment technologies is the Media Access Control (MAC) address that is associated with each Ethernet adapter. However, when you use the same Ethernet adapter to deploy to multiple computers, you cannot use a deployment technology that inspects MAC addresses because there is no way to differentiate the MAC address of the removable adapter when used on the different computers. The simplest solution to avoid MAC address conflicts is to provide a dedicated removable Ethernet adapter for each Surface device. This can make sense in many scenarios where the Ethernet adapter or the additional functionality of the docking station will be used regularly. However, not all scenarios call for the additional connectivity of a docking station or support for wired networks. @@ -85,7 +84,7 @@ To access the firmware of a Surface device, follow these steps: When deploying with WDS, the MAC address is only used to identify a computer when the deployment server is configured to respond only to known, pre-staged clients. When pre-staging a client, an administrator creates a computer account in Active Directory and defines that computer by the MAC address or the System UUID. To avoid the identity conflicts caused by shared Ethernet adapters, you should use [System UUID to define pre-staged clients](https://technet.microsoft.com/library/cc742034). Alternatively, you can configure WDS to respond to unknown clients that do not require definition by either MAC address or System UUID by selecting the **Respond to all client computers (known and unknown)** option on the [**PXE Response** tab](https://technet.microsoft.com/library/cc732360) in **Windows Deployment Server Properties**. -The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in the [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://blogs.technet.microsoft.com/askpfeplat/2014/07/27/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm-osd/) blog post on the Ask Premier Field Engineering (PFE) Platforms TechNet blog. +The potential for conflicts with shared Ethernet adapters is much higher with Configuration Manager. Where WDS only uses MAC addresses to define individual systems when configured to do so, Configuration Manager uses the MAC address to define individual systems whenever performing a deployment to new or unknown computers. This can result in improperly configured devices or even the inability to deploy more than one system with a shared Ethernet adapter. There are several potential solutions for this situation that are described in detail in [How to Use The Same External Ethernet Adapter For Multiple SCCM OSD](https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-use-the-same-external-ethernet-adapter-for-multiple-sccm/ba-p/257374), a blog post on the Core Infrastructure and Security Blog. diff --git a/devices/surface/get-started.yml b/devices/surface/get-started.yml index edb22aac8c..a11e35c584 100644 --- a/devices/surface/get-started.yml +++ b/devices/surface/get-started.yml @@ -24,59 +24,51 @@ landingContent: linkLists: - linkListType: overview links: - - text: Surface Pro 7 for Business - url: https://www.microsoft.com/surface/business/surface-pro-7 - - text: Surface Pro X for Business - url: https://www.microsoft.com/surface/business/surface-pro-x - - text: Surface Laptop 3 for Business - url: https://www.microsoft.com/surface/business/surface-laptop-3 - - text: Surface Book 2 for Business - url: https://www.microsoft.com/surface/business/surface-book-2 - - text: Surface Studio 2 for Business - url: https://www.microsoft.com/surface/business/surface-studio-2 - - text: Surface Go - url: https://www.microsoft.com/surface/business/surface-go - - linkListType: video - links: - - text: Microsoft Mechanics Surface videos - url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ - + - text: Surface Go 2 for Business + url: https://www.microsoft.com/surface/business/surface-go-2 + - text: Surface Book 3 for Business + url: https://www.microsoft.com/surface/business/surface-book-3 + - text: Explore all Surface family products + url: https://www.microsoft.com/surface/business + # Card (optional) - title: Get started linkLists: - linkListType: get-started links: - - text: Surface and Endpoint Configuration Manager considerations - url: considerations-for-surface-and-system-center-configuration-manager.md - - text: Wake On LAN for Surface devices - url: wake-on-lan-for-surface-devices.md - + - text: Surface Book 3 GPU technical overview + url: surface-book-gpu-overview.md + - text: Surface Book 3 Quadro RTX 3000 technical overview + url: surface-book-quadro.md + - text: What’s new in Surface Dock 2 + url: surface-dock-whats-new.md + # Card - title: Deploy Surface devices linkLists: - linkListType: deploy links: - - text: Manage and deploy Surface driver and firmware updates - url: manage-surface-driver-and-firmware-updates.md + - text: Surface Deployment Accelerator tool + url: microsoft-surface-deployment-accelerator.md - text: Autopilot and Surface devices url: windows-autopilot-and-surface-devices.md - text: Deploying, managing, and servicing Surface Pro X url: surface-pro-arm-app-management.md - - # Card + + # Card - title: Manage Surface devices linkLists: - linkListType: how-to-guide links: - - text: Optimize Wi-Fi connectivity for Surface devices - url: surface-wireless-connect.md + - text: Manage and deploy Surface driver and firmware updates + url: manage-surface-driver-and-firmware-updates.md - text: Best practice power settings for Surface devices url: maintain-optimal-power-settings-on-Surface-devices.md - - text: Manage battery limit with UEFI - url: battery-limit.md + - text: Optimize Wi-Fi connectivity for Surface devices + url: surface-wireless-connect.md # Card - - title: Secure Surface devices + - title: Explore security guidance linkLists: - linkListType: how-to-guide links: @@ -86,37 +78,39 @@ landingContent: url: surface-enterprise-management-mode.md - text: Surface Data Eraser tool url: microsoft-surface-data-eraser.md - - # Card + + # Card - title: Discover Surface tools linkLists: - linkListType: how-to-guide links: - - text: Surface Dock Firmware Update - url: surface-dock-firmware-update.md - text: Surface Diagnostic Toolkit for Business url: surface-diagnostic-toolkit-for-business-intro.md - text: SEMM and UEFI url: surface-enterprise-management-mode.md - - text: Surface Brightness Control - url: microsoft-surface-brightness-control.md - text: Battery Limit setting url: battery-limit.md - # Card - - title: Support and community + # Card + - title: Browse support solutions linkLists: - linkListType: learn links: - text: Top support solutions url: support-solutions-surface.md - - text: Maximize your Surface battery life - url: https://support.microsoft.com/help/4483194/maximize-surface-battery-life + - text: Protecting your data during Surface repair or service + url: https://support.microsoft.com/help/4023508/surface-faq-protecting-your-data-service - text: Troubleshoot Surface Dock and docking stations url: https://support.microsoft.com/help/4023468/surface-troubleshoot-surface-dock-and-docking-stations - - linkListType: reference + +# Card + - title: Participate in Surface Community + linkLists: + - linkListType: learn links: - text: Surface IT Pro blog url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro - text: Surface Devices Tech Community url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices + - text: Microsoft Mechanics Surface videos + url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ diff --git a/devices/surface/images/enable-bl.png b/devices/surface/images/enable-bl.png index a99cb994fb..b1f7cff7f6 100644 Binary files a/devices/surface/images/enable-bl.png and b/devices/surface/images/enable-bl.png differ diff --git a/devices/surface/images/go-batterylimit.png b/devices/surface/images/go-batterylimit.png new file mode 100644 index 0000000000..893e78ea9f Binary files /dev/null and b/devices/surface/images/go-batterylimit.png differ diff --git a/devices/surface/images/graphics-settings2.png b/devices/surface/images/graphics-settings2.png new file mode 100644 index 0000000000..3ee5235962 Binary files /dev/null and b/devices/surface/images/graphics-settings2.png differ diff --git a/devices/surface/images/surface-deployment-accelerator.png b/devices/surface/images/surface-deployment-accelerator.png new file mode 100644 index 0000000000..1886a08227 Binary files /dev/null and b/devices/surface/images/surface-deployment-accelerator.png differ diff --git a/devices/surface/images/surface-dock2.png b/devices/surface/images/surface-dock2.png new file mode 100644 index 0000000000..410bcd1df7 Binary files /dev/null and b/devices/surface/images/surface-dock2.png differ diff --git a/devices/surface/images/surface-semm-enroll-fig3.jpg b/devices/surface/images/surface-semm-enroll-fig3.jpg new file mode 100644 index 0000000000..bdbc3dfd4f Binary files /dev/null and b/devices/surface/images/surface-semm-enroll-fig3.jpg differ diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 0cbf9dac52..1ad32d8518 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -11,9 +11,10 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article -ms.audience: itpro +audience: itpro +ms.date: 05/11/2020 --- # Microsoft Surface Data Eraser @@ -28,6 +29,8 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d Compatible Surface devices include: +* Surface Book 3 +* Surface Go 2 * Surface Pro 7 * Surface Pro X * Surface Laptop 3 @@ -164,6 +167,14 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: +### 3.30.139 +*Release Date: 11 May 2020* + +This version of Surface Data Eraser adds support for: +- Surface Book 3 +- Surface Go 2 +- New SSD in Surface Go + ### 3.28.137 *Release Date: 11 Nov 2019* This version of Surface Data Eraser: diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index 6c25746e2a..4a2b2a806c 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md @@ -11,134 +11,33 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.audience: itpro +ms.date: 5/08/2020 --- # Microsoft Surface Deployment Accelerator -Microsoft Surface Deployment Accelerator (SDA) automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. +Microsoft Surface Deployment Accelerator (SDA) automates the creation and configuration of a Microsoft recommended deployment experience by using free Microsoft deployment tools. -> [!NOTE] -> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md). +Redesigned in April 2020 to simplify and automate deployment of Surface images in a corporate environment, the +SDA tool allows you to build a “factory-like” Windows image that you can customize to your organizational requirements. -SDA is built on the powerful suite of deployment tools available from Microsoft including the Windows Assessment and Deployment Kit (ADK), the Microsoft Deployment Toolkit (MDT), and Windows Deployment Services (WDS). The resulting deployment share encompasses the recommended best practices for managing drivers during deployment and automating image creation and can serve as a starting point upon which you build your own customized deployment solution. +The open source, script-driven SDA tool leverages the Windows Assessment and Deployment Kit (ADK) for Windows 10, facilitating the creation of Windows images (WIM) in test or production environments. If the latest ADK is not already installed, it will be downloaded and installed when running the SDA tool. -**Download Microsoft Surface Deployment Accelerator** +The resulting image closely matches the configuration of Bare Metal Recovery (BMR) images, without any pre-installed applications such as Microsoft Office or the Surface UWP application. -You can download the installation files for SDA from the Microsoft Download Center. To download the installation files: +**To run SDA:** -1. Go to the [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) page on the Microsoft Download Center. +1. Go to [SurfaceDeploymentAccelerator](https://github.com/microsoft/SurfaceDeploymentAccelerator) on GitHub. +2. Select **Clone or Download** and review the Readme file. +3. Edit the script with the appropriate variables for your environment, as documented in the Readme, and review before running it in your test environment. -2. Click the **Download** button, select the **Surface\_Deployment\_Accelerator\_xxxx.msi** file, and then click **Next**. +  -## Microsoft Surface Deployment Accelerator prerequisites - - -Before you install SDA, your environment must meet the following prerequisites: - -- SDA must be installed on Windows Server 2012 R2 or later - -- PowerShell Script Execution Policy must be set to **Unrestricted** - -- DHCP and DNS must be enabled on the network where the Windows Server 2012 R2 environment is connected - -- To download Surface drivers and apps automatically the Windows Server 2012 R2 environment must have Internet access and Internet Explorer Enhanced Security Configuration must be disabled - -- To support network boot, the Windows Server 2012 R2 environment must have Windows Deployment Services installed and configured to respond to PXE requests - -- Access to Windows source files or installation media is required when you prepare a deployment with SDA - -- At least 6 GB of free space for each version of Windows you intend to deploy - -## How Microsoft Surface Deployment Accelerator works - - -As you progress through the SDA wizard, you will be asked some basic questions about how your deployment solution should be configured. As you select the desired Surface models to be supported and apps to be installed (see Figure 1), the wizard will prepare scripts that download, install, and configure everything needed to perform a complete deployment and capture of a reference image. By using the network boot (PXE) capabilities of Windows Deployment Services (WDS), the resulting solution enables you to boot a Surface device from the network and perform a clean deployment of Windows. - - - -*Figure 1. Select desired apps and drivers* - -When the SDA completes, you can use the deployment share to deploy over the network immediately. Simply boot your Surface device from the network using a Surface Ethernet Adapter and select the Surface deployment share you created with the SDA wizard. Select the **1- Deploy Microsoft Surface** task sequence and the wizard will walk you through an automated deployment of Windows to your Surface device. - -You can modify the task sequence in the MDT Deployment Workbench to [include your own apps](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt#sec04), or to [pause the automated installation routine](https://blogs.technet.microsoft.com/mniehaus/2009/06/26/mdt-2010-new-feature-3-suspend-and-resume-a-lite-touch-task-sequence/). While the installation is paused, you can make changes to customize your reference image. After the image is captured, you can configure a deployment task sequence and distribute this custom configuration by using the same network boot capabilities as before. - ->[!NOTE] ->With SDA v1.9.0258, Surface Pro 3, Surface Pro 4, and Surface Book are supported for Windows 10 deployment, and Surface Pro 3 is supported for Windows 8.1 deployment. - - - -## Use Microsoft Surface Deployment Accelerator without an Internet connection - - -For environments where the SDA server will not be able to connect to the Internet, the required Surface files can be downloaded separately. To specify a local source for Surface driver and app files, select the **Copy from a local directory** option and specify the location of your downloaded files (see Figure 2). All of the driver and app files for your selected choices must be placed in the specified folder. - - - -*Figure 2. Specify a local source for Surface driver and app files* - -You can find a full list of available driver downloads at [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md) - ->[!NOTE] ->Downloaded files do not need to be extracted. The downloaded files can be left as .zip files as long as they are stored in one folder. - ->[!NOTE] ->Using files from a local directory is not supported when including Office 365 in your deployment share. To include Office 365 in your deployment share, select the **Download from the Internet** check box. - -## Changes and updates - -SDA is periodically updated by Microsoft. For instructions on how these features are used, see [Step-by-Step: Microsoft Surface Deployment Accelerator](https://technet.microsoft.com/itpro/surface/step-by-step-surface-deployment-accelerator). - ->[!NOTE] ->To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share. - -### Version 2.8.136.0 -This version of SDA supports deployment of the following: -* Surface Book 2 -* Surface Laptop -* Surface Pro LTE - -### Version 2.0.8.0 -This version of SDA supports deployment of the following: -* Surface Pro - ->[!NOTE] ->SDA version 2.0.8.0 includes support only for Surface Pro, and does not support other Surface devices such as Surface Pro 4 or Surface Book. To deploy these devices, please continue to use SDA version 1.96.0405. - -### Version 1.96.0405 -This version of SDA adds support for the following: -* Microsoft Deployment Toolkit (MDT) 2013 Update 2 -* Office 365 Click-to-Run -* Surface 3 and Surface 3 LTE -* Reduced Windows Assessment and Deployment Kit (Windows ADK) footprint, only the following Windows ADK components are installed: - * Deployment tools - * Windows Preinstallation Environment (WinPE) - * User State Migration Tool (USMT) - -### Version 1.90.0258 -This version of SDA adds support for the following: -* Surface Book -* Surface Pro 4 -* Windows 10 - -### Version 1.90.0000 -This version of SDA adds support for the following: -* Local driver and app files can be used to create a deployment share without access to the Internet - -### Version 1.70.0000 -This version is the original release of SDA. This version of SDA includes support for: -* MDT 2013 Update 1 -* Windows ADK -* Surface Pro 3 -* Windows 8.1 - - -## Related topics - -[Step by step: Surface Deployment Accelerator](step-by-step-surface-deployment-accelerator.md) - -[Using the Surface Deployment Accelerator deployment share](using-the-sda-deployment-share.md) +## Related links + - [Open source image deployment tool released on GitHub](https://techcommunity.microsoft.com/t5/surface-it-pro-blog/open-source-image-deployment-tool-released-on-github/ba-p/1314115) + - [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md deleted file mode 100644 index e10b8209c9..0000000000 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ /dev/null @@ -1,410 +0,0 @@ ---- -title: Step by step Surface Deployment Accelerator (Surface) -description: This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. -ms.assetid: A944FB9C-4D81-4868-AFF6-B9D1F5CF1032 -ms.reviewer: -manager: laurawi -ms.localizationpriority: medium -keywords: deploy, configure -ms.prod: w10 -ms.mktglfcycl: deploy -ms.pagetype: surface, devices -ms.sitesec: library -author: coveminer -ms.author: v-jokai -ms.topic: article -ms.date: 10/31/2019 ---- - -# Step by step: Surface Deployment Accelerator - -This article shows you how to install Microsoft Surface Deployment Accelerator (SDA), configure a deployment share for the deployment of Windows to Surface devices, and perform a deployment to Surface devices. This article also contains instructions on how to perform these tasks without an Internet connection or without support for Windows Deployment Services network boot (PXE). - -> [!NOTE] -> SDA is not supported on Surface Pro 7, Surface Pro X, and Surface Laptop 3. For more information refer to [Deploy Surface devices](deploy.md). - -## How to install Surface Deployment Accelerator - -For information about prerequisites and instructions for how to download and install SDA, see [Microsoft Surface Deployment Accelerator](microsoft-surface-deployment-accelerator.md). - -1. Download SDA, which is included in [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) on the Microsoft Download Center. - -2. Run the SDA installation file, named **Surface\_Deployment\_Accelerator\_*xxxx*.msi**, where *xxxx* is the current version number. - -3. Accept the End User License Agreement (EULA) by selecting the check box, and then click **Install**, as shown in Figure 1. - -  - - *Figure 1. SDA setup* - -4. Click **Finish** to complete the installation of SDA. - -The tool installs in the SDA program group, as shown in Figure 2. - - - -*Figure 2. The SDA program group and icon* - ->[!NOTE] ->At this point, the tool has not yet prepared any deployment environment or downloaded any materials from the Internet. - -## Create a deployment share - -The following steps show you how to create a deployment share for Windows 10 that supports Surface 3, Surface Pro 3, Surface Pro 4, Surface Book, the Surface Firmware Tool, the Surface Asset Tag Tool, and Office 365. As you follow the steps below, make the selections that are applicable for your organization. For example, you could choose to deploy Windows 10 to Surface Book only, without any of the Surface apps. - ->[!NOTE] ->SDA lets you create deployment shares for both Windows 8.1 and Windows 10 deployments, but you can only create a single deployment share at a time. Therefore, to create both Windows 8.1 and Windows 10 deployment shares, you will need to run the tool twice. - -1. Open the SDA wizard by double-clicking the icon in the **Surface Deployment Accelerator** program group on the Start screen. - -2. On the **Welcome** page, click **Next** to continue. - -3. On the **Verify System** page, the SDA wizard verifies the prerequisites required for an SDA deployment share. This process also checks for the presence of the Windows Assessment and Deployment Kit (Windows ADK) for Windows 10 and the Microsoft Deployment Toolkit (MDT) 2013 Update 2. If these tools are not detected, they are downloaded and installed automatically. Click **Next** to continue. - - >[!NOTE] - >As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows: - > * Deployment tools - > * User State Migration Tool (USMT) - > * Windows Preinstallation Environment (WinPE) - - > [!NOTE] - > As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1. - -4. On the **Windows 8.1** page, to create a Windows 10 deployment share, do not select the **Would you like to support Windows 8.1** check box. Click **Next** to continue. - -5. On the **Windows 10** page, to create a Windows 10 deployment share, select the **Would you like to support Windows 10** check box. Supply the following information before you click **Next** to continue: - - - **Configure Deployment Share for Windows 10** - - - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3. - - - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**. - - - **Windows 10 Deployment Services** - - - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot. - - - **Windows 10 Source Files** - - - **Local Path** – Specify or browse to the root directory of Windows 10 installation files. If you have an ISO file, mount it and browse to the root of the mounted drive. You must have a full set of source files, not just **Install.wim**. - -  - - *Figure 3. Specify Windows 10 deployment share options* - -6. On the **Configure** page, select the check box next to each device or app that you want to include in your deployment share. Note that Surface Pro 4 and Surface Book only support Windows 10 and are not available for the deployment of Windows 8.1. The Surface Firmware Tool is only applicable to Surface 3 and Surface Pro 3 and cannot be selected unless Surface 3 or Surface Pro 3 drivers are selected, as shown in Figure 4. Click **Next** to continue. - -  - - *Figure 4. Selecting Surface Firmware Tool requires Surface Pro 3 drivers* - - >[!NOTE] - >You cannot select both Surface 3 and Surface 3 LTE models at the same time. - -7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes: - - - Download of Windows ADK - - - Installation of Windows ADK - - - Download of MDT - - - Installation of MDT - - - Download of Surface apps and drivers - - - Creation of the deployment share - - - Import of Windows installation files into the deployment share - - - Import of the apps and drivers into the deployment share - - - Creation of rules and task sequences for Windows deployment - -  - - *Figure 5. The Installation Progress window* - - ### Optional: Workaround for Webclient exception - - You may see this error message while installing the latest version of ADK or MDT: _An exception occurred during a WebClient request._ This is due to incompatibility between the Surface Deployment Accelerator (SDA) and Background Intelligent Transfer Service (BITS). To work around this issue, do the following. - - In the two PowerShell scripts: - - ```PowerShell - %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1 - %ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1 - ``` - - Edit the $BITSTransfer variable in the input parameters to $False as shown below: - - ```PowerShell - Param( - [Parameter( - Position=0, - Mandatory=$False, - HelpMessage="Download via BITS bool true/false" - )] - [string]$BITSTransfer = $False - ) - ``` - -8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices. - - ### Optional: Create a deployment share without an Internet connection - - If you are unable to connect to the Internet with your deployment server, or if you want to download the Surface drivers and apps separately, you can specify a local source for the driver and app files at the time of deployment share creation. On the **Configure** page of the SDA wizard, select the **Copy from a Local Directory** check box, as shown in Figure 6. The **Download from the Internet** check box will be automatically deselected. Enter the folder location where you have placed the driver and app files in the **Local Path** field, as shown in Figure 6. - - >[!NOTE] - >All of the downloaded driver and applications files must be located in the same folder. If a required driver or application file is missing from the selected folder when you click **Next**, a warning is displayed and the wizard will not proceed to the next step. - - >[!NOTE] - >The driver and app files do not need to be extracted from the downloaded .zip files. - - >[!NOTE] - >Including Office 365 in your deployment share requires an Internet connection and cannot be performed if you use local files. - -  - - *Figure 6. Specify the Surface driver and app files from a local path* - - >[!NOTE] - >The **Copy from a Local Directory** check box is only available in SDA version 1.90.0221 or later. - - ### Optional: Prepare offline USB media - - You can use USB media to perform an SDA deployment if your Surface device is unable to boot from the network. For example, if you do not have a Microsoft Surface Ethernet Adapter or Microsoft Surface dock to facilitate network boot (PXE boot). The USB drive produced by following these steps includes a complete copy of the SDA deployment share and can be run on a Surface device without a network connection. - - >[!NOTE] - >The offline media files for the complete SDA deployment share are approximately 9 GB in size. Your USB drive must be at least 9 GB in size. A 16 GB USB drive is recommended. - - Before you can create bootable media files within the MDT Deployment Workbench or copy those files to a USB drive, you must first configure that USB drive to be bootable. Using [DiskPart](https://go.microsoft.com/fwlink/p/?LinkId=761073), create a partition, format the partition as FAT32, and set the partition to be active. To run DiskPart, open an administrative PowerShell or Command Prompt window, and then run the following sequence of commands, as shown in Figure 7: - - 1. **diskpart** – Opens DiskPart to manage disks and partitions. - - 2. **list disk** – Displays a list of the disks available in your system; use this list to identify the disk number that corresponds with your USB drive. - - 3. **sel disk 2** – Selects your USB drive; use the number that corresponds with the disk in your system. - - 4. **clean** – Removes all configuration from your USB drive. - - >[!WARNING] - >This step will remove all information from your drive. Verify that your USB drive does not contain any needed data before you perform the **clean** command. - - 5. **create part pri** – Creates a primary partition on the USB drive. - - 6. **format fs=fat32 quick** – Formats the partition with the FAT32 file system, performing a quick format. FAT32 is required to boot the device from UEFI systems like Surface devices. - - 7. **assign** – Assigns the next available drive letter to the newly created FAT32 volume. - - 8. **active** – Sets the partition to be active, which is required to boot the volume. - - 9. **exit** – Exits DiskPart, after which you can close the PowerShell or Command Prompt window. - -  - - *Figure 7. Use DiskPart to prepare a USB drive for boot* - - >[!NOTE] - >You can format your USB drive with FAT32 from Disk Management, but you must still use DiskPart to set the partition as active for the drive to boot properly. - - After you have prepared the USB drive for boot, the next step is to generate offline media from the SDA deployment share. To create this media, follow these steps: - - 1. Open the **Deployment Workbench** from the **Microsoft Deployment Toolkit** group on your Start screen. - - 2. Expand the **Deployment Shares** node and the **Microsoft Surface Deployment Accelerator** deployment share. - - 3. Expand the folder **Advanced Configuration** and select the **Media** folder. - -4. Right-click the **Media** folder and click **New Media** as shown in Figure 8 to start the New Media Wizard. - -  - - *Figure 8. The Media folder of the SDA deployment share* - - 5. On the **General Settings** page in the **Media path** field, enter or browse to a folder where you will create the files for the new offline media. See the example **E:\\SDAMedia** in Figure 9. Leave the default profile **Everything** selected in the **Selection profile** drop-down menu, and then click **Next**. - -  - - *Figure 9. Specify a location and selection profile for your offline media* - - 6. On the **Summary** page verify your selections, and then click **Next** to begin creation of the media. - - 7. A **Progress** page is displayed while the media is created. - - 8. On the **Confirmation** page, click **Finish** to complete creation of the media. - - 9. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab as shown in Figure 10. - -  - - *Figure 10. Rules of the SDA deployment share* - - 10. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+C** to copy the text. - - 11. Click **OK** to close the **Microsoft Surface Deployment Accelerator** deployment share properties. - - 12. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab. - - 13. Use your mouse to highlight all of the text displayed in the text box of the **Rules** tab, and then press **Ctrl+V** to paste the text you copied from the **Microsoft Surface Deployment Accelerator** deployment share rules. - - 14. Right-click the **Microsoft Surface Deployment Accelerator** deployment share folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad. - - 15. Press **Ctrl+A** to select all of the text in the window, and then press **Ctrl+C** to copy the text. - - 16. Close Bootstrap.ini and click **OK** in **Microsoft Surface Deployment Accelerator** deployment share properties to close the window. - - 17. Right-click the newly created **MEDIA001** item in the **Media** folder, click **Properties**, and then click the **Rules** tab again. Click the **Bootstrap.ini** button to open Bootstrap.ini in Notepad. - - 18. Press **Ctrl+A** to select all of the text in the window, then press **Ctrl+V** to paste the text from the SDA deployment share Bootstrap.ini file. - - 19. Delete the following lines from the Bootstrap.ini as shown in Figure 11, and then save the file: - - ```PowerShell - UserID= - UserDomain= - UserPassword= - DeployRoot=\\SDASERVER\SDAWin10 - UserID= - UserDomain= - UserPassword= - ``` - -  - - *Figure 11. The Bootstrap.ini file of MEDIA001* - - 20. Close Bootstrap.ini and click **OK** in **MEDIA001** deployment share properties to close the window. - - 21. In the **Deployment Workbench** under the **Media** folder, right-click the newly created **MEDIA001** and click **Update Media Content**, as shown in Figure 12. This will update the media files with the content of the **Microsoft Surface Deployment Accelerator** deployment share. - -  - - *Figure 12. Select the Update Media Content option* - - 22. The **Update Media Content** window is displayed and shows the progress as the media files are created. When the process completes, click **Finish.** - - The final step is to copy the offline media files to your USB drive. - - 1. In File Explorer, open the path you specified in Step 5, for example **E:\\SDAMedia**. - - 2. Copy all of the files from the Content folder to the root of the USB drive. - - Your USB drive is now configured as bootable offline media that contains all of the resources required to perform a deployment to a Surface device. - -## SDA task sequences - -The SDA deployment share is configured with all of the resources required to perform a Windows deployment to a Surface device. These resources include Windows source files, image, Surface drivers, and Surface apps. The deployment share also contains two pre-configured task sequences, as shown in Figure 13. These task sequences contain the steps required to perform a deployment to a Surface device using the default Windows image from the installation media or to create a reference image complete with Windows updates and applications. To learn more about task sequences, see [MDT 2013 Update 2 Lite Touch components](https://technet.microsoft.com/itpro/windows/deploy/mdt-2013-lite-touch-components). - - - -*Figure 13. Task sequences in the Deployment Workbench* - -### Deploy Microsoft Surface - -The **1 – Deploy Microsoft Surface** task sequence is used to perform a complete deployment of Windows to a Surface device. This task sequence is pre-configured by the SDA wizard and is ready to perform a deployment as soon as the wizard completes. Running this task sequence on a Surface device deploys the unaltered Windows image copied directly from the Windows installation media you specified in the SDA wizard, along with the Surface drivers for your device. The drivers for your Surface device will be automatically selected through the pre-configured deployment share rules. - -When you run the task sequence, you will be prompted to provide the following information: - -- A computer name - -- Your domain information and the credentials required to join the domain - -- A product key, if one is required - - >[!NOTE] - >If you are deploying the same version of Windows as the version that came on your device, no product key is required. - -- A time zone - -- An Administrator password - -The Surface apps you specified on the **Configure** page of the SDA wizard are automatically installed when you run this task sequence on a Surface device. - -### Create Windows reference image - -The **2 – Create Windows Reference Image** task sequence is used to perform a deployment to a virtual machine for the purpose of capturing an image complete with Windows Updates for use in a deployment to Surface devices. By installing Windows Updates in your reference image, you eliminate the need to download and install those updates on each deployed Surface device. The deployment process with an up-to-date image is significantly faster and more efficient than performing a deployment first and then installing Windows Updates on each device. - -Like the **1 – Deploy Microsoft Surface** task sequence, the **2 – Create Windows Reference Image** task sequence performs a deployment of the unaltered Windows image directly from the installation media. Creation of a reference image should always be performed on a virtual machine. Using a virtual machine as your reference system helps to ensure that the resulting image is compatible with different hardware configurations. - ->[!NOTE] ->Using a virtual machine when you create a reference image for Windows deployment is a recommended practice for performing Windows deployments with Microsoft deployment tools including the Microsoft Deployment Toolkit and Microsoft Endpoint Configuration Manager. These Microsoft deployment technologies use the hardware agnostic images produced from a virtual machine and a collection of managed drivers to deploy to different configurations of hardware. For more information, see [Deploy a Windows 10 image using MDT 2013 Update 2](https://technet.microsoft.com/itpro/windows/deploy/deploy-a-windows-10-image-using-mdt). - -In addition to the information required by the **1 – Deploy Microsoft Surface** task sequence, you will also be prompted to capture an image when you run this task sequence on your reference virtual machine. The **Location** and **File name** fields are automatically populated with the proper information for your deployment share. All that you need to do is select the **Capture an image of this reference computer** option when you are prompted on the **Capture Image** page of the Windows Deployment Wizard. - -## Deployment to Surface devices - - -To perform a deployment from the SDA deployment share, follow this process on the Surface device: - -1. Boot the Surface device to MDT boot media for the SDA deployment share. You can do this over the network by using PXE boot, or from a USB drive as described in the [Optional: Prepare offline USB media](#optional) section of this article. - -2. Select the deployment share for the version of Windows you intend to deploy and enter your credentials when you are prompted. - -3. Select the task sequence you want to run, usually the **1 – Deploy Microsoft Surface** task sequence. - -4. Address the task sequence prompts to pick applications, supply a password, and so on. - -5. The task sequence performs the automated deployment using the options specified. - -### Boot the Surface device from the network - -To boot the Surface device from the network, the Microsoft Surface Deployment Accelerator wizard must have been run on a Windows Server 2012 R2 or later environment that was configured with the Windows Deployment Services (WDS). WDS must have been configured to respond to network boot (PXE boot) requests and the boot files must have been imported into WDS. The SDA wizard will import these file automatically if the **Import boot media into the local Windows Deployment Service** check box was selected on the page for the version of Windows you intend to deploy. - -To boot the Surface device from the network, you must also use a Microsoft Surface Ethernet Adapter or the Ethernet port on a Microsoft Surface Dock. Third-party Ethernet adapters are not supported for network boot (PXE boot). A keyboard is also required. Both the Microsoft Surface Type Cover and keyboards connected via USB to the device or dock are supported. - -To instruct your Surface device to boot from the network, start with the device powered off and follow these steps: - -1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the network. - -2. Press **Enter** when prompted by the dialog on the screen. This prompt indicates that your device has found the WDS PXE server over the network. - -3. If you have configured more than one deployment share on this device, you will be prompted to select between the boot images for each deployment share. For example, if you created both a Windows 10 and a Windows 8.1 deployment share, you will be prompted to choose between these two options. - -4. Enter the domain credentials that you use to log on to the server where SDA is installed when you are prompted, as shown in Figure 14. - -  - - *Figure 14. The prompt for credentials to the deployment share* - -5. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process. - -### Alternatively boot the devices from the USB stick - -To boot a device from the USB stick: - -1. Press and hold the **Volume Down** button, press and release the **Power** button. Continue holding the **Volume Down** button until the device has begun to boot from the USB drive. - -2. The Windows Deployment Wizard will start from the deployment share to walk you through the deployment process. - -### Run the Deploy Microsoft Surface task sequence - -To run the Deploy Microsoft Surface task sequence: - -1. On the **Task Sequence** page, select the **1 – Deploy Microsoft Surface** task sequence as shown in Figure 15, and then click **Next.** - -  - - *Figure 15. Select the 1 – Deploy Microsoft Surface task sequence* - -2. On the **Computer Details** page, type a name for the Surface device in the **Computer Name** box. In the **Join a domain** section, type your domain name and credentials as shown in Figure 16, and then click **Next**. - -  - - *Figure 16. Enter the computer name and domain information* - -3. On the **Product Key** page, keep the **No product key is required** check box selected if you are deploying the same version and edition of Windows to your Surface devices as they came with from the factory. If you are deploying a different version or edition of Windows to the device, such as Windows Enterprise, select the licensing option that is applicable to your scenario. - -4. On the **Locale and Time** page, select your desired **Language Settings** and **Time Zone**, and then click **Next.** - -5. On the **Administrator Password** page, type a password for the local Administrator account on the Surface device, and then click **Next.** - -6. On the **BitLocker** page, select the **Enable BitLocker** option along with your desired configuration of BitLocker protectors if you want to encrypt the device. Otherwise, keep the **Do not enable BitLocker for this computer** check box selected, and then click **Next.** - -7. On the **Ready** page, verify your selections and then click **Begin** to start the automated deployment to this device. The deployment will not require user interaction again. The Windows Deployment Wizard will close and an **Installation Progress** window is displayed to show progress of the task sequence as the image is applied and applications are installed (Figure 17). - -  - - *Figure 17. The Installation Progress window* - -8. When the deployment task sequence completes, a **Success** window is displayed. Click **Finish** to complete the deployment and begin using your Surface device. diff --git a/devices/surface/surface-book-gpu-overview.md b/devices/surface/surface-book-gpu-overview.md new file mode 100644 index 0000000000..337ae2daf6 --- /dev/null +++ b/devices/surface/surface-book-gpu-overview.md @@ -0,0 +1,166 @@ +--- +title: Surface Book 3 GPU technical overview +description: This article provides a technical evaluation of GPU capabilities across Surface Book 3 models. +ms.prod: w10 +ms.mktglfcycl: manage +ms.localizationpriority: medium +ms.sitesec: library +author: coveminer +ms.author: greglin +ms.topic: article +ms.date: 5/06/2020 +ms.reviewer: brrecord +manager: laurawi +audience: itpro +--- +# Surface Book 3 GPU technical overview + +## Introduction + +Surface Book 3, the most powerful Surface laptop yet released, integrates fully modernized compute and graphics capabilities into its famous detachable form factor. Led by the quad-core 10th Gen Intel® Core™ i7 and NVIDIA® Quadro RTX™ 3000 graphical processing unit (GPU) on the 15-inch model, Surface Book 3 comes in a wide range of configurations for consumers, creative professionals, architects, engineers, and data scientists. This article explains the major differences between the GPU configurations across 13-inch and 15-inch models of Surface Book 3. + +A significant differentiator across Surface Book 3 models is the GPU configuration. In addition to the integrated Intel GPU built into all models, all but the entry-level, 13.5-inch core i5 device also feature a discrete NVIDIA GPU with Max-Q Design, which incorporates features that optimize energy efficiency for mobile form factors. + +Built into the keyboard base, the additional NVIDIA GPU provides advanced graphics rendering capabilities and comes in two primary configurations: GeForce® GTX® 1650/1660 Ti for consumers or creative professionals and Quadro RTX 3000 for creative professionals, engineers, and other business professionals who need advanced graphics or deep learning capabilities. This article also describes how to optimize app utilization of GPUs by specifying which apps should use the integrated iGPU versus the discrete NVIDIA GPU. + +## Surface Book 3 GPUs + +This section describes the integrated and discrete GPUs across Surface Book 3 models. For configuration details of all models, refer to [Appendix A: Surface Book 3 SKUs](#). + +### Intel Iris™ Plus Graphics + +The integrated GPU (iGPU) included on all Surface Book 3 models incorporates a wider graphics engine and a redesigned memory controller with support for LPDDR4X. Installed as the secondary GPU on most Surface Book 3 models, Intel Iris Plus Graphics functions as the singular GPU in the core i5, 13.5-inch model. Although nominally the entry level device in the Surface Book 3 line, it delivers advanced graphics capabilities enabling consumers, hobbyists, and online creators to run the latest productivity software like Adobe Creative Cloud or enjoy gaming titles in 1080p. + +### NVIDIA GeForce GTX 1650 + +NVIDIA GeForce GTX 1650 with Max-Q design delivers a major upgrade of the core streaming multiprocessor to more efficiently handle the complex graphics of modern games. Its +concurrent execution of floating point and integer operations boosts performance in compute-heavy workloads of modern games. A new unified memory architecture with twice the cache of its predecessor allows for better performance on complex modern games. New shading advancements improve performance, enhance image quality, and deliver new levels of geometric complexity. + +### NVIDIA GeForce GTX 1660 Ti + +Compared with the GeForce GTX 1650, the faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements and includes the new and upgraded NVIDIA Encoder, making it better for consumers, gamers, live streamers, and creative professionals. + +Thanks to 6 GB of GDDR6 graphics memory, Surface Book 3 models equipped with NVIDIA GeForce GTX 1660 TI provide superior speeds on advanced business productivity software and popular games especially when running the most modern titles or livestreaming. With an optional 2 TB SSD (available in U.S. only), the 15-inch model with GeForce GTX 1660 Ti delivers the most storage of any Surface Book 3 device. + +### NVIDIA Quadro RTX 3000 + +NVIDIA Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance. A combination of 30 RT cores, 240 tensor cores, and 6 GB of GDDR6 graphics memory enables multiple advanced workloads including Al-powered workflows, 3D content creation, advanced video editing, professional broadcasting, and multi-app workflows. Enterprise level hardware and software support integrate deployment tools to maximize uptime and minimize IT support requirements. Certified for the world’s most advanced software, Quadro drivers are optimized for professional applications, and are tuned, tested, and validated to provide app certification, enterprise level stability, reliability, availability, and support with extended product availability. + + +## Comparing GPUs across Surface Book 3 + +NVIDIA GPUs provide users with great performance for gaming, live streaming, and content creation. GeForce GTX products are great for gamers and content creators. Quadro RTX products are targeted at professional users, provide great performance in gaming and content creation, and also add the following features: + +- RTX acceleration for ray tracing and AI. This makes it possible to render film-quality, photorealistic objects and environments with physically accurate shadows, reflections and refractions. And its hardware accelerated AI capabilities means the advanced AI-based features in popular applications can run faster than ever before. +- Enterprise-level hardware, drivers and support, as well as ISV app certifications. +- IT management features including an additional layer of dedicated enterprise tools for remote management that help maximize uptime and minimize IT support requirements. + + Unless you count yourself among the ranks of advanced engineering, design, architecture, or data science professionals, Surface Book 3 equipped with NVIDIA GeForce graphics capabilities will likely meet your needs. Conversely, if you’re already in -- or aspiring to join -- a profession that requires highly advanced graphics capabilities in a portable form factor that lets you work from anywhere, Surface Book 3 with Quadro RTX 3000 deserves serious consideration. To learn more, refer to the Surface Book 3 Quadro RTX 3000 technical overview. + +**Table 1. Discrete GPUs on Surface Book 3** + +| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** | +| -------------------- | -------------------------------------- | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | +| **Target users** | Gamers, hobbyists and online creators | Gamers, creative professionals and online creators | Creative professionals, architects, engineers, developers, data scientists | +| **Workflows** | Graphic designPhotography
Video | Graphic design
Photography
Video | Al-powered Workflows
App certifications
High-res video
Pro broadcasting
Multi-app workflows | +| **Key apps** | Adobe Creative Suite | Adobe Creative Suite | Adobe Creative Suite
Autodesk AutoCAD
Dassault Systemes SolidWorks | +| **GPU acceleration** | Video and image processing | Video and image processing | Ray tracing + AI + 6K video
Pro broadcasting features
Enterprise support | + + + +**Table 2. GPU tech specs on Surface Book 3** + +| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** | +| -------------------------------------------------------- | -------------------- | ----------------------- | ------------------- | +| **NVIDIA CUDA processing cores** | 1024 | 1536 | 1920 | +| **NVIDIA Tensor Cores** | No | No | 240 | +| **NVIDIA RT Cores** | No | No | 30 | +| **GPU memory** | 4 GB | 6 GB | 6 GB | +| **Memory Bandwidth (GB/sec)** | Up to 112 | Up to 288 | Up to 288 | +| **Memory type** | GDDR5 | GDDR6 | GDDR6 | +| **Memory interface** | 128-bit | 192-bit | 192-bit | +| **Boost clock MHz** | 1245 | 1425 | 1305 | +| **Base clock (MHz)** | 1020 | 1245 | 765 | +| **Real-time ray tracing** | No | No | Yes | +| **AI hardware acceleration** | No | No | Yes | +| **Hardware Encoder** | Yes | Yes | Yes | +| **Game Ready Driver (GRD)** | Yes 1 | Yes 1 |Yes 2 +| **Studio Driver (SD)** | Yes 1 | Yes1 | Yes 1 | +| **Optimal Driver for Enterprise (ODE)** | No | No | Yes | +| **Quadro New Feature Driver (QNF)** | No | No | Yes | +| **Microsoft DirectX 12 API, Vulkan API, Open GL 4.6** | Yes | Yes | Yes | +| **High-bandwidth Digital Content Protection (HDCP) 2.2** | Yes | Yes | Yes | +| **NVIDIA GPU Boost** | Yes | Yes | Yes | + + + 1. *Recommended* + 2. *Supported* + +## Optimizing power and performance on Surface Book 3 + +Windows 10 includes a Battery Saver mode with a performance slider that lets you maximize app performance (by sliding it to the right) or preserve battery life (by sliding it to the left). Surface Book 3 implements this functionality algorithmically to optimize power and performance across the following components: + +- CPU Energy Efficiency Registers (Intel Speed Shift technology) and other SoC tuning parameters to maximize efficiency. +- Fan Maximum RPM with four modes: quiet, nominal, performance, and max. +- Processor Power Caps (PL1/PL2). +- Processor IA Turbo limitations. + +By default, when the battery drops below 20 percent, the Battery Saver adjusts settings to extend battery life. When connected to power, Surface Book 3 defaults to “Best Performance” settings to ensure apps run in high performance mode on the secondary NVIDIA GPU present on all i7 Surface Book 3 systems. + +Using default settings is recommended for optimal performance when used as a laptop or detached in tablet or studio mode. You can access Battery Saver by selecting the battery icon on the far right of the taskbar. + +### Game mode + +Surface Book 3 includes a new game mode that automatically selects maximum performance settings when launched. + +### Safe Detach + +New in Surface Book 3, apps enabled for Safe Detach let you disconnect while the app is using the GPU. For supported apps like *World of Warcraft*, your work is moved to the iGPU. + +### Modifying app settings to always use a specific GPU + +You can switch between the power-saving but still capable built-in Intel graphics and the more powerful discrete NVIDIA GPU and associate a GPU with a specific app. By default, Windows 10 automatically chooses the appropriate GPU, assigning graphically demanding apps to the discrete NVIDIA GPU. In most instances there is no need to manually adjust these settings. However, if you frequently detach and reattach the display from the keyboard base while using a graphically demanding app, you’ll typically need to close the app prior to detaching. To enable continuous use of the app without having to close it every time you detach or reattach the display, you can assign it to the integrated GPU, albeit with some loss of graphics performance. + +In some instances, Windows 10 may assign a graphically demanding app to be iGPU; for example, if the app is not fully optimized for hybrid graphics. To remedy this, you can manually assign the app to the discrete NVIDIA GPU. + +**To configure apps using custom per-GPU options:** + +1. Go to **Settings** > **System** > **Display** and select **Graphics Settings**. + + 1. For a Windows desktop program, choose **Classic App** > **Browse** and then locate the program. + 2. For a UWP app, choose **Universal App** and then select the app from the drop-down list. + +2. Select **Add** to create a new entry on the list for your selected program, select Options to open Graphics Specifications, and then select your desired option. + +  + +3. To verify which GPU are used for each app, open **Task Manager,** select **Performance,** and view the **GPU Engine** column. + + +## Appendix A: Surface Book 3 SKUs + +| **Display** | **Processor** | **GPU** | **RAM** | **Storage** | +| ------------- | --------------------------------- | ---------------------------------------------------------------------------------------------------- | ---------- | ----------- | +| **13.5-inch** | Quad-core 10th Gen Core i5-1035G7 | Intel Iris™ Plus Graphics | 16 LPDDR4x | 256 GB | +| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 16 LPDDR4x | 256 GB | +| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 32 LPDDR4x | 512 GB | +| **13.5-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1650. Max-Q Design with 4GB GDDR5 graphics memory | 32 LPDDR4x | 1 TB | +| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 16 LPDDR4x | 256 GB | +| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB | +| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB | +| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA GeForce GTX 1660 Ti. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 2 TB | +| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB | +| **15-inch** | Quad-core 10th Gen Core i7-1065G7 | Intel Iris Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB | + +> [!NOTE] +> 2TB SSD available in U.S. only: Surface Book 3 15” with NVIDIA GTX 1660Ti + +## Summary + +Built for performance, Surface Book 3 includes different GPU configurations optimized to meet specific workload and use requirements. An integrated Intel Iris graphics GPU functions as the sole GPU on the entry-level core i5 device and as a secondary GPU on all other models. GeForce GTX 1650 features a major upgrade of the core streaming multiprocessor to run complex graphics more efficiently. The faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements making it better for consumers, gamers, live streamers, and creative professionals. Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance. + + +## Learn more + +- [Surface Book 3 Quadro RTX 3000 technical overview](surface-book-quadro.md) +- [Surface for Business](https://www.microsoft.com/surface/business) diff --git a/devices/surface/surface-book-quadro.md b/devices/surface/surface-book-quadro.md new file mode 100644 index 0000000000..eaf5870411 --- /dev/null +++ b/devices/surface/surface-book-quadro.md @@ -0,0 +1,136 @@ +--- +title: Surface Book 3 GPU technical overview +description: This article describes the advanced capabilities enabled by Nvidia Quadro RTX 3000 in select Surface Book 3 for Business 15-inch models. +ms.prod: w10 +ms.mktglfcycl: manage +ms.localizationpriority: medium +ms.sitesec: library +author: coveminer +ms.author: v-jokai +ms.topic: article +ms.date: 5/06/2020 +ms.reviewer: brrecord +manager: laurawi +audience: itpro +--- + +# Surface Book 3 Quadro RTX 3000 technical overview + +Surface Book 3 for Business powered by the NVIDIA® Quadro RTX™ 3000 GPU is built for professionals who need real-time rendering, AI acceleration, and advanced graphics and compute performance in a portable form factor. Quadro RTX 3000 fundamentally changes what you can do with the new Surface Book 3: + +- **Ray Tracing** - Produce stunning renders, designs and animations faster than ever before with 30 RT Cores for hardware-accelerated ray tracing. +- **Artificial Intelligence** - Remove redundant, tedious tasks and compute intensive work with 240 Tensor Cores for GPU-accelerated AI. +- **Advanced Graphics and Compute Technology** - Experience remarkable speed and interactivity during your most taxing graphics and compute workloads with 1,920 CUDA Cores and 6GB of GDDR6 memory. + +## Enterprise grade solution + +Of paramount importance to commercial customers, Quadro RTX 3000 brings a fully professional grade solution that combines accelerated ray tracing and deep learning capabilities with an integrated enterprise level management and support solution. Quadro drivers are tested and certified for more than 100 professional applications by leading ISVs providing an additional layer of quality assurance to validate stability, reliability, and performance. + +Quadro includes dedicated enterprise tools for remote management of Surface Book 3 devices with Quadro RTX 3000. IT admins can remotely configure graphics systems, save/restore configurations, continuously monitor graphics systems and perform remote troubleshooting if necessary. These capabilities along with deployment tools help maximize uptime and minimize IT support requirements. + +NVIDIA develops and maintains Quadro Optimal Drivers for Enterprise (ODE) that are tuned, tested, and validated to provide enterprise level stability, reliability, availability, and support with extended product availability. Each driver release involves more than 2,000 man days of testing with professional applications test suites and test cases, as well as WHQL certification. Security threats are continually monitored, and regular security updates are released to protect against newly discovered vulnerabilities. In addition, Quadro drivers undergo an additional layer of testing by Surface engineering prior to release via Windows Update. + + +## Built for compute-intensive workloads + +Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance of any Surface laptop, enabling advanced professionals to work from anywhere. + +- **Creative professionals such as designers and animators.** Quadro RTX enables real-time cinematic-quality rendering through Turing-optimized ray tracing APIs such as NVIDIA OptiX, Microsoft DXR, and Vulkan. +- **Architects and engineers using large, complex computer aided design (CAD) models and assemblies.** The RTX platform features the new NGX SDK to infuse powerful AI-enhanced capabilities into visual applications. This frees up time and resources through intelligent manipulation of images, automation of repetitive tasks, and optimization of compute-intensive processes. +- **Software developers across manufacturing, media & entertainment, medical, and other industries.** Quadro RTX speeds application development with ray tracing, deep learning, and rasterization capabilities through industry-leading software SDKs and APIs. +- **Data scientists using Tensor Cores and CUDA cores to accelerate computationally intensive tasks and other deep learning operations.** By using sensors, increased connectivity, and deep learning, researchers and developers can enable AI applications for everything from autonomous vehicles to scientific research. + + +**Table 1. Quadro RTX 3000 performance features** + +| **Component** | **Description** | +| --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| RT cores | Dedicated hardware-based ray-tracing technology allows the GPU to render film quality, photorealistic objects and environments with physically accurate shadows, reflections, and refractions. The real-time ray-tracing engine works with NVIDIA OptiX, Microsoft DXR, and Vulkan APIs to deliver a level of realism far beyond what is possible using traditional rendering techniques. RT cores accelerate the Bounding Volume Hierarchy (BVH) traversal and ray casting functions using low number of rays casted through a pixel. | +| Enhanced tensor cores | Mixed-precision cores purpose-built for deep learning matrix arithmetic, deliver 8x TFLOPS for training compared with previous generation. Quadro RTX 3000 utilizes 240 Tensor Cores; each Tensor Core performs 64 floating point fused multiply-add (FMA) operations per clock, and each streaming multiprocessor (SM) performs a total of 1,024 individual floating-point operations per clock. In addition to supporting FP16/FP32 matrix operations, new Tensor Cores added INT8 (2,048 integer operations per clock) and experimental INT4 and INT1 (binary) precision modes for matrix operations. | +| Turing optimized software | Deep learning frameworks such as the Microsoft Cognitive Toolkit (CNTK), Caffe2, MXNet, TensorFlow, and others deliver significantly faster training times and higher multi-node training performance. GPU accelerated libraries such as cuDNN, cuBLAS, and TensorRT deliver higher performance for both deep learning inference and High-Performance Computing (HPC) applications. | +| NVIDIA CUDA parallel computing platform | Natively execute standard programming languages like C/C++ and Fortran, and APIs such as OpenCL, OpenACC and Direct Compute to accelerate techniques such as ray tracing, video and image processing, and computation fluid dynamics. | +| Advanced streaming multiprocessor (SM) architecture | Combined shared memory and L1 cache improve performance significantly, while simplifying programming and reducing the tuning required to attain best application performance. | +| High performance GDDR6 Memory | Quadro RTX 3000 features 6GB of frame buffer making it the ideal platform for handling large datasets and latency-sensitive applications. | +| Single instruction, multiple thread (SIMT) | New independent thread scheduling capability enables finer-grain synchronization and cooperation between parallel threads by sharing resources among small jobs. | +| Mixed-precision computing | 16-bit floating-point precision computing enables the training and deployment of larger neural networks. With independent parallel integer and floating-point data paths, the Turing SM handles workloads more efficiently using a mix of computation and addressing calculations. | +| Dynamic load balancing | Provides dynamic allocation capabilities of GPU resources for graphics and compute tasks as needed to maximize resource utilization. | +| Compute preemption | Preemption at the instruction-level provides finer grain control over compute tasks to prevent long-running applications from either monopolizing system resources or timing out. | +| H.264, H.265 and HEVC encode/decode engines | Enables faster than real-time performance for transcoding, video editing, and other encoding applications with two dedicated H.264 and HEVC encode engines and a dedicated decode engine that are independent of 3D/compute pipeline. | +| NVIDIA GPU boost 4.0 | Maximizes application performance automatically without exceeding the power and thermal envelope of the GPU. Allows applications to stay within the boost clock state longer under higher temperature threshold before dropping to a secondary temperature setting base clock. | + + **Table 2. Quadro RTX tech specs** + +| **Component** | **Description** | +| ---------------------------------------------------------- | --------------- | +| NVIDIA CUDA processing cores | 1,920 | +| NVIDIA RT Cores | 30 | +| Tensor Cores | 240 | +| GPU memory | 6 GB | +| Memory bandwidth | 288 Gbps | +| Memory type | GDDR6 | +| Memory interface | 192-bit | +| TGP max power consumption | 65W | +| Display port | 1.4 | +| OpenGL | 4.6 | +| Shader model | 5.1 | +| DirectX | 12.1 | +| PCIe generation | 3 | +| Single precision floating point performance (TFLOPS, Peak) | 5.4 | +| Tensor performance (TOPS, Peak) | 42.9 | +| NVIDIA FXAA/TX AA antialiasing | Yes | +| GPU direct for video | Yes | +| Vulkan support | Yes | +| NVIDIA 3D vision Pro | Yes | +| NVIDIA Optimus | Yes | + + +## App acceleration + +The following table shows how Quadro RTX 3000 provides significantly faster acceleration across leading professional applications. It includes SPECview perf 13 benchmark test results comparing Surface Book 3 15-inch with NVIDIA Quadro RTX 3000 versus Surface Book 2 15-inch with NVIDIA GeForce GTX 1060 devices in market March 2020. + +**Table 3. App acceleration on Surface Book 3 with Quadro RTX 3000** + +| **App** | **Quadro RTX 3000 app acceleration capabilities**
| +| ------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| Adobe Dimension | - RTX-accelerated ray tracing delivers photorealistic 3D rendering to 2D artists and designers. | +| Adobe Substance Alchemist | - Create and blend materials with ease, featuring RTX-accelerated AI. | +| Adobe Substance Painter | - Paint materials onto 3d models, featuring RTX accelerated bakers, and Iray RTX rendering which generates photorealistic imagery for interactive and batch rendering workflows.
| +| Adobe Substance Designer | - Author procedural materials featuring RTX accelerated bakers
- Uses NVIDIA Iray rendering including textures/substances and bitmap texture export to render in any Iray powered compatible with MDL.
- DXR-accelerated light and ambient occlusion baking. | +| Adobe Photoshop | - CUDA core acceleration enables faster editing with 30+ GPU-accelerated features such as blur gallery, liquify, smart sharpen, & perspective warp enable photographers and designers to modify images smoothly and quickly. | +| Adobe Lightroom | - Faster editing high res images with GPU-accelerated viewport, which enables the modeling of larger 3D scenes, and the rigging of more complex animations.
- GPU-accelerated image processing enables dramatically more responsive adjustments, especially on 4K or higher resolution displays.
- GPU-accelerated AI-powered “Enhance Details” for refining fine color detail of RAW images. | +| Adobe Illustrator | - Pan and zoom with GPU-accelerated canvas faster, which enables graphic designers and illustrators to pan across and zoom in and out of complex vector graphics smoothly and interactively. | +| Adobe
Premiere Pro | - Significantly faster editing and rendering video with GPU-accelerated effects vs CPU:
- GPU-accelerated effects with NVIDIA CUDA technology for real-time video editing and faster final frame rendering.
- GPU-accelerated AI Auto Reframe feature for intelligently converting landscape video to dynamically tracked portrait or square video. | +| Autodesk
Revit | - GPU-accelerated viewport for a smoother, more interactive design experience.
- Supports 3rd party GPU-accelerated 3D renderers such as V-Ray and Enscape. | +| Autodesk
3ds Max | - GPU-accelerated viewport graphics for fast, interactive 3D modelling and design.
- RTX-accelerated ray tracing and AI denoising ****with the default Arnold renderer.
- More than 70 percent faster compared with Surface Book 2 15”. | +| Autodesk
Maya | - RTX-accelerated ray tracing and AI denoising with the default Arnold renderer.
- OpenGL Viewport Acceleration. | +| Dassault Systemes
Solidworks | - Solidworks Interactive Ray Tracer (Visualize) accelerated by both RT Cores and Tensor Cores; AI-accelerated denoiser.
- Runs more than 50% faster compared with Surface Book 2 15” | +| Dassault Systemes
3D Experience Platform | - CATIA Interactive Ray Tracer (Live Rendering) accelerated by RT Cores.
- Catia runs more than 100% faster compared with Surface Book 2 15. | +| ImageVis3D | - Runs more than 2x faster compared with Surface Book 2 15”.. | +| McNeel & Associates
Rhino 3D | - GPU-accelerated viewport for a smooth and interactive modelling and design experience.
- Supports Cycles for GPU-accelerated 3D rendering. | +| Siemens NX | - Siemens NX Interactive Ray Tracer (Ray Traced Studio) accelerated by RT Cores.
- Runs more than 10 x faster compared with Surface Book 2 15”.. | +| Esri ArcGIS | - Real-time results from what took days & weeks, due to DL inferencing leveraging tensor cores. | +| PTC Creo | - Creo's real-time engineering simulation tool (Creo Simulation Live) built on CUDA.
- Runs more than 15% faster compared with Surface Book 2 15”. | +| Luxion KeyShot | - 3rd party Interactive Ray Tracer used by Solidworks, Creo, and Rhino. Accelerated by RT Cores, OptiX™ AI-accelerated denoising. | +| ANSYS
Discovery Live | - ANSYS real-time engineering simulation tool (ANSYS Discovery Live) built on CUDA | +## SKUs + +**Table 4. Surface Book 3 with Quadro RTX 3000 SKUs** + +| **Display** | **Processor** | **GPU** | **RAM** | **Storage** | +| ----------- | --------------------------------- | ------------------------------------------------------------------------------------------------ | ---------- | ----------- | +| 15-inch | Quad-core 10th Gen Core i7-1065G7 | Intel Iris™ Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 512 GB | +| 15-inch | Quad-core 10th Gen Core i7-1065G7 | Intel Iris™ Plus Graphics
NVIDIA Quadro RTX 3000. Max-Q Design with 6GB GDDR6 graphics memory | 32 LPDDR4x | 1 TB | + +## Summary + +Surface Book 3 with Quadro RTX 3000 delivers the best graphics performance on any Surface laptop, providing architects, engineers, developers, and data scientists with the tools they need to work efficiently from anywhere: + +- RTX-acceleration across multiple workflows like design, animation, video production, and more. +- Desktop-grade performance in a mobile form factor. +- Enterprise-class features, reliability, and support for mission-critical projects. + +## Learn more + +- [Surface Book 3 GPU technical overview](surface-book-GPU-overview.md) +- [Surface for Business](https://www.microsoft.com/surface/business) +- [Microsoft Cognitive Toolkit (CNTK)](https://docs.microsoft.com/cognitive-toolkit/) \ No newline at end of file diff --git a/devices/surface/surface-diagnostic-toolkit-business.md b/devices/surface/surface-diagnostic-toolkit-business.md index 11a032fb45..ae9ddc100b 100644 --- a/devices/surface/surface-diagnostic-toolkit-business.md +++ b/devices/surface/surface-diagnostic-toolkit-business.md @@ -6,12 +6,12 @@ ms.mktglfcycl: manage ms.localizationpriority: medium ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article -ms.date: 10/31/2019 +ms.date: 05/11/2020 ms.reviewer: hachidan manager: laurawi -ms.audience: itpro +audience: itpro --- # Deploy Surface Diagnostic Toolkit for Business @@ -41,6 +41,9 @@ Command line | Directly troubleshoot Surface devices remotely without user inter SDT for Business is supported on Surface 3 and later devices, including: +- Surface Book 3 +- Surface Go 2 +- Surface Pro X - Surface Pro 7 - Surface Laptop 3 - Surface Pro 6 @@ -116,6 +119,7 @@ In addition to the .exe file, SDT installs a JSON file and an admin.dll file (mo *Figure 2. Files installed by SDT* + ## Preparing the SDT package for distribution Creating a custom package allows you to target the tool to specific known issues. @@ -170,6 +174,18 @@ You can select to run a wide range of logs across applications, drivers, hardwar - [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md) ## Changes and updates + +### Version 2.94.139.0 +*Release date: May 11, 2020*
+This version of Surface Diagnostic Toolkit for Business adds support for the following: + +- Ability to skip Windows Update to perform hardware check. +- Ability to receive notifications for about the latest version update +- Surface Go 2 +- Surface Book 3 +- Show progress indicator + + ### Version 2.43.139.0 *Release date: October 21, 2019*
This version of Surface Diagnostic Toolkit for Business adds support for the following: diff --git a/devices/surface/surface-dock-whats-new.md b/devices/surface/surface-dock-whats-new.md new file mode 100644 index 0000000000..253a73b069 --- /dev/null +++ b/devices/surface/surface-dock-whats-new.md @@ -0,0 +1,124 @@ +--- +title: What’s new in Surface Dock 2 +description: This article highlights new features and functionality for the next generation Surface Dock. +ms.prod: w10 +ms.mktglfcycl: manage +ms.localizationpriority: medium +ms.sitesec: library +author: coveminer +ms.author: greglin +ms.topic: article +ms.date: 5/06/2020 +ms.reviewer: brrecord +manager: laurawi +audience: itpro +--- +# What’s new in Surface Dock 2 + +Surface Dock 2, the next generation Surface dock, lets users connect external monitors and multiple peripherals to obtain a fully modernized desktop experience from a Surface device. Built to maximize efficiency at the office, in a flexible workspace, or at home, Surface Dock 2 features seven ports, including two front-facing USB-C ports, with 15 watts of fast charging power for phone and accessories. Surface Dock 2 is designed to simplify IT management, enabling admins to automate firmware updates using Windows Update or centralize updates with internal software distribution tools. An extended set of management tools will be released via Windows update upon commercial distribution. + +## General system requirements + +- Windows 10 version 1809. There is no support for Windows 7, Windows 8, or non-Surface host devices. Surface Dock 2 works with the following Surface devices: + + - Surface Pro (5th Gen) + - Surface Pro (5th Gen) with LTE Advanced + - Surface Laptop (1st Gen) + - Surface Pro 6 + - Surface Book 2 + - Surface Laptop 2 + - Surface Go + - Surface Go with LTE Advanced + - Surface Studio 2 + - Surface Pro 7 + - Surface Laptop 3 + - Surface Book 3 + - Surface Go 2 + - Surface Go 2 with LTE Advanced + + +## Surface Dock 2 Components + + + +### USB + +- Two front facing USB-C ports. +- Two rear facing USB-C (gen 2) ports. +- Two rear facing USB-A ports. + +### Video + +- Dual 4K@60hz. Supports up to two displays on the following devices: + + - Surface Book 3 + - Surface Go 2 + - Surface Go 2 with LTE Advanced + - Surface Pro 7 + - Surface Pro X + - Surface Laptop 3 + +- Dual 4K@ 4K@30Hz. Supports up to two displays on the following devices: + + - Surface Pro 6 + - Surface Pro (5th Gen) + - Surface Pro (5th Gen) with LTE Advanced + - Surface Laptop 2 + - Surface Laptop (1st Gen) + - Surface Go + - Surface Book 2. + +### Ethernet + +- 1 gigabit Ethernet port. + +### External Power supply + +- 199 watts supporting 100V-240V. + + +## Comparing Surface Dock 2 + +### Table 1. Surface Dock 2 tech specs comparison + +|Component|Surface Dock|Surface Dock 2| +|---|---|---| +|Surflink|Yes|Yes| +|USB-A|2 front facing USB 3.1 Gen 1
2 rear facing USB 3.1 Gen 1|2 rear facing USB 3.2 Gen 2 (7.5W power)| +|Mini Display port|2 rear facing (DP1.2)|None| +|USB-C|None|2 front facing USB 3.2 Gen 2
[15W power]
2 rear facing USB 3.2 Gen 2 (DP1.4a)
[7.5W power]| +|3.5 mm Audio in/out|Yes|Yes| +|Ethernet|Yes, 1 gigabit|Yes 1 gigabit| +|DC power in|Yes|Yes| +|Kensington lock|Yes|Yes| +|Surflink cable length|65cm|80cm| +|Surflink host power|60W|120W| +|USB load power|30W|60W| +|USB bit rate|5 Gbps|10 Gbps| +|Monitor support|2 x 4k @30fps, or
1 x 4k @ 60fps|2 x 4K @ 60fps| +|Wake-on-LAN from Connected Standby1|Yes|Yes| +|Wake-on-LAN from S4/S5 sleep modes|No|Yes| +|Network PXE boot|Yes|Yes| +|SEMM host access control|No|Coming in Windows Update2| +|SEMM port access control3|No|Coming in Windows Update| +|Servicing support|MSI|Windows Update or MSI| +|||| + +1. *Devices must be configured for Wake on LAN via Surface Enterprise Management Mode (SEMM) or Device Firmware Control Interface (DFCI) to wake from Hibernation or Power-Off states. Wake from Hibernation or Power-Off is supported on Surface Pro 7, Surface Laptop 3, Surface Pro X, Surface Book 3, and Surface Go 2. Software license required for some features. Sold separately.* + +2. *Pending release via Windows Update.* + +3. *Software license required for some features. Sold separately.* + +## Streamlined device management + +Following the public announcement of Surface Dock 2, Surface will release streamlined management functionality via Windows Update enabling IT admins to utilize the following enterprise-grade features: + +- **Frictionless updates**. Update your docks silently and automatically, with Windows Update or Microsoft Endpoint Configuration Manager, (formerly System Center Configuration Manager - SCCM) or other MSI deployment tools. +- **Wake from the network**. Manage and access corporate devices without depending on users to keep their devices powered on. Even when a docked device is in sleep, hibernation, or power off mode, your team can wake from the network for service and management, using Endpoint Configuration Manager or other enterprise management tools. +- **Centralized IT control**. Control who can connect to Surface Dock 2 by turning ports on and off. Restrict which host devices can be used with Surface Dock 2. Limit dock access to a single user or configure docks so they can only be accessed by specific users in your team or across the entire company. + +## Next steps + +- [Surface Enterprise Management Mode](surface-enterprise-management-mode.md) +- [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md) diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index fc88993c64..4599e50712 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md @@ -7,12 +7,13 @@ ms.mktglfcycl: manage ms.pagetype: surface, devices, security ms.sitesec: library author: coveminer -ms.author: v-jokai +ms.author: greglin ms.topic: article ms.reviewer: scottmca manager: laurawi ms.localizationpriority: medium -ms.audience: itpro +audience: itpro +ms.date: 05/11/2020 --- # Microsoft Surface Enterprise Management Mode @@ -95,7 +96,7 @@ The following list shows all the available devices you can manage in SEMM: |Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled | | Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. | | Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. | -| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. | +| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the Boot page is displayed. | | DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. | @@ -227,6 +228,11 @@ create a reset package using PowerShell to reset SEMM. ## Version History +The latest version of SEMM released May 11, 2020 includes: +- Support for Surface Go 2 +- Support for Surface Book 3 +- Bug fixes + ### Version 2.59. * Support to Surface Pro 7, Surface Pro X, and Surface Laptop 3 13.5" and 15" models with Intel processor. Note: Surface Laptop 3 15" AMD processor is not supported. - Support to Wake on Power feature diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 42c6d6f42f..21616dc89e 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -382,56 +382,11 @@ To configure Surface UEFI settings or permissions for Surface UEFI settings, you The computer where ShowSettingsOptions.ps1 is run must have Microsoft Surface UEFI Manager installed, but the script does not require a Surface device. -The following tables show the available settings for Surface Pro 4 and later including Surface Pro 7, Surface Book, Surface Laptop 3, and Surface Go. +The best way to view the most current Setting names and IDs for devices is to use the ConfigureSEMM.ps1 script or the ConfigureSEMM -
| Database | -Location of Readme.txt file to use | -
|---|---|
Management database |
- ManagementDatabase subfolder |
-
Reporting database |
- ReportingDatabase subfolder |
-
For third-party MDM providers or management servers, check your product documentation. diff --git a/store-for-business/index.md b/store-for-business/index.md index 71a8c271d1..9ec42cc879 100644 --- a/store-for-business/index.md +++ b/store-for-business/index.md @@ -2,6 +2,7 @@ title: Microsoft Store for Business and Education (Windows 10) description: Welcome to the Microsoft Store for Business and Education. You can use Microsoft Store, to find, acquire, distribute, and manage apps for your organization or school. ms.assetid: 527E611E-4D47-44F0-9422-DCC2D1ACBAB8 +manager: dansimp ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -10,7 +11,7 @@ author: TrudyHa ms.author: TrudyHa ms.topic: conceptual ms.localizationpriority: high -ms.date: 10/17/2017 +ms.date: 05/14/2020 --- # Microsoft Store for Business and Education diff --git a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md index 9ee527503b..728f4943a1 100644 --- a/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md +++ b/windows/application-management/app-v/appv-deploy-the-appv-server-with-a-script.md @@ -1,6 +1,6 @@ --- title: How to Deploy the App-V Server Using a Script (Windows 10) -description: How to Deploy the App-V Server Using a Script +description: Information, lists, and tables that can help you deploy the App-V server using a script author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-deploying-appv.md b/windows/application-management/app-v/appv-deploying-appv.md index d71a0f0476..14493f0b25 100644 --- a/windows/application-management/app-v/appv-deploying-appv.md +++ b/windows/application-management/app-v/appv-deploying-appv.md @@ -1,6 +1,6 @@ --- title: Deploying App-V (Windows 10) -description: Deploying App-V +description: App-V supports several different deployment options. Learn how to complete App-V deployment at different stages in your App-V deployment. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index e90fc8be78..ba7107286e 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,6 +1,6 @@ --- title: Deploying Microsoft Office 2016 by using App-V (Windows 10) -description: Deploying Microsoft Office 2016 by using App-V +description: Use Application Virtualization (App-V) to deliver Microsoft Office 2016 as a virtualized application to computers in your organization. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-evaluating-appv.md b/windows/application-management/app-v/appv-evaluating-appv.md index df7f76ca07..9eb57e8521 100644 --- a/windows/application-management/app-v/appv-evaluating-appv.md +++ b/windows/application-management/app-v/appv-evaluating-appv.md @@ -1,6 +1,6 @@ --- title: Evaluating App-V (Windows 10) -description: Evaluating App-V for Windows 10 +description: Learn how to evaluate App-V for Windows 10 in a lab environment before deploying into a production environment. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index 3b54154537..e03e524b5a 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md @@ -1,6 +1,6 @@ --- title: Maintaining App-V (Windows 10) -description: Maintaining App-V +description: After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-preparing-your-environment.md b/windows/application-management/app-v/appv-preparing-your-environment.md index 57989881e0..991209bd1b 100644 --- a/windows/application-management/app-v/appv-preparing-your-environment.md +++ b/windows/application-management/app-v/appv-preparing-your-environment.md @@ -1,13 +1,13 @@ --- title: Preparing Your Environment for App-V (Windows 10) -description: Preparing Your Environment for App-V -author: lomayor +description: Use this info to prepare for deployment configurations and prerequisites for Microsoft Application Virtualization (App-V). ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 ms.reviewer: +author: dansimp manager: dansimp ms.author: dansimp ms.topic: article diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index cd4469abe5..565f150699 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md @@ -1,6 +1,6 @@ --- title: How to publish a package by using the Management console (Windows 10) -description: How to publish a package by using the Management console. +description: Learn how the Management console in App-V can help you enable admin controls as well as publish App-V packages. author: lomayor ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 7f0c586ed7..c27ad32063 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -2,7 +2,7 @@ title: Windows 10 - Apps ms.reviewer: manager: dansimp -description: What are Windows, UWP, and Win32 apps +description: Use this article to understand the different types of apps that run on Windows 10, such as UWP and Win32 apps. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/application-management/change-history-for-application-management.md b/windows/application-management/change-history-for-application-management.md index fdb6834a7a..e7e6041a1d 100644 --- a/windows/application-management/change-history-for-application-management.md +++ b/windows/application-management/change-history-for-application-management.md @@ -1,6 +1,6 @@ --- title: Change history for Application management in Windows 10 (Windows 10) -description: View changes to documentation for application management in Windows 10. +description: View new release information and updated topics in the documentation for application management in Windows 10. keywords: ms.prod: w10 ms.mktglfcycl: manage diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md index 1100a66787..4245e9fb23 100644 --- a/windows/application-management/per-user-services-in-windows.md +++ b/windows/application-management/per-user-services-in-windows.md @@ -1,6 +1,6 @@ --- title: Per-user services in Windows 10 and Windows Server -description: Learn about per-user services introduced in Windows 10. +description: Learn about per-user services, how to change the template service Startup Type, and manage per-user services through Group Policy and security templates. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 124846eb32..4af9868736 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md @@ -2,7 +2,7 @@ title: Advanced Troubleshooting 802.1X Authentication ms.reviewer: manager: dansimp -description: Learn how 802.1X Authentication works +description: Troubleshoot authentication flow by learning how 802.1X Authentication works for wired and wireless clients. keywords: advanced troubleshooting, 802.1X authentication, troubleshooting, authentication, Wi-Fi ms.prod: w10 ms.mktglfcycl: @@ -73,7 +73,7 @@ The following article explains how to analyze CAPI2 event logs: When troubleshooting complex 802.1X authentication issues, it is important to understand the 802.1X authentication process. The following figure is an example of wireless connection process with 802.1X authentication: - + If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter in for a client side capture, and **EAP** for an NPS side capture. See the following examples: diff --git a/windows/client-management/data-collection-for-802-authentication.md b/windows/client-management/data-collection-for-802-authentication.md index e866b0d7c4..58f94bd27e 100644 --- a/windows/client-management/data-collection-for-802-authentication.md +++ b/windows/client-management/data-collection-for-802-authentication.md @@ -2,7 +2,7 @@ title: Data collection for troubleshooting 802.1X authentication ms.reviewer: manager: dansimp -description: Data needed for reviewing 802.1X Authentication issues +description: Use the steps in this article to collect data that can be used to troubleshoot 802.1X authentication issues. keywords: troubleshooting, data collection, data, 802.1X authentication, authentication, data ms.prod: w10 ms.mktglfcycl: diff --git a/windows/client-management/index.md b/windows/client-management/index.md index 3838366e1a..477c88252a 100644 --- a/windows/client-management/index.md +++ b/windows/client-management/index.md @@ -1,6 +1,6 @@ --- title: Client management (Windows 10) -description: Windows 10 client management +description: Learn about the administrative tools, tasks and best practices for managing Windows 10 and Windows 10 Mobile clients across your enterprise. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 9d7b5546ff..35227e3c16 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -15,23 +15,18 @@ ms.topic: article # Create mandatory user profiles - **Applies to** -- Windows 10 +- Windows 10 +A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. +Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. -A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned. - -Mandatory user profiles are useful when standardization is important, such as on a kiosk device or in educational settings. Only system administrators can make changes to mandatory user profiles. - -When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile. +When the server that stores the mandatory profile is unavailable, such as when the user is not connected to the corporate network, users with mandatory profiles can sign in with the locally cached copy of the mandatory profile, if one exists. Otherwise, the user will be signed in with a temporary profile. User profiles become mandatory profiles when the administrator renames the NTuser.dat file (the registry hive) of each user's profile in the file system of the profile server from `NTuser.dat` to `NTuser.man`. The `.man` extension causes the user profile to be a read-only profile. - - ## Profile extension for each Windows version The name of the folder in which you store the mandatory profile must use the correct extension for the operating system it will be applied to. The following table lists the correct extension for each operating system version. @@ -45,121 +40,112 @@ The name of the folder in which you store the mandatory profile must use the cor | Windows 10, versions 1507 and 1511 | N/A | v5 | | Windows 10, versions 1607, 1703, 1709, 1803, 1809 and 1903 | Windows Server 2016 and Windows Server 2019 | v6 | -For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). +For more information, see [Deploy Roaming User Profiles, Appendix B](https://docs.microsoft.com/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#appendix-b-profile-version-reference-information) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). -## How to create a mandatory user profile +## Mandatory user profile First, you create a default user profile with the customizations that you want, run Sysprep with CopyProfile set to **True** in the answer file, copy the customized default user profile to a network share, and then you rename the profile to make it mandatory. -**To create a default user profile** +### How to create a default user profile 1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. > [!NOTE] > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. -2. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. +1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. - >[!NOTE] - >Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). + > [!NOTE] + > Unlike previous versions of Windows, you cannot apply a Start and taskbar layout using a mandatory profile. For alternative methods for customizing the Start menu and taskbar, see [Related topics](#related-topics). -3. [Create an answer file (Unattend.xml)](https://msdn.microsoft.com/library/windows/hardware/dn915085.aspx) that sets the [CopyProfile](https://msdn.microsoft.com/library/windows/hardware/dn922656.aspx) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://msdn.microsoft.com/library/windows/hardware/dn922445.aspx), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. +1. [Create an answer file (Unattend.xml)](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/create-or-open-an-answer-file) that sets the [CopyProfile](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-copyprofile) parameter to **True**. The CopyProfile parameter causes Sysprep to copy the currently signed-on user’s profile folder to the default user profile. You can use [Windows System Image Manager](https://docs.microsoft.com/windows-hardware/customize/desktop/wsim/windows-system-image-manager-technical-reference), which is part of the Windows Assessment and Deployment Kit (ADK) to create the Unattend.xml file. -3. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=winserver2012-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10). +1. Uninstall any application you do not need or want from the PC. For examples on how to uninstall Windows 10 Application see [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps). For a list of uninstallable applications, see [Understand the different apps included in Windows 10](https://docs.microsoft.com/windows/application-management/apps-in-windows-10). + > [!NOTE] + > It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. - >[!NOTE] - >It is highly recommended to uninstall unwanted or unneeded apps as it will speed up user sign-in times. +1. At a command prompt, type the following command and press **ENTER**. -3. At a command prompt, type the following command and press **ENTER**. + ```dos + sysprep /oobe /reboot /generalize /unattend:unattend.xml + ``` - `sysprep /oobe /reboot /generalize /unattend:unattend.xml` - - (Sysprep.exe is located at: C:\Windows\System32\sysprep. By default, Sysprep looks for unattend.xml in this same folder.) + (Sysprep.exe is located at: C:\\Windows\\System32\\sysprep. By default, Sysprep looks for unattend.xml in this same folder.) > [!TIP] - > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\System32\Sysprep\Panther\setupact.log and look for an entry like the following: - > + > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following: + > >  - > - > Use the [Remove-AppxProvisionedPackage](https://technet.microsoft.com/library/dn376476%28v=wps.620%29.aspx) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. + > + > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log. -4. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges. +1. The sysprep process reboots the PC and starts at the first-run experience screen. Complete the set up, and then sign in to the computer using an account that has local administrator privileges. -5. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section. +1. Right-click Start, go to **Control Panel** (view by large or small icons) > **System** > **Advanced system settings**, and click **Settings** in the **User Profiles** section. -6. In **User Profiles**, click **Default Profile**, and then click **Copy To**. +1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.  -7. In **Copy To**, under **Permitted to use**, click **Change**. +1. In **Copy To**, under **Permitted to use**, click **Change**.  -8. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. +1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**. -9. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#extension) for the operating system version. For example, the folder name must end with “.v6” to identify it as a user profile folder for Windows 10, version 1607. +1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607. - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. + - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. -  +  -10. Click **OK** to copy the default user profile. +1. Click **OK** to copy the default user profile. +### How to make the user profile mandatory -**To make the user profile mandatory** +1. In File Explorer, open the folder where you stored the copy of the profile. + > [!NOTE] + > If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes. -3. In File Explorer, open the folder where you stored the copy of the profile. +1. Rename `Ntuser.dat` to `Ntuser.man`. - >[!NOTE] - >If the folder is not displayed, click **View** > **Options** > **Change folder and search options**. On the **View** tab, select **Show hidden files and folders**, clear **Hide protected operating system files**, click **Yes** to confirm that you want to show operating system files, and then click **OK** to save your changes. - -4. Rename `Ntuser.dat` to `Ntuser.man`. - -## How to apply a mandatory user profile to users +## Apply a mandatory user profile to users In a domain, you modify properties for the user account to point to the mandatory profile in a shared folder residing on the server. -**To apply a mandatory user profile to users** +### How to apply a mandatory user profile to users 1. Open **Active Directory Users and Computers** (dsa.msc). -2. Navigate to the user account that you will assign the mandatory profile to. +1. Navigate to the user account that you will assign the mandatory profile to. -3. Right-click the user name and open **Properties**. +1. Right-click the user name and open **Properties**. -4. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\profile.v6, you would enter \\\\*server*\profile. +1. On the **Profile** tab, in the **Profile path** field, enter the path to the shared folder without the extension. For example, if the folder name is \\\\*server*\\profile.v6, you would enter \\\\*server*\\profile. -5. Click **OK**. +1. Click **OK**. It may take some time for this change to replicate to all domain controllers. - - ## Apply policies to improve sign-in time When a user is configured with a mandatory profile, Windows 10 starts as though it was the first sign-in each time the user signs in. To improve sign-in performance for users with mandatory user profiles, apply the Group Policy settings shown in the following table. (The table shows which operating system versions each policy setting can apply to.) - | Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 | | --- | --- | --- | --- | --- | | Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  | | Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  | | Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  | -> [!Note] +> [!NOTE] > The Group Policy settings above can be applied in Windows 10 Professional edition. - - - - ## Related topics - [Manage Windows 10 Start layout and taskbar options](/windows/configuration/windows-10-start-layout-options-and-policies) - [Lock down Windows 10 to specific apps](/windows/configuration/lock-down-windows-10-to-specific-apps) - [Windows Spotlight on the lock screen](/windows/configuration/windows-spotlight) - [Configure devices without MDM](/windows/configuration/configure-devices-without-mdm) - diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 9241a7fdf7..476d73c694 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -159,15 +159,15 @@ #### [Personalization DDF file](personalization-ddf.md) ### [Policy CSP](policy-configuration-service-provider.md) #### [Policy DDF file](policy-ddf-file.md) -#### [Policies supported by Group Policy](policies-supported-by-group-policy.md) -#### [ADMX-backed policies](policies-admx-backed.md) -#### [Policies supported by HoloLens 2](policies-supported-by-hololens2.md) -#### [Policies supported by HoloLens (1st gen) Commercial Suite](policies-supported-by-hololens-1st-gen-commercial-suite.md) -#### [Policies supported by HoloLens (1st gen) Development Edition](policies-supported-by-hololens-1st-gen-development-edition.md) -#### [Policies supported by Windows 10 IoT Enterprise](policies-supported-by-iot-enterprise.md) -#### [Policies supported by Windows 10 IoT Core](policies-supported-by-iot-core.md) -#### [Policies supported by Microsoft Surface Hub](policies-supported-by-surface-hub.md) -#### [Policies that can be set using Exchange Active Sync (EAS)](policies-that-can-be-set-using-eas.md) +#### [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md) +#### [ADMX-backed policy CSPs](policy-csps-admx-backed.md) +#### [Policy CSPs supported by HoloLens 2](policy-csps-supported-by-hololens2.md) +#### [Policy CSPs supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) +#### [Policy CSPs supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +#### [Policy CSPs supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md) +#### [Policy CSPs supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md) +#### [Policy CSPs supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md) +#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md) #### [AboveLock](policy-csp-abovelock.md) #### [Accounts](policy-csp-accounts.md) #### [ActiveXControls](policy-csp-activexcontrols.md) diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md index 1a79f57833..2c8cfbc647 100644 --- a/windows/client-management/mdm/alljoynmanagement-ddf.md +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md @@ -1,6 +1,6 @@ --- title: AllJoynManagement DDF -description: AllJoynManagement DDF +description: Learn the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md index 121f28dad6..4293995ef5 100644 --- a/windows/client-management/mdm/applicationcontrol-csp.md +++ b/windows/client-management/mdm/applicationcontrol-csp.md @@ -13,17 +13,15 @@ ms.date: 05/21/2019 # ApplicationControl CSP -Windows Defender Application Control (WDAC) policies can be managed from an MDM server through ApplicationControl configuration service provider (CSP). This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike [AppLocker CSP](applocker-csp.md), ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. -Existing WDAC policies deployed using AppLocker CSP’s CodeIntegrity node can now be deployed using ApplicationControl CSP URI. Although WDAC policy deployment via AppLocker CSP will continue to be supported, all new feature work will be done in ApplicationControl CSP only. +Windows Defender Application Control (WDAC) policies can be managed from an MDM server or locally using PowerShell via the WMI Bridge through the ApplicationControl configuration service provider (CSP). The ApplicationControl CSP was added in Windows 10, version 1903. This CSP provides expanded diagnostic capabilities and support for [multiple policies](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) (introduced in Windows 10, version 1903). It also provides support for rebootless policy deployment (introduced in Windows 10, version 1709). Unlike the [AppLocker CSP](applocker-csp.md), the ApplicationControl CSP correctly detects the presence of no-reboot option and consequently does not schedule a reboot. +Existing WDAC policies deployed using the AppLocker CSP's CodeIntegrity node can now be deployed using the ApplicationControl CSP URI. Although WDAC policy deployment via the AppLocker CSP will continue to be supported, all new feature work will be done in the ApplicationControl CSP only. -ApplicationControl CSP was added in Windows 10, version 1903. - -The following diagram shows ApplicationControl CSP in tree format. +The following diagram shows the ApplicationControl CSP in tree format.  **./Vendor/MSFT/ApplicationControl** -Defines the root node for ApplicationControl CSP. +Defines the root node for the ApplicationControl CSP. Scope is permanent. Supported operation is Get. @@ -33,7 +31,7 @@ An interior node that contains all the policies, each identified by their global Scope is permanent. Supported operation is Get. **ApplicationControl/Policies/_Policy GUID_** -ApplicationControl CSP enforces that the “ID” segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node. +The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node. Scope is dynamic. Supported operation is Get. @@ -121,11 +119,11 @@ Value type is char. For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) -## Non-Intune Usage Guidance +## Generic MDM Server Usage Guidance In order to leverage the ApplicationControl CSP without using Intune, you must: -1. Know a generated policy’s GUID, which can be found in the policy xml as
The root node for the CSP. +The root node for the CSP. **Settings** -
The root node for the Windows Information Protection (WIP) configuration settings. +The root node for the Windows Information Protection (WIP) configuration settings. **Settings/EDPEnforcementLevel** -
Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. +Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. -
The following list shows the supported values: +The following list shows the supported values: - 0 (default) – Off / No protection (decrypts previously protected data). - 1 – Silent mode (encrypt and audit only). - 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). - 3 – Hides overrides (encrypt, prompt but hide overrides, and audit). -
Supported operations are Add, Get, Replace and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/EnterpriseProtectedDomainNames** -
A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. +A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. -
Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. +Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. -> **Note** The client requires domain name to be canonical, otherwise the setting will be rejected by the client. +> [!Note] +> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. -
Here are the steps to create canonical domain names: +Here are the steps to create canonical domain names: -1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. +1. Transform the ASCII characters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com. 2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. 3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). -
Supported operations are Add, Get, Replace and Delete. Value type is string. +Supported operations are Add, Get, Replace, and Delete. Value type is string. **Settings/AllowUserDecryption** -
Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. +Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. > [!IMPORTANT] > Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. -
The following list shows the supported values: +The following list shows the supported values: - 0 – Not allowed. - 1 (default) – Allowed. -
Most restricted value is 0. +Most restricted value is 0. -
Supported operations are Add, Get, Replace and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RequireProtectionUnderLockConfig** -
Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy. +Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy. -
The following list shows the supported values: +The following list shows the supported values: - 0 (default) – Not required. - 1 – Required. -
Most restricted value is 1. +Most restricted value is 1. -
The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware. +The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware. -> **Note** This setting is only supported in Windows 10 Mobile. +> [!Note] +> This setting is only supported in Windows 10 Mobile. -
Supported operations are Add, Get, Replace and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/DataRecoveryCertificate** -
Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy. +Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy. -> **Note** If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced. +> [!Note] +> If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced. -
DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. +DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. The binary blob is the serialized version of following structure: ``` syntax @@ -231,60 +234,59 @@ typedef enum _PUBLIC_KEY_SOURCE_TAG { ``` -
For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. +For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. -
Supported operations are Add, Get, Replace and Delete. Value type is base-64 encoded certificate. +Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. **Settings/RevokeOnUnenroll** -
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. +This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. -
The following list shows the supported values: +The following list shows the supported values: - 0 – Don't revoke keys. - 1 (default) – Revoke keys. -
Supported operations are Add, Get, Replace and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RevokeOnMDMHandoff** -
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. +Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. - 0 - Don't revoke keys - 1 (default) - Revoke keys -
Supported operations are Add, Get, Replace and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/RMSTemplateIDForEDP** -
TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access. +TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access. -
Supported operations are Add, Get, Replace and Delete. Value type is string (GUID). +Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID). **Settings/AllowAzureRMSForEDP** -
Specifies whether to allow Azure RMS encryption for WIP. +Specifies whether to allow Azure RMS encryption for WIP. - 0 (default) – Don't use RMS. - 1 – Use RMS. -
Supported operations are Add, Get, Replace and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Settings/SMBAutoEncryptedFileExtensions** -
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. -
When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. -
Supported operations are Add, Get, Replace and Delete. Value type is string. +Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use semicolon (;) delimiter in the list. +When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. +Supported operations are Add, Get, Replace and Delete. Value type is string. **Settings/EDPShowIcons** -
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. - -
The following list shows the supported values: +Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. +The following list shows the supported values: - 0 (default) - No WIP overlays on icons or tiles. - 1 - Show WIP overlays on protected files and apps that can only create enterprise content. -
Supported operations are Add, Get, Replace and Delete. Value type is integer. +Supported operations are Add, Get, Replace, and Delete. Value type is integer. **Status** -
A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. +A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. -
Suggested values: +Suggested values:
Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709. |
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| ADMX-backed policies in Policy CSP | +ADMX-backed policies in Policy CSP | Added new policies. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | + 4 |
+
| Business | +4 |
+
| Enterprise | +4 |
+
| Education | +4 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Network security: Minimum session security for NTLM SSP based (including secure RPC) clients. + +This security setting allows a client device to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value. The options are: + +- Require NTLMv2 session security: The connection will fail if message integrity is not negotiated. +- Require 128-bit encryption: The connection will fail if strong encryption (128-bit) is not negotiated. + +Default: + +Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. + +Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. + + + +GP Info: +- GP English name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + + + +
+ **LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers** diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md index aefb521407..b96fcd749d 100644 --- a/windows/client-management/mdm/policy-csp-messaging.md +++ b/windows/client-management/mdm/policy-csp-messaging.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Messaging -description: Policy CSP - Messaging +description: Enable, and disable, text message back up and restore as well as Messaging Everywhere by using the Policy CSP for messaging. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md index 8433af94b3..2d4e4b33d0 100644 --- a/windows/client-management/mdm/policy-csp-notifications.md +++ b/windows/client-management/mdm/policy-csp-notifications.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Notifications -description: Policy CSP - Notifications +description: Block applications from using the network to send tile, badge, toast, and raw notifications for Policy CSP - Notifications. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-power.md b/windows/client-management/mdm/policy-csp-power.md index e5adaec521..f0f51bdb9f 100644 --- a/windows/client-management/mdm/policy-csp-power.md +++ b/windows/client-management/mdm/policy-csp-power.md @@ -1,6 +1,6 @@ --- title: Policy CSP - Power -description: Policy CSP - Power +description: Learn the ins and outs of various Policy CSP - Power settings, including SyncML, for Windows 10. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 8053b57d73..3b7a445092 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -8,14 +8,14 @@ ms.technology: windows author: manikadhiman ms.localizationpriority: medium ms.date: 04/07/2020 - ms.reviewer: manager: dansimp --- # Policy CSP - RestrictedGroups - +> [!WARNING] +> Some information in this article relates to prereleased products, which may be substantially modified before they are commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -86,7 +86,7 @@ For example, you can create a Restricted Groups policy to allow only specified u > |----------|----------|----------|----------| > | 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | -Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. +Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group and should be used with caution. ```xml
XML accepts group and member only by name.
Supports configuring the administrators group using the group name.
Expects member name to be in the account name format. | +| Windows 10, version 1809
Windows 10, version 1903
Windows 10, version 1909 | Supports configuring any local group.
`
`
This is useful when you want to ensure a certain local group always has a well-known SID as member. | +| The latest release of Windows 10 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate. | + +
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 52098ee14c..9949285fca 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -7,13 +7,16 @@ ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 10/04/2019 +ms.date: 02/10/2020 ms.reviewer: manager: dansimp --- # Policy CSP - Update +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + > [!NOTE] > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are). @@ -194,6 +197,9 @@ manager: dansimp
+ +**Update/TargetReleaseVersion** + + +
| Windows Edition | +Supported? | +
|---|---|
| Home | + |
+
| Pro | +4 |
+
| Business | +4 |
+
| Enterprise | +4 |
+
| Education | +4 |
+
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10, version 1803 and later. Enables IT administrators to specify which version they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy. For details about different Windows 10 versions, see [Windows 10 release information](https://docs.microsoft.com/windows/release-information/). + + +ADMX Info: +- GP English name: *Select the target Feature Update version* +- GP name: *TargetReleaseVersion* +- GP element: *TargetReleaseVersionId* +- GP path: *Windows Components/Windows Update/Windows Update for Business* +- GP ADMX file name: *WindowsUpdate.admx* + + + +Value type is a string containing Windows 10 version number. For example, 1809, 1903. + + + + + + + + + +
+ **Update/UpdateNotificationLevel** @@ -4371,11 +4445,13 @@ ADMX Info: Footnotes: -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in Windows 10, version 1903. +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. + diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md index 25159c3271..ef56c8dd9a 100644 --- a/windows/client-management/mdm/policy-csp-userrights.md +++ b/windows/client-management/mdm/policy-csp-userrights.md @@ -1260,6 +1260,11 @@ GP Info: - GP English name: *Increase scheduling priority* - GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment* +> [!Warning] +> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver. +> +> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission. + diff --git a/windows/client-management/mdm/policy-csps-admx-backed.md b/windows/client-management/mdm/policy-csps-admx-backed.md new file mode 100644 index 0000000000..f79f85154e --- /dev/null +++ b/windows/client-management/mdm/policy-csps-admx-backed.md @@ -0,0 +1,421 @@ +--- +title: ADMX-backed policy CSPs +description: ADMX-backed policy CSPs +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 07/18/2019 +--- + +# ADMX-backed policy CSPs + +> [!div class="op_single_selector"] +> +> - [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md) +> - [ADMX-backed policy-CSPs](policy-csps-admx-backed.md) +> + +- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) +- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) +- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) +- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) +- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) +- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts) +- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux) +- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver) +- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions) +- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions) +- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload) +- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode) +- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal) +- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser) +- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1) +- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2) +- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) +- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) +- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) +- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl) +- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) +- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) +- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) +- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot) +- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval) +- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries) +- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode) +- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache) +- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist) +- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist) +- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation) +- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism) +- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms) +- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) +- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) +- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) +- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui) +- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp) +- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp) +- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) +- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths) +- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge) +- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) +- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) +- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials) +- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) +- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) +- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) +- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) +- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) +- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork) +- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) +- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) +- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) +- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) +- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification) +- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata) +- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay) +- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior) +- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) +- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) +- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) +- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) +- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) +- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) +- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) +- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) +- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) +- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) +- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) +- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) +- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar) +- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) +- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) +- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) +- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) +- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) +- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) +- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) +- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) +- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) +- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) +- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) +- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) +- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) +- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) +- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) +- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) +- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) +- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) +- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) +- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) +- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) +- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) +- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) +- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview) +- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) +- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) +- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) +- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) +- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) +- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) +- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync) +- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) +- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) +- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) +- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) +- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) +- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) +- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) +- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) +- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) +- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) +- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) +- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) +- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete) +- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) +- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) +- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) +- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) +- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) +- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) +- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) +- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) +- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) +- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) +- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) +- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) +- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) +- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) +- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) +- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) +- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer) +- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) +- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) +- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) +- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) +- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) +- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) +- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) +- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) +- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) +- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) +- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) +- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) +- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) +- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) +- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) +- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) +- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) +- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) +- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) +- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) +- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) +- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) +- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) +- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) +- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) +- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) +- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) +- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) +- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) +- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) +- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) +- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) +- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) +- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage) +- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) +- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) +- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) +- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) +- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) +- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) +- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) +- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) +- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) +- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) +- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) +- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) +- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) +- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) +- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) +- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) +- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) +- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) +- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) +- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) +- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) +- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) +- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) +- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) +- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) +- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) +- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) +- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) +- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) +- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) +- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) +- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) +- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) +- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) +- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) +- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) +- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) +- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) +- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) +- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) +- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) +- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) +- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) +- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) +- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) +- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) +- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) +- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) +- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) +- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) +- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) +- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) +- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) +- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) +- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) +- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) +- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) +- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) +- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) +- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) +- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) +- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) +- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) +- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) +- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client) +- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service) +- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient) +- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice) +- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement) +- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client) +- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service) +- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication) +- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient) +- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice) +- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials) +- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel) +- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts) +- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener) +- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener) +- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) +- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) +- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess) +- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers) +- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout) +- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory) +- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) +- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) +- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) +- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) +- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) +- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) +- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) +- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) +- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) +- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) +- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) +- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) +- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) + +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csps-supported-by-group-policy.md b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md new file mode 100644 index 0000000000..328dfe2238 --- /dev/null +++ b/windows/client-management/mdm/policy-csps-supported-by-group-policy.md @@ -0,0 +1,913 @@ +--- +title: Policy CSPs supported by Group Policy +description: Policy CSPs supported by Group Policy +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 07/18/2019 +--- + +# Policy CSPs supported by Group Policy + +> [!div class="op_single_selector"] +> +> - [Policy CSPs supported by Group Policy](policy-csps-supported-by-group-policy.md) +> - [ADMX-backed policy CSPs](policy-csps-admx-backed.md) +> + +- [AboveLock/AllowCortanaAboveLock](./policy-csp-abovelock.md#abovelock-allowcortanaabovelock) +- [ActiveXControls/ApprovedInstallationSites](./policy-csp-activexcontrols.md#activexcontrols-approvedinstallationsites) +- [AppRuntime/AllowMicrosoftAccountsToBeOptional](./policy-csp-appruntime.md#appruntime-allowmicrosoftaccountstobeoptional) +- [AppVirtualization/AllowAppVClient](./policy-csp-appvirtualization.md#appvirtualization-allowappvclient) +- [AppVirtualization/AllowDynamicVirtualization](./policy-csp-appvirtualization.md#appvirtualization-allowdynamicvirtualization) +- [AppVirtualization/AllowPackageCleanup](./policy-csp-appvirtualization.md#appvirtualization-allowpackagecleanup) +- [AppVirtualization/AllowPackageScripts](./policy-csp-appvirtualization.md#appvirtualization-allowpackagescripts) +- [AppVirtualization/AllowPublishingRefreshUX](./policy-csp-appvirtualization.md#appvirtualization-allowpublishingrefreshux) +- [AppVirtualization/AllowReportingServer](./policy-csp-appvirtualization.md#appvirtualization-allowreportingserver) +- [AppVirtualization/AllowRoamingFileExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingfileexclusions) +- [AppVirtualization/AllowRoamingRegistryExclusions](./policy-csp-appvirtualization.md#appvirtualization-allowroamingregistryexclusions) +- [AppVirtualization/AllowStreamingAutoload](./policy-csp-appvirtualization.md#appvirtualization-allowstreamingautoload) +- [AppVirtualization/ClientCoexistenceAllowMigrationmode](./policy-csp-appvirtualization.md#appvirtualization-clientcoexistenceallowmigrationmode) +- [AppVirtualization/IntegrationAllowRootGlobal](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootglobal) +- [AppVirtualization/IntegrationAllowRootUser](./policy-csp-appvirtualization.md#appvirtualization-integrationallowrootuser) +- [AppVirtualization/PublishingAllowServer1](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver1) +- [AppVirtualization/PublishingAllowServer2](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver2) +- [AppVirtualization/PublishingAllowServer3](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver3) +- [AppVirtualization/PublishingAllowServer4](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver4) +- [AppVirtualization/PublishingAllowServer5](./policy-csp-appvirtualization.md#appvirtualization-publishingallowserver5) +- [AppVirtualization/StreamingAllowCertificateFilterForClient_SSL](./policy-csp-appvirtualization.md#appvirtualization-streamingallowcertificatefilterforclient-ssl) +- [AppVirtualization/StreamingAllowHighCostLaunch](./policy-csp-appvirtualization.md#appvirtualization-streamingallowhighcostlaunch) +- [AppVirtualization/StreamingAllowLocationProvider](./policy-csp-appvirtualization.md#appvirtualization-streamingallowlocationprovider) +- [AppVirtualization/StreamingAllowPackageInstallationRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackageinstallationroot) +- [AppVirtualization/StreamingAllowPackageSourceRoot](./policy-csp-appvirtualization.md#appvirtualization-streamingallowpackagesourceroot) +- [AppVirtualization/StreamingAllowReestablishmentInterval](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentinterval) +- [AppVirtualization/StreamingAllowReestablishmentRetries](./policy-csp-appvirtualization.md#appvirtualization-streamingallowreestablishmentretries) +- [AppVirtualization/StreamingSharedContentStoreMode](./policy-csp-appvirtualization.md#appvirtualization-streamingsharedcontentstoremode) +- [AppVirtualization/StreamingSupportBranchCache](./policy-csp-appvirtualization.md#appvirtualization-streamingsupportbranchcache) +- [AppVirtualization/StreamingVerifyCertificateRevocationList](./policy-csp-appvirtualization.md#appvirtualization-streamingverifycertificaterevocationlist) +- [AppVirtualization/VirtualComponentsAllowList](./policy-csp-appvirtualization.md#appvirtualization-virtualcomponentsallowlist) +- [ApplicationDefaults/DefaultAssociationsConfiguration](./policy-csp-applicationdefaults.md#applicationdefaults-defaultassociationsconfiguration) +- [ApplicationDefaults/EnableAppUriHandlers](./policy-csp-applicationdefaults.md#applicationdefaults-enableappurihandlers) +- [ApplicationManagement/AllowAllTrustedApps](./policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](./policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](./policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) +- [ApplicationManagement/AllowGameDVR](./policy-csp-applicationmanagement.md#applicationmanagement-allowgamedvr) +- [ApplicationManagement/AllowSharedUserAppData](./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata) +- [ApplicationManagement/DisableStoreOriginatedApps](./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps) +- [ApplicationManagement/MSIAllowUserControlOverInstall](./policy-csp-applicationmanagement.md#applicationmanagement-msiallowusercontroloverinstall) +- [ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges](./policy-csp-applicationmanagement.md#applicationmanagement-msialwaysinstallwithelevatedprivileges) +- [ApplicationManagement/RequirePrivateStoreOnly](./policy-csp-applicationmanagement.md#applicationmanagement-requireprivatestoreonly) +- [ApplicationManagement/RestrictAppDataToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictappdatatosystemvolume) +- [ApplicationManagement/RestrictAppToSystemVolume](./policy-csp-applicationmanagement.md#applicationmanagement-restrictapptosystemvolume) +- [AttachmentManager/DoNotPreserveZoneInformation](./policy-csp-attachmentmanager.md#attachmentmanager-donotpreservezoneinformation) +- [AttachmentManager/HideZoneInfoMechanism](./policy-csp-attachmentmanager.md#attachmentmanager-hidezoneinfomechanism) +- [AttachmentManager/NotifyAntivirusPrograms](./policy-csp-attachmentmanager.md#attachmentmanager-notifyantivirusprograms) +- [Authentication/AllowSecondaryAuthenticationDevice](./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice) +- [Autoplay/DisallowAutoplayForNonVolumeDevices](./policy-csp-autoplay.md#autoplay-disallowautoplayfornonvolumedevices) +- [Autoplay/SetDefaultAutoRunBehavior](./policy-csp-autoplay.md#autoplay-setdefaultautorunbehavior) +- [Autoplay/TurnOffAutoPlay](./policy-csp-autoplay.md#autoplay-turnoffautoplay) +- [BITS/BandwidthThrottlingEndTime](./policy-csp-bits.md#bits-bandwidththrottlingendtime) +- [BITS/BandwidthThrottlingStartTime](./policy-csp-bits.md#bits-bandwidththrottlingstarttime) +- [BITS/BandwidthThrottlingTransferRate](./policy-csp-bits.md#bits-bandwidththrottlingtransferrate) +- [BITS/CostedNetworkBehaviorBackgroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorbackgroundpriority) +- [BITS/CostedNetworkBehaviorForegroundPriority](./policy-csp-bits.md#bits-costednetworkbehaviorforegroundpriority) +- [BITS/JobInactivityTimeout](./policy-csp-bits.md#bits-jobinactivitytimeout) +- [Browser/AllowAddressBarDropdown](./policy-csp-browser.md#browser-allowaddressbardropdown) +- [Browser/AllowAutofill](./policy-csp-browser.md#browser-allowautofill) +- [Browser/AllowCookies](./policy-csp-browser.md#browser-allowcookies) +- [Browser/AllowDeveloperTools](./policy-csp-browser.md#browser-allowdevelopertools) +- [Browser/AllowDoNotTrack](./policy-csp-browser.md#browser-allowdonottrack) +- [Browser/AllowExtensions](./policy-csp-browser.md#browser-allowextensions) +- [Browser/AllowFlash](./policy-csp-browser.md#browser-allowflash) +- [Browser/AllowFlashClickToRun](./policy-csp-browser.md#browser-allowflashclicktorun) +- [Browser/AllowFullScreenMode](./policy-csp-browser.md#browser-allowfullscreenmode) +- [Browser/AllowInPrivate](./policy-csp-browser.md#browser-allowinprivate) +- [Browser/AllowMicrosoftCompatibilityList](./policy-csp-browser.md#browser-allowmicrosoftcompatibilitylist) +- [Browser/AllowPasswordManager](./policy-csp-browser.md#browser-allowpasswordmanager) +- [Browser/AllowPopups](./policy-csp-browser.md#browser-allowpopups) +- [Browser/AllowPrelaunch](./policy-csp-browser.md#browser-allowprelaunch) +- [Browser/AllowPrinting](./policy-csp-browser.md#browser-allowprinting) +- [Browser/AllowSavingHistory](./policy-csp-browser.md#browser-allowsavinghistory) +- [Browser/AllowSearchEngineCustomization](./policy-csp-browser.md#browser-allowsearchenginecustomization) +- [Browser/AllowSearchSuggestionsinAddressBar](./policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSideloadingOfExtensions](./policy-csp-browser.md#browser-allowsideloadingofextensions) +- [Browser/AllowSmartScreen](./policy-csp-browser.md#browser-allowsmartscreen) +- [Browser/AllowTabPreloading](./policy-csp-browser.md#browser-allowtabpreloading) +- [Browser/AllowWebContentOnNewTabPage](./policy-csp-browser.md#browser-allowwebcontentonnewtabpage) +- [Browser/AlwaysEnableBooksLibrary](./policy-csp-browser.md#browser-alwaysenablebookslibrary) +- [Browser/ClearBrowsingDataOnExit](./policy-csp-browser.md#browser-clearbrowsingdataonexit) +- [Browser/ConfigureAdditionalSearchEngines](./policy-csp-browser.md#browser-configureadditionalsearchengines) +- [Browser/ConfigureFavoritesBar](./policy-csp-browser.md#browser-configurefavoritesbar) +- [Browser/ConfigureHomeButton](./policy-csp-browser.md#browser-configurehomebutton) +- [Browser/ConfigureKioskMode](./policy-csp-browser.md#browser-configurekioskmode) +- [Browser/ConfigureKioskResetAfterIdleTimeout](./policy-csp-browser.md#browser-configurekioskresetafteridletimeout) +- [Browser/ConfigureOpenMicrosoftEdgeWith](./policy-csp-browser.md#browser-configureopenmicrosoftedgewith) +- [Browser/ConfigureTelemetryForMicrosoft365Analytics](./policy-csp-browser.md#browser-configuretelemetryformicrosoft365analytics) +- [Browser/DisableLockdownOfStartPages](./policy-csp-browser.md#browser-disablelockdownofstartpages) +- [Browser/EnableExtendedBooksTelemetry](./policy-csp-browser.md#browser-enableextendedbookstelemetry) +- [Browser/EnterpriseModeSiteList](./policy-csp-browser.md#browser-enterprisemodesitelist) +- [Browser/HomePages](./policy-csp-browser.md#browser-homepages) +- [Browser/LockdownFavorites](./policy-csp-browser.md#browser-lockdownfavorites) +- [Browser/PreventAccessToAboutFlagsInMicrosoftEdge](./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge) +- [Browser/PreventCertErrorOverrides](./policy-csp-browser.md#browser-preventcerterroroverrides) +- [Browser/PreventFirstRunPage](./policy-csp-browser.md#browser-preventfirstrunpage) +- [Browser/PreventLiveTileDataCollection](./policy-csp-browser.md#browser-preventlivetiledatacollection) +- [Browser/PreventSmartScreenPromptOverride](./policy-csp-browser.md#browser-preventsmartscreenpromptoverride) +- [Browser/PreventSmartScreenPromptOverrideForFiles](./policy-csp-browser.md#browser-preventsmartscreenpromptoverrideforfiles) +- [Browser/PreventUsingLocalHostIPAddressForWebRTC](./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc) +- [Browser/ProvisionFavorites](./policy-csp-browser.md#browser-provisionfavorites) +- [Browser/SendIntranetTraffictoInternetExplorer](./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer) +- [Browser/SetDefaultSearchEngine](./policy-csp-browser.md#browser-setdefaultsearchengine) +- [Browser/SetHomeButtonURL](./policy-csp-browser.md#browser-sethomebuttonurl) +- [Browser/SetNewTabPageURL](./policy-csp-browser.md#browser-setnewtabpageurl) +- [Browser/ShowMessageWhenOpeningSitesInInternetExplorer](./policy-csp-browser.md#browser-showmessagewhenopeningsitesininternetexplorer) +- [Browser/SyncFavoritesBetweenIEAndMicrosoftEdge](./policy-csp-browser.md#browser-syncfavoritesbetweenieandmicrosoftedge) +- [Browser/UnlockHomeButton](./policy-csp-browser.md#browser-unlockhomebutton) +- [Browser/UseSharedFolderForBooks](./policy-csp-browser.md#browser-usesharedfolderforbooks) +- [Camera/AllowCamera](./policy-csp-camera.md#camera-allowcamera) +- [Cellular/LetAppsAccessCellularData](./policy-csp-cellular.md#cellular-letappsaccesscellulardata) +- [Cellular/LetAppsAccessCellularData_ForceAllowTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forceallowtheseapps) +- [Cellular/LetAppsAccessCellularData_ForceDenyTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-forcedenytheseapps) +- [Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps](./policy-csp-cellular.md#cellular-letappsaccesscellulardata-userincontroloftheseapps) +- [Cellular/ShowAppCellularAccessUI](./policy-csp-cellular.md#cellular-showappcellularaccessui) +- [Connectivity/AllowCellularDataRoaming](./policy-csp-connectivity.md#connectivity-allowcellulardataroaming) +- [Connectivity/AllowPhonePCLinking](./policy-csp-connectivity.md#connectivity-allowphonepclinking) +- [Connectivity/DiablePrintingOverHTTP](./policy-csp-connectivity.md#connectivity-diableprintingoverhttp) +- [Connectivity/DisableDownloadingOfPrintDriversOverHTTP](./policy-csp-connectivity.md#connectivity-disabledownloadingofprintdriversoverhttp) +- [Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards](./policy-csp-connectivity.md#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards) +- [Connectivity/DisallowNetworkConnectivityActiveTests](./policy-csp-connectivity.md#connectivity-disallownetworkconnectivityactivetests) +- [Connectivity/HardenedUNCPaths](./policy-csp-connectivity.md#connectivity-hardeneduncpaths) +- [Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge](./policy-csp-connectivity.md#connectivity-prohibitinstallationandconfigurationofnetworkbridge) +- [CredentialProviders/AllowPINLogon](./policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) +- [CredentialProviders/BlockPicturePassword](./policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) +- [CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials](./policy-csp-credentialsdelegation.md#credentialsdelegation-remotehostallowsdelegationofnonexportablecredentials) +- [CredentialsUI/DisablePasswordReveal](./policy-csp-credentialsui.md#credentialsui-disablepasswordreveal) +- [CredentialsUI/EnumerateAdministrators](./policy-csp-credentialsui.md#credentialsui-enumerateadministrators) +- [Cryptography/AllowFipsAlgorithmPolicy](./policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) +- [DataUsage/SetCost4G](./policy-csp-datausage.md#datausage-setcost4g) +- [Defender/AllowArchiveScanning](./policy-csp-defender.md#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](./policy-csp-defender.md#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](./policy-csp-defender.md#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](./policy-csp-defender.md#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](./policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](./policy-csp-defender.md#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](./policy-csp-defender.md#defender-allowioavprotection) +- [Defender/AllowOnAccessProtection](./policy-csp-defender.md#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](./policy-csp-defender.md#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](./policy-csp-defender.md#defender-allowscanningnetworkfiles) +- [Defender/AllowUserUIAccess](./policy-csp-defender.md#defender-allowuseruiaccess) +- [Defender/AttackSurfaceReductionOnlyExclusions](./policy-csp-defender.md#defender-attacksurfacereductiononlyexclusions) +- [Defender/AttackSurfaceReductionRules](./policy-csp-defender.md#defender-attacksurfacereductionrules) +- [Defender/AvgCPULoadFactor](./policy-csp-defender.md#defender-avgcpuloadfactor) +- [Defender/CheckForSignaturesBeforeRunningScan](./policy-csp-defender.md#defender-checkforsignaturesbeforerunningscan) +- [Defender/CloudBlockLevel](./policy-csp-defender.md#defender-cloudblocklevel) +- [Defender/CloudExtendedTimeout](./policy-csp-defender.md#defender-cloudextendedtimeout) +- [Defender/ControlledFolderAccessAllowedApplications](./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications) +- [Defender/ControlledFolderAccessProtectedFolders](./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders) +- [Defender/DaysToRetainCleanedMalware](./policy-csp-defender.md#defender-daystoretaincleanedmalware) +- [Defender/DisableCatchupFullScan](./policy-csp-defender.md#defender-disablecatchupfullscan) +- [Defender/DisableCatchupQuickScan](./policy-csp-defender.md#defender-disablecatchupquickscan) +- [Defender/EnableControlledFolderAccess](./policy-csp-defender.md#defender-enablecontrolledfolderaccess) +- [Defender/EnableLowCPUPriority](./policy-csp-defender.md#defender-enablelowcpupriority) +- [Defender/EnableNetworkProtection](./policy-csp-defender.md#defender-enablenetworkprotection) +- [Defender/ExcludedExtensions](./policy-csp-defender.md#defender-excludedextensions) +- [Defender/ExcludedPaths](./policy-csp-defender.md#defender-excludedpaths) +- [Defender/ExcludedProcesses](./policy-csp-defender.md#defender-excludedprocesses) +- [Defender/RealTimeScanDirection](./policy-csp-defender.md#defender-realtimescandirection) +- [Defender/ScanParameter](./policy-csp-defender.md#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](./policy-csp-defender.md#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](./policy-csp-defender.md#defender-schedulescanday) +- [Defender/ScheduleScanTime](./policy-csp-defender.md#defender-schedulescantime) +- [Defender/SignatureUpdateFallbackOrder](./policy-csp-defender.md#defender-signatureupdatefallbackorder) +- [Defender/SignatureUpdateFileSharesSources](./policy-csp-defender.md#defender-signatureupdatefilesharessources) +- [Defender/SignatureUpdateInterval](./policy-csp-defender.md#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](./policy-csp-defender.md#defender-submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](./policy-csp-defender.md#defender-threatseveritydefaultaction) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](./policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DOCacheHost](./policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost) +- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) +- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) +- [DeliveryOptimization/DODelayCacheServerFallbackBackground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) +- [DeliveryOptimization/DODelayCacheServerFallbackForeground](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground) +- [DeliveryOptimization/DODownloadMode](./policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOGroupIdSource](./policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) +- [DeliveryOptimization/DOMaxCacheAge](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](./policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](./policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](./policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) +- [DeliveryOptimization/DORestrictPeerSelectionBy](./policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) +- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) +- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) +- [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) +- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch) +- [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) +- [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) +- [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdeviceids) +- [DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-allowinstallationofmatchingdevicesetupclasses) +- [DeviceInstallation/PreventDeviceMetadataFromNetwork](./policy-csp-deviceinstallation.md#deviceinstallation-preventdevicemetadatafromnetwork) +- [DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofdevicesnotdescribedbyotherpolicysettings) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdeviceids) +- [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses](./policy-csp-deviceinstallation.md#deviceinstallation-preventinstallationofmatchingdevicesetupclasses) +- [DeviceLock/MinimumPasswordAge](./policy-csp-devicelock.md#devicelock-minimumpasswordage) +- [DeviceLock/PreventEnablingLockScreenCamera](./policy-csp-devicelock.md#devicelock-preventenablinglockscreencamera) +- [DeviceLock/PreventLockScreenSlideShow](./policy-csp-devicelock.md#devicelock-preventlockscreenslideshow) +- [Display/DisablePerProcessDpiForApps](./policy-csp-display.md#display-disableperprocessdpiforapps) +- [Display/EnablePerProcessDpi](./policy-csp-display.md#display-enableperprocessdpi) +- [Display/EnablePerProcessDpiForApps](./policy-csp-display.md#display-enableperprocessdpiforapps) +- [Display/TurnOffGdiDPIScalingForApps](./policy-csp-display.md#display-turnoffgdidpiscalingforapps) +- [Display/TurnOnGdiDPIScalingForApps](./policy-csp-display.md#display-turnongdidpiscalingforapps) +- [DmaGuard/DeviceEnumerationPolicy](./policy-csp-dmaguard.md#dmaguard-deviceenumerationpolicy) +- [Education/PreventAddingNewPrinters](./policy-csp-education.md#education-preventaddingnewprinters) +- [ErrorReporting/CustomizeConsentSettings](./policy-csp-errorreporting.md#errorreporting-customizeconsentsettings) +- [ErrorReporting/DisableWindowsErrorReporting](./policy-csp-errorreporting.md#errorreporting-disablewindowserrorreporting) +- [ErrorReporting/DisplayErrorNotification](./policy-csp-errorreporting.md#errorreporting-displayerrornotification) +- [ErrorReporting/DoNotSendAdditionalData](./policy-csp-errorreporting.md#errorreporting-donotsendadditionaldata) +- [ErrorReporting/PreventCriticalErrorDisplay](./policy-csp-errorreporting.md#errorreporting-preventcriticalerrordisplay) +- [EventLogService/ControlEventLogBehavior](./policy-csp-eventlogservice.md#eventlogservice-controleventlogbehavior) +- [EventLogService/SpecifyMaximumFileSizeApplicationLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizeapplicationlog) +- [EventLogService/SpecifyMaximumFileSizeSecurityLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesecuritylog) +- [EventLogService/SpecifyMaximumFileSizeSystemLog](./policy-csp-eventlogservice.md#eventlogservice-specifymaximumfilesizesystemlog) +- [Experience/AllowClipboardHistory](./policy-csp-experience.md#experience-allowclipboardhistory) +- [Experience/AllowCortana](./policy-csp-experience.md#experience-allowcortana) +- [Experience/AllowFindMyDevice](./policy-csp-experience.md#experience-allowfindmydevice) +- [Experience/AllowTailoredExperiencesWithDiagnosticData](./policy-csp-experience.md#experience-allowtailoredexperienceswithdiagnosticdata) +- [Experience/AllowThirdPartySuggestionsInWindowsSpotlight](./policy-csp-experience.md#experience-allowthirdpartysuggestionsinwindowsspotlight) +- [Experience/AllowWindowsConsumerFeatures](./policy-csp-experience.md#experience-allowwindowsconsumerfeatures) +- [Experience/AllowWindowsSpotlight](./policy-csp-experience.md#experience-allowwindowsspotlight) +- [Experience/AllowWindowsSpotlightOnActionCenter](./policy-csp-experience.md#experience-allowwindowsspotlightonactioncenter) +- [Experience/AllowWindowsSpotlightOnSettings](./policy-csp-experience.md#experience-allowwindowsspotlightonsettings) +- [Experience/AllowWindowsSpotlightWindowsWelcomeExperience](./policy-csp-experience.md#experience-allowwindowsspotlightwindowswelcomeexperience) +- [Experience/AllowWindowsTips](./policy-csp-experience.md#experience-allowwindowstips) +- [Experience/ConfigureWindowsSpotlightOnLockScreen](./policy-csp-experience.md#experience-configurewindowsspotlightonlockscreen) +- [Experience/DoNotShowFeedbackNotifications](./policy-csp-experience.md#experience-donotshowfeedbacknotifications) +- [Experience/DoNotSyncBrowserSettings](./policy-csp-experience.md#experience-donotsyncbrowsersetting) +- [Experience/PreventUsersFromTurningOnBrowserSyncing](./policy-csp-experience.md#experience-preventusersfromturningonbrowsersyncing) +- [Experience/ShowLockOnUserTile](policy-csp-experience.md#experience-showlockonusertile) +- [ExploitGuard/ExploitProtectionSettings](./policy-csp-exploitguard.md#exploitguard-exploitprotectionsettings) +- [FileExplorer/TurnOffDataExecutionPreventionForExplorer](./policy-csp-fileexplorer.md#fileexplorer-turnoffdataexecutionpreventionforexplorer) +- [FileExplorer/TurnOffHeapTerminationOnCorruption](./policy-csp-fileexplorer.md#fileexplorer-turnoffheapterminationoncorruption) +- [Handwriting/PanelDefaultModeDocked](./policy-csp-handwriting.md#handwriting-paneldefaultmodedocked) +- [InternetExplorer/AddSearchProvider](./policy-csp-internetexplorer.md#internetexplorer-addsearchprovider) +- [InternetExplorer/AllowActiveXFiltering](./policy-csp-internetexplorer.md#internetexplorer-allowactivexfiltering) +- [InternetExplorer/AllowAddOnList](./policy-csp-internetexplorer.md#internetexplorer-allowaddonlist) +- [InternetExplorer/AllowAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-allowautocomplete) +- [InternetExplorer/AllowCertificateAddressMismatchWarning](./policy-csp-internetexplorer.md#internetexplorer-allowcertificateaddressmismatchwarning) +- [InternetExplorer/AllowDeletingBrowsingHistoryOnExit](./policy-csp-internetexplorer.md#internetexplorer-allowdeletingbrowsinghistoryonexit) +- [InternetExplorer/AllowEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedprotectedmode) +- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](./policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar) +- [InternetExplorer/AllowEnterpriseModeFromToolsMenu](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodefromtoolsmenu) +- [InternetExplorer/AllowEnterpriseModeSiteList](./policy-csp-internetexplorer.md#internetexplorer-allowenterprisemodesitelist) +- [InternetExplorer/AllowFallbackToSSL3](./policy-csp-internetexplorer.md#internetexplorer-allowfallbacktossl3) +- [InternetExplorer/AllowInternetExplorer7PolicyList](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorer7policylist) +- [InternetExplorer/AllowInternetExplorerStandardsMode](./policy-csp-internetexplorer.md#internetexplorer-allowinternetexplorerstandardsmode) +- [InternetExplorer/AllowInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowinternetzonetemplate) +- [InternetExplorer/AllowIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowintranetzonetemplate) +- [InternetExplorer/AllowLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownInternetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddowninternetzonetemplate) +- [InternetExplorer/AllowLockedDownIntranetZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownintranetzonetemplate) +- [InternetExplorer/AllowLockedDownLocalMachineZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownlocalmachinezonetemplate) +- [InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowlockeddownrestrictedsiteszonetemplate) +- [InternetExplorer/AllowOneWordEntry](./policy-csp-internetexplorer.md#internetexplorer-allowonewordentry) +- [InternetExplorer/AllowSiteToZoneAssignmentList](./policy-csp-internetexplorer.md#internetexplorer-allowsitetozoneassignmentlist) +- [InternetExplorer/AllowSoftwareWhenSignatureIsInvalid](./policy-csp-internetexplorer.md#internetexplorer-allowsoftwarewhensignatureisinvalid) +- [InternetExplorer/AllowSuggestedSites](./policy-csp-internetexplorer.md#internetexplorer-allowsuggestedsites) +- [InternetExplorer/AllowTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowtrustedsiteszonetemplate) +- [InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowslockeddowntrustedsiteszonetemplate) +- [InternetExplorer/AllowsRestrictedSitesZoneTemplate](./policy-csp-internetexplorer.md#internetexplorer-allowsrestrictedsiteszonetemplate) +- [InternetExplorer/CheckServerCertificateRevocation](./policy-csp-internetexplorer.md#internetexplorer-checkservercertificaterevocation) +- [InternetExplorer/CheckSignaturesOnDownloadedPrograms](./policy-csp-internetexplorer.md#internetexplorer-checksignaturesondownloadedprograms) +- [InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-consistentmimehandlinginternetexplorerprocesses) +- [InternetExplorer/DisableActiveXVersionListAutoDownload](./policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableAdobeFlash](./policy-csp-internetexplorer.md#internetexplorer-disableadobeflash) +- [InternetExplorer/DisableBypassOfSmartScreenWarnings](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarnings) +- [InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles](./policy-csp-internetexplorer.md#internetexplorer-disablebypassofsmartscreenwarningsaboutuncommonfiles) +- [InternetExplorer/DisableCompatView](./policy-csp-internetexplorer.md#internetexplorer-disablecompatview) +- [InternetExplorer/DisableConfiguringHistory](./policy-csp-internetexplorer.md#internetexplorer-disableconfiguringhistory) +- [InternetExplorer/DisableCrashDetection](./policy-csp-internetexplorer.md#internetexplorer-disablecrashdetection) +- [InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation](./policy-csp-internetexplorer.md#internetexplorer-disablecustomerexperienceimprovementprogramparticipation) +- [InternetExplorer/DisableDeletingUserVisitedWebsites](./policy-csp-internetexplorer.md#internetexplorer-disabledeletinguservisitedwebsites) +- [InternetExplorer/DisableEnclosureDownloading](./policy-csp-internetexplorer.md#internetexplorer-disableenclosuredownloading) +- [InternetExplorer/DisableEncryptionSupport](./policy-csp-internetexplorer.md#internetexplorer-disableencryptionsupport) +- [InternetExplorer/DisableFeedsBackgroundSync](./policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync) +- [InternetExplorer/DisableFirstRunWizard](./policy-csp-internetexplorer.md#internetexplorer-disablefirstrunwizard) +- [InternetExplorer/DisableFlipAheadFeature](./policy-csp-internetexplorer.md#internetexplorer-disableflipaheadfeature) +- [InternetExplorer/DisableGeolocation](./policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) +- [InternetExplorer/DisableHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablehomepagechange) +- [InternetExplorer/DisableIgnoringCertificateErrors](./policy-csp-internetexplorer.md#internetexplorer-disableignoringcertificateerrors) +- [InternetExplorer/DisableInPrivateBrowsing](./policy-csp-internetexplorer.md#internetexplorer-disableinprivatebrowsing) +- [InternetExplorer/DisableProcessesInEnhancedProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-disableprocessesinenhancedprotectedmode) +- [InternetExplorer/DisableProxyChange](./policy-csp-internetexplorer.md#internetexplorer-disableproxychange) +- [InternetExplorer/DisableSearchProviderChange](./policy-csp-internetexplorer.md#internetexplorer-disablesearchproviderchange) +- [InternetExplorer/DisableSecondaryHomePageChange](./policy-csp-internetexplorer.md#internetexplorer-disablesecondaryhomepagechange) +- [InternetExplorer/DisableSecuritySettingsCheck](./policy-csp-internetexplorer.md#internetexplorer-disablesecuritysettingscheck) +- [InternetExplorer/DisableUpdateCheck](./policy-csp-internetexplorer.md#internetexplorer-disableupdatecheck) +- [InternetExplorer/DisableWebAddressAutoComplete](./policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete) +- [InternetExplorer/DoNotAllowActiveXControlsInProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-donotallowactivexcontrolsinprotectedmode) +- [InternetExplorer/DoNotAllowUsersToAddSites](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstoaddsites) +- [InternetExplorer/DoNotAllowUsersToChangePolicies](./policy-csp-internetexplorer.md#internetexplorer-donotallowuserstochangepolicies) +- [InternetExplorer/DoNotBlockOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrols) +- [InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains](./policy-csp-internetexplorer.md#internetexplorer-donotblockoutdatedactivexcontrolsonspecificdomains) +- [InternetExplorer/IncludeAllLocalSites](./policy-csp-internetexplorer.md#internetexplorer-includealllocalsites) +- [InternetExplorer/IncludeAllNetworkPaths](./policy-csp-internetexplorer.md#internetexplorer-includeallnetworkpaths) +- [InternetExplorer/InternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowaccesstodatasources) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/InternetZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowcopypasteviascript) +- [InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/InternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowfontdownloads) +- [InternetExplorer/InternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowlessprivilegedsites) +- [InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowloadingofxamlfiles) +- [InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/InternetZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptinitiatedwindows) +- [InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/InternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowscriptlets) +- [InternetExplorer/InternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowsmartscreenie) +- [InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowupdatestostatusbarviascript) +- [InternetExplorer/InternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowuserdatapersistence) +- [InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneallowvbscripttorunininternetexplorer) +- [InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/InternetZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadsignedactivexcontrols) +- [InternetExplorer/InternetZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzonedownloadunsignedactivexcontrols) +- [InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablecrosssitescriptingfilter) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/InternetZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenablemimesniffing) +- [InternetExplorer/InternetZoneEnableProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-internetzoneenableprotectedmode) +- [InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-internetzoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/InternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-internetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/InternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-internetzonejavapermissions) +- [InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-internetzonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/InternetZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-internetzonelogonoptions) +- [InternetExplorer/InternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-internetzonenavigatewindowsandframes) +- [InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-internetzonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-internetzoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/InternetZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-internetzoneusepopupblocker) +- [InternetExplorer/IntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowaccesstodatasources) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/IntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowfontdownloads) +- [InternetExplorer/IntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowlessprivilegedsites) +- [InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/IntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowscriptlets) +- [InternetExplorer/IntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowsmartscreenie) +- [InternetExplorer/IntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneallowuserdatapersistence) +- [InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-intranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/IntranetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-intranetzonejavapermissions) +- [InternetExplorer/IntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-intranetzonenavigatewindowsandframes) +- [InternetExplorer/LocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowaccesstodatasources) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowfontdownloads) +- [InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowscriptlets) +- [InternetExplorer/LocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowsmartscreenie) +- [InternetExplorer/LocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneallowuserdatapersistence) +- [InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-localmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonejavapermissions) +- [InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-localmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownInternetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowfontdownloads) +- [InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownInternetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowscriptlets) +- [InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownInternetZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonejavapermissions) +- [InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowninternetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownIntranetJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetjavapermissions) +- [InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowaccesstodatasources) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowfontdownloads) +- [InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownIntranetZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowscriptlets) +- [InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowsmartscreenie) +- [InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneallowuserdatapersistence) +- [InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownintranetzonenavigatewindowsandframes) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowaccesstodatasources) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowfontdownloads) +- [InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowscriptlets) +- [InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowsmartscreenie) +- [InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneallowuserdatapersistence) +- [InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownLocalMachineZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonejavapermissions) +- [InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownlocalmachinezonenavigatewindowsandframes) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonejavapermissions) +- [InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddownrestrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowfontdownloads) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowscriptlets) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowsmartscreenie) +- [InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonejavapermissions) +- [InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-lockeddowntrustedsiteszonenavigatewindowsandframes) +- [InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mkprotocolsecurityrestrictioninternetexplorerprocesses) +- [InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-mimesniffingsafetyfeatureinternetexplorerprocesses) +- [InternetExplorer/NewTabDefaultPage](./policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage) +- [InternetExplorer/NotificationBarInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-notificationbarinternetexplorerprocesses) +- [InternetExplorer/PreventManagingSmartScreenFilter](./policy-csp-internetexplorer.md#internetexplorer-preventmanagingsmartscreenfilter) +- [InternetExplorer/PreventPerUserInstallationOfActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-preventperuserinstallationofactivexcontrols) +- [InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-protectionfromzoneelevationinternetexplorerprocesses) +- [InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-removerunthistimebuttonforoutdatedactivexcontrols) +- [InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictactivexinstallinternetexplorerprocesses) +- [InternetExplorer/RestrictFileDownloadInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-restrictfiledownloadinternetexplorerprocesses) +- [InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowaccesstodatasources) +- [InternetExplorer/RestrictedSitesZoneAllowActiveScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowactivescripting) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowbinaryandscriptbehaviors) +- [InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowcopypasteviascript) +- [InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowdraganddropcopyandpastefiles) +- [InternetExplorer/RestrictedSitesZoneAllowFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfiledownloads) +- [InternetExplorer/RestrictedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowfontdownloads) +- [InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowloadingofxamlfiles) +- [InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowmetarefresh) +- [InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstouseactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowonlyapproveddomainstousetdcactivexcontrol) +- [InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptinitiatedwindows) +- [InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptingofinternetexplorerwebbrowsercontrols) +- [InternetExplorer/RestrictedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowscriptlets) +- [InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowsmartscreenie) +- [InternetExplorer/RestrictedSitesZoneAllowUpdatesToStatusBarViaScript](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowupdatestostatusbarviascript) +- [InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowuserdatapersistence) +- [InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneallowvbscripttorunininternetexplorer) +- [InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonedownloadunsignedactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablecrosssitescriptingfilter) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainsacrosswindows) +- [InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenabledraggingofcontentfromdifferentdomainswithinwindows) +- [InternetExplorer/RestrictedSitesZoneEnableMIMESniffing](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneenablemimesniffing) +- [InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneincludelocalpathwhenuploadingfilestoserver) +- [InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/RestrictedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonejavapermissions) +- [InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelaunchingapplicationsandfilesiniframe) +- [InternetExplorer/RestrictedSitesZoneLogonOptions](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonelogonoptions) +- [InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonenavigatewindowsandframes) +- [InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunactivexcontrolsandplugins) +- [InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonerunnetframeworkreliantcomponentssignedwithauthenticode) +- [InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptactivexcontrolsmarkedsafeforscripting) +- [InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszonescriptingofjavaapplets) +- [InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneshowsecuritywarningforpotentiallyunsafefiles) +- [InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneturnonprotectedmode) +- [InternetExplorer/RestrictedSitesZoneUsePopupBlocker](./policy-csp-internetexplorer.md#internetexplorer-restrictedsiteszoneusepopupblocker) +- [InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses](./policy-csp-internetexplorer.md#internetexplorer-scriptedwindowsecurityrestrictionsinternetexplorerprocesses) +- [InternetExplorer/SearchProviderList](./policy-csp-internetexplorer.md#internetexplorer-searchproviderlist) +- [InternetExplorer/SecurityZonesUseOnlyMachineSettings](./policy-csp-internetexplorer.md#internetexplorer-securityzonesuseonlymachinesettings) +- [InternetExplorer/SpecifyUseOfActiveXInstallerService](./policy-csp-internetexplorer.md#internetexplorer-specifyuseofactivexinstallerservice) +- [InternetExplorer/TrustedSitesZoneAllowAccessToDataSources](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowaccesstodatasources) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforactivexcontrols) +- [InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowautomaticpromptingforfiledownloads) +- [InternetExplorer/TrustedSitesZoneAllowFontDownloads](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowfontdownloads) +- [InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowlessprivilegedsites) +- [InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallownetframeworkreliantcomponents) +- [InternetExplorer/TrustedSitesZoneAllowScriptlets](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowscriptlets) +- [InternetExplorer/TrustedSitesZoneAllowSmartScreenIE](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowsmartscreenie) +- [InternetExplorer/TrustedSitesZoneAllowUserDataPersistence](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneallowuserdatapersistence) +- [InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonedonotrunantimalwareagainstactivexcontrols) +- [InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszoneinitializeandscriptactivexcontrols) +- [InternetExplorer/TrustedSitesZoneJavaPermissions](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonejavapermissions) +- [InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames](./policy-csp-internetexplorer.md#internetexplorer-trustedsiteszonenavigatewindowsandframes) +- [Kerberos/AllowForestSearchOrder](./policy-csp-kerberos.md#kerberos-allowforestsearchorder) +- [Kerberos/KerberosClientSupportsClaimsCompoundArmor](./policy-csp-kerberos.md#kerberos-kerberosclientsupportsclaimscompoundarmor) +- [Kerberos/RequireKerberosArmoring](./policy-csp-kerberos.md#kerberos-requirekerberosarmoring) +- [Kerberos/RequireStrictKDCValidation](./policy-csp-kerberos.md#kerberos-requirestrictkdcvalidation) +- [Kerberos/SetMaximumContextTokenSize](./policy-csp-kerberos.md#kerberos-setmaximumcontexttokensize) +- [LanmanWorkstation/EnableInsecureGuestLogons](./policy-csp-lanmanworkstation.md#lanmanworkstation-enableinsecureguestlogons) +- [Licensing/AllowWindowsEntitlementReactivation](./policy-csp-licensing.md#licensing-allowwindowsentitlementreactivation) +- [Licensing/DisallowKMSClientOnlineAVSValidation](./policy-csp-licensing.md#licensing-disallowkmsclientonlineavsvalidation) +- [LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts) +- [LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly) +- [LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameadministratoraccount) +- [LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-accounts-renameguestaccount) +- [LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowundockwithouthavingtologon) +- [LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-allowedtoformatandejectremovablemedia) +- [LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-preventusersfrominstallingprinterdriverswhenconnectingtosharedprinters) +- [LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-devices-restrictcdromaccesstolocallyloggedonuseronly) +- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptorsignsecurechanneldataalways) +- [LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-digitallyencryptsecurechanneldatawhenpossible) +- [LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-domainmember-disablemachineaccountpasswordchanges) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin) +- [LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel) +- [LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit) +- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon) +- [LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon) +- [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways) +- [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees) +- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts) +- [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccountsandshares) +- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictanonymousaccesstonamedpipesandshares) +- [LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-restrictclientsallowedtomakeremotecallstosam) +- [LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests) +- [LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-donotstorelanmanagerhashvalueonnextpasswordchange) +- [LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-lanmanagerauthenticationlevel) +- [LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-minimumsessionsecurityforntlmsspbasedservers) +- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-addremoteserverexceptionsforntlmauthentication) +- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-auditincomingntlmtraffic) +- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-incomingntlmtraffic) +- [LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networksecurity-restrictntlm-outgoingntlmtraffictoremoteservers) +- [LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon) +- [LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-clearvirtualmemorypagefile) +- [LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation) +- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators) +- [LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers) +- [LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-detectapplicationinstallationsandpromptforelevation) +- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated) +- [LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations) +- [LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode) +- [LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation) +- [LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-useadminapprovalmode) +- [LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations) +- [LockDown/AllowEdgeSwipe](./policy-csp-lockdown.md#lockdown-allowedgeswipe) +- [MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes](./policy-csp-msslegacy.md#msslegacy-allowicmpredirectstooverrideospfgeneratedroutes) +- [MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers](./policy-csp-msslegacy.md#msslegacy-allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) +- [MSSLegacy/IPSourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipsourceroutingprotectionlevel) +- [MSSLegacy/IPv6SourceRoutingProtectionLevel](./policy-csp-msslegacy.md#msslegacy-ipv6sourceroutingprotectionlevel) +- [MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon](./policy-csp-mssecurityguide.md#mssecurityguide-applyuacrestrictionstolocalaccountsonnetworklogon) +- [MSSecurityGuide/ConfigureSMBV1ClientDriver](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1clientdriver) +- [MSSecurityGuide/ConfigureSMBV1Server](./policy-csp-mssecurityguide.md#mssecurityguide-configuresmbv1server) +- [MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection](./policy-csp-mssecurityguide.md#mssecurityguide-enablestructuredexceptionhandlingoverwriteprotection) +- [MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications](./policy-csp-mssecurityguide.md#mssecurityguide-turnonwindowsdefenderprotectionagainstpotentiallyunwantedapplications) +- [MSSecurityGuide/WDigestAuthentication](./policy-csp-mssecurityguide.md#mssecurityguide-wdigestauthentication) +- [Maps/EnableOfflineMapsAutoUpdate](./policy-csp-maps.md#maps-enableofflinemapsautoupdate) +- [Messaging/AllowMessageSync](./policy-csp-messaging.md#messaging-allowmessagesync) +- [NetworkIsolation/EnterpriseCloudResources](./policy-csp-networkisolation.md#networkisolation-enterprisecloudresources) +- [NetworkIsolation/EnterpriseIPRange](./policy-csp-networkisolation.md#networkisolation-enterpriseiprange) +- [NetworkIsolation/EnterpriseIPRangesAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseiprangesareauthoritative) +- [NetworkIsolation/EnterpriseInternalProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseinternalproxyservers) +- [NetworkIsolation/EnterpriseProxyServers](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyservers) +- [NetworkIsolation/EnterpriseProxyServersAreAuthoritative](./policy-csp-networkisolation.md#networkisolation-enterpriseproxyserversareauthoritative) +- [NetworkIsolation/NeutralResources](./policy-csp-networkisolation.md#networkisolation-neutralresources) +- [Notifications/DisallowCloudNotification](./policy-csp-notifications.md#notifications-disallowcloudnotification) +- [Notifications/DisallowNotificationMirroring](./policy-csp-notifications.md#notifications-disallownotificationmirroring) +- [Notifications/DisallowTileNotification](./policy-csp-notifications.md#notifications-disallowtilenotification) +- [Power/AllowStandbyStatesWhenSleepingOnBattery](./policy-csp-power.md#power-allowstandbystateswhensleepingonbattery) +- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin) +- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery) +- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin) +- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery) +- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin) +- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery) +- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin) +- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery) +- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin) +- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery) +- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin) +- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery) +- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin) +- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery) +- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin) +- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery) +- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin) +- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery) +- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin) +- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery) +- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin) +- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions) +- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user) +- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters) +- [Privacy/AllowCrossDeviceClipboard](./policy-csp-privacy.md#privacy-allowcrossdeviceclipboard) +- [Privacy/AllowInputPersonalization](./policy-csp-privacy.md#privacy-allowinputpersonalization) +- [Privacy/DisableAdvertisingId](./policy-csp-privacy.md#privacy-disableadvertisingid) +- [Privacy/DisablePrivacyExperience](./policy-csp-privacy.md#privacy-disableprivacyexperience) +- [Privacy/EnableActivityFeed](./policy-csp-privacy.md#privacy-enableactivityfeed) +- [Privacy/LetAppsAccessAccountInfo](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo) +- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) +- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps) +- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps) +- [Privacy/LetAppsAccessCalendar](./policy-csp-privacy.md#privacy-letappsaccesscalendar) +- [Privacy/LetAppsAccessCalendar_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forceallowtheseapps) +- [Privacy/LetAppsAccessCalendar_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-forcedenytheseapps) +- [Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscalendar-userincontroloftheseapps) +- [Privacy/LetAppsAccessCallHistory](./policy-csp-privacy.md#privacy-letappsaccesscallhistory) +- [Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forceallowtheseapps) +- [Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-forcedenytheseapps) +- [Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscallhistory-userincontroloftheseapps) +- [Privacy/LetAppsAccessCamera](./policy-csp-privacy.md#privacy-letappsaccesscamera) +- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) +- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) +- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) +- [Privacy/LetAppsAccessContacts](./policy-csp-privacy.md#privacy-letappsaccesscontacts) +- [Privacy/LetAppsAccessContacts_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forceallowtheseapps) +- [Privacy/LetAppsAccessContacts_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-forcedenytheseapps) +- [Privacy/LetAppsAccessContacts_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesscontacts-userincontroloftheseapps) +- [Privacy/LetAppsAccessEmail](./policy-csp-privacy.md#privacy-letappsaccessemail) +- [Privacy/LetAppsAccessEmail_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forceallowtheseapps) +- [Privacy/LetAppsAccessEmail_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-forcedenytheseapps) +- [Privacy/LetAppsAccessEmail_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessemail-userincontroloftheseapps) +- [Privacy/LetAppsAccessLocation](./policy-csp-privacy.md#privacy-letappsaccesslocation) +- [Privacy/LetAppsAccessLocation_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forceallowtheseapps) +- [Privacy/LetAppsAccessLocation_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-forcedenytheseapps) +- [Privacy/LetAppsAccessLocation_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesslocation-userincontroloftheseapps) +- [Privacy/LetAppsAccessMessaging](./policy-csp-privacy.md#privacy-letappsaccessmessaging) +- [Privacy/LetAppsAccessMessaging_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forceallowtheseapps) +- [Privacy/LetAppsAccessMessaging_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-forcedenytheseapps) +- [Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmessaging-userincontroloftheseapps) +- [Privacy/LetAppsAccessMicrophone](./policy-csp-privacy.md#privacy-letappsaccessmicrophone) +- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) +- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) +- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) +- [Privacy/LetAppsAccessMotion](./policy-csp-privacy.md#privacy-letappsaccessmotion) +- [Privacy/LetAppsAccessMotion_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forceallowtheseapps) +- [Privacy/LetAppsAccessMotion_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-forcedenytheseapps) +- [Privacy/LetAppsAccessMotion_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessmotion-userincontroloftheseapps) +- [Privacy/LetAppsAccessNotifications](./policy-csp-privacy.md#privacy-letappsaccessnotifications) +- [Privacy/LetAppsAccessNotifications_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forceallowtheseapps) +- [Privacy/LetAppsAccessNotifications_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-forcedenytheseapps) +- [Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessnotifications-userincontroloftheseapps) +- [Privacy/LetAppsAccessPhone](./policy-csp-privacy.md#privacy-letappsaccessphone) +- [Privacy/LetAppsAccessPhone_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forceallowtheseapps) +- [Privacy/LetAppsAccessPhone_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-forcedenytheseapps) +- [Privacy/LetAppsAccessPhone_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessphone-userincontroloftheseapps) +- [Privacy/LetAppsAccessRadios](./policy-csp-privacy.md#privacy-letappsaccessradios) +- [Privacy/LetAppsAccessRadios_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forceallowtheseapps) +- [Privacy/LetAppsAccessRadios_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-forcedenytheseapps) +- [Privacy/LetAppsAccessRadios_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccessradios-userincontroloftheseapps) +- [Privacy/LetAppsAccessTasks](./policy-csp-privacy.md#privacy-letappsaccesstasks) +- [Privacy/LetAppsAccessTasks_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forceallowtheseapps) +- [Privacy/LetAppsAccessTasks_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-forcedenytheseapps) +- [Privacy/LetAppsAccessTasks_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstasks-userincontroloftheseapps) +- [Privacy/LetAppsAccessTrustedDevices](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices) +- [Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forceallowtheseapps) +- [Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-forcedenytheseapps) +- [Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsaccesstrusteddevices-userincontroloftheseapps) +- [Privacy/LetAppsGetDiagnosticInfo](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo) +- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forceallowtheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-forcedenytheseapps) +- [Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsgetdiagnosticinfo-userincontroloftheseapps) +- [Privacy/LetAppsRunInBackground](./policy-csp-privacy.md#privacy-letappsruninbackground) +- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forceallowtheseapps) +- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-forcedenytheseapps) +- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappsruninbackground-userincontroloftheseapps) +- [Privacy/LetAppsSyncWithDevices](./policy-csp-privacy.md#privacy-letappssyncwithdevices) +- [Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forceallowtheseapps) +- [Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-forcedenytheseapps) +- [Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps](./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps) +- [Privacy/PublishUserActivities](./policy-csp-privacy.md#privacy-publishuseractivities) +- [Privacy/UploadUserActivities](./policy-csp-privacy.md#privacy-uploaduseractivities) +- [RemoteAssistance/CustomizeWarningMessages](./policy-csp-remoteassistance.md#remoteassistance-customizewarningmessages) +- [RemoteAssistance/SessionLogging](./policy-csp-remoteassistance.md#remoteassistance-sessionlogging) +- [RemoteAssistance/SolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-solicitedremoteassistance) +- [RemoteAssistance/UnsolicitedRemoteAssistance](./policy-csp-remoteassistance.md#remoteassistance-unsolicitedremoteassistance) +- [RemoteDesktopServices/AllowUsersToConnectRemotely](./policy-csp-remotedesktopservices.md#remotedesktopservices-allowuserstoconnectremotely) +- [RemoteDesktopServices/ClientConnectionEncryptionLevel](./policy-csp-remotedesktopservices.md#remotedesktopservices-clientconnectionencryptionlevel) +- [RemoteDesktopServices/DoNotAllowDriveRedirection](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowdriveredirection) +- [RemoteDesktopServices/DoNotAllowPasswordSaving](./policy-csp-remotedesktopservices.md#remotedesktopservices-donotallowpasswordsaving) +- [RemoteDesktopServices/PromptForPasswordUponConnection](./policy-csp-remotedesktopservices.md#remotedesktopservices-promptforpassworduponconnection) +- [RemoteDesktopServices/RequireSecureRPCCommunication](./policy-csp-remotedesktopservices.md#remotedesktopservices-requiresecurerpccommunication) +- [RemoteManagement/AllowBasicAuthentication_Client](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-client) +- [RemoteManagement/AllowBasicAuthentication_Service](./policy-csp-remotemanagement.md#remotemanagement-allowbasicauthentication-service) +- [RemoteManagement/AllowCredSSPAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationclient) +- [RemoteManagement/AllowCredSSPAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-allowcredsspauthenticationservice) +- [RemoteManagement/AllowRemoteServerManagement](./policy-csp-remotemanagement.md#remotemanagement-allowremoteservermanagement) +- [RemoteManagement/AllowUnencryptedTraffic_Client](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-client) +- [RemoteManagement/AllowUnencryptedTraffic_Service](./policy-csp-remotemanagement.md#remotemanagement-allowunencryptedtraffic-service) +- [RemoteManagement/DisallowDigestAuthentication](./policy-csp-remotemanagement.md#remotemanagement-disallowdigestauthentication) +- [RemoteManagement/DisallowNegotiateAuthenticationClient](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationclient) +- [RemoteManagement/DisallowNegotiateAuthenticationService](./policy-csp-remotemanagement.md#remotemanagement-disallownegotiateauthenticationservice) +- [RemoteManagement/DisallowStoringOfRunAsCredentials](./policy-csp-remotemanagement.md#remotemanagement-disallowstoringofrunascredentials) +- [RemoteManagement/SpecifyChannelBindingTokenHardeningLevel](./policy-csp-remotemanagement.md#remotemanagement-specifychannelbindingtokenhardeninglevel) +- [RemoteManagement/TrustedHosts](./policy-csp-remotemanagement.md#remotemanagement-trustedhosts) +- [RemoteManagement/TurnOnCompatibilityHTTPListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttplistener) +- [RemoteManagement/TurnOnCompatibilityHTTPSListener](./policy-csp-remotemanagement.md#remotemanagement-turnoncompatibilityhttpslistener) +- [RemoteProcedureCall/RPCEndpointMapperClientAuthentication](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-rpcendpointmapperclientauthentication) +- [RemoteProcedureCall/RestrictUnauthenticatedRPCClients](./policy-csp-remoteprocedurecall.md#remoteprocedurecall-restrictunauthenticatedrpcclients) +- [RemoteShell/AllowRemoteShellAccess](./policy-csp-remoteshell.md#remoteshell-allowremoteshellaccess) +- [RemoteShell/MaxConcurrentUsers](./policy-csp-remoteshell.md#remoteshell-maxconcurrentusers) +- [RemoteShell/SpecifyIdleTimeout](./policy-csp-remoteshell.md#remoteshell-specifyidletimeout) +- [RemoteShell/SpecifyMaxMemory](./policy-csp-remoteshell.md#remoteshell-specifymaxmemory) +- [RemoteShell/SpecifyMaxProcesses](./policy-csp-remoteshell.md#remoteshell-specifymaxprocesses) +- [RemoteShell/SpecifyMaxRemoteShells](./policy-csp-remoteshell.md#remoteshell-specifymaxremoteshells) +- [RemoteShell/SpecifyShellTimeout](./policy-csp-remoteshell.md#remoteshell-specifyshelltimeout) +- [Search/AllowCloudSearch](./policy-csp-search.md#search-allowcloudsearch) +- [Search/AllowCortanaInAAD](./policy-csp-search.md#search-allowcortanainaad) +- [Search/AllowFindMyFiles](./policy-csp-search.md#search-allowfindmyfiles) +- [Search/AllowIndexingEncryptedStoresOrItems](./policy-csp-search.md#search-allowindexingencryptedstoresoritems) +- [Search/AllowSearchToUseLocation](./policy-csp-search.md#search-allowsearchtouselocation) +- [Search/AllowUsingDiacritics](./policy-csp-search.md#search-allowusingdiacritics) +- [Search/AlwaysUseAutoLangDetection](./policy-csp-search.md#search-alwaysuseautolangdetection) +- [Search/DisableBackoff](./policy-csp-search.md#search-disablebackoff) +- [Search/DisableRemovableDriveIndexing](./policy-csp-search.md#search-disableremovabledriveindexing) +- [Search/DoNotUseWebResults](./policy-csp-search.md#search-donotusewebresults) +- [Search/PreventIndexingLowDiskSpaceMB](./policy-csp-search.md#search-preventindexinglowdiskspacemb) +- [Search/PreventRemoteQueries](./policy-csp-search.md#search-preventremotequeries) +- [Security/ClearTPMIfNotReady](./policy-csp-security.md#security-cleartpmifnotready) +- [ServiceControlManager/SvchostProcessMitigation](./policy-csp-servicecontrolmanager.md#servicecontrolmanager-svchostprocessmitigation) +- [Settings/AllowOnlineTips](./policy-csp-settings.md#settings-allowonlinetips) +- [Settings/ConfigureTaskbarCalendar](./policy-csp-settings.md#settings-configuretaskbarcalendar) +- [Settings/PageVisibilityList](./policy-csp-settings.md#settings-pagevisibilitylist) +- [SmartScreen/EnableAppInstallControl](./policy-csp-smartscreen.md#smartscreen-enableappinstallcontrol) +- [SmartScreen/EnableSmartScreenInShell](./policy-csp-smartscreen.md#smartscreen-enablesmartscreeninshell) +- [SmartScreen/PreventOverrideForFilesInShell](./policy-csp-smartscreen.md#smartscreen-preventoverrideforfilesinshell) +- [Speech/AllowSpeechModelUpdate](./policy-csp-speech.md#speech-allowspeechmodelupdate) +- [Start/DisableContextMenus](./policy-csp-start.md#start-disablecontextmenus) +- [Start/HidePeopleBar](./policy-csp-start.md#start-hidepeoplebar) +- [Start/HideRecentlyAddedApps](./policy-csp-start.md#start-hiderecentlyaddedapps) +- [Start/StartLayout](./policy-csp-start.md#start-startlayout) +- [Storage/AllowDiskHealthModelUpdates](./policy-csp-storage.md#storage-allowdiskhealthmodelupdates) +- [Storage/EnhancedStorageDevices](./policy-csp-storage.md#storage-enhancedstoragedevices) +- [System/AllowBuildPreview](./policy-csp-system.md#system-allowbuildpreview) +- [System/AllowCommercialDataPipeline](./policy-csp-system.md#system-allowcommercialdatapipeline) +- [System/AllowDeviceNameInDiagnosticData](./policy-csp-system.md#system-allowdevicenameindiagnosticdata) +- [System/AllowFontProviders](./policy-csp-system.md#system-allowfontproviders) +- [System/AllowLocation](./policy-csp-system.md#system-allowlocation) +- [System/AllowTelemetry](./policy-csp-system.md#system-allowtelemetry) +- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization) +- [System/ConfigureMicrosoft365UploadEndpoint](./policy-csp-system.md#system-configuremicrosoft365uploadendpoint) +- [System/ConfigureTelemetryOptInChangeNotification](./policy-csp-system.md#system-configuretelemetryoptinchangenotification) +- [System/ConfigureTelemetryOptInSettingsUx](./policy-csp-system.md#system-configuretelemetryoptinsettingsux) +- [System/DisableDeviceDelete](./policy-csp-system.md#system-disabledevicedelete) +- [System/DisableDiagnosticDataViewer](./policy-csp-system.md#system-disablediagnosticdataviewer) +- [System/DisableEnterpriseAuthProxy](./policy-csp-system.md#system-disableenterpriseauthproxy) +- [System/DisableOneDriveFileSync](./policy-csp-system.md#system-disableonedrivefilesync) +- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore) +- [System/LimitEnhancedDiagnosticDataWindowsAnalytics](./policy-csp-system.md#system-limitenhanceddiagnosticdatawindowsanalytics) +- [System/TelemetryProxy](./policy-csp-system.md#system-telemetryproxy) +- [System/TurnOffFileHistory](./policy-csp-system.md#system-turnofffilehistory) +- [SystemServices/ConfigureHomeGroupListenerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegrouplistenerservicestartupmode) +- [SystemServices/ConfigureHomeGroupProviderServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurehomegroupproviderservicestartupmode) +- [SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxaccessorymanagementservicestartupmode) +- [SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxliveauthmanagerservicestartupmode) +- [SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivegamesaveservicestartupmode) +- [SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode](./policy-csp-systemservices.md#systemservices-configurexboxlivenetworkingservicestartupmode) +- [TextInput/AllowLanguageFeaturesUninstall](./policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall) +- [TextInput/AllowLinguisticDataCollection](./policy-csp-textinput.md#textinput-allowlinguisticdatacollection) +- [Troubleshooting/AllowRecommendations](./policy-csp-troubleshooting.md#troubleshooting-allowrecommendations) +- [Update/ActiveHoursEnd](./policy-csp-update.md#update-activehoursend) +- [Update/ActiveHoursMaxRange](./policy-csp-update.md#update-activehoursmaxrange) +- [Update/ActiveHoursStart](./policy-csp-update.md#update-activehoursstart) +- [Update/AllowAutoUpdate](./policy-csp-update.md#update-allowautoupdate) +- [Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork](./policy-csp-update.md#update-allowautowindowsupdatedownloadovermeterednetwork) +- [Update/AllowMUUpdateService](./policy-csp-update.md#update-allowmuupdateservice) +- [Update/AllowUpdateService](./policy-csp-update.md#update-allowupdateservice) +- [Update/AutoRestartDeadlinePeriodInDays](./policy-csp-update.md#update-autorestartdeadlineperiodindays) +- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates) +- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule) +- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal) +- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup) +- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel) +- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot) +- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays) +- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays) +- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod) +- [Update/DeferUpgradePeriod](./policy-csp-update.md#update-deferupgradeperiod) +- [Update/DetectionFrequency](./policy-csp-update.md#update-detectionfrequency) +- [Update/DisableDualScan](./policy-csp-update.md#update-disabledualscan) +- [Update/EngagedRestartDeadline](./policy-csp-update.md#update-engagedrestartdeadline) +- [Update/EngagedRestartDeadlineForFeatureUpdates](./policy-csp-update.md#update-engagedrestartdeadlineforfeatureupdates) +- [Update/EngagedRestartSnoozeSchedule](./policy-csp-update.md#update-engagedrestartsnoozeschedule) +- [Update/EngagedRestartSnoozeScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestartsnoozescheduleforfeatureupdates) +- [Update/EngagedRestartTransitionSchedule](./policy-csp-update.md#update-engagedrestarttransitionschedule) +- [Update/EngagedRestartTransitionScheduleForFeatureUpdates](./policy-csp-update.md#update-engagedrestarttransitionscheduleforfeatureupdates) +- [Update/ExcludeWUDriversInQualityUpdate](./policy-csp-update.md#update-excludewudriversinqualityupdate) +- [Update/FillEmptyContentUrls](./policy-csp-update.md#update-fillemptycontenturls) +- [Update/ManagePreviewBuilds](./policy-csp-update.md#update-managepreviewbuilds) +- [Update/PauseDeferrals](./policy-csp-update.md#update-pausedeferrals) +- [Update/PauseFeatureUpdates](./policy-csp-update.md#update-pausefeatureupdates) +- [Update/PauseFeatureUpdatesStartTime](./policy-csp-update.md#update-pausefeatureupdatesstarttime) +- [Update/PauseQualityUpdates](./policy-csp-update.md#update-pausequalityupdates) +- [Update/PauseQualityUpdatesStartTime](./policy-csp-update.md#update-pausequalityupdatesstarttime) +- [Update/RequireDeferUpgrade](./policy-csp-update.md#update-requiredeferupgrade) +- [Update/ScheduleImminentRestartWarning](./policy-csp-update.md#update-scheduleimminentrestartwarning) +- [Update/ScheduleRestartWarning](./policy-csp-update.md#update-schedulerestartwarning) +- [Update/ScheduledInstallDay](./policy-csp-update.md#update-scheduledinstallday) +- [Update/ScheduledInstallEveryWeek](./policy-csp-update.md#update-scheduledinstalleveryweek) +- [Update/ScheduledInstallFirstWeek](./policy-csp-update.md#update-scheduledinstallfirstweek) +- [Update/ScheduledInstallFourthWeek](./policy-csp-update.md#update-scheduledinstallfourthweek) +- [Update/ScheduledInstallSecondWeek](./policy-csp-update.md#update-scheduledinstallsecondweek) +- [Update/ScheduledInstallThirdWeek](./policy-csp-update.md#update-scheduledinstallthirdweek) +- [Update/ScheduledInstallTime](./policy-csp-update.md#update-scheduledinstalltime) +- [Update/SetAutoRestartNotificationDisable](./policy-csp-update.md#update-setautorestartnotificationdisable) +- [Update/SetDisablePauseUXAccess](./policy-csp-update.md#update-setdisablepauseuxaccess) +- [Update/SetDisableUXWUAccess](./policy-csp-update.md#update-setdisableuxwuaccess) +- [Update/SetEDURestart](./policy-csp-update.md#update-setedurestart) +- [Update/UpdateNotificationLevel](./policy-csp-update.md#update-updatenotificationlevel) +- [Update/UpdateServiceUrl](./policy-csp-update.md#update-updateserviceurl) +- [Update/UpdateServiceUrlAlternate](./policy-csp-update.md#update-updateserviceurlalternate) +- [UserRights/AccessCredentialManagerAsTrustedCaller](./policy-csp-userrights.md#userrights-accesscredentialmanagerastrustedcaller) +- [UserRights/AccessFromNetwork](./policy-csp-userrights.md#userrights-accessfromnetwork) +- [UserRights/ActAsPartOfTheOperatingSystem](./policy-csp-userrights.md#userrights-actaspartoftheoperatingsystem) +- [UserRights/AllowLocalLogOn](./policy-csp-userrights.md#userrights-allowlocallogon) +- [UserRights/BackupFilesAndDirectories](./policy-csp-userrights.md#userrights-backupfilesanddirectories) +- [UserRights/ChangeSystemTime](./policy-csp-userrights.md#userrights-changesystemtime) +- [UserRights/CreateGlobalObjects](./policy-csp-userrights.md#userrights-createglobalobjects) +- [UserRights/CreatePageFile](./policy-csp-userrights.md#userrights-createpagefile) +- [UserRights/CreatePermanentSharedObjects](./policy-csp-userrights.md#userrights-createpermanentsharedobjects) +- [UserRights/CreateSymbolicLinks](./policy-csp-userrights.md#userrights-createsymboliclinks) +- [UserRights/CreateToken](./policy-csp-userrights.md#userrights-createtoken) +- [UserRights/DebugPrograms](./policy-csp-userrights.md#userrights-debugprograms) +- [UserRights/DenyAccessFromNetwork](./policy-csp-userrights.md#userrights-denyaccessfromnetwork) +- [UserRights/DenyLocalLogOn](./policy-csp-userrights.md#userrights-denylocallogon) +- [UserRights/DenyRemoteDesktopServicesLogOn](./policy-csp-userrights.md#userrights-denyremotedesktopserviceslogon) +- [UserRights/EnableDelegation](./policy-csp-userrights.md#userrights-enabledelegation) +- [UserRights/GenerateSecurityAudits](./policy-csp-userrights.md#userrights-generatesecurityaudits) +- [UserRights/ImpersonateClient](./policy-csp-userrights.md#userrights-impersonateclient) +- [UserRights/IncreaseSchedulingPriority](./policy-csp-userrights.md#userrights-increaseschedulingpriority) +- [UserRights/LoadUnloadDeviceDrivers](./policy-csp-userrights.md#userrights-loadunloaddevicedrivers) +- [UserRights/LockMemory](./policy-csp-userrights.md#userrights-lockmemory) +- [UserRights/ManageAuditingAndSecurityLog](./policy-csp-userrights.md#userrights-manageauditingandsecuritylog) +- [UserRights/ManageVolume](./policy-csp-userrights.md#userrights-managevolume) +- [UserRights/ModifyFirmwareEnvironment](./policy-csp-userrights.md#userrights-modifyfirmwareenvironment) +- [UserRights/ModifyObjectLabel](./policy-csp-userrights.md#userrights-modifyobjectlabel) +- [UserRights/ProfileSingleProcess](./policy-csp-userrights.md#userrights-profilesingleprocess) +- [UserRights/RemoteShutdown](./policy-csp-userrights.md#userrights-remoteshutdown) +- [UserRights/RestoreFilesAndDirectories](./policy-csp-userrights.md#userrights-restorefilesanddirectories) +- [UserRights/TakeOwnership](./policy-csp-userrights.md#userrights-takeownership) +- [Wifi/AllowAutoConnectToWiFiSenseHotspots](./policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots) +- [Wifi/AllowInternetSharing](./policy-csp-wifi.md#wifi-allowinternetsharing) +- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) +- [WindowsDefenderSecurityCenter/CompanyName](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-companyname) +- [WindowsDefenderSecurityCenter/DisableAccountProtectionUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableaccountprotectionui) +- [WindowsDefenderSecurityCenter/DisableAppBrowserUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableappbrowserui) +- [WindowsDefenderSecurityCenter/DisableClearTpmButton](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablecleartpmbutton) +- [WindowsDefenderSecurityCenter/DisableDeviceSecurityUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabledevicesecurityui) +- [WindowsDefenderSecurityCenter/DisableEnhancedNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disableenhancednotifications) +- [WindowsDefenderSecurityCenter/DisableFamilyUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablefamilyui) +- [WindowsDefenderSecurityCenter/DisableHealthUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablehealthui) +- [WindowsDefenderSecurityCenter/DisableNetworkUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenetworkui) +- [WindowsDefenderSecurityCenter/DisableNotifications](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablenotifications) +- [WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disabletpmfirmwareupdatewarning) +- [WindowsDefenderSecurityCenter/DisableVirusUI](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disablevirusui) +- [WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-disallowexploitprotectionoverride) +- [WindowsDefenderSecurityCenter/Email](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-email) +- [WindowsDefenderSecurityCenter/EnableCustomizedToasts](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enablecustomizedtoasts) +- [WindowsDefenderSecurityCenter/EnableInAppCustomization](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-enableinappcustomization) +- [WindowsDefenderSecurityCenter/HideRansomwareDataRecovery](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hideransomwaredatarecovery) +- [WindowsDefenderSecurityCenter/HideSecureBoot](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidesecureboot) +- [WindowsDefenderSecurityCenter/HideTPMTroubleshooting](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidetpmtroubleshooting) +- [WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-hidewindowssecuritynotificationareacontrol) +- [WindowsDefenderSecurityCenter/Phone](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-phone) +- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url) +- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) +- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace) +- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon) +- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon) +- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications) +- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui) +- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation) +- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers) +- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching) +- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging) +- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc) +- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing) + +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md new file mode 100644 index 0000000000..f77d3c1308 --- /dev/null +++ b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-commercial-suite.md @@ -0,0 +1,71 @@ +--- +title: Policy CSPs supported by HoloLens (1st gen) Commercial Suite +description: Policy CSPs supported by HoloLens (1st gen) Commercial Suite +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 09/17/2019 +--- + +# Policy CSPs supported by HoloLens (1st gen) Commercial Suite + +> [!div class="op_single_selector"] +> +> - [HoloLens 2](policy-csps-supported-by-hololens2.md) +> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) +> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +> + +- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) +- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect) +- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname) +- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename) +- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill) +- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies) +- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack) +- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager) +- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen) +- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth) +- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection) +- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword) +- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled) +- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) +- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) +- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) +- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption) +- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) +- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) +- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) +- [System/AllowLocation](policy-csp-system.md#system-allowlocation) +- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) +- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) +- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) +- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade) +- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval) +- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) +- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) +- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl) +- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) + +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md new file mode 100644 index 0000000000..2dec2fdb8b --- /dev/null +++ b/windows/client-management/mdm/policy-csps-supported-by-hololens-1st-gen-development-edition.md @@ -0,0 +1,69 @@ +--- +title: Policy CSPs supported by HoloLens (1st gen) Development Edition +description: Policy CSPs supported by HoloLens (1st gen) Development Edition +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 07/18/2019 +--- + +# Policy CSPs supported by HoloLens (1st gen) Development Edition + +> [!div class="op_single_selector"] +> +> - [HoloLens 2](policy-csps-supported-by-hololens2.md) +> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) +> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +> + +- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) +- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) +- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect) +- [Bluetooth/AllowAdvertising](policy-csp-bluetooth.md#bluetooth-allowadvertising) +- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename) +- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack) +- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager) +- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen) +- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies) +- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth) +- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection) +- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword) +- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) +- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory) +- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired) +- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters) +- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword) +- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled) +- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) +- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) +- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption) +- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) +- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) +- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) +- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) +- [System/AllowLocation](policy-csp-system.md#system-allowlocation) +- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) +- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) +- [Update/RequireUpdateApproval](policy-csp-update.md#update-requireupdateapproval) +- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) +- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) +- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl) +- [Update/RequireDeferUpgrade](policy-csp-update.md#update-requiredeferupgrade) +- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) + +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csps-supported-by-hololens2.md b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md new file mode 100644 index 0000000000..5e31cf4abc --- /dev/null +++ b/windows/client-management/mdm/policy-csps-supported-by-hololens2.md @@ -0,0 +1,111 @@ +--- +title: Policy CSPs supported by HoloLens 2 +description: Policy CSPs supported by HoloLens 2 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 05/11/2020 +--- + +# Policy CSPs supported by HoloLens 2 + +> [!div class="op_single_selector"] +> +> - [HoloLens 2](policy-csps-supported-by-hololens2.md) +> - [HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md) +> - [HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md) +> + +- [Accounts/AllowMicrosoftAccountConnection](policy-csp-accounts.md#accounts-allowmicrosoftaccountconnection) +- [ApplicationManagement/AllowAllTrustedApps](policy-csp-applicationmanagement.md#applicationmanagement-allowalltrustedapps) +- [ApplicationManagement/AllowAppStoreAutoUpdate](policy-csp-applicationmanagement.md#applicationmanagement-allowappstoreautoupdate) +- [ApplicationManagement/AllowDeveloperUnlock](policy-csp-applicationmanagement.md#applicationmanagement-allowdeveloperunlock) +- [Authentication/AllowFastReconnect](policy-csp-authentication.md#authentication-allowfastreconnect) +- [Authentication/PreferredAadTenantDomainName](policy-csp-authentication.md#authentication-preferredaadtenantdomainname) +- [Bluetooth/AllowDiscoverableMode](policy-csp-bluetooth.md#bluetooth-allowdiscoverablemode) +- [Bluetooth/LocalDeviceName](policy-csp-bluetooth.md#bluetooth-localdevicename) +- [Browser/AllowAutofill](policy-csp-browser.md#browser-allowautofill) +- [Browser/AllowCookies](policy-csp-browser.md#browser-allowcookies) +- [Browser/AllowDoNotTrack](policy-csp-browser.md#browser-allowdonottrack) +- [Browser/AllowPasswordManager](policy-csp-browser.md#browser-allowpasswordmanager) +- [Browser/AllowPopups](policy-csp-browser.md#browser-allowpopups) +- [Browser/AllowSearchSuggestionsinAddressBar](policy-csp-browser.md#browser-allowsearchsuggestionsinaddressbar) +- [Browser/AllowSmartScreen](policy-csp-browser.md#browser-allowsmartscreen) +- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth) +- [Connectivity/AllowUSBConnection](policy-csp-connectivity.md#connectivity-allowusbconnection) +- [DeviceLock/AllowIdleReturnWithoutPassword](policy-csp-devicelock.md#devicelock-allowidlereturnwithoutpassword) +- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword) +- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired) +- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled) +- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration) +- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory) +- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts) +- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock) +- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters) +- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength) +- [Experience/AllowCortana](policy-csp-experience.md#experience-allowcortana) +- [Experience/AllowManualMDMUnenrollment](policy-csp-experience.md#experience-allowmanualmdmunenrollment) +- [Privacy/AllowInputPersonalization](policy-csp-privacy.md#privacy-allowinputpersonalization) +- [Privacy/LetAppsAccessAccountInfo](policy-csp-privacy.md#privacy-letappsaccessaccountinfo) +- [Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forceallowtheseapps) +- [Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-forcedenytheseapps) +- [Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessaccountinfo-userincontroloftheseapps) +- [Privacy/LetAppsAccessBackgroundSpatialPerception](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception) +- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forceallowtheseapps) +- [Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-forcedenytheseapps) +- [Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessbackgroundspatialperception-userincontroloftheseapps) +- [Privacy/LetAppsAccessCamera_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forceallowtheseapps) 8 +- [Privacy/LetAppsAccessCamera_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-forcedenytheseapps) 8 +- [Privacy/LetAppsAccessCamera_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccesscamera-userincontroloftheseapps) 8 +- [Privacy/LetAppsAccessGazeInput](policy-csp-privacy.md#privacy-letappsaccessgazeinput) 8 +- [Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forceallowtheseapps) 8 +- [Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-forcedenytheseapps) 8 +- [Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessgazeinput-userincontroloftheseapps) 8 +- [Privacy/LetAppsAccessCamera](policy-csp-privacy.md#privacy-letappsaccesscamera) +- [Privacy/LetAppsAccessLocation](policy-csp-privacy.md#privacy-letappsaccesslocation) +- [Privacy/LetAppsAccessMicrophone](policy-csp-privacy.md#privacy-letappsaccessmicrophone) +- [Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forceallowtheseapps) 8 +- [Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-forcedenytheseapps) 8 +- [Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps](policy-csp-privacy.md#privacy-letappsaccessmicrophone-userincontroloftheseapps) 8 +- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation) +- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption) +- [Settings/AllowDateTime](policy-csp-settings.md#settings-allowdatetime) +- [Settings/AllowVPN](policy-csp-settings.md#settings-allowvpn) +- [Speech/AllowSpeechModelUpdate](policy-csp-speech.md#speech-allowspeechmodelupdate) +- [System/AllowCommercialDataPipeline](policy-csp-system.md#system-allowcommercialdatapipeline) +- [System/AllowLocation](policy-csp-system.md#system-allowlocation) +- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard) +- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry) +- [Update/AllowAutoUpdate](policy-csp-update.md#update-allowautoupdate) +- [Update/AllowUpdateService](policy-csp-update.md#update-allowupdateservice) +- [Update/BranchReadinessLevel](policy-csp-update.md#update-branchreadinesslevel) +- [Update/DeferFeatureUpdatesPeriodInDays](policy-csp-update.md#update-deferfeatureupdatesperiodindays) +- [Update/DeferQualityUpdatesPeriodInDays](policy-csp-update.md#update-deferqualityupdatesperiodindays) +- [Update/ManagePreviewBuilds](policy-csp-update.md#update-managepreviewbuilds) +- [Update/PauseFeatureUpdates](policy-csp-update.md#update-pausefeatureupdates) +- [Update/PauseQualityUpdates](policy-csp-update.md#update-pausequalityupdates) +- [Update/ScheduledInstallDay](policy-csp-update.md#update-scheduledinstallday) +- [Update/ScheduledInstallTime](policy-csp-update.md#update-scheduledinstalltime) +- [Update/UpdateServiceUrl](policy-csp-update.md#update-updateserviceurl) +- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration) +- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) 8 + +Footnotes: + +- 1 - Added in Windows 10, version 1607. +- 2 - Added in Windows 10, version 1703. +- 3 - Added in Windows 10, version 1709. +- 4 - Added in Windows 10, version 1803. +- 5 - Added in Windows 10, version 1809. +- 6 - Added in Windows 10, version 1903. +- 7 - Added in Windows 10, version 1909. +- 8 - Added in the next major release of Windows 10. + +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-core.md b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md new file mode 100644 index 0000000000..c37cdb1b86 --- /dev/null +++ b/windows/client-management/mdm/policy-csps-supported-by-iot-core.md @@ -0,0 +1,74 @@ +--- +title: Policy CSPs supported by Windows 10 IoT Core +description: Policy CSPs supported by Windows 10 IoT Core +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 09/16/2019 +--- + +# Policy CSPs supported by Windows 10 IoT Core + +> [!div class="op_single_selector"] +> +> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md) +> - [IoT Core](policy-csps-supported-by-iot-core.md) +> + +- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera) +- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) +- [CredentialProviders/AllowPINLogon](policy-csp-credentialproviders.md#credentialproviders-allowpinlogon) +- [CredentialProviders/BlockPicturePassword](policy-csp-credentialproviders.md#credentialproviders-blockpicturepassword) +- [DataProtection/AllowDirectMemoryAccess](policy-csp-dataprotection.md#dataprotection-allowdirectmemoryaccess) +- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview) +- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost) +- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) +- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) +- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) +- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground) +- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) +- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) +- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) +- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) +- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) +- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring) +- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope) +- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination) +- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice) +- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock) +- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) +- [Wifi/AllowAutoConnectToWiFiSenseHotspots](policy-csp-wifi.md#wifi-allowautoconnecttowifisensehotspots) +- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing) +- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) +- [Wifi/WLANScanMode](policy-csp-wifi.md#wifi-wlanscanmode) + +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md new file mode 100644 index 0000000000..f0837806da --- /dev/null +++ b/windows/client-management/mdm/policy-csps-supported-by-iot-enterprise.md @@ -0,0 +1,69 @@ +--- +title: Policy CSPs supported by Windows 10 IoT Enterprise +description: Policy CSPs supported by Windows 10 IoT Enterprise +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 07/18/2019 +--- + +# Policy CSPs supported by Windows 10 IoT Enterprise + +> [!div class="op_single_selector"] +> +> - [IoT Enterprise](policy-csps-supported-by-iot-enterprise.md) +> - [IoT Core](policy-csps-supported-by-iot-core.md) +> + +- [InternetExplorer/AllowEnhancedSuggestionsInAddressBar](policy-csp-internetexplorer.md#internetexplorer-allowenhancedsuggestionsinaddressbar) +- [InternetExplorer/DisableActiveXVersionListAutoDownload](policy-csp-internetexplorer.md#internetexplorer-disableactivexversionlistautodownload) +- [InternetExplorer/DisableCompatView](policy-csp-internetexplorer.md#internetexplorer-disablecompatview) +- [InternetExplorer/DisableFeedsBackgroundSync](policy-csp-internetexplorer.md#internetexplorer-disablefeedsbackgroundsync) +- [InternetExplorer/DisableGeolocation](policy-csp-internetexplorer.md#internetexplorer-disablegeolocation) +- [InternetExplorer/DisableWebAddressAutoComplete](policy-csp-internetexplorer.md#internetexplorer-disablewebaddressautocomplete) +- [InternetExplorer/NewTabDefaultPage](policy-csp-internetexplorer.md#internetexplorer-newtabdefaultpage) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DOCacheHost](policy-csp-deliveryoptimization.md#deliveryoptimization-docachehost) +- [DeliveryOptimization/DODelayBackgroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaybackgrounddownloadfromhttp) +- [DeliveryOptimization/DODelayForegroundDownloadFromHttp](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelayforegrounddownloadfromhttp) +- [DeliveryOptimization/DODelayCacheServerFallbackBackground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackbackground) +- [DeliveryOptimization/DODelayCacheServerFallbackForeground](policy-csp-deliveryoptimization.md#deliveryoptimization-dodelaycacheserverfallbackforeground) +- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOGroupIdSource](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupidsource) +- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbatterypercentageallowedtoupload) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxBackgroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxbackgroundbandwidth) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [DeliveryOptimization/DOPercentageMaxForegroundBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxforegroundbandwidth) +- [DeliveryOptimization/DORestrictPeerSelectionBy](policy-csp-deliveryoptimization.md#deliveryoptimization-dorestrictpeerselectionby) +- [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) +- [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) +- [DeviceHealthMonitoring/AllowDeviceHealthMonitoring](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-allowdevicehealthmonitoring) +- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringscope) +- [DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination](policy-csp-devicehealthmonitoring.md#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination) +- [Privacy/LetAppsActivateWithVoice](policy-csp-privacy.md#privacy-letappsactivatewithvoice) +- [Privacy/LetAppsActivateWithVoiceAboveLock](policy-csp-privacy.md#privacy-letappsactivatewithvoiceabovelock) +- [Update/ConfigureDeadlineForFeatureUpdates](policy-csp-update.md#update-configuredeadlineforfeatureupdates) +- [Update/ConfigureDeadlineForQualityUpdates](policy-csp-update.md#update-configuredeadlineforqualityupdates) +- [Update/ConfigureDeadlineGracePeriod](policy-csp-update.md#update-configuredeadlinegraceperiod) +- [Update/ConfigureDeadlineNoAutoReboot](policy-csp-update.md#update-configuredeadlinenoautoreboot) + +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md new file mode 100644 index 0000000000..ec48042286 --- /dev/null +++ b/windows/client-management/mdm/policy-csps-supported-by-surface-hub.md @@ -0,0 +1,79 @@ +--- +title: Policy CSPs supported by Microsoft Surface Hub +description: Policy CSPs supported by Microsoft Surface Hub +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 07/18/2019 +--- + +# Policy CSPs supported by Microsoft Surface Hub + +- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera) +- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) +- [Cryptography/AllowFipsAlgorithmPolicy](policy-csp-cryptography.md#cryptography-allowfipsalgorithmpolicy) +- [Cryptography/TLSCipherSuites](policy-csp-cryptography.md#cryptography-tlsciphersuites) +- [Defender/AllowArchiveScanning](policy-csp-defender.md#defender-allowarchivescanning) +- [Defender/AllowBehaviorMonitoring](policy-csp-defender.md#defender-allowbehaviormonitoring) +- [Defender/AllowCloudProtection](policy-csp-defender.md#defender-allowcloudprotection) +- [Defender/AllowEmailScanning](policy-csp-defender.md#defender-allowemailscanning) +- [Defender/AllowFullScanOnMappedNetworkDrives](policy-csp-defender.md#defender-allowfullscanonmappednetworkdrives) +- [Defender/AllowFullScanRemovableDriveScanning](policy-csp-defender.md#defender-allowfullscanremovabledrivescanning) +- [Defender/AllowIOAVProtection](policy-csp-defender.md#defender-allowioavprotection) +- [Defender/AllowIntrusionPreventionSystem](policy-csp-defender.md#defender-allowintrusionpreventionsystem) +- [Defender/AllowOnAccessProtection](policy-csp-defender.md#defender-allowonaccessprotection) +- [Defender/AllowRealtimeMonitoring](policy-csp-defender.md#defender-allowrealtimemonitoring) +- [Defender/AllowScanningNetworkFiles](policy-csp-defender.md#defender-allowscanningnetworkfiles) +- [Defender/AllowScriptScanning](policy-csp-defender.md#defender-allowscriptscanning) +- [Defender/AllowUserUIAccess](policy-csp-defender.md#defender-allowuseruiaccess) +- [Defender/AvgCPULoadFactor](policy-csp-defender.md#defender-avgcpuloadfactor) +- [Defender/DaysToRetainCleanedMalware](policy-csp-defender.md#defender-daystoretaincleanedmalware) +- [Defender/ExcludedExtensions](policy-csp-defender.md#defender-excludedextensions) +- [Defender/ExcludedPaths](policy-csp-defender.md#defender-excludedpaths) +- [Defender/ExcludedProcesses](policy-csp-defender.md#defender-excludedprocesses) +- [Defender/PUAProtection](policy-csp-defender.md#defender-puaprotection) +- [Defender/RealTimeScanDirection](policy-csp-defender.md#defender-realtimescandirection) +- [Defender/ScanParameter](policy-csp-defender.md#defender-scanparameter) +- [Defender/ScheduleQuickScanTime](policy-csp-defender.md#defender-schedulequickscantime) +- [Defender/ScheduleScanDay](policy-csp-defender.md#defender-schedulescanday) +- [Defender/ScheduleScanTime](policy-csp-defender.md#defender-schedulescantime) +- [Defender/SignatureUpdateInterval](policy-csp-defender.md#defender-signatureupdateinterval) +- [Defender/SubmitSamplesConsent](policy-csp-defender.md#defender-submitsamplesconsent) +- [Defender/ThreatSeverityDefaultAction](policy-csp-defender.md#defender-threatseveritydefaultaction) +- [DeliveryOptimization/DOAbsoluteMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-doabsolutemaxcachesize) +- [DeliveryOptimization/DOAllowVPNPeerCaching](policy-csp-deliveryoptimization.md#deliveryoptimization-doallowvpnpeercaching) +- [DeliveryOptimization/DODownloadMode](policy-csp-deliveryoptimization.md#deliveryoptimization-dodownloadmode) +- [DeliveryOptimization/DOGroupId](policy-csp-deliveryoptimization.md#deliveryoptimization-dogroupid) +- [DeliveryOptimization/DOMaxCacheAge](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcacheage) +- [DeliveryOptimization/DOMaxCacheSize](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxcachesize) +- [DeliveryOptimization/DOMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxdownloadbandwidth) +- [DeliveryOptimization/DOMaxUploadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-domaxuploadbandwidth) +- [DeliveryOptimization/DOMinBackgroundQos](policy-csp-deliveryoptimization.md#deliveryoptimization-dominbackgroundqos) +- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-domindisksizeallowedtopeer) +- [DeliveryOptimization/DOMinFileSizeToCache](policy-csp-deliveryoptimization.md#deliveryoptimization-dominfilesizetocache) +- [DeliveryOptimization/DOMinRAMAllowedToPeer](policy-csp-deliveryoptimization.md#deliveryoptimization-dominramallowedtopeer) +- [DeliveryOptimization/DOModifyCacheDrive](policy-csp-deliveryoptimization.md#deliveryoptimization-domodifycachedrive) +- [DeliveryOptimization/DOMonthlyUploadDataCap](policy-csp-deliveryoptimization.md#deliveryoptimization-domonthlyuploaddatacap) +- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth) +- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) +- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging) +- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess) +- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel) +- [TextInput/AllowJapaneseIMESurrogatePairCharacters](policy-csp-textinput.md#textinput-allowjapaneseimesurrogatepaircharacters) +- [TextInput/AllowJapaneseIVSCharacters](policy-csp-textinput.md#textinput-allowjapaneseivscharacters) +- [TextInput/AllowJapaneseNonPublishingStandardGlyph](policy-csp-textinput.md#textinput-allowjapanesenonpublishingstandardglyph) +- [TextInput/AllowJapaneseUserDictionary](policy-csp-textinput.md#textinput-allowjapaneseuserdictionary) +- [TextInput/AllowLanguageFeaturesUninstall](policy-csp-textinput.md#textinput-allowlanguagefeaturesuninstall) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208) +- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](policy-csp-textinput.md#textinput-excludejapaneseimeexceptjis0208andeudc) +- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](policy-csp-textinput.md#textinput-excludejapaneseimeexceptshiftjis) +- [WiFi/AllowWiFiHotSpotReporting](policy-csp-wifi.md#wifi-allowwifihotspotreporting) + +## Related topics + +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policies-that-can-be-set-using-eas.md b/windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md similarity index 89% rename from windows/client-management/mdm/policies-that-can-be-set-using-eas.md rename to windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md index 3c0303c2c0..171652aa2b 100644 --- a/windows/client-management/mdm/policies-that-can-be-set-using-eas.md +++ b/windows/client-management/mdm/policy-csps-that-can-be-set-using-eas.md @@ -1,6 +1,6 @@ --- -title: Policies that can be set using Exchange Active Sync (EAS) -description: Policies that can be set using Exchange Active Sync (EAS) +title: Policy CSPs that can be set using Exchange Active Sync (EAS) +description: Policy CSPs that can be set using Exchange Active Sync (EAS) ms.reviewer: manager: dansimp ms.author: dansimp @@ -12,7 +12,7 @@ ms.localizationpriority: medium ms.date: 07/18/2019 --- -# Policies that can be set using Exchange Active Sync (EAS) +# Policy CSPs that can be set using Exchange Active Sync (EAS) - [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera) - [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui) @@ -36,4 +36,5 @@ ms.date: 07/18/2019 - [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi) ## Related topics -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file + +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index 5e0bc0b2d9..48baff3fe8 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -1,6 +1,6 @@ --- title: PXLOGICAL configuration service provider -description: PXLOGICAL configuration service provider +description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques. ms.assetid: b5fc84d4-aa32-4edd-95f1-a6a9c0feb459 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md index ae536fae17..3beb6993e3 100644 --- a/windows/client-management/mdm/reclaim-seat-from-user.md +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -1,6 +1,6 @@ --- title: Reclaim seat from user -description: The Reclaim seat from user operation returns reclaimed seats for a user in the Micosoft Store for Business. +description: The Reclaim seat from user operation returns reclaimed seats for a user in the Microsoft Store for Business. ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C ms.reviewer: manager: dansimp @@ -9,12 +9,12 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 09/18/2017 +ms.date: 05/05/2020 --- # Reclaim seat from user -The **Reclaim seat from user** operation returns reclaimed seats for a user in the Micosoft Store for Business. +The **Reclaim seat from user** operation returns reclaimed seats for a user in the Microsoft Store for Business. ## Request diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md index 3ea4ca8ee0..57368cb103 100644 --- a/windows/client-management/mdm/remotelock-csp.md +++ b/windows/client-management/mdm/remotelock-csp.md @@ -1,6 +1,6 @@ --- title: RemoteLock CSP -description: RemoteLock CSP +description: Learn how RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set. ms.assetid: c7889331-5aa3-4efe-9a7e-20d3f433659b ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md index efafe7ae2f..1b4f1ec6bc 100644 --- a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md +++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md @@ -1,6 +1,6 @@ --- title: REST API reference for Microsoft Store for Business -description: REST API reference for Microsoft Store for Business +description: REST API reference for Microsoft Store for Business--includes available operations and data structures. MS-HAID: - 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference' - 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business' diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md index eaae458518..cf00680823 100644 --- a/windows/client-management/mdm/sharedpc-csp.md +++ b/windows/client-management/mdm/sharedpc-csp.md @@ -1,6 +1,6 @@ --- title: SharedPC CSP -description: SharedPC CSP +description: Learn how the SharedPC configuration service provider is used to configure settings for Shared PC usage. ms.assetid: 31273166-1A1E-4F96-B176-CB42ECB80957 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md index ee4f4c5e68..9d9be94f93 100644 --- a/windows/client-management/mdm/storage-ddf-file.md +++ b/windows/client-management/mdm/storage-ddf-file.md @@ -1,6 +1,6 @@ --- title: Storage DDF file -description: Storage DDF file +description: See how storage configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: 247062A3-4DFB-4B14-A3D1-68D02C27703C ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 79992abc08..70f5a31c7c 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -1,6 +1,6 @@ --- title: WiFi CSP -description: WiFi CSP +description: The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. ms.assetid: f927cb5f-9555-4029-838b-03fb68937f06 ms.reviewer: manager: dansimp @@ -102,7 +102,7 @@ Added in Windows 10, version 1607. Optional. When set to true it enables Web Pr Value type is bool. **WiFiCost** -Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted. +Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behavior: Unrestricted. Supported values: diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md index 8757e65d3b..b22b7284fa 100644 --- a/windows/client-management/mdm/win32appinventory-ddf-file.md +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md @@ -1,6 +1,6 @@ --- title: Win32AppInventory DDF file -description: Win32AppInventory DDF file +description: See the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML. ms.assetid: F6BCC10B-BFE4-40AB-AEEE-34679A4E15B0 ms.reviewer: manager: dansimp diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 7831cfbce6..28421dc466 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -1,6 +1,6 @@ --- title: WindowsDefenderApplicationGuard CSP -description: WindowsDefenderApplicationGuard CSP +description: Configure the settings in Windows Defender Application Guard by using the WindowsDefenderApplicationGuard configuration service provider (CSP). ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index 6b319f1404..e519d6dcd8 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -1,6 +1,6 @@ --- title: WindowsDefenderApplicationGuard DDF file -description: WindowsDefenderApplicationGuard DDF file +description: See the OMA DM device description framework (DDF) for the WindowsDefenderApplicationGuard DDF file configuration service provider. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index 92f6496c2d..d4f5426134 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -34,3 +34,23 @@ Supported operations are Add, Get, Replace, and Delete. Value type is string. Optional. Enable block period (minutes), used to specify the duration for which automatic authentication attempts will be blocked from occurring after a failed authentication attempt. Supported operations are Add, Get, Replace, and Delete. Value type is integer. + +The following example shows how to add a wired network profile: +```xml +
When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.
Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 | diff --git a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md index 77f7cfe31a..d888468cfe 100644 --- a/windows/deployment/planning/windows-to-go-frequently-asked-questions.md +++ b/windows/deployment/planning/windows-to-go-frequently-asked-questions.md @@ -1,6 +1,6 @@ --- title: Windows To Go frequently asked questions (Windows 10) -description: Windows To Go frequently asked questions +description: Though Windows To Go is no longer being developed, these frequently asked questions (FAQ) can provide answers about the feature. ms.assetid: bfdfb824-4a19-4401-b369-22c5e6ca9d6e ms.reviewer: manager: laurawi diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md index 3d5adb42f4..e8a3556632 100644 --- a/windows/deployment/s-mode.md +++ b/windows/deployment/s-mode.md @@ -1,6 +1,6 @@ --- title: Windows 10 Pro in S mode -description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? +description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode ms.mktglfcycl: deploy ms.localizationpriority: medium @@ -18,33 +18,35 @@ ms.topic: article --- # Windows 10 in S mode - What is it? -S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS. + +S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.  ## S mode key features + **Microsoft-verified security** -With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. +With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially engineered malware. **Performance that lasts** -Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go. +Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go. **Choice and flexibility** -Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below. +Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/windows/deployment/windows-10-pro-in-s-mode) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.  ## Deployment -Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired. +Windows 10 in S mode is built for [modern management](https://docs.microsoft.com/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot). Windows Autopilot lets you deploy the device directly to a user without IT having to touch the physical device. Instead of manually deploying a custom image, Windows Autopilot will start with a generic PC that can only be used to join the company domain; policies are then deployed automatically through mobile device management to customize the device to the user and the desired environment. Devices are shipped in S mode; you can either keep them in S mode or use Windows Autopilot to switch the device out of S mode during the first run process or later using mobile device management, if desired. ## Keep line of business apps functioning with Desktop Bridge -Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. +Worried about your line of business apps not working in S mode? [Desktop Bridge](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-root) enables you to convert your line of business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Microsoft Store, making it ideal for Windows 10 in S mode. ## Repackage Win32 apps into the MSIX format @@ -54,6 +56,6 @@ The [MSIX Packaging Tool](https://docs.microsoft.com/windows/application-managem ## Related links - [Consumer applications for S mode](https://www.microsoft.com/windows/s-mode) -- [S mode devices](https://www.microsoft.com/windows/view-all-devices) +- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) - [Windows Defender Application Control deployment guide](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) - [Windows Defender Advanced Threat Protection](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md index c981469bef..8af36e4df1 100644 --- a/windows/deployment/update/media-dynamic-update.md +++ b/windows/deployment/update/media-dynamic-update.md @@ -42,7 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https  -The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results. +The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in bold the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results. |To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) | diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md index 1fc602e081..5953fcc349 100644 --- a/windows/deployment/update/update-compliance-feature-update-status.md +++ b/windows/deployment/update/update-compliance-feature-update-status.md @@ -2,7 +2,7 @@ title: Update Compliance - Feature Update Status report ms.reviewer: manager: laurawi -description: an overview of the Feature Update Status report +description: Find the latest status of feature updates with an overview of the Feature Update Status report. ms.prod: w10 ms.mktglfcycl: deploy ms.pagetype: deploy diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md index b3a4ca35a7..f17250eec3 100644 --- a/windows/deployment/update/update-compliance-need-attention.md +++ b/windows/deployment/update/update-compliance-need-attention.md @@ -35,7 +35,7 @@ The different issues are broken down by Device Issues and Update Issues: * **Cancelled**: This issue occurs when a user cancels the update process. * **Rollback**: This issue occurs when a fatal error occurs during a feature update, and the device is rolled back to the previous version. * **Uninstalled**: This issue occurs when a feature update is uninstalled from a device by a user or an administrator. Note that this might not be a problem if the uninstallation was intentional, but is highlighted as it might need attention. -* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 10 days. +* **Progress stalled:** This issue occurs when an update is in progress, but has not completed over a period of 7 days. Selecting any of the issues will take you to a [Log Analytics](https://docs.microsoft.com/azure/log-analytics/query-language/get-started-analytics-portal) view with all devices that have the given issue. diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index cd447823e3..0f27e47a7e 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -46,7 +46,7 @@ Application compatibility testing has historically been a burden when approachin Most Windows 7–compatible desktop applications will be compatible with Windows 10 straight out of the box. Windows 10 achieved such high compatibility because the changes in the existing Win32 application programming interfaces were minimal. Combined with valuable feedback via the Windows Insider Program and diagnostic data, this level of compatibility can be maintained through each feature update. As for websites, Windows 10 includes Internet Explorer 11 and its backward-compatibility modes for legacy websites. Finally, UWP apps follow a compatibility story similar to desktop applications, so most of them will be compatible with Windows 10. -For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. If it’s unclear whether an application is compatible with Windows 10, IT pros can either consult with the ISV or check the supported software directory at [http://www.readyforwindows.com](http://www.readyforwindows.com). +For the most important business-critical applications, organizations should still perform testing on a regular basis to validate compatibility with new builds. For remaining applications, consider validating them as part of a pilot deployment process to reduce the time spent on compatibility testing. Desktop Analytics s a cloud-based service that integrates with Configuration Manager. The service provides insight and intelligence for you to make more informed decisions about the update readiness of your Windows endpoints, including assessment of your existing applications. For more, see [Ready for modern desktop retirement FAQ](https://docs.microsoft.com/mem/configmgr/desktop-analytics/ready-for-windows). ### Device compatibility diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md index e82f2eebde..ae0773920a 100644 --- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md +++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md @@ -28,17 +28,17 @@ In the past, traditional Windows deployments tended to be large, lengthy, and ex Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like: -- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-releas builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. +- **Configure test devices.** Configure test devices in the Windows Insider Program so that Insiders can test feature updates before they’re available to the Semi-Annual Channel. Typically, this would be a small number of test devices that IT staff members use to evaluate pre-release builds of Windows. Microsoft provides current development builds to Windows Insider members approximately every week so that interested users can see the functionality Microsoft is adding. See the section Windows Insider for details on how to enroll in the Windows Insider Program on a Windows 10 device. - **Identify excluded devices.** For some organizations, special-purpose devices such as those used to control factory or medical equipment or run ATMs require a stricter, less frequent feature update cycle than the Semi-annual Channel can offer. For those machines, you must install Windows 10 Enterprise LTSB to avoid feature updates for up to 10 years. Identify these devices, and separate them from the phased deployment and servicing cycles to help remove confusion for your administrators and ensure that devices are handled correctly. - **Recruit volunteers.** The purpose of testing a deployment is to receive feedback. One effective way to recruit pilot users is to request volunteers. When doing so, clearly state that you’re looking for feedback rather than people to just “try it out” and that there could be occasional issues involved with accepting feature updates right away. With Windows as a service, the expectation is that there should be few issues, but if an issue does arise, you want testers to let you know as soon as possible. When considering whom to recruit for pilot groups, be sure to include members who provide the broadest set of applications and devices to validate the largest number of apps and devices possible. - **Update Group Policy.** Each feature update includes new group policies to manage new features. If you use Group Policy to manage devices, the Group Policy Admin for the Active Directory domain will need to download a .admx package and copy it to their [Central Store](https://support.microsoft.com/help/929841/how-to-create-the-central-store-for-group-policy-administrative-templa) (or to the [PolicyDefinitions](https://msdn.microsoft.com/library/bb530196.aspx) directory in the SYSVOL of a domain controller if not using a Central Store). Always manage new group polices from the version of Windows 10 they shipped with by using the Remote Server Administration Tools. The ADMX download package is created at the end of each development cycle and then posted for download. To find the ADMX download package for a given Windows build, search for “ADMX download for Windows build xxxx”. For details about Group Policy management, see [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) - **Choose a servicing tool.** Decide which product you’ll use to manage the Windows updates in your environment. If you’re currently using Windows Server Update Services (WSUS) or Microsoft Endpoint Configuration Manager to manage your Windows updates, you can continue using those products to manage Windows 10 updates. Alternatively, you can use Windows Update for Business. In addition to which product you’ll use, consider how you’ll deliver the updates. With Windows 10, multiple peer-to-peer options are available to make update distribution faster. For a comparison of tools, see [Servicing tools](waas-overview.md#servicing-tools). - **Prioritize applications.** First, create an application portfolio. This list should include everything installed in your organization and any webpages your organization hosts. Next, prioritize this list to identify those that are the most business critical. Because the expectation is that application compatibility with Windows 10 will be high, only the most business critical applications should be tested before the pilot phase; everything else can be tested afterwards. For more information about identifying compatibility issues withe applications, see [Manage Windows upgrades with Upgrade Analytics](../upgrade/manage-windows-upgrades-with-upgrade-readiness.md). ->[!NOTE] ->This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). +> [!NOTE] +> This strategy is applicable to approaching an environment in which Windows 10 already exists. For information about how to deploy or upgrade to Windows 10 where another version of Windows exists, see [Plan for Windows 10 deployment](../planning/index.md). > ->>Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. +> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. Each time Microsoft releases a Windows 10 feature update, the IT department should use the following high-level process to help ensure that the broad deployment is successful: diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md index e571a94f62..96ae56c6f7 100644 --- a/windows/deployment/update/waas-wufb-group-policy.md +++ b/windows/deployment/update/waas-wufb-group-policy.md @@ -1,6 +1,6 @@ --- title: Configure Windows Update for Business via Group Policy (Windows 10) -description: Walkthrough demonstrating how to configure Windows Update for Business settings, using Group Policy. +description: Walk-through demonstration of how to configure Windows Update for Business settings using Group Policy. ms.prod: w10 ms.mktglfcycl: manage author: jaimeo diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index 0a503b2010..81c17409db 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -3,7 +3,7 @@ title: SetupDiag ms.reviewer: manager: laurawi ms.author: greglin -description: How to use the SetupDiag tool to diagnose Windows Setup errors +description: SetupDiag works by examining Windows Setup log files. This article shows how to use the SetupDiag tool to diagnose Windows Setup errors. keywords: deploy, troubleshoot, windows, 10, upgrade, update, setup, diagnose ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md index 64716a73e7..4703c12558 100644 --- a/windows/deployment/upgrade/submit-errors.md +++ b/windows/deployment/upgrade/submit-errors.md @@ -1,76 +1,77 @@ ---- -title: Submit Windows 10 upgrade errors using Feedback Hub -ms.reviewer: -manager: laurawi -ms.author: greglin -description: Submit Windows 10 upgrade errors for diagnosis using feedback hub -keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.localizationpriority: medium -ms.topic: article ---- - -# Submit Windows 10 upgrade errors using Feedback Hub - -**Applies to** -- Windows 10 - ->[!NOTE] ->This is a 100 level topic (basic).
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. - -## In this topic - -This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub. - -## About the Feedback Hub - -The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0). - -The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically. - -## Submit feedback - -To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md) - -The Feedback Hub will open. - -- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**. -- Under **Give us more detail**, provide additional information about the failed upgrade, such as: - - When did the failure occur? - - Were there any reboots? - - How many times did the system reboot? - - How did the upgrade fail? - - Were any error codes visible? - - Did the computer fail to a blue screen? - - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back? -- Additional details - - What type of security software is installed? - - Is the computer up to date with latest drivers and firmware? - - Are there any external devices connected? -- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**. - -You can attach a screenshot or file if desired. This is optional, but can be extremely helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs). - -Click **Submit** to send your feedback. - -See the following example: - - - -After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. - -## Link to your feedback - -After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. - - - -## Related topics - -[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) - +--- +title: Submit Windows 10 upgrade errors using Feedback Hub +ms.reviewer: +manager: laurawi +ms.author: greglin +description: Download the Feedback Hub app, and then submit Windows 10 upgrade errors for diagnosis using feedback hub. +keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, feedback +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: deploy +audience: itpro +author: greg-lindsay +ms.localizationpriority: medium +ms.topic: article +--- + +# Submit Windows 10 upgrade errors using Feedback Hub + +**Applies to** +- Windows 10 + +>[!NOTE] +>This is a 100 level topic (basic).
+>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article. + +## In this topic + +This topic describes how to submit problems with a Windows 10 upgrade to Microsoft using the Windows 10 Feedback Hub. + +## About the Feedback Hub + +The Feedback Hub app lets you tell Microsoft about any problems you run in to while using Windows 10 and send suggestions to help us improve your Windows experience. Previously, you could only use the Feedback Hub if you were in the Windows Insider Program. Now anyone can use this tool. You can download the Feedback Hub app from the Microsoft Store [here](https://www.microsoft.com/store/p/feedback-hub/9nblggh4r32n?SilentAuth=1&wa=wsignin1.0). + +The Feedback Hub requires Windows 10 or Windows 10 mobile. If you are having problems upgrading from an older version of Windows to Windows 10, you can use the Feedback Hub to submit this information, but you must collect the log files from the legacy operating system and then attach these files to your feedback using a device that is running Windows 10. If you are upgrading to Windows 10 from a previous verion of Windows 10, the Feedback Hub will collect log files automatically. + +## Submit feedback + +To submit feedback about a failed Windows 10 upgrade, click the following link: [Feedback Hub](feedback-hub://?referrer=resolveUpgradeErrorsPage&tabid=2&contextid=81&newFeedback=true&feedbackType=2&topic=submit-errors.md) + +The Feedback Hub will open. + +- Under **Tell us about it**, and then under **Summarize your issue**, type **Upgrade failing**. +- Under **Give us more detail**, provide additional information about the failed upgrade, such as: + - When did the failure occur? + - Were there any reboots? + - How many times did the system reboot? + - How did the upgrade fail? + - Were any error codes visible? + - Did the computer fail to a blue screen? + - Did the computer automatically roll back or did it hang, requiring you to power cycle it before it rolled back? +- Additional details + - What type of security software is installed? + - Is the computer up to date with latest drivers and firmware? + - Are there any external devices connected? +- If you used the link above, the category and subcategory will be automatically selected. If it is not selected, choose **Install and Update** and **Windows Installation**. + +You can attach a screenshot or file if desired. This is optional, but can be extremely helpful when diagnosing your upgrade issue. The location of these files is described here: [Windows Setup log files and event logs](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-log-files-and-event-logs). + +Click **Submit** to send your feedback. + +See the following example: + + + +After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided. + +## Link to your feedback + +After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed. + + + +## Related topics + +[Windows 10 release information](https://technet.microsoft.com/windows/release-info.aspx) + diff --git a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md index b0cf117686..b248875782 100644 --- a/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md +++ b/windows/deployment/usmt/getting-started-with-the-user-state-migration-tool.md @@ -1,6 +1,6 @@ --- title: User State Migration Tool (USMT) - Getting Started (Windows 10) -description: Getting Started with the User State Migration Tool (USMT) +description: Plan, collect, and prepare your source computer for migration using the User State Migration Tool (USMT). ms.assetid: 506ff1d2-94b8-4460-8672-56aad963504b ms.reviewer: manager: laurawi diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md index bc484bd496..d21fac244a 100644 --- a/windows/deployment/usmt/understanding-migration-xml-files.md +++ b/windows/deployment/usmt/understanding-migration-xml-files.md @@ -1,6 +1,6 @@ --- title: Understanding Migration XML Files (Windows 10) -description: Understanding Migration XML Files +description: Modify the behavior of a basic User State Migration Tool (USMT) 10.0 migration by using XML files. ms.assetid: d3d1fe89-085c-4da8-9657-fd54b8bfc4b7 ms.reviewer: manager: laurawi diff --git a/windows/deployment/usmt/usmt-estimate-migration-store-size.md b/windows/deployment/usmt/usmt-estimate-migration-store-size.md index 34eeb23adc..51ea6051cb 100644 --- a/windows/deployment/usmt/usmt-estimate-migration-store-size.md +++ b/windows/deployment/usmt/usmt-estimate-migration-store-size.md @@ -1,139 +1,140 @@ ---- -title: Estimate Migration Store Size (Windows 10) -description: Estimate Migration Store Size -ms.assetid: cfb9062b-7a2a-467a-a24e-0b31ce830093 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Estimate Migration Store Size - - -The disk space requirements for a migration are dependent on the size of the migration store and the type of migration. You can estimate the amount of disk space needed for computers in your organization based on information about your organization's infrastructure. You can also calculate the disk space requirements using the ScanState tool. - -## In This Topic - - -- [Hard Disk Space Requirements](#bkmk-spacereqs). Describes the disk space requirements for the migration store and other considerations on the source and destination computers. - -- [Calculate Disk Space Requirements Using the ScanState Tool](#bkmk-calcdiskspace). Describes how to use the ScanState tool to determine how big the migration store will be on a particular computer. - -- [Estimate Migration Store Size](#bkmk-estmigstoresize). Describes how to estimate the average size of migration stores for the computers in your organization, based on your infrastructure. - -## Hard Disk Space Requirements - - -- **Store.** For non-hard-link migrations, you should ensure that there is enough available disk space at the location where you will save your store to contain the data being migrated. You can save your store to another partition, an external storage device such as a USB flash drive or a server. For more information, see [Choose a Migration Store Type](usmt-choose-migration-store-type.md). - -- **Source Computer.** The source computer needs enough available space for the following: - - - [E250 megabytes (MB) minimum of hard disk space.](#bkmk-estmigstoresize) Space is needed to support the User State Migration Tool (USMT) 10.0 operations, for example, growth in the page file. Provided that every volume involved in the migration is formatted as NTFS, 250 MB should be enough space to ensure success for almost every hard-link migration, regardless of the size of the migration. The USMT tools will not create the migration store if 250 MB of disk space is not available. - - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. This does not include the minimum 250 MB needed to create the migration store. The amount of temporary space required can be calculated using the ScanState tool. - - - [Hard-link migration store.](#bkmk-estmigstoresize) It is not necessary to estimate the size of a hard-link migration store. The only case where the hard-link store can be quite large is when non-NTFS file systems exist on the system and contain data being migrated. - -- [Destination computer.](#bkmk-estmigstoresize) The destination computer needs enough available space for the following: - - - [Operating system.](#bkmk-estmigstoresize) - - - [Applications.](#bkmk-estmigstoresize) - - - [Data being migrated.](#bkmk-estmigstoresize) It is important to consider that in addition to the files being migrated, registry information will also require hard disk space for storage. - - - [Temporary space for USMT to run.](#bkmk-estmigstoresize) Additional disk space for the USMT tools to operate is required. The amount of temporary space required can be calculated using the ScanState tool. - -## Calculate Disk Space Requirements using the ScanState Tool - - -You can use the ScanState tool to calculate the disk space requirements for a particular compressed or uncompressed migration. It is not necessary to estimate the migration store size for a hard-link migration since this method does not create a separate migration store. The ScanState tool provides disk space requirements for the state of the computer at the time the tool is run. The state of the computer may change during day to day use so it is recommended that you use the calculations as an estimate when planning your migration. - -**To run the ScanState tool on the source computer with USMT installed,** - -1. Open a command prompt with administrator privileges. - -2. Navigate to the USMT tools. For example, type - - ``` syntax - cd /d "C:\Program Files (x86)\Windows Kits\8.0\Assessment and Deployment Kit\User State Migration Tool\
| Component | -Option | -Description | -
|---|---|---|
ScanState |
-/encrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112> |
-This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the ScanState tool employs the 3DES algorithm. |
-
LoadState |
-/decrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112> |
-This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the LoadState tool employs the 3DES algorithm. |
-
| Component | +Option | +Description | +
|---|---|---|
ScanState |
+/encrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112> |
+This option and argument specify that the migration store is encrypted and which algorithm to use. When the algorithm argument is not provided, the ScanState tool employs the 3DES algorithm. |
+
LoadState |
+/decrypt<AES, AES_128, AES_192, AES_256, 3DES, 3DES_112> |
+This option and argument specify that the store must be decrypted and which algorithm to use. When the algorithm argument is not provided, the LoadState tool employs the 3DES algorithm. |
+
| Operating Systems | -ScanState (source computer) | -LoadState (destination computer) | -
|---|---|---|
32-bit versions of Windows 7 |
-X |
-X |
-
64-bit versions of Windows 7 |
-X |
-X |
-
32-bit versions of Windows 8 |
-X |
-X |
-
64-bit versions of Windows 8 |
-X |
-X |
-
32-bit versions of Windows 10 |
-X |
-X |
-
64-bit versions of Windows 10 |
-X |
-X |
-
-You must run USMT using an account with full administrative permissions, including the following privileges: - -- SeBackupPrivilege (Back up files and directories) -- SeDebugPrivilege (Debug programs) -- SeRestorePrivilege (Restore files and directories) -- SeSecurityPrivilege (Manage auditing and security log) -- SeTakeOwnership Privilege (Take ownership of files or other objects) - - -## Config.xml - -- **Specify the /c option and <ErrorControl> settings in the Config.xml file.**
- USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md). - -## LoadState - -- **Install applications before running the LoadState command.**
- Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved. - -## Hard-Disk Requirements - - -Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). - -## User Prerequisites - - -This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following: - -- The navigation and hierarchy of the Windows registry. -- The files and file types that applications use. -- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors. -- XML-authoring basics. - -## Related topics - - -[Plan Your Migration](usmt-plan-your-migration.md)
-[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
-[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
- - - - - - - - - +--- +title: USMT Requirements (Windows 10) +description: While the User State Migration Tool (USMT) doesn't have many requirements, these tips and tricks can help smooth the migration process. +ms.assetid: 2b0cf3a3-9032-433f-9622-1f9df59d6806 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 05/03/2017 +ms.topic: article +--- + +# USMT Requirements + + +## In This Topic + + +- [Supported Operating Systems](#bkmk-1) +- [Windows PE](#windows-pe) +- [Credentials](#credentials) +- [Config.xml](#configxml) +- [LoadState](#loadstate) +- [Hard Disk Requirements](#bkmk-3) +- [User Prerequisites](#bkmk-userprereqs) + +## Supported Operating Systems + + +The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU speed requirements for either the source or destination computers. If your computer complies with the system requirements of the operating system, it also complies with the requirements for USMT. You need an intermediate store location large enough to hold all of the migrated data and settings, and the same amount of hard disk space on the destination computer for the migrated files and settings. + +The following table lists the operating systems supported in USMT. + +
| Operating Systems | +ScanState (source computer) | +LoadState (destination computer) | +
|---|---|---|
32-bit versions of Windows 7 |
+X |
+X |
+
64-bit versions of Windows 7 |
+X |
+X |
+
32-bit versions of Windows 8 |
+X |
+X |
+
64-bit versions of Windows 8 |
+X |
+X |
+
32-bit versions of Windows 10 |
+X |
+X |
+
64-bit versions of Windows 10 |
+X |
+X |
+
+You must run USMT using an account with full administrative permissions, including the following privileges: + +- SeBackupPrivilege (Back up files and directories) +- SeDebugPrivilege (Debug programs) +- SeRestorePrivilege (Restore files and directories) +- SeSecurityPrivilege (Manage auditing and security log) +- SeTakeOwnership Privilege (Take ownership of files or other objects) + + +## Config.xml + +- **Specify the /c option and <ErrorControl> settings in the Config.xml file.**
+ USMT will fail if it cannot migrate a file or setting, unless you specify the **/c** option. When you specify the **/c** option, USMT logs an error each time it encounters a file that is in use that did not migrate, but the migration will not be interrupted. In USMT, you can specify in the Config.xml file which types of errors should allow the migration to continue, and which should cause the migration to fail. For more information about error reporting, and the **<ErrorControl>** element, see [Config.xml File](usmt-configxml-file.md), [Log Files](usmt-log-files.md), and [XML Elements Library](usmt-xml-elements-library.md). + +## LoadState + +- **Install applications before running the LoadState command.**
+ Install all applications on the destination computer before restoring the user state. This ensures that migrated settings are preserved. + +## Hard-Disk Requirements + + +Ensure that there is enough available space in the migration-store location and on the source and destination computers. For more information, see [Estimate Migration Store Size](usmt-estimate-migration-store-size.md). + +## User Prerequisites + + +This documentation assumes that IT professionals using USMT understand command-line tools. The documentation also assumes that IT professionals using USMT to author MigXML rules understand the following: + +- The navigation and hierarchy of the Windows registry. +- The files and file types that applications use. +- The methods to extract application and setting information manually from applications created by internal software-development groups and non-Microsoft software vendors. +- XML-authoring basics. + +## Related topics + + +[Plan Your Migration](usmt-plan-your-migration.md)
+[Estimate Migration Store Size](usmt-estimate-migration-store-size.md)
+[User State Migration Tool (USMT) Overview Topics](usmt-topics.md)
+ + + + + + + + + diff --git a/windows/deployment/usmt/usmt-xml-reference.md b/windows/deployment/usmt/usmt-xml-reference.md index e69e94db8f..ba0467192f 100644 --- a/windows/deployment/usmt/usmt-xml-reference.md +++ b/windows/deployment/usmt/usmt-xml-reference.md @@ -1,78 +1,79 @@ ---- -title: USMT XML Reference (Windows 10) -description: USMT XML Reference -ms.assetid: fb946975-0fee-4ec0-b3ef-7c34945ee96f -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# USMT XML Reference - - -This section contains topics that you can use to work with and to customize the migration XML files. - -## In This Section - - -
| - | Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file. |
-
| - | Describes the Config.xml file and policies concerning its configuration. |
-
| - | Describes how to customize USMT XML files. |
-
| - | Gives examples of XML files for various migration scenarios. |
-
| - | Describes the precedence of migration rules and how conflicts are handled. |
-
| - | Describes the XML helper functions. |
-
| - | Describes the requirements for custom XML files. |
-
| - | Describes environment variables recognized by USMT. |
-
| - | Describes the XML elements and helper functions for authoring migration XML files to use with USMT. |
-
| + | Provides an overview of the default and custom migration XML files and includes guidelines for creating and editing a customized version of the MigDocs.xml file. |
+
| + | Describes the Config.xml file and policies concerning its configuration. |
+
| + | Describes how to customize USMT XML files. |
+
| + | Gives examples of XML files for various migration scenarios. |
+
| + | Describes the precedence of migration rules and how conflicts are handled. |
+
| + | Describes the XML helper functions. |
+
| + | Describes the requirements for custom XML files. |
+
| + | Describes environment variables recognized by USMT. |
+
| + | Describes the XML elements and helper functions for authoring migration XML files to use with USMT. |
+
-- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
-- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
-- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
-- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
-- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
-- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
-- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. - -## Requirements - -### Windows 10 Enterprise requirements - -> [!NOTE] -> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). - -For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: - -- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. -- Azure Active Directory (Azure AD) available for identity management. -- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. - -For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). - -If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) - -#### Multi-factor authentication - -An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. - -To resolve this issue: - -If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. - -If the device is running Windows 10, version 1809 or later: -1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. -2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: - -
-
- - -### Windows 10 Education requirements - -1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. -2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security> Activation. -3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. -4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. - ->If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition. - - -## Benefits - -With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: - -- [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare) -- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing) - -You can benefit by moving to Windows as an online service in the following ways: - -1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. -2. User logon triggers a silent edition upgrade, with no reboot required -3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. -4. Compliance support via seat assignment. -5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. - -## How it works - -The device is AAD joined from Settings > Accounts > Access work or school. - -The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. - - - -When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. - -Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. - -The following figures summarize how the Subscription Activation model works: - -Before Windows 10, version 1903:
- - -After Windows 10, version 1903:
- - -Note: -1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). -2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). - -### Scenarios - -**Scenario #1**: You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). - -All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. - -**Scenario #2**: You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). - -To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: - -
-cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43- -The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](https://technet.microsoft.com/library/jj612867.aspx) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. - -**Scenario #3**: Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. - -In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. - -If you’re running Windows 7, it can be more work. A wipe-and-load approach works, but it is likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This is a supported path, and completes the move in one step. This method also works if you are running Windows 8.1 Pro. - -### Licenses - -The following policies apply to acquisition and renewal of licenses on devices: -- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. -- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. -- Up to five devices can be upgraded for each user license. -- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. - -Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. - -When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal). - -### Existing Enterprise deployments - -If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. - -Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience) - -If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. - -If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: - -
-@echo off
-FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
-SET "ProductKey=%%A"
-goto InstallKey
-)
-
-:InstallKey
-IF [%ProductKey%]==[] (
-echo No key present
-) ELSE (
-echo Installing %ProductKey%
-changepk.exe /ProductKey %ProductKey%
-)
-
-
-### Obtaining an Azure AD license
-
-Enterprise Agreement/Software Assurance (EA/SA):
-- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
-- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
-- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
-
-Microsoft Products & Services Agreements (MPSA):
-- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
-- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
-- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
-
-### Deploying licenses
-
-See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
-
-## Virtual Desktop Access (VDA)
-
-Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/CloudandHosting/licensing_sca.aspx).
-
-Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
-
-## Related topics
-
-[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)-[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
+--- +title: Windows 10 Subscription Activation +description: How to dynamically enable Windows 10 Enterprise or Education subscriptions +keywords: upgrade, update, task sequence, deploy +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: mdt +audience: itpro +author: greg-lindsay +manager: laurawi +ms.collection: M365-modern-desktop +search.appverid: +- MET150 +ms.topic: article +--- + +# Windows 10 Subscription Activation + +Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5. + +With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**. + +The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices. + +## Subscription Activation for Windows 10 Enterprise + +With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.md) in your organization can now be accomplished with no keys and no reboots. + + If you are running Windows 10, version 1703 or later: + +- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise. +- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions. + +Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-whatis). + +## Subscription Activation for Windows 10 Education + +Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section. + +## In this article + +- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later. +- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment. +- [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model. +- [Benefits](#benefits): Advantages of Windows 10 subscription-based licensing. +- [How it works](#how-it-works): A summary of the subscription-based licensing option. +- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud. + +For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md). + +## Inherited Activation + +Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host. + +When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM. + +To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. + +## The evolution of deployment + +> [!NOTE] +> The original version of this section can be found at [Changing between Windows SKUs](https://blogs.technet.microsoft.com/mniehaus/2017/10/09/changing-between-windows-skus/). + +The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic. + + + +- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
+- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
+- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
+- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
+- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
+- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
+- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
+- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription. + +## Requirements + +### Windows 10 Enterprise requirements + +> [!NOTE] +> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](https://docs.microsoft.com/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines). + +For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following: + +- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. +- Azure Active Directory (Azure AD) available for identity management. +- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. + +For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). + +If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) + +#### Multi-factor authentication + +An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. + +To resolve this issue: + +If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal. + +If the device is running Windows 10, version 1809 or later: +1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch. +2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below: + + 
+ 
+  + +### Windows 10 Education requirements + +1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded. +2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation. +3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription. +4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported. + +> [!IMPORTANT] +> If Windows 10 Pro is converted to Windows 10 Pro Education [by using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device by using a Windows 10 Pro Education edition. + +## Benefits + +With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following: + +- [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare) +- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing) + +You can benefit by moving to Windows as an online service in the following ways: + +1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization. +2. User logon triggers a silent edition upgrade, with no reboot required +3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys. +4. Compliance support via seat assignment. +5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs. + +## How it works + +The device is AAD joined from Settings > Accounts > Access work or school. + +The IT administrator assigns Windows 10 Enterprise to a user. See the following figure. + + + +When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires. + +Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, version 1903 or later can get Windows 10 Enterprise or Education Semi-Annual Channel on up to five devices for each user covered by the license. This benefit does not include Long Term Servicing Channel. + +The following figures summarize how the Subscription Activation model works: + +Before Windows 10, version 1903:
+ + +After Windows 10, version 1903:
+ + +> [!NOTE] +> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). +> +> - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019). + +### Scenarios + +**Scenario #1**: You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). + +All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device. + +**Scenario #2**: You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise). + +To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: + +
+cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43+ +The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate. This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide. It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. + +**Scenario #3**: Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts. The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in. + +In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above. + +If you’re running Windows 7, it can be more work. A wipe-and-load approach works, but it is likely to be easier to upgrade from Windows 7 Pro directly to Windows 10 Enterprise. This is a supported path, and completes the move in one step. This method also works if you are running Windows 8.1 Pro. + +### Licenses + +The following policies apply to acquisition and renewal of licenses on devices: +- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license. +- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew. +- Up to five devices can be upgraded for each user license. +- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded. + +Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs. + +When you have the required Azure AD subscription, group-based licensing is the preferred method to assign Enterprise E3 and E5 licenses to users. For more information, see [Group-based licensing basics in Azure AD](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-whatis-azure-portal). + +### Existing Enterprise deployments + +If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. + +> [!CAUTION] +> Firmware-embedded Windows 10 activation happens automatically only when we go through the Out-of-Box Experience (OOBE). + +If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. + +If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt: + +
+@echo off
+FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO (
+SET "ProductKey=%%A"
+goto InstallKey
+)
+
+:InstallKey
+IF [%ProductKey%]==[] (
+echo No key present
+) ELSE (
+echo Installing %ProductKey%
+changepk.exe /ProductKey %ProductKey%
+)
+
+
+### Obtaining an Azure AD license
+
+Enterprise Agreement/Software Assurance (EA/SA):
+- Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
+- The license administrator can assign seats to Azure AD users with the same process that is used for O365.
+- New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
+
+Microsoft Products & Services Agreements (MPSA):
+- Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
+- Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
+- New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
+
+### Deploying licenses
+
+See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
+
+## Virtual Desktop Access (VDA)
+
+Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
+
+Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
+
+## Related topics
+
+[Connect domain-joined devices to Azure AD for Windows 10 experiences](https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-devices-group-policy/)+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 45520df78e..1a9d30eb2e 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -22,22 +22,33 @@ ms.topic: article Windows Autopilot user-driven mode is designed to enable new Windows 10 devices to be transformed from their initial state, directly from the factory, into a ready-to-use state without requiring that IT personnel ever touch the device. The process is designed to be simple so that anyone can complete it, enabling devices to be shipped or distributed to the end user directly with simple instructions: - Unbox the device, plug it in, and turn it on. -- Choose a language, locale and keyboard. -- Connect it to a wireless or wired network with internet access. +- Choose a language (only required when multiple languages are installed), locale and keyboard. +- Connect it to a wireless or wired network with internet access. If using wireless, the user must establish the Wi-Fi link. - Specify your e-mail address and password for your organization account. After completing those simple steps, the remainder of the process is completely automated, with the device being joined to the organization, enrolled in Intune (or another MDM service), and fully configured as defined by the organization. Any additional prompts during the Out-of-Box Experience (OOBE) can be suppressed; see [Configuring Autopilot Profiles](profiles.md) for options that are available. -Today, Windows Autopilot user-driven mode supports Azure Active Directory and Hybrid Azure Active Directory joined devices. See [What is a device identity](https://docs.microsoft.com/azure/active-directory/devices/overview) for more information about these two join options. +Windows Autopilot user-driven mode supports Azure Active Directory and Hybrid Azure Active Directory joined devices. See [What is a device identity](https://docs.microsoft.com/azure/active-directory/devices/overview) for more information about these two join options. -## Available user-driven modes +From a process flow perspective, the tasks performed during the user-driven process are as follows: -The following options are available for user-driven deployment: +- Once connected to a network, the device will download a Windows Autopilot profile specifying the settings that should be used (e.g. the prompts during OOBE that should be suppressed). +- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). +- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. +- The device will join Azure Active Directory or Active Directory, based on the Windows Autopilot profile settings. +- The device will enroll in Intune (or other configured MDM services). (This occurs as part of the Azure Active Directory join process via MDM auto-enrollment, or before the Active Directory join process, as needed.) +- If configured, the [enrollment status page](enrollment-status.md) (ESP) will be displayed. +- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. (Note that if the device reboots during the device ESP process, the user will need to re-enter their credentials as these are not persisted across reboots.) +- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. + +If any issues are encountered during this process, see the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. + +For more information on the available join options, see the following sections: - [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. - [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. -### User-driven mode for Azure Active Directory join +## User-driven mode for Azure Active Directory join In order to perform a user-driven deployment using Windows Autopilot, the following preparation steps need to be completed: @@ -53,18 +64,14 @@ For each device that will be deployed using user-driven deployment, these additi - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. -Also see the [Validation](#validation) section below. ->[!NOTE] ->If the device reboots during the device enrollment status page (ESP) in the user-driven Azure Active Directoy join scenario, the user will not automatically sign on because the user's credentials cannot be saved across reboots. In this scenario, the user will need to sign in manually after the device ESP completes. +## User-driven mode for hybrid Azure Active Directory join -### User-driven mode for hybrid Azure Active Directory join +Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid-joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). -Windows Autopilot requires that devices be Azure Active Directory joined. If you have an on-premises Active Directory environment and want to also join devices to your on-premises domain, you can accomplish this by configuring Autopilot devices to be [hybrid Azure Active Directory (AAD) joined](https://docs.microsoft.com/azure/active-directory/devices/hybrid-azuread-join-plan). +### Requirements -#### Requirements - -To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: +To perform a user-driven hybrid Azure AD joined deployment using Windows Autopilot: - A Windows Autopilot profile for user-driven mode must be created and - **Hybrid Azure AD joined** must be specified as the selected option under **Join to Azure AD as** in the Autopilot profile. @@ -76,28 +83,11 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. - If using Proxy, WPAD Proxy settings option must be enabled and configured. -**AAD device join**: The hybrid AAD join process uses the system context to perform device AAD join, therefore it is not affected by user based AAD join permission settings. In addition, all users are enabled to join devices to AAD by default. +**Azure AD device join**: The hybrid Azure AD join process uses the system context to perform device Azure AD join, therefore it is not affected by user based Azure AD join permission settings. In addition, all users are enabled to join devices to Azure AD by default. -#### Step by step instructions +### Step by step instructions See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). -Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. -## Validation -When performing a user-driven deployment using Windows Autopilot, the following end-user experience should be observed: - -- If multiple languages are preinstalled in Windows 10, the user must pick a language. -- The user must pick a locale and a keyboard layout, and optionally a second keyboard layout. -- If connected via Ethernet, no network prompt is expected. If no Ethernet connection is available and Wi-fi is built in, the user needs to connect to a wireless network. -- Once connected to a network, the Autopilot profile will be downloaded. -- Windows 10 will check for critical OOBE updates, and if any are available they will be automatically installed (rebooting if required). -- The user will be prompted for Azure Active Directory credentials, with a customized user experience showing the Azure AD tenant name, logo, and sign-in text. -- Once correct credentials have been entered, the device will join Azure Active Directory. -- After joining Azure Active Directory, the device will enroll in Intune (or other configured MDM services). -- If configured, the [enrollment status page](enrollment-status.md) will be displayed. -- Once the device configuration tasks have completed, the user will be signed into Windows 10 using the credentials they previously provided. -- Once signed in, the enrollment status page will again be displayed for user-targeted configuration tasks. - -If your results do not match these expectations, see the [Windows Autopilot Troubleshooting](troubleshooting.md) documentation. diff --git a/windows/hub/windows-10.yml b/windows/hub/windows-10.yml index 1504e2cae3..c4bba2a64d 100644 --- a/windows/hub/windows-10.yml +++ b/windows/hub/windows-10.yml @@ -24,7 +24,7 @@ sections: - items: - type: markdown text: " - Get started with Windows 10. Evaluate free for 90 days, and set up virtual labs to test a proof of concept.
+ Get started with Windows 10. Evaluate free for 90 days and set up virtual labs to test a proof of concept.
 **Download a free 90-day evaluation** Try the latest features. Test your apps, hardware, and deployment strategies. Start evaluation |  **Get started with virtual labs** Try setup, deployment, and management scenarios in a virtual environment, with no additional software or setup required. See Windows 10 labs |  **Conduct a proof of concept** Download a lab environment with MDT, Configuration Manager, Windows 10, and more. Get deployment kit |
-
 **In-place upgrade** The simplest way to upgrade PCs that are currently running WIndows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade. Upgrade to Windows 10 with Configuration Manager Upgrade to Windows 10 with MDT |  **Traditional deployment** Some organizations may still need to opt for an image-based deployment of Windows 10. Deploy Windows 10 with Configuration Manager Deploy Windows 10 with MDT | ||
 **Dynamic provisioning** With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image. Provisioning packages for Windows 10 Build and apply a provisioning package Customize Windows 10 start and the taskbar |  Windows deployment for education environmentsSet up a shared or guest PC with Windows 10 Sideload apps in Windows 10 |
**In-place upgrade** The simplest way to upgrade PCs that are currently running WIndows 7, Windows 8, or Windows 8.1 is to do an in-place upgrade. Upgrade to Windows 10 with Configuration Manager Upgrade to Windows 10 with MDT | **Traditional deployment** Some organizations may still need to opt for an image-based deployment of Windows 10. Deploy Windows 10 with Configuration Manager Deploy Windows 10 with MDT |
**Dynamic provisioning** With Windows 10 you can create provisioning packages that let you quickly configure a device without having to install a new image. Provisioning packages for Windows 10 Build and apply a provisioning package Customize Windows 10 start and the taskbar |  **Other deployment scenarios** Get guidance on how to deploy Windows 10 for students, faculty, and guest users - and how to deploy line-of-business apps. Windows deployment for education environments Set up a shared or guest PC with Windows 10 Sideload apps in Windows 10 |
 **Sign up for the Windows IT Pro Insider** Find out about new resources and get expert tips and tricks on deployment, management, security, and more. Learn more |  **Follow us on Twitter** Keep up with the latest desktop and device trends, Windows news, and events for IT pros. Visit Twitter |  **Join the Windows Insider Program for Business** Get early access to new builds and provide feedback on the latest features and functionalities. Get started |
- Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
- Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Back to top
May 29, 2019
KB4497935
KB4512941
August 30, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PT
- Client: Windows 10, version 1903
- Server: Windows Server, version 1903
Back to top
May 29, 2019
KB4497935
KB4512941
August 30, 2019
10:00 AM PT
Opened:
July 25, 2019
06:10 PM PT
- Client: Windows 10, version 1903
- Server: Windows Server, version 1903
Back to top
May 29, 2019
KB4497935
KB4512941
August 30, 2019
10:00 AM PT
Opened:
July 12, 2019
04:42 PM PT
- Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Back to top
June 11, 2019
KB4503293
KB4512941
August 30, 2019
10:00 AM PT
Opened:
July 10, 2019
02:51 PM PT
- Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Back to top
June 11, 2019
KB4503293
KB4512941
August 30, 2019
10:00 AM PT
Opened:
July 10, 2019
02:51 PM PT
Well-Known SID/RID
S-1-5-21-<domain>-1103
S-1-5-21-<domain>-<variable RID>
Type
Well-Known SID/RID
S-1-5-21-<domain>-1102
S-1-5-21-<domain>-<variable RID>
Type
[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. | | Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | +| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT EnterpriseImportant:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.
|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. | > [!IMPORTANT] > The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide. diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md index 38bbbfc5cd..7f2c136802 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard.md +++ b/windows/security/identity-protection/credential-guard/credential-guard.md @@ -29,7 +29,7 @@ By enabling Windows Defender Credential Guard, the following features and soluti - **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard and other security strategies and architectures. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate other security strategies and architectures. ## Related topics diff --git a/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png b/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png new file mode 100644 index 0000000000..ead9410405 Binary files /dev/null and b/windows/security/identity-protection/credential-guard/images/credguard-gp-2.png differ diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md index a1810a0b03..c2c8040070 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-conditional-access.md @@ -1,6 +1,6 @@ --- title: Conditional Access -description: Learn more about conditional access in Azure Active Directory. +description: Ensure that only approved users can access your devices, applications, and services from anywhere by enabling single sign-on with Azure Active Directory. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md index 4cbec54f34..e91ce1f65c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md @@ -63,11 +63,11 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning | Phase | Description | | :----: | :----------- | -| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.| +| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in.| |B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.| |C | For the managed environment, the task creates an initial authentication credential in the form of a self-signed certificate. The task write the certificate to the userCertificate attribute on the computer object in Active Directory using LDAP. |D |The computer cannot authenticate to Azure DRS until a device object representing the computer that includes the certificate on the userCertificate attribute is created in Azure Active Directory. Azure AD Connect detects an attribute change. On the next synchronization cycle, Azure AD Connect sends the userCertificate, object GUID, and computer SID to Azure DRS. Azure DRS uses the attribute information to create a device object in Azure Active Directory.| -|E | The Automatic Device Join task triggers with each user sign-in and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.| +|E | The Automatic Device Join task triggers with each user sign-in or every hour, and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.| |F | The task creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).| |G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.| |H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| @@ -78,7 +78,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning | Phase | Description | | :----: | :----------- | -| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.| +| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in. | |B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.| |C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task. |D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).| diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 4a5e2492fe..ce973a2827 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -33,6 +33,7 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing - Certificate Revocation List (CRL) Distribution Point (CDP) - 2016 Domain Controllers - Domain Controller certificate +- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution. ### Azure Active Directory Connect synchronization Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index 9c4dba47c8..3cb290695f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md @@ -1,6 +1,6 @@ --- title: Windows Hello for Business Key Trust New Installation -description: Learn how to perform a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations. +description: Learn how to configure a hybrid key trust deployment of Windows Hello for Business, for systems with no previous installations. keywords: identity, PIN, biometric, Hello, passport, WHFB ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 97c87a6d14..20e50b5d3a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -66,7 +66,7 @@ Key trust deployments do not need client issued certificates for on-premises aut The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. -* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). +* The certificate Subject section should contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None]. * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5). diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index bbe8176263..87b70bbd2c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -80,8 +80,8 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. ->[!NOTE] ->The Domain Controller Certificate must be present in the NTAuth store. By default, Microsoft Enterprise CAs are added to the NTAuth store. If you are using a 3rd party CA, this may not be done by default. If the Domain Controller Certificate is not present in the NTAuth store, user authentication will fail. +> [!NOTE] +> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail. ### Publish Certificate Templates to a Certificate Authority diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index a4029266dd..4e95da0531 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -143,13 +143,14 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C  3. Under **Use the following restricted mode**: - - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used. + - If you want to require either [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx) or Windows Defender Remote Credential Guard, choose **Restrict Credential Delegation**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used. - > **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. + > [!NOTE] + > Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server. - - If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. + - If you want to require Windows Defender Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [requirements](#reqs) listed earlier in this topic. - - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. + - If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options](#comparing-remote-credential-guard-with-other-remote-desktop-connection-options), earlier in this topic. 4. Click **OK**. diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md index b6fab222d1..92c4d2b8c5 100644 --- a/windows/security/identity-protection/vpn/vpn-connection-type.md +++ b/windows/security/identity-protection/vpn/vpn-connection-type.md @@ -1,6 +1,6 @@ --- title: VPN connection types (Windows 10) -description: tbd +description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md index 66699d9e0b..d067b5a21d 100644 --- a/windows/security/identity-protection/vpn/vpn-office-365-optimization.md +++ b/windows/security/identity-protection/vpn/vpn-office-365-optimization.md @@ -239,12 +239,12 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1") # Extract the Profile XML from the ps1 file # - $regex = '(?sm).*^*.Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index dc96de376a..771169d40b 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -1,6 +1,6 @@ --- title: Guide to removing Microsoft Baseline Security Analyzer (MBSA) -description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions +description: This article documents the removal of Microsoft Baseline Security Analyzer (MBSA) and provides alternative solutions. keywords: MBSA, security, removal ms.prod: w10 ms.mktglfcycl: deploy diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index c27bcf9d6b..c093fcacb7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender ATP Flow connector ms.reviewer: -description: Microsoft Defender ATP Flow connector +description: Use Microsoft Defender ATP Flow connector to automate security and create a flow that will be triggered any time a new alert occurs on your tenant. keywords: flow, supported apis, api, Microsoft flow, query, automation search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md index b05666bfbf..cb5955d6d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-power-bi.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender ATP APIs connection to Power BI ms.reviewer: -description: Create custom reports using Power BI +description: Create a Power Business Intelligence (BI) report on top of Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) APIs. keywords: apis, supported apis, Power BI, reports search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -25,7 +25,7 @@ ms.topic: article In this section you will learn create a Power BI report on top of Microsoft Defender ATP APIs. -The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs (e.g. Machine Actions, Alerts, etc..) +The first example demonstrates how to connect Power BI to Advanced Hunting API and the second example demonstrates a connection to our OData APIs, such as Machine Actions or Alerts. ## Connect Power BI to Advanced Hunting API diff --git a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md b/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md deleted file mode 100644 index 7dfd283a11..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction-rules-in-windows-10-enterprise-e3.md +++ /dev/null @@ -1,53 +0,0 @@ ---- -title: Use attack surface reduction rules in Windows 10 Enterprise E3 -description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware -keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: denisebmsft -ms.author: deniseb -ms.reviewer: -manager: dansimp -ms.custom: asr ---- - -# Use attack surface reduction rules in Windows 10 Enterprise E3 - -**Applies to:** - -- Windows 10 Enterprise E3 - -Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This feature area includes the rules, monitoring, reporting, and analytics necessary for deployment that are included in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), and require the Windows 10 Enterprise E5 license. - -A limited subset of basic attack surface reduction rules can technically be used with Windows 10 Enterprise E3. They can be used without the benefits of reporting, monitoring, and analytics, which provide the ease of deployment and management capabilities necessary for enterprises. - -Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. - -The limited subset of rules that can be used in Windows 10 Enterprise E3 include: - -- Block executable content from email client and webmail -- Block all Office applications from creating child processes -- Block Office applications from creating executable content -- Block Office applications from injecting code into other processes -- Block JavaScript or VBScript from launching downloaded executable content -- Block execution of potentially obfuscated scripts -- Block Win32 API calls from Office macro -- Use advanced protection against ransomware -- Block credential stealing from the Windows local security authority subsystem (lsass.exe) -- Block process creations originating from PSExec and WMI commands -- Block untrusted and unsigned processes that run from USB - -For more information about these rules, see [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md). - - ## Related topics - -Topic | Description ----|--- -[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. -[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. -[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. diff --git a/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md new file mode 100644 index 0000000000..4084d8b928 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/behavioral-blocking-containment.md @@ -0,0 +1,49 @@ +--- +title: Behavioral blocking and containment +description: Learn about behavioral blocking and containment capabilities in Microsoft Defender ATP +keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: shwetaj +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: +- next-gen +- edr +ms.collection: +--- + +# Behavioral blocking and containment + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## Behavioral blocking and containment overview + +Not all cyberattacks involve a simple piece of malware that's found and removed. Some attacks, such as fileless attacks, are much more difficult to identify, let alone contain. Microsoft Defender ATP includes behavioral blocking and containment capabilities that can help identify and stop threats with machine learning, pre- and post-breach. In almost real time, when a suspicious behavior or artifact is detected and determined to be malicious, the threat is blocked. Pre-execution models learn about that threat, and prevent it from running on other endpoints. + +## Behavioral blocking and containment capabilities + +Behavioral blocking and containment capabilities include the following: + +- **On-client, policy-driven [attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction)**. Predefined common attack behaviors are prevented from executing, according to your attack surface reduction rules. When such behaviors attempt to execute, they can be seen in the Microsoft Defender Security Center (https://securitycenter.windows.com) as informational alerts. (Attack surface reduction rules are not enabled by default; you configure your policies in the Microsoft Defender Security Center.) + +- **Client behavioral blocking**. Threats on endpoints are detected through machine learning, and then are blocked and remediated automatically. (Client behavioral blocking is enabled by default.) + +- **Feedback-loop blocking** (also referred to as rapid protection). Threat detections that are assumed to be false negatives are observed through behavioral intelligence. Threats are stopped and prevented from running on other endpoints. (Feedback-loop blocking is enabled by default.) + +- **[Endpoint detection and response (EDR) in block mode](edr-in-block-mode.md)**. Malicious artifacts or behaviors that are observed through post-breach protection are blocked and contained. EDR in block mode works even if Windows Defender Antivirus is not the primary antivirus solution. (EDR in block mode, currently in preview, is not enabled by default; you turn it on in the Microsoft Defender Security Center.) + +As Microsoft continues to improve threat protection features and capabilities, you can expect more to come in the area of behavioral blocking and containment. Visit the [Microsoft 365 roadmap](https://www.microsoft.com/microsoft-365/roadmap) to see what's rolling out now and what's in development. + +## Next steps + +- [Configure your attack surface reduction rules](attack-surface-reduction.md) + +- [Enable EDR in block mode](edr-in-block-mode.md) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md index 2cdb364929..e959cf1bbf 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-attack-surface-reduction.md @@ -1,6 +1,6 @@ --- title: Configure attack surface reduction -description: Configure attack surface reduction +description: Use Microsoft Intune, Microsoft Endpoint Configuration Manager, Powershell cmdlets, and Group Policy to configure attack surface reduction. keywords: asr, attack surface reduction, windows defender, microsoft defender, antivirus, av search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index 1f672b58a6..d3f378cce2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md @@ -52,6 +52,9 @@ From the **Onboarding** card, select **Onboard more machines** to create and ass >[!TIP] >Alternatively, you can navigate to the Microsoft Defender ATP onboarding compliance page in the [Microsoft Azure portal](https://portal.azure.com/) from **All services > Intune > Device compliance > Microsoft Defender ATP**. +>[!NOTE] +> If you want to view the most up-to-date device data, click on **List of devices without ATP sensor**. + From the device compliance page, create a configuration profile specifically for the deployment of the Microsoft Defender ATP sensor and assign that profile to the machines you want to onboard. To do this, you can either: - Select **Create a device configuration profile to configure ATP sensor** to start with a predefined device configuration profile. diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 66efa55144..90ad7896eb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -111,7 +111,7 @@ If a proxy or firewall has HTTPS scanning (SSL inspection) enabled, exclude the Service location | Microsoft.com DNS record -|- -Common URLs for all locations | ```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com``` +Common URLs for all locations | ```crl.microsoft.com/pki/crl/*```
```ctldl.windowsupdate.com```
```www.microsoft.com/pkiops/*```
```events.data.microsoft.com```
```notify.windows.com```
```settings-win.data.microsoft.com``` European Union | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```usseu1northprod.blob.core.windows.net```
```usseu1westprod.blob.core.windows.net```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
```wseu1northprod.blob.core.windows.net```
```wseu1westprod.blob.core.windows.net```
```automatedirstrprdweu.blob.core.windows.net```
```automatedirstrprdneu.blob.core.windows.net``` United Kingdom | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```ussuk1southprod.blob.core.windows.net```
```ussuk1westprod.blob.core.windows.net```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com```
```wsuk1southprod.blob.core.windows.net```
```wsuk1westprod.blob.core.windows.net```
```automatedirstrprduks.blob.core.windows.net```
```automatedirstrprdukw.blob.core.windows.net``` United States | ```us.vortex-win.data.microsoft.com```
```ussus1eastprod.blob.core.windows.net```
```ussus1westprod.blob.core.windows.net```
```ussus2eastprod.blob.core.windows.net```
```ussus2westprod.blob.core.windows.net```
```ussus3eastprod.blob.core.windows.net```
```ussus3westprod.blob.core.windows.net```
```ussus4eastprod.blob.core.windows.net```
```ussus4westprod.blob.core.windows.net```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com```
```wsus1eastprod.blob.core.windows.net```
```wsus1westprod.blob.core.windows.net```
```wsus2eastprod.blob.core.windows.net```
```wsus2westprod.blob.core.windows.net```
```automatedirstrprdcus.blob.core.windows.net```
```automatedirstrprdeus.blob.core.windows.net``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md index c0c8157b48..b7e90ca3be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints.md @@ -58,12 +58,13 @@ There are two options to onboard Windows Server 2008 R2 SP1, Windows Server 2012 ### Option 1: Onboard servers through Microsoft Defender Security Center You'll need to take the following steps if you choose to onboard servers through Microsoft Defender Security Center. -- For Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: +- For Windows Server 2008 R2 SP1 or Windows Server 2012 R2, ensure that you install the following hotfix: + - [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) + +- In addition, for Windows Server 2008 R2 SP1, ensure that you fulfill the following requirements: - Install the [February monthly update rollup](https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598) - - Install the [Update for customer experience and diagnostic telemetry](https://support.microsoft.com/en-us/help/3080149/update-for-customer-experience-and-diagnostic-telemetry) - Install either [.NET framework 4.5](https://www.microsoft.com/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework) - - For Windows Server 2008 R2 SP1 and Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md index 20a35409f5..2d543f5b2d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md +++ b/windows/security/threat-protection/microsoft-defender-atp/connected-applications.md @@ -1,7 +1,7 @@ --- title: Connected applications in Microsoft Defender ATP ms.reviewer: -description: View connected partner applications to Microsoft Defender ATP +description: View connected partner applications that use standard OAuth 2.0 protocol to authenticate and provide tokens for use with Microsoft Defender ATP APIs. keywords: partners, applications, third-party, connections, sentinelone, lookout, bitdefender, corrata, morphisec, paloalto, ziften, better mobile search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md new file mode 100644 index 0000000000..942f37ced7 --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md @@ -0,0 +1,91 @@ +--- +title: Endpoint detection and response in block mode +description: Learn about endpoint detection and response in block mode +keywords: Microsoft Defender ATP, EDR in block mode, passive mode blocking +search.product: eADQiWindows 10XVcnh +ms.pagetype: security +author: denisebmsft +ms.author: deniseb +manager: dansimp +ms.reviewer: shwetaj +audience: ITPro +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +ms.custom: +- next-gen +- edr +ms.collection: +--- + +# Endpoint detection and response (EDR) in block mode + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) + +## What is EDR in block mode? + +When [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) (EDR) in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. + +> [!NOTE] +> EDR in block mode is currently in preview. To get the best protection, make sure to **[deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline)**. + +## What happens when something is detected? + +When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center). + +The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: + +:::image type="content" source="images/edr-in-block-mode.jpg" alt-text="EDR in block mode detected something"::: + + +## Enable EDR in block mode + +> [!IMPORTANT] +> Make sure the [requirements](#requirements-for-edr-in-block-mode) are met before turning on EDR in block mode. + +1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. + +2. Choose **Settings** > **Advanced features**. + +3. Turn on **EDR in block mode**. + +> [!NOTE] +> EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode. + +## Requirements for EDR in block mode + +|Requirement |Details | +|---------|---------| +|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | +|Operating system |One of the following versions:
- Windows 10 (all releases)
- Windows Server 2016 or later | +|Windows E5 enrollment |Windows E5 is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | +|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). | +|Windows Defender Antivirus antimalware client |Make sure your client is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | +|Windows Defender Antivirus engine |Make sure your engine is up to date. Using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator.
In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | + +> [!IMPORTANT] +> To get the best protection value, make sure your antivirus solution is configured to receive regular updates and essential features. + + +## Frequently asked questions + +### Will EDR in block mode have any impact on a user's antivirus protection? + +No. EDR in block mode does not affect third-party antivirus protection running on users' machines. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Windows Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. + +### Why do I need to keep Windows Defender Antivirus up to date? + +Because Windows Defender Antivirus detects and remediates malicious items, it's important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for EDR in block mode to be most effective. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities works in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date. + +### Why do we need cloud protection on? + +Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on our breadth and depth of security intelligence, along with behavioral and machine learning models. + +## Related articles + +[Behavioral blocking and containment](behavioral-blocking-containment.md) + +[Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus) + diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md index 9b5990bdb7..9115bc352e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md @@ -1,5 +1,5 @@ --- -title: Enable ASR rules individually to protect your organization +title: Enable attack surface reduction rules individually to protect your organization description: Enable attack surface reduction (ASR) rules to protect your devices from attacks that use macros, scripts, and common injection techniques. keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, enable, turn on search.product: eADQiWindows 10XVcnh @@ -12,7 +12,7 @@ ms.localizationpriority: medium audience: ITPro author: levinec ms.author: ellevin -ms.date: 05/13/2019 +ms.date: 05/05/2020 ms.reviewer: manager: dansimp --- @@ -43,16 +43,10 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices. -> [!WARNING] +> [!IMPORTANT] > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded. -> > If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md). -> [!IMPORTANT] -> File and folder exclusions do not apply to the following ASR rules: -> -> * Block process creations originating from PSExec and WMI commands -> * Block JavaScript or VBScript from launching downloaded executable content You can specify individual files or folders (using folder paths or fully qualified resource names), but you can't specify which rules the exclusions apply to. An exclusion is applied only when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted. diff --git a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md index 8513635c3a..2322ed9300 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/enable-network-protection.md @@ -17,14 +17,29 @@ audience: ITPro manager: dansimp --- -# Enable network protection +# Turning on network protection **Applies to:** * [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) [Network protection](network-protection.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. -You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. +You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it. + +## Check if network protection is enabled + +You can see if network protection has been enabled on a local device by using Registry editor. + +1. Select the **Start** button in the task bar and type **regedit** to open Registry editor +1. Choose **HKEY_LOCAL_MACHINE** from the side menu +1. Navigate through the nested menus to **SOFTWARE** > **Policies** > **Microsoft** **Windows Defender** > **Policy Manager** +1. Select **EnableNetworkProtection** to see the current state of network protection on the device + + * 0, or **Off** + * 1, or **On** + * 2, or **Audit** mode + +## Enable network protection You can enable network protection by using any of these methods: @@ -34,7 +49,7 @@ You can enable network protection by using any of these methods: * [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager) * [Group Policy](#group-policy) -## PowerShell +### PowerShell 1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -51,10 +66,7 @@ Set-MpPreference -EnableNetworkProtection AuditMode Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. - - - -## Intune +### Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. 1. Click **Device configuration** > **Profiles** > **Create profile**. @@ -65,7 +77,7 @@ Use `Disabled` instead of `AuditMode` or `Enabled` to turn the feature off. 1. Click **OK** to save each open blade and click **Create**. 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**. -## MDM +### MDM Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable or disable network protection or enable audit mode. @@ -78,13 +90,13 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://d 1. Review the settings and click **Next** to create the policy. 1. After the policy is created, click **Close**. -## Group Policy +### Group Policy You can use the following procedure to enable network protection on domain-joined computers or on a standalone computer. 1. On a standalone computer, click **Start**, type and then click **Edit group policy**. - -Or- + *-Or-* On a domain-joined Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -109,7 +121,6 @@ You can confirm network protection is enabled on a local computer by using Regis * 1=On * 2=Audit - ## Related topics * [Network protection](network-protection.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md index cb90cee7fe..4b26c6d836 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-odata-samples.md @@ -1,7 +1,7 @@ --- title: OData queries with Microsoft Defender ATP ms.reviewer: -description: OData queries with Microsoft Defender ATP +description: Use these examples of Open Data Protocol (OData) queries to help with data access protocols in Microsoft Defender ATP keywords: apis, supported apis, odata, query search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -35,7 +35,7 @@ Not all properties are filterable. ### Example 1 -- Get all the machines with the tag 'ExampleTag' +Get all the machines with the tag 'ExampleTag' ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=machineTags/any(tag: tag eq 'ExampleTag') @@ -76,7 +76,7 @@ Content-type: application/json ### Example 2 -- Get all the alerts that created after 2018-10-20 00:00:00 +Get all the alerts that created after 2018-10-20 00:00:00 ``` HTTP GET https://api.securitycenter.windows.com/api/alerts?$filter=alertCreationTime+gt+2018-11-22T00:00:00Z @@ -126,7 +126,7 @@ Content-type: application/json ### Example 3 -- Get all the machines with 'High' 'RiskScore' +Get all the machines with 'High' 'RiskScore' ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=riskScore+eq+'High' @@ -167,7 +167,7 @@ Content-type: application/json ### Example 4 -- Get top 100 machines with 'HealthStatus' not equals to 'Active' +Get top 100 machines with 'HealthStatus' not equals to 'Active' ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=healthStatus+ne+'Active'&$top=100 @@ -208,7 +208,7 @@ Content-type: application/json ### Example 5 -- Get all the machines that last seen after 2018-10-20 +Get all the machines that last seen after 2018-10-20 ``` HTTP GET https://api.securitycenter.windows.com/api/machines?$filter=lastSeen gt 2018-08-01Z @@ -249,7 +249,7 @@ Content-type: application/json ### Example 6 -- Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP +Get all the Anti-Virus scans that the user Analyst@examples.onmicrosoft.com created using Microsoft Defender ATP ``` HTTP GET https://api.securitycenter.windows.com/api/machineactions?$filter=requestor eq 'Analyst@contoso.com' and type eq 'RunAntiVirusScan' @@ -283,7 +283,7 @@ Content-type: application/json ### Example 7 -- Get the count of open alerts for a specific machine: +Get the count of open alerts for a specific machine: ``` HTTP GET https://api.securitycenter.windows.com/api/machines/123321d0c675eaa415b8e5f383c6388bff446c62/alerts/$count?$filter=status ne 'Resolved' diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md index bfafa218ea..6546ddbb9b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-domain-info.md @@ -1,6 +1,6 @@ --- title: Get alert related domains information -description: Retrieves all domains related to a specific alert. +description: Retrieve all domains related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get alert information, alert information, related domain search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md index 89838eb90d..eb293e3f1c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-files-info.md @@ -1,6 +1,6 @@ --- title: Get alert related files information -description: Retrieves all files related to a specific alert. +description: Retrieve all files related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get alert information, alert information, related files search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -97,7 +97,7 @@ Content-type: application/json "fileType": null, "isPeFile": true, "filePublisher": "Microsoft Corporation", - "fileProductName": "Microsoft Windows Operating System", + "fileProductName": "Microsoft� Windows� Operating System", "signer": "Microsoft Corporation", "issuer": "Microsoft Code Signing PCA", "signerHash": "9dc17888b5cfad98b3cb35c1994e96227f061675", diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md index f012975e19..76f0026262 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-ip-info.md @@ -1,6 +1,6 @@ --- title: Get alert related IPs information -description: Retrieves all IPs related to a specific alert. +description: Retrieve all IPs related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get alert information, alert information, related ip search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md index be84e2c9ca..b9deda47b1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-alert-related-machine-info.md @@ -1,6 +1,6 @@ --- title: Get alert related machine information -description: Retrieves all machines related to a specific alert. +description: Retrieve all machines related to a specific alert using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get alert information, alert information, related machine search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md index c0088b91f6..3313e63989 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get IP related alerts API -description: Retrieves a collection of alerts related to a given IP address. +description: Retrieve a collection of alerts related to a given IP address using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, ip, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md index 9bc08c2680..5d0c64e02c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-ip-statistics.md @@ -1,6 +1,6 @@ --- title: Get IP statistics API -description: Retrieves the prevalence for the given IP. +description: Get the latest stats for your IP using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, ip, statistics, prevalence search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md index 55e74662e6..f922b6a35e 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-kbinfo-collection.md @@ -1,6 +1,6 @@ --- title: Get KB collection API -description: Retrieves a collection of KB's. +description: Retrieve a collection of knowledge bases (KB's) and KB details with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, kb search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md index 59e1357d2e..6c8f358205 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machine-log-on-users.md @@ -1,6 +1,6 @@ --- title: Get machine log on users API -description: Retrieves a collection of logged on users. +description: Retrieve a collection of logged on users on a specific machine using Microsoft Defender ATP APIs. keywords: apis, graph api, supported apis, get, machine, log on, users search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -73,7 +73,7 @@ Here is an example of the request. [!include[Improve request performance](../../includes/improve-request-performance.md)] ``` -GET https://api.securitycenter.windows.com/api/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers +GET https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/logonusers ``` **Response** diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md index c9883c2e4a..08f5fff7d0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machineactions-collection.md @@ -1,6 +1,6 @@ --- title: List machineActions API -description: Use this API to create calls related to get machineactions collection +description: Use the Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) API to create calls related to get machineactions collection. keywords: apis, graph api, supported apis, machineaction collection search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md index f5630c46c0..4fa6891d4f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-machinesecuritystates-collection.md @@ -1,6 +1,6 @@ --- title: Get machines security states collection API -description: Retrieves a collection of machines security states. +description: Retrieve a collection of machine security states using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP. keywords: apis, graph api, supported apis, get, machine, security, state search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 0eaec5311d..b2e2bce19f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -1,6 +1,6 @@ --- title: Get user related alerts API -description: Retrieves a collection of alerts related to a given user ID. +description: Retrieve a collection of alerts related to a given user ID using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, graph api, supported apis, get, user, related, alerts search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/shadow-protection-detection.jpg rename to windows/security/threat-protection/microsoft-defender-atp/images/edr-in-block-mode.jpg diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png index ef831f2c25..6118910639 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-download-package.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png index ef12c4002b..9a84e73ad0 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png and b/windows/security/threat-protection/microsoft-defender-atp/images/mdatp-onboarding-wizard.png differ diff --git a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png index 4b1576ec23..bcfd6506d9 100644 Binary files a/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png and b/windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png differ diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg b/windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg similarity index 100% rename from windows/security/threat-protection/windows-defender-antivirus/images/turn-shadow-protection-on.jpg rename to windows/security/threat-protection/microsoft-defender-atp/images/turn-edr-in-block-mode-on.jpg diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md index c2d0882195..250093e512 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md @@ -213,6 +213,8 @@ Download the onboarding package from Microsoft Defender Security Center: ```bash unzip WindowsDefenderATPOnboardingPackage.zip + Archive: WindowsDefenderATPOnboardingPackage.zip + inflating: MicrosoftDefenderATPOnboardingLinuxServer.py ``` `Archive: WindowsDefenderATPOnboardingPackage.zip` @@ -220,7 +222,7 @@ Download the onboarding package from Microsoft Defender Security Center: ## Client configuration -1. Copy WindowsDefenderATPOnboarding.py to the target machine. +1. Copy MicrosoftDefenderATPOnboardingLinuxServer.py to the target machine. Initially the client machine is not associated with an organization. Note that the *orgId* attribute is blank: @@ -228,10 +230,10 @@ Download the onboarding package from Microsoft Defender Security Center: mdatp --health orgId ``` -2. Run WindowsDefenderATPOnboarding.py, and note that, in order to run this command, you must have `python` installed on the device: +2. Run MicrosoftDefenderATPOnboardingLinuxServer.py, and note that, in order to run this command, you must have `python` installed on the device: ```bash - sudo python WindowsDefenderATPOnboarding.py + python MicrosoftDefenderATPOnboardingLinuxServer.py ``` 3. Verify that the machine is now associated with your organization and reports a valid organization identifier: diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md index 89649bba47..33a756f573 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response-command-examples.md @@ -1,6 +1,6 @@ --- title: Live response command examples -description: Learn about common commands and see examples on how it's used +description: Learn to run basic or advanced live response commands for Microsoft Defender Advanced Threat Protection (ATP) and see examples on how it's used keywords: example, command, cli, remote, shell, connection, live, response, real-time, command, script, remediate, hunt, export, log, drop, download, file search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md index a3c0a5a7a2..e633d8184f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-manually.md @@ -53,7 +53,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi -rw-r--r-- 1 test staff 354531845 Mar 13 08:57 wdav.pkg $ unzip WindowsDefenderATPOnboardingPackage.zip Archive: WindowsDefenderATPOnboardingPackage.zip - inflating: WindowsDefenderATPOnboarding.py + inflating: MicrosoftDefenderATPOnboardingMacOs.py ``` ## Application installation @@ -87,7 +87,7 @@ The installation proceeds. ## Client configuration -1. Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac. +1. Copy wdav.pkg and MicrosoftDefenderATPOnboardingMacOs.py to the machine where you deploy Microsoft Defender ATP for Mac. The client machine is not associated with orgId. Note that the *orgId* attribute is blank. @@ -98,7 +98,7 @@ The installation proceeds. 2. Run the Python script to install the configuration file: ```bash - $ /usr/bin/python WindowsDefenderATPOnboarding.py + $ /usr/bin/python MicrosoftDefenderATPOnboardingMacOs.py Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) ``` diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md index 3a6c85369b..77c330a95d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-support-license.md @@ -41,6 +41,6 @@ You deployed and/or installed the MDATP for macOS package ("Download installatio **Solution:** -Follow the WindowsDefenderATPOnboarding.py instructions documented here: +Follow the MicrosoftDefenderATPOnboardingMacOs.py instructions documented here: [Client configuration](mac-install-manually.md#client-configuration) diff --git a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md index daf8b70f1e..23a14e3ccd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machine-tags.md @@ -26,8 +26,8 @@ You can add tags on machines using the following ways: - Using the portal - Setting a registry key value ->[!NOTE] ->There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page. +> [!NOTE] +> There may be some latency between the time a tag is added to a machine and its availability in the machines list and machine page. To add machine tags using API, see [Add or remove machine tags API](add-or-remove-machine-tags.md). @@ -71,6 +71,9 @@ You can also delete tags from this view. >- Windows 8.1 >- Windows 7 SP1 +> [!NOTE] +> The maximum number of characters that can be set in a tag from the registry is 30. + Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. Use the following registry key entry to add a tag on a machine: @@ -81,4 +84,5 @@ Use the following registry key entry to add a tag on a machine: >[!NOTE] >The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. - +> +> If you need to remove a tag that was added using the above Registry key, clear the contents of the Registry key data instead of removing the 'Group' key. diff --git a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md index fdd4146f99..930d43341f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/machineaction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/machineaction.md @@ -1,6 +1,6 @@ --- title: machineAction resource type -description: Retrieves top recent machineActions. +description: Quickly respond to detected attacks by isolating machines or collecting an investigation package. keywords: apis, supported apis, get, machineaction, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index c66fbce85b..3c7b1fa724 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -79,7 +79,8 @@ Create custom rules to control when alerts are suppressed, or resolved. You can 3. Select the **Trigerring IOC**. 4. Specify the action and scope on the alert.
- You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue. Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard. You can also specify to suppress the alert on a specific machine group. + You can automatically resolve an alert or hide it from the portal. Alerts that are automatically resolved will appear in the resolved section of the alerts queue, alert page, and machine timeline and will appear as resolved across Microsoft Defender ATP APIs.
Alerts that are marked as hidden will be suppressed from the entire system, both on the machine's associated alerts and from the dashboard and will not be streamed across Microsoft Defender ATP APIs. + 5. Enter a rule name and a comment. diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md index b2176faf1d..6c323a4a7a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-indicators.md @@ -82,7 +82,7 @@ It's important to understand the following prerequisites prior to creating indic >[!NOTE] ->There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked. +>Typically, file blocks are enforced within a couple of minutes, but can take upwards of 30 minutes. ### Create an indicator for files from the settings page @@ -131,7 +131,7 @@ It's important to understand the following prerequisites prior to creating indic >- Full URL path blocks can be applied on the domain level and all unencrypted URLs >[!NOTE] ->There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked. +>There may be up to 2 hours of latency (usually less) between the time the action is taken, and the URL and IP being blocked. ### Create an indicator for IPs, URLs, or domains from the settings page diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index a4991649d4..8f19799fd0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -26,7 +26,7 @@ ms.topic: conceptual Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats. -> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4wDob] Microsoft Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: @@ -67,6 +67,9 @@ Microsoft Defender ATP uses the following combination of technology built into W
+ + +>[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4vnC4?rel=0] > [!TIP] > - Learn about the latest enhancements in Microsoft Defender ATP: [What's new in Microsoft Defender ATP](https://cloudblogs.microsoft.com/microsoftsecure/2018/11/15/whats-new-in-windows-defender-atp/). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md index b84dce1ebe..0a57598987 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-linux.md @@ -83,7 +83,7 @@ If you experience any installation failures, refer to [Troubleshooting installat - SUSE Linux Enterprise Server 12 or higher - Oracle Linux 7.2 or higher -- Minimum kernel version 2.6.38 +- Minimum kernel version 3.10.0-327 - The `fanotify` kernel option must be enabled > [!CAUTION] > Running Microsoft Defender ATP for Linux side by side with other `fanotify`-based security solutions is not supported. It can lead to unpredictable results, including hanging the operating system. diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md index e3d22ad134..d5613256d1 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboarding.md @@ -119,7 +119,7 @@ Manager and deploy that policy to Windows 10 devices. -2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager **. +2. Under Deployment method select the supported version of **Microsoft Endpoint Configuration Manager**.  diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md index 4fda24160f..967d14b25f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction.md @@ -27,6 +27,10 @@ ms.topic: conceptual Help reduce your attack surfaces, by minimizing the places where your organization is vulnerable to cyberthreats and attacks. Use the following resources to configure protection for the devices and applications in your organization. + +> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4woug] + + Article | Description -|- [Attack surface reduction](./attack-surface-reduction.md) | Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware. (Requires Windows Defender Antivirus). diff --git a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md index 8e4d732734..8342b664ed 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md +++ b/windows/security/threat-protection/microsoft-defender-atp/ti-indicator.md @@ -1,6 +1,6 @@ --- title: Indicator resource type -description: Indicator entity description. +description: Specify the entity details and define the expiration of the indicator using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP). keywords: apis, supported apis, get, TiIndicator, Indicator, recent search.product: eADQiWindows 10XVcnh ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md index 34dcdcc230..cce2177013 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/time-settings.md +++ b/windows/security/threat-protection/microsoft-defender-atp/time-settings.md @@ -1,7 +1,7 @@ --- title: Microsoft Defender Security Center time zone settings -description: Use the menu to configure the time zone and view license information. -keywords: settings, Windows Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license +description: Use the info contained here to configure the Microsoft Defender Security Center time zone settings and view license information. +keywords: settings, Microsoft Defender, cybersecurity threat intelligence, advanced threat protection, time zone, utc, local time, license search.product: eADQiWindows 10XVcnh search.appverid: met150 ms.prod: w10 diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 317cac63d6..7d6e7647cc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -42,6 +42,7 @@ If the script completes successfully, see [Troubleshoot onboarding issues on the ### Troubleshoot onboarding issues when deploying with Microsoft Endpoint Configuration Manager When onboarding machines using the following versions of Configuration Manager: +- Microsoft Endpoint Configuration Manager - System Center 2012 Configuration Manager - System Center 2012 R2 Configuration Manager @@ -302,10 +303,10 @@ The steps below provide guidance for the following scenario: - In this scenario, the SENSE service will not start automatically even though onboarding package was deployed >[!NOTE] ->The following steps are only relevant when using Microsoft Endpoint Configuration Manager (current branch) +>The following steps are only relevant when using Microsoft Endpoint Configuration Manager -1. Create an application in Microsoft Endpoint Configuration Manager current branch. +1. Create an application in Microsoft Endpoint Configuration Manager.  diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 2d474782f2..394a8eb887 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md @@ -1,6 +1,6 @@ --- title: What's new in Microsoft Defender ATP -description: Lists the new features and functionality in Microsoft Defender ATP +description: See what features are generally available (GA) in the latest release of Microsoft Defender ATP, as well as security features in Windows 10 and Windows Server. keywords: what's new in microsoft defender atp, ga, generally available, capabilities, available, new search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index ee51de1614..3f0c5a6304 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -229,7 +229,7 @@ Windows 10 has several important improvements to the security of the heap: ### Kernel pool protections -The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many types of attacks that have been attempted against these pools, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 has multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against such attacks. +The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against more advanced attacks. In addition to pool hardening, Windows 10 includes other kernel hardening features: diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index ad211f1718..5e75ce5325 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -92,7 +92,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Accounts that have the **Deny log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources and cause a denial-of-service condition. +Accounts that have the **Log on as a batch job** user right could be used to schedule jobs that could consume excessive computer resources and cause a denial-of-service condition. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md index 300344160d..b98d74a6bb 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md @@ -37,7 +37,7 @@ This policy setting determines when users are warned that their passwords are ab - Configure user passwords to expire periodically. Users need warning that their password is going to expire, or they might get locked out of the system. - Set **Interactive logon: Prompt user to change password before expiration** to five days. When their password expiration date is five or fewer days away, users will see a dialog box each time that they log on to the domain. -- Don't set the value to zero, which displays the password expiration warning every time the user logs on. +- When you set the policy to zero, there is no password expiration warning when the user logs on. During a long-running logon session, you would get the warning on the day the password expires or when it already has expired. ### Location diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 4870151b22..9fef84e4b2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -40,7 +40,7 @@ This policy isn't configured by default on domain-joined devices. This would dis - **Enabled**: This setting allows authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use of online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. > [!NOTE] - > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server. + > KU2U is disabled by default on Windows Server. Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device or a Hybrid Azure AD-joined domain member Windows 10 device fail. To resolve this, enable PKU2U on the server and the client. - **Disabled**: This setting prevents online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md index af838d196f..d74cf4da9a 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md @@ -22,7 +22,7 @@ ms.custom: nextgen - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. +Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention. You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL. @@ -117,14 +117,28 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered. -### Confirm block at first sight is enabled with the Windows Security app +### Confirm block at first sight is enabled with Registry editor -You can confirm that block at first sight is enabled in your Windows security settings. +1. Start Registry Editor. -Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on. +2. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet**, and make sure that + + 1. **SpynetReporting** key is set to **1** + + 2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples) + +3. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection**, and make sure that + + 1. **DisableIOAVProtection** key is set to **0** + + 2. **DisableRealtimeMonitoring** key is set to **0** ### Confirm Block at First Sight is enabled on individual clients +You can confirm that block at first sight is enabled on individual clients using Windows security settings. + +Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on. + 1. Open the Windows Security app. 2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md index 97a45e8794..78f6412fd9 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md @@ -284,8 +284,6 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\ - %windir%\Ntds\Ntds*.pat -- %windir%\Ntds\EDB*.log - - %windir%\Ntds\TEMP.edb #### The NTDS working folder diff --git a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md b/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md deleted file mode 100644 index e7573d32c1..0000000000 --- a/windows/security/threat-protection/windows-defender-antivirus/shadow-protection.md +++ /dev/null @@ -1,94 +0,0 @@ ---- -title: Shadow protection -description: Learn about shadow protection -keywords: Windows Defender Antivirus, shadow protection, passive mode -search.product: eADQiWindows 10XVcnh -ms.pagetype: security -author: denisebmsft -ms.author: deniseb -manager: dansimp -ms.reviewer: shwetaj -audience: ITPro -ms.topic: article -ms.prod: w10 -ms.localizationpriority: medium -ms.custom: next-gen -ms.collection: ---- - -# Shadow protection - -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - -## What is shadow protection? - -When enabled, shadow protection extends behavioral-based blocking and containment capabilities by blocking malicious artifacts or behaviors observed through post-breach protection. This is the case even if [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) is not your active antivirus protection. Shadow protection is useful if your organization has not fully transitioned to Windows Defender Antivirus and you are presently using a third-party antivirus solution. Shadow protection works behind the scenes by remediating malicious entities identified in post-breach protection that the existing third-party antivirus solution missed. - -> [!NOTE] -> Shadow protection is currently in [limited private preview](#can-i-participate-in-the-private-preview-of-shadow-protection). - -To get the best protection, [deploy Microsoft Defender ATP baselines](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-machines-security-baseline). And see [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus). - -## What happens when something is detected? - -When shadow protection is turned on, and a malicious artifact is detected, the detection results in blocking and remediation actions. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-auto-investigation#review-completed-actions). - -The following images shows an instance of unwanted software that was detected and blocked through shadow protection: - -:::image type="content" source="images/shadow-protection-detection.jpg" alt-text="Malware detected by shadow protection"::: - -## Turn on shadow protection - -> [!IMPORTANT] -> Make sure the [requirements](#requirements-for-shadow-protection) are met before turning shadow protection on. - -1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in. - -2. Choose **Settings** > **Advanced features**. - - :::image type="content" source="images/turn-shadow-protection-on.jpg" alt-text="Turn shadow protection on"::: - -3. Turn shadow protection on. - -> [!NOTE] -> Shadow protection can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to turn shadow protection on or off. - -## Requirements for shadow protection - -|Requirement |Details | -|---------|---------| -|Permissions |Global Administrator or Security Administrator role assigned in [Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). See [Basic permissions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/basic-permissions). | -|Operating system |One of the following:
- Windows 10 (all releases)
- Windows Server 2016 or later | -|Windows E5 enrollment |This is included in the following subscriptions:
- Microsoft 365 E5
- Microsoft 365 E3 together with the Identity & Threat Protection offering
See [Components](https://docs.microsoft.com/microsoft-365/enterprise/microsoft-365-overview?view=o365-worldwide#components) and [Features and capabilities for each plan](https://www.microsoft.com/microsoft-365/compare-all-microsoft-365-plans). | -|Cloud-delivered protection |Make sure Windows Defender Antivirus is configured such that cloud-delivered protection is enabled.
See [Enable cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus). | -|Windows Defender Antivirus antimalware client |To make sure your client is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMProductVersion** line, you should see **4.18.2001.10** or above. | -|Windows Defender Antivirus engine |To make sure your engine is up to date, using PowerShell, run the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) cmdlet as an administrator. In the **AMEngineVersion** line, you should see **1.1.16700.2** or above. | - -> [!IMPORTANT] -> To get the best protection value, make sure Windows Defender Antivirus is configured to receive regular updates and other essential features, such as behavioral monitoring, IOfficeAV, tamper protection, and more. See [Protect security settings with tamper protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection). - - -## Frequently asked questions - -### Will shadow protection have any impact on a user's antivirus protection? - -No. Shadow protection does not affect third-party antivirus protection running on users' machines. Shadow protection kicks in if the primary antivirus solution misses something, or if there is post-breach detection. Shadow protection works just like Windows Defender Antivirus in passive mode with the additional steps of blocking and remediating malicious items detected. - -### Why do I need to keep Windows Defender Antivirus up to date? - -Because Windows Defender Antivirus detects and remediates malicious items, it’s important to keep it up to date to leverage the latest machine learning models, behavioral detections, and heuristics for best results. The [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) stack of capabilities work in an integrated manner, and to get best protection value, you should keep Windows Defender Antivirus up to date. - -### Why do we need cloud protection on? - -Cloud protection is needed to turn on the feature on the device. Cloud protection allows [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) to deliver the latest and greatest protection based on the optics received, along with behavioral and machine learning models. - -### Can I participate in the private preview of shadow protection? - -If you would like to participate in our private preview program, please send email to `shwjha@microsoft.com`. - -## See also - -- [Better together: Windows Defender Antivirus and Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus) - diff --git a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md index 68f8c4587a..4bf7025062 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md @@ -1,7 +1,7 @@ --- -title: Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection -description: Next-gen technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection. -keywords: windows defender antivirus, next-gen technologies, next-gen av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection +title: Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection +description: next-generation technologies in cloud-delivered protection provide an advanced level of fast, robust antivirus detection. +keywords: windows defender antivirus, next-generation technologies, next-generation av, machine learning, antimalware, security, defender, cloud, cloud-delivered protection search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 @@ -11,12 +11,12 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.reviewer: +ms.reviewer: shwjha manager: dansimp ms.custom: nextgen --- -# Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection +# Use next-generation technologies in Windows Defender Antivirus through cloud-delivered protection **Applies to:** @@ -27,17 +27,17 @@ Microsoft next-generation technologies in Windows Defender Antivirus provide nea Windows Defender Antivirus uses multiple detection and prevention technologies to deliver accurate, real-time, and intelligent protection. [Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection](https://www.microsoft.com/security/blog/2019/06/24/inside-out-get-to-know-the-advanced-technologies-at-the-core-of-microsoft-defender-atp-next-generation-protection/).  -To take advantage of the power and speed of these next-gen technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. +To take advantage of the power and speed of these next-generation technologies, Windows Defender Antivirus works seamlessly with Microsoft cloud services. These cloud protection services, also referred to as Microsoft Advanced Protection Service (MAPS), enhances standard real-time protection, providing arguably the best antivirus defense. >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates. -With cloud-delivered protection, next-gen technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action: +With cloud-delivered protection, next-generation technologies provide rapid identification of new threats, sometimes even before a single machine is infected. Watch the following video about Microsoft AI and Windows Defender Antivirus in action: -To understand how next-gen technologies shorten protection delivery time through the cloud, watch the following video: +To understand how next-generation technologies shorten protection delivery time through the cloud, watch the following video: @@ -54,28 +54,33 @@ Read the following blog posts for detailed protection stories involving cloud-pr Cloud-delivered protection is enabled by default. However, you may need to re-enable it if it has been disabled as part of previous organizational policies. -Organizations running Windows 10 E5, version 1803 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn cloud-delivered protection on, we can deliver a fix for a malware issue via the cloud within minutes instead of waiting for the next update. +Organizations running Windows 10 E5 can also take advantage of emergency dynamic intelligence updates, which provide near real-time protection from emerging threats. When you turn on cloud-delivered protection, fixes for malware issues can be delivered via the cloud within minutes, instead of waiting for the next update. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. The following table describes the differences in cloud-delivered protection between recent versions of Windows and Configuration Manager. -Feature | Windows 8.1 (Group Policy) | Windows 10, version 1607 (Group Policy) | Windows 10, version 1703 (Group Policy) | System Center 2012 Configuration Manager | Microsoft Endpoint Configuration Manager (Current Branch) | Microsoft Intune ----|---|---|---|---|---|--- -Cloud-protection service label | Microsoft Advanced Protection Service | Microsoft Advanced Protection Service | Cloud-based Protection | NA | Cloud protection service | Microsoft Advanced Protection Service -Reporting level (MAPS membership level) | Basic, Advanced | Advanced | Advanced | Dependent on Windows version | Dependent on Windows version | Dependent on Windows version -Cloud block timeout period | No | No | Configurable | Not configurable | Configurable | Configurable - -You can also [configure Windows Defender AV to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates). +|OS version or service application |Cloud-protection service label |Reporting level (MAPS membership level) |Cloud block timeout period | +|---------|---------|---------|---------| +|Windows 8.1 (Group Policy) |Microsoft Advanced Protection Service |Basic, Advanced |No | +|Windows 10, version 1607 (Group Policy) |Microsoft Advanced Protection Service |Advanced |No | +|Windows 10, version 1703 or greater (Group Policy) |Cloud-based Protection |Advanced |Configurable | +|System Center 2012 Configuration Manager | N/A |Dependent on Windows version |Not configurable | +|Microsoft Endpoint Configuration Manager (Current Branch) |Cloud protection service |Dependent on Windows version |Configurable | +|Microsoft Intune |Microsoft Advanced Protection Service |Dependent on Windows version |Configurable | + +You can also [configure Windows Defender Antivirus to automatically receive new protection updates based on reports from our cloud service](manage-event-based-updates-windows-defender-antivirus.md#cloud-report-updates). -## In this section +## Tasks - Topic | Description ----|--- -[Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) | You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. -[Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md) | You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. -[Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md) | There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This topic lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. -[Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) | The Block at First Sight feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. -[Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md) | Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. +- [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md). You can enable cloud-delivered protection with Microsoft Endpoint Configuration Manager, Group Policy, Microsoft Intune, and PowerShell cmdlets. + +- [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md). You can specify the level of protection offered by the cloud with Group Policy and Microsoft Endpoint Configuration Manager. The protection level will affect the amount of information shared with the cloud and how aggressively new files are blocked. + +- [Configure and validate network connections for Windows Defender Antivirus](configure-network-connections-windows-defender-antivirus.md). There are certain Microsoft URLs that your network and endpoints must be able to connect to for cloud-delivered protection to work effectively. This article lists the URLs that should be allowed via firewall or network filtering rules, and instructions for confirming your network is properly enrolled in cloud-delivered protection. + +- [Configure the block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md). The "block at first sight" feature can block new malware within seconds, without having to wait hours for traditional Security intelligence. You can enable and configure it with Microsoft Endpoint Configuration Manager and Group Policy. + +- [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md). Windows Defender Antivirus can block suspicious files from running while it queries our cloud-delivered protection service. You can configure the amount of time the file will be prevented from running with Microsoft Endpoint Configuration Manager and Group Policy. diff --git a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md index 9c284e75a0..bfca4b0430 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/why-use-microsoft-antivirus.md @@ -14,7 +14,6 @@ ms.topic: article author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 01/07/2020 ms.reviewer: manager: dansimp --- @@ -29,7 +28,7 @@ Windows Defender Antivirus is the next-generation protection component of [Micro Although you can use a non-Microsoft antivirus solution with Microsoft Defender ATP, there are advantages to using Windows Defender Antivirus together with Microsoft Defender ATP. Not only is Windows Defender Antivirus an excellent next-generation antivirus solution, but combined with other Microsoft Defender ATP capabilities, such as [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [automated investigation and remediation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/automated-investigations), you get better protection that's coordinated across products and services. -## 10 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP +## 11 reasons to use Windows Defender Antivirus together with Microsoft Defender ATP | |Advantage |Why it matters | |--|--|--| @@ -39,10 +38,11 @@ Although you can use a non-Microsoft antivirus solution with Microsoft Defender |4|Details about blocked malware |More details and actions for blocked malware are available with Windows Defender Antivirus and Microsoft Defender ATP. [Understand malware & other threats](../intelligence/understanding-malware.md).| |5|Network protection |Your organization's security team can protect your network by blocking specific URLs and IP addresses. [Protect your network](../microsoft-defender-atp/network-protection.md).| |6|File blocking |Your organization's security team can block specific files. [Stop and quarantine files in your network](../microsoft-defender-atp/respond-file-alerts.md#stop-and-quarantine-files-in-your-network).| -|7|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | -|8|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | -|9|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| -|10|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). | +|7|Attack Surface Reduction |Your organization's security team can reduce your vulnerabilities (attack surfaces), giving attackers fewer ways to perform attacks. Attack surface reduction uses cloud protection for a number of rules. [Reduce attack surfaces with attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-attack-surface-reduction).| +|8|Auditing events |Auditing event signals are available in [endpoint detection and response capabilities](../microsoft-defender-atp/overview-endpoint-detection-response.md). (These signals are not available with non-Microsoft antivirus solutions.) | +|9|Geographic data |Compliant with ISO 270001 and data retention, geographic data is provided according to your organization's selected geographic sovereignty. See [Compliance offerings: ISO/IEC 27001:2013 Information Security Management Standards](https://docs.microsoft.com/microsoft-365/compliance/offering-iso-27001). | +|10|File recovery via OneDrive |If you are using Windows Defender Antivirus together with [Office 365](https://docs.microsoft.com/Office365/Enterprise), and your device is attacked by ransomware, your files are protected and recoverable. [OneDrive Files Restore and Windows Defender take ransomware protection one step further](https://techcommunity.microsoft.com/t5/Microsoft-OneDrive-Blog/OneDrive-Files-Restore-and-Windows-Defender-takes-ransomware/ba-p/188001).| +|11|Technical support |By using Microsoft Defender ATP together with Windows Defender Antivirus, you have one company to call for technical support. [Troubleshoot service issues](../microsoft-defender-atp/troubleshoot-mdatp.md) and [review event logs and error codes with Windows Defender Antivirus](troubleshoot-windows-defender-antivirus.md). | ## Learn more diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index e09392cea5..c758cea607 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -25,9 +25,9 @@ manager: dansimp ## Overview Windows Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection. -- When endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, Windows Defender Antivirus automatically goes into disabled mode. -- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real time protection and threats are not remediated by Windows Defender Antivirus.) -- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [shadow protection (currently in private preview)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection), then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. +- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Windows Defender Antivirus automatically goes into disabled mode. +- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Windows Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Windows Defender Antivirus.) +- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/shadow-protection) (currently in private preview) enabled, then Windows Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack. ## Antivirus and Microsoft Defender ATP @@ -69,12 +69,12 @@ The following table summarizes the functionality and features that are available |--|--|--|--|--|--| |Active mode
|Yes |No |Yes |Yes |Yes | |Passive mode |No |No |Yes |No |Yes | -|[Shadow protection enabled](shadow-protection.md) |No |No |Yes |Yes |Yes | +|[EDR in block mode enabled](shadow-protection.md) |No |No |Yes |Yes |Yes | |Automatic disabled mode |No |Yes |No |No |No | - In Active mode, Windows Defender Antivirus is used as the antivirus app on the machine. All configuration made with Configuration Manager, Group Policy, Intune, or other management products will apply. Files are scanned and threats remediated, and detection information are reported in your configuration tool (such as Configuration Manager or the Windows Defender Antivirus app on the machine itself). - In Passive mode, Windows Defender Antivirus is not used as the antivirus app, and threats are not remediated by Windows Defender Antivirus. Files are scanned and reports are provided for threat detections which are shared with the Microsoft Defender ATP service. -- When [shadow protection (currently in private preview)](shadow-protection.md) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. +- When [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) (currently in private preview) is turned on, Windows Defender Antivirus is not used as the primary antivirus solution, but can still detect and remediate malicious items. - In Automatic disabled mode, Windows Defender Antivirus is not used as the antivirus app. Files are not scanned and threats are not remediated. ## Keep the following points in mind @@ -95,4 +95,4 @@ If you uninstall the other product, and choose to use Windows Defender Antivirus - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) - [Windows Defender Antivirus on Windows Server 2016 and 2019](windows-defender-antivirus-on-windows-server-2016.md) -- [Shadow protection in next-generation protection](shadow-protection.md) +- [EDR in block mode](../microsoft-defender-atp/edr-in-block-mode.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index 75d23d70dd..77eca7df65 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -1,6 +1,6 @@ --- title: Windows Defender Antivirus in the Windows Security app -description: Windows Defender AV is now included in the Windows Security app. +description: With Windows Defender AV now included in the Windows Security app, you can review, compare, and perform common tasks. keywords: wdav, antivirus, firewall, security, windows search.product: eADQiWindows 10XVcnh ms.pagetype: security diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 5ade5917e6..1a4b279e16 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -1,20 +1,23 @@ -# [Windows Defender Application Control](windows-defender-application-control.md) +# [Application Control for Windows](windows-defender-application-control.md) +## [WDAC and AppLocker Overview](wdac-and-applocker-overview.md) +### [WDAC and AppLocker Feature Availability](feature-availability.md) -## [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md) + +## [WDAC design guide](windows-defender-application-control-design-guide.md) ### [Plan for WDAC policy lifecycle management](plan-windows-defender-application-control-management.md) -### Design and create your WDAC policy +### Design your initial WDAC policy #### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) #### [Understand WDAC policy rules and file rules](select-types-of-rules-to-create.md) -##### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) -##### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) -#### [Example WDAC base policies](example-wdac-base-policies.md) +#### [Authorize apps deployed with a WDAC managed installer](use-windows-defender-application-control-with-managed-installer.md) +#### [Authorize reputable apps with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) #### [Use multiple WDAC policies](deploy-multiple-windows-defender-application-control-policies.md) -#### [Common WDAC deployment scenarios](types-of-devices.md) +#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) +### Create your initial WDAC policy +#### [Example WDAC base policies](example-wdac-base-policies.md) +#### [Policy creation for common WDAC usage scenarios](types-of-devices.md) ##### [Create a WDAC policy for lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) ##### [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md) ##### [Create a WDAC policy for fixed-workload devices](create-initial-default-policy.md) -##### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) - ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md) @@ -28,7 +31,7 @@ ### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md) ### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) -#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) +#### [Optional: Use the WDAC Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) #### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) #### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md) ### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index f707f7a7bb..1a27567a27 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -21,8 +21,8 @@ ms.date: 05/03/2018 **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows Server 2016 and above This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc... diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 93758237b0..9957c0ae10 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -22,8 +22,8 @@ ms.date: 11/20/2019 **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows Server 2016 and above This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index d25131d06d..fbee02749f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -22,8 +22,8 @@ ms.date: 11/15/2019 **Applies to:** -- Windows 10 -- Windows Server 2016 and above +- Windows 10 +- Windows Server 2016 and above This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 13547435c1..0fc1b53db9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -14,15 +14,15 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 05/17/2019 +ms.date: 04/15/2020 --- # Use multiple Windows Defender Application Control Policies **Applies to:** -- Windows 10 -- Windows Server 2016 +- Windows 10 +- Windows Server 2016 The restriction of only having a single code integrity policy active on a system at any given time has felt limiting for customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports multiple simultaneous code integrity policies for one device in order to enable the following scenarios: @@ -36,16 +36,17 @@ The restriction of only having a single code integrity policy active on a system - A supplemental policy expands a single base policy, and multiple supplemental policies can expand the same base policy - For supplemental policies, applications that are allowed by either the base policy or its supplemental policy/policies are allowed to run -## How do Base and Supplemental Policies Interact? +> [!NOTE] +> Pre-1903 systems do not support the use of Multiple Policy Format WDAC policies. + +## Base and supplemental policy interaction - Multiple base policies: intersection - Only applications allowed by both policies run without generating block events - Base + supplemental policy: union - Files that are allowed by the base policy or the supplemental policy are not blocked -Note that multiple policies will not work on pre-1903 systems. - -### Allow Multiple Policies +## Creating WDAC policies in Multiple Policy Format In order to allow multiple policies to exist and take effect on a single system, policies must be created using the new Multiple Policy Format. The "MultiplePolicyFormat" switch in [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) results in 1) random GUIDs being generated for the policy ID and 2) the policy type being specified as base. The below is an example of creating a new policy in the multiple policy format. @@ -65,9 +66,10 @@ For signed base policies that are being made supplementable, you need to ensure Add-SignerRule -FilePath
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. | +| Management solutions |
- [Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)
- [Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy)
- PowerShell
- [Intune](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
- MEMCM (custom policy deployment via Software Distribution only)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement)
- PowerShell
- Driver files: .sys
- Executable files: .exe and .com
- DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .vbs, and .js
- Packaged apps and packaged app installers: .appx
- Executable files: .exe and .com
- [Optional] DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .bat, .cmd, .vbs, and .js
- Packaged apps and packaged app installers: .appx
- [Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune) (limited built-in policies or custom policy deployment via OMA-URI)
- [Microsoft Endpoint Manager Configuration Manager (MEMCM)](https://docs.microsoft.com/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy)
- PowerShell
- [Intune](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)
- MEMCM (custom policy deployment via Software Distribution only)
- [Group Policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement)
- PowerShell
- Driver files: .sys
- Executable files: .exe and .com
- DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .vbs, and .js
- Packaged apps and packaged app installers: .appx
- Executable files: .exe and .com
- [Optional] DLLs: .dll and .ocx
- Windows Installer files: .msi, .mst, and .msp
- Scripts: .ps1, .bat, .cmd, .vbs, and .js
- Packaged apps and packaged app installers: .appx
- |
+| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
+| Kernel mode policies | Available on all Windows 10 versions | Not available |
+| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
+| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
+| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
+| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
+| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
+| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
+| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
+| Enforceable file types |
-- **Windows Defender Application Control**; and -- **AppLocker** +Windows 10 includes two technologies that can be used for application control depending on your organization's specific scenarios and requirements: -## Windows Defender Application Control +- **Windows Defender Application Control**; and +- **AppLocker** -Windows Defender Application Control (WDAC) was introduced with Windows 10 and allows organizations to control what drivers and applications are allowed to run on their Windows 10 clients. WDAC was designed as a security feature under the [servicing criteria](https://www.microsoft.com/msrc/windows-security-servicing-criteria) defined by the Microsoft Security Response Center (MSRC). +## In this section -> [!NOTE] -> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity (CCI) policies. - -WDAC policies apply to the managed computer as a whole and affects all users of the device. WDAC rules can be defined based on: -- Attributes of the codesigning certificate(s) used to sign an app and its binaries; -- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file; -- The reputation of the app as determined by Microsoft's Intelligent Security Graph; -- The identity of the process that initiated the installation of the app and its binaries (managed installer); -- The path from which the app or file is launched (beginning with Windows 10 version 1903); -- The process that launched the app or binary. - -### WDAC System Requirements - -WDAC policies can only be created on computers running Windows 10 build 1903+ on any SKU, pre-1903 Windows 10 Enterprise, or Windows Server 2016 and above. -WDAC policies can be applied to computers running any edition of Windows 10 or Windows Server 2016 via a Mobile Device Management (MDM) solution like Intune, a management interface like Configuration Manager, or a script host like PowerShell. Group Policy can also be used to deploy WDAC policies to Windows 10 Enterprise edition or Windows Server 2016 and above, but cannot deploy policies to machines running non-Enterprise SKUs of Windows 10. - -## AppLocker - -AppLocker was introduced with Windows 7 and allows organizations to control what applications their users are allowed to run on their Windows clients. AppLocker provides security value as a defense in depth feature and helps end users avoid running unapproved software on their computers. - -AppLocker policies can apply to all users on a computer or to individual users and groups. AppLocker rules can be defined based on: -- Attributes of the codesigning certificate(s) used to sign an app and its binaries; -- Attributes of the app's binaries that come from the signed metadata for the files, such as Original Filename and version, or the hash of the file; -- The path from which the app or file is launched (beginning with Windows 10 version 1903). - -### AppLocker System Requirements - -AppLocker policies can only be configured on and applied to computers that are running on the supported versions and editions of the Windows operating system. For more info, see [Requirements to Use AppLocker](applocker/requirements-to-use-applocker.md). -AppLocker policies can be deployed using Group Policy or MDM. - -## Choose when to use WDAC or AppLocker - -Although either AppLocker or WDAC can be used to control application execution on Windows 10 clients, the following factors can help you decide when to use each of the technologies. - -### WDAC is best when: - -- You are adopting application control primarily for security reasons. -- Your application control policy can be applied to all users on the managed computers. -- All of the devices you wish to manage are running Windows 10. - -### AppLocker is best when: - -- You have a mixed Windows operating system (OS) environment and need to apply the same policy controls to Windows 10 and earlier versions of the OS. -- You need to apply different policies for different users or groups on a shared computer. -- You are using application control to help users avoid running unapproved software, but you do not require a solution designed as a security feature. -- You do not wish to enforce application control on application files such as DLLs or drivers. - -## When to use both WDAC and AppLocker together - -AppLocker can also be deployed as a complement to WDAC to add user- or group-specific rules for shared device scenarios where its important to prevent some users from running specific apps. -As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level. - -## WDAC and AppLocker Feature Availability -| Capability | WDAC | AppLocker | -|-----------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Platform support | Available on Windows 10 | Available on Windows 8+ | -| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.
For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.
Policies deployed through MDM are effective on all SKUs. | -| Management solutions |
- |
-| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
-| Kernel mode policies | Available on all Windows 10 versions | Not available |
-| Per-app rules | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules) | Not available |
-| Managed Installer (MI) | [Available on 1703+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer) | Not available |
-| Reputation-Based intelligence | [Available on 1709+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph) | Not available |
-| Multiple policy support | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies) | Not available |
-| Path-based rules | [Available on 1903+.](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability check enforced by default. | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
-| COM object configurability | [Available on 1903+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy) | Not available |
-| Packaged app rules | [Available on RS5+](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control) | Available on Windows 8+ |
-| Enforceable file types |
+1. Choose **Devices** > **Configuration profiles** > **+ Create profile**, and do the following:
- a. In the **Platform** list, select **Windows 10 and later**. + 1. In the **Platform** list, select **Windows 10 and later**. - b. In the **Profile** list, select **Endpoint protection**. + 1. In the **Profile** list, select **Endpoint protection**. - c. Choose **Create**. + 1. Choose **Create**. -4. Specify the following settings for the profile: +1. Specify the following settings for the profile: - **Name** and **Description** @@ -109,17 +107,17 @@ Application Guard functionality is turned off by default. However, you can quick - Choose your preferences for **Clipboard behavior**, **External content**, and the remaining settings. -5. Choose **OK**, and then choose **OK** again. +1. Choose **OK**, and then choose **OK** again. -6. Review your settings, and then choose **Create**. +1. Review your settings, and then choose **Create**. -7. Choose **Assignments**, and then do the following: +1. Choose **Assignments**, and then do the following: - a. On the **Include** tab, in the **Assign to** list, choose an option. + 1. On the **Include** tab, in the **Assign to** list, choose an option. - b. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab. + 1. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the **Exclude** tab. - c. Click **Save**. + 1. Click **Save**. After the profile is created, any devices to which the policy should apply will have Windows Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place. diff --git a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md index 2ddbd8ddd4..f8bce090ea 100644 --- a/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md @@ -1,6 +1,6 @@ --- title: Basic Firewall Policy Design (Windows 10) -description: Basic Firewall Policy Design +description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design. ms.assetid: 6f7af99e-6850-4522-b7f5-db98e6941418 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md index 1be717ce49..71775ab476 100644 --- a/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md @@ -1,6 +1,6 @@ --- title: Certificate-based Isolation Policy Design (Windows 10) -description: Certificate-based Isolation Policy Design +description: Explore the methodology behind Certificate-based Isolation Policy Design and how it defers from Domain Isolation and Server Isolation Policy Design. ms.assetid: 63e01a60-9daa-4701-9472-096c85e0f862 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md index 11af4131b4..d953de0a48 100644 --- a/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md +++ b/windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md @@ -1,6 +1,6 @@ --- title: Change Rules from Request to Require Mode (Windows 10) -description: Change Rules from Request to Require Mode +description: Learn how to convert a rule from request to require mode and apply the modified GPOs to the client devices. ms.assetid: ad969eda-c681-48cb-a2c4-0b6cae5f4cff ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md index fa8377de0d..8d1a5f6710 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md +++ b/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md @@ -1,6 +1,6 @@ --- title: Checklist Configuring Basic Firewall Settings (Windows 10) -description: Checklist Configuring Basic Firewall Settings +description: Configure Windows Firewall to set inbound and outbound behavior, display notifications, record log files and more of the necessary function for Firewall. ms.assetid: 0d10cdae-da3d-4a33-b8a4-6b6656b6d1f9 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md index 6d74ea9356..2fec691406 100644 --- a/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md +++ b/windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md @@ -1,6 +1,6 @@ --- title: Checklist Implementing a Basic Firewall Policy Design (Windows 10) -description: Checklist Implementing a Basic Firewall Policy Design +description: Follow this parent checklist for implementing a basic firewall policy design to ensure successful implementation. ms.assetid: 6caf0c1e-ac72-4f9d-a986-978b77fbbaa3 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md index 2c12d1140a..873ee01d4f 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md @@ -1,6 +1,6 @@ --- title: Create an Authentication Request Rule (Windows 10) -description: Create an Authentication Request Rule +description: Create a new rule for Windows Defender Firewall with Advanced Security so devices on the network use IPsec protocols and methods before they can communicate. ms.assetid: 1296e048-039f-4d1a-aaf2-8472ad05e359 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md index 354ed24f32..d1211abf11 100644 --- a/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md +++ b/windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md @@ -1,6 +1,6 @@ --- title: Create an Outbound Program or Service Rule (Windows 10) -description: Create an Outbound Program or Service Rule +description: Use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. ms.assetid: f71db4fb-0228-4df2-a95d-b9c056aa9311 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 15c54f8ada..e7201d21c3 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -74,8 +74,8 @@ Comma separated list of local addresses covered by the rule. Valid tokens includ - \* indicates any local address. If present, this must be the only token included. - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is 255.255.255.255. - A valid IPv6 address. -- An IPv4 address range in the format of "start address - end address" with no spaces included. -- An IPv6 address range in the format of "start address - end address" with no spaces included. Default is Any address. +- An IPv4 address range in the format of "start address-end address" with no spaces included. +- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address. [Learn more](https://aka.ms/intunefirewalllocaladdressrule) @@ -93,8 +93,8 @@ List of comma separated tokens specifying the remote addresses covered by the ru - LocalSubnet indicates any local address on the local subnet. - A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255. - A valid IPv6 address. -- An IPv4 address range in the format of "start address - end address" with no spaces included. -- An IPv6 address range in the format of "start address - end address" with no spaces included. +- An IPv4 address range in the format of "start address-end address" with no spaces included. +- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address. diff --git a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md index d67461d012..95428bb9b0 100644 --- a/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md +++ b/windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md @@ -1,6 +1,6 @@ --- title: Designing a Windows Defender Firewall Strategy (Windows 10) -description: Designing a Windows Defender Firewall with Advanced Security Strategy +description: Answer the question in this article to design an effective Windows Defender Firewall with Advanced Security Strategy. ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/exemption-list.md b/windows/security/threat-protection/windows-firewall/exemption-list.md index 5911a0bedc..f66bc68daa 100644 --- a/windows/security/threat-protection/windows-firewall/exemption-list.md +++ b/windows/security/threat-protection/windows-firewall/exemption-list.md @@ -1,6 +1,6 @@ --- title: Exemption List (Windows 10) -description: Exemption List +description: Learn the ins and outs of exemption lists on a secured network using Windows 10. ms.assetid: a05e65b4-b48d-44b1-a7f1-3a8ea9c19ed8 ms.reviewer: ms.author: dansimp @@ -23,7 +23,7 @@ ms.date: 04/19/2017 - Windows 10 - Windows Server 2016 -When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devicess on the internal network, yet secured from network attacks. However, if they must remain available to all devicess on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. +When you implement a server and domain isolation security model in your organization, you are likely to find some additional challenges. Key infrastructure servers such as DNS servers and DHCP servers typically must be available to all devices on the internal network, yet secured from network attacks. However, if they must remain available to all devices on the network, not just to isolated domain members, then these servers cannot require IPsec for inbound access, nor can they use IPsec transport mode for outbound traffic. In addition to the infrastructure servers mentioned earlier, there might also be other servers on the network that trusted devices cannot use IPsec to access, which would be added to the exemption list. diff --git a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md index 0c27975e1b..dc11219314 100644 --- a/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md +++ b/windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md @@ -1,6 +1,6 @@ --- title: Gathering Info about Your Network Infrastructure (Windows 10) -description: Gathering Information about Your Current Network Infrastructure +description: Learn how to gather info about your network infrastructure so that you can effectively plan for Windows Defender Firewall with Advanced Security deployment. ms.assetid: f98d2b17-e71d-4ffc-b076-118b4d4782f9 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md index eda2c2ccc5..bc1c471475 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md @@ -1,6 +1,6 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Clients (Windows 10) -description: GPO\_DOMISO\_IsolatedDomain\_Clients +description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 73cd9e25-f2f1-4ef6-b0d1-d36209518cd9 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md index bfe618f15f..de34b9c3ad 100644 --- a/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md +++ b/windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md @@ -1,6 +1,6 @@ --- title: GPO\_DOMISO\_IsolatedDomain\_Servers (Windows 10) -description: GPO\_DOMISO\_IsolatedDomain\_Servers +description: Author this GPO by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. ms.assetid: 33aed8f3-fdc3-4f96-985c-e9d2720015d3 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md index 0798ba72d5..2183c3f911 100644 --- a/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md +++ b/windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md @@ -1,6 +1,6 @@ --- title: Planning Isolation Groups for the Zones (Windows 10) -description: Planning Isolation Groups for the Zones +description: Learn about planning isolation groups for the zones in Microsoft Firewall, including information on universal groups and GPOs ms.assetid: be4b662d-c1ce-441e-b462-b140469a5695 ms.reviewer: ms.author: dansimp @@ -25,7 +25,8 @@ ms.date: 04/19/2017 Isolation groups in Active Directory are how you implement the various domain and server isolation zones. A device is assigned to a zone by adding its device account to the group which represents that zone. ->**Caution:** Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others. +> [!CAUTION] +> Do not add devices to your groups yet. If a device is in a group when the GPO is activated then that GPO is applied to the device. If the GPO is one that requires authentication, and the other devices have not yet received their GPOs, the device that uses the new GPO might not be able to communicate with the others. Universal groups are the best option to use for GPO assignment because they apply to the whole forest and reduce the number of groups that must be managed. However, if universal groups are unavailable, you can use domain global groups instead. diff --git a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md index e8ec3acdbe..ba9cedf313 100644 --- a/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md +++ b/windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md @@ -1,6 +1,6 @@ --- title: Plan to Deploy Windows Defender Firewall with Advanced Security (Windows 10) -description: Planning to Deploy Windows Defender Firewall with Advanced Security +description: Use the design information in this article to plan for the deployment of Windows Defender Firewall with Advanced Security in your organization. ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md index b34c8d48ea..117070ef88 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md +++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md @@ -1,6 +1,6 @@ --- title: Restrict Access to Only Specified Users or Devices (Windows 10) -description: Restrict Access to Only Specified Users or Devices +description: Restrict access to devices and users that are members of domain groups authorized to access that device using Windows Defender Firewall with Advanced Security. ms.assetid: a6106a07-f9e5-430f-8dbd-06d3bf7406df ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md index 223595ed41..92f54d794a 100644 --- a/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md +++ b/windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md @@ -1,6 +1,6 @@ --- title: Restrict Server Access to Members of a Group Only (Windows 10) -description: Restrict Server Access to Members of a Group Only +description: Create a firewall rule to access isolated servers running Windows Server 2008 or later and restrict server access to members of a group. ms.assetid: ea51c55b-e1ed-44b4-82e3-3c4287a8628b ms.reviewer: ms.author: dansimp diff --git a/windows/whats-new/whats-new-windows-10-version-1909.md b/windows/whats-new/whats-new-windows-10-version-1909.md index 5d019f5d03..6d20ec5fa7 100644 --- a/windows/whats-new/whats-new-windows-10-version-1909.md +++ b/windows/whats-new/whats-new-windows-10-version-1909.md @@ -78,7 +78,7 @@ Windows Virtual Desktop is a comprehensive desktop and app virtualization servic #### Microsoft Endpoint Manager -Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now are [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). +Configuration Manager, Intune, Desktop Analytics, Co-Management, and Device Management Admin Console are now [Microsoft Endpoint Manager](https://docs.microsoft.com/configmgr/). See the Nov. 4 2019 [announcement](https://www.microsoft.com/microsoft-365/blog/2019/11/04/use-the-power-of-cloud-intelligence-to-simplify-and-accelerate-it-and-the-move-to-a-modern-workplace/). Also see [Modern management and security principles driving our Microsoft Endpoint Manager vision](https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797). ### Windows 10 Pro and Enterprise in S mode