Merge branch 'main' of https://github.com/MicrosoftDocs/windows-docs-pr into cpw-ad-wam-8470699

Meghan Stewart
2024-02-06 11:13:12 -08:00
682 changed files with 4281 additions and 21667 deletions

View File

@ -1,7 +1,7 @@
---
author: vinaypamnani-msft
ms.author: vinpa
ms.prod: windows
ms.service: windows-client
ms.topic: include
ms.date: 04/06/2023
---

View File

@ -54,7 +54,7 @@ The following XML file contains the device description framework (DDF) for the A
</AccessType>
<Description>This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
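Review bot: The description at the top of this hunk still reads "json string which comprises of account name, and AUMID", and the two copies of the "Example:" line are identical in the visible text, so the edit here looks whitespace-only and leaves the wording problem in place. Suggest "JSON string that comprises the account name and the AUMID of the kiosk mode app". Since "Domain name can be optional if user name is unique across the system" decides which account the kiosk app is bound to, the text should also say what happens when the user name is not unique.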

View File

@ -142,7 +142,7 @@ The following XML file contains the device description framework (DDF) for the B
If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.”
The format is string.
Sample value for this node to enable this policy and set the encryption methods is:
EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
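Review bot: The first context line of this hunk ends with a stray typographic closing quote, "any setup script.”", with no matching opening quote in the visible text. Since this line is already inside a touched hunk, drop the ” (or restore the opening quote if the sentence is meant to be quoted) so the DDF description does not carry a non-ASCII character into rendered output.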
@ -194,7 +194,7 @@ The following XML file contains the device description framework (DDF) for the B
Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
The format is string.
Sample value for this node to enable this policy is:
ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
All of the below settings are for computers with a TPM.
@ -250,7 +250,7 @@ The following XML file contains the device description framework (DDF) for the B
NOTE: If minimum PIN length is set below 6 digits, Windows will attempt to update the TPM 2.0 lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset.
The format is string.
Sample value for this node to enable this policy is:
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
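Review bot: The first line of this hunk uses "NOTE:" while the neighbouring hunks at -194 and -291 use "Note:"; pick one form for the whole description. The same sentence says Windows will update the TPM 2.0 lockout period "to be greater than the default" without giving either value, so an administrator who sets a minimum PIN length below 6 digits cannot tell from this text what lockout behaviour they end up with. Suggest stating the values or linking to where they are documented.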
@ -291,7 +291,7 @@ The following XML file contains the device description framework (DDF) for the B
Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
The format is string.
Sample value for this node to enable this policy is:
The possible values for 'xx' are:
0 = Empty
@ -344,7 +344,7 @@ The following XML file contains the device description framework (DDF) for the B
If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
The format is string.
Sample value for this node to enable this policy is:
The possible values for 'xx' are:
true = Explicitly allow
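Review bot: In the first line of this hunk, "By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS" is a run-on that uses DRA without expanding it in the visible description. Suggest splitting it, for example "By default, a data recovery agent (DRA) is allowed. Users can specify recovery options, including the recovery password and recovery key. Recovery information is not backed up to AD DS."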
@ -402,7 +402,7 @@ The following XML file contains the device description framework (DDF) for the B
If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
The format is string.
Sample value for this node to enable this policy is:
The possible values for 'xx' are:
true = Explicitly allow
@ -454,7 +454,7 @@ The following XML file contains the device description framework (DDF) for the B
If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
The format is string.
Sample value for this node to enable this policy is:
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
@ -495,7 +495,7 @@ The following XML file contains the device description framework (DDF) for the B
Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
The format is string.
Sample value for this node to enable this policy is:
The possible values for 'xx' are:
true = Explicitly allow
@ -575,7 +575,7 @@ The following XML file contains the device description framework (DDF) for the B
require reinstallation of Windows.
Note: This policy takes effect only if "RequireDeviceEncryption" policy is set to 1.
The format is integer.
The expected values for this policy are:
The expected values for this policy are:
1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed.
0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
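Review bot: The last line of this hunk says "Starting in Windows 10, next major update," which is a pre-release placeholder; name the release, because value 0 suppresses both the warning prompt and the encryption notification and readers need to know which builds behave that way. In the line above it, "Warning prompt and encryption notification is allowed" should be "are allowed". The two copies of "The expected values for this policy are:" are identical in the visible text, so the edit itself looks whitespace-only.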
@ -623,7 +623,7 @@ The following XML file contains the device description framework (DDF) for the B
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user
is the current logged on user in the system.
The expected values for this policy are:
The expected values for this policy are:
1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy
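Review bot: The value descriptions in this hunk mix "current logged on user" and "current logged in user", and the line for value 1 reads "even if a current logged in user is standard user" with an article missing. Suggest one term throughout, for example "even if the currently signed-in user is a standard user", and the same phrasing in the lines for value 0 and in the sentence that starts "If "AllowWarningForOtherDiskEncryption" is not set".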
@ -741,7 +741,7 @@ The policy only comes into effect when Active Directory backup for a recovery pa
* status\RotateRecoveryPasswordsStatus
* status\RotateRecoveryPasswordsRequestID
Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\
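Review bot: The last line of this hunk ends with a trailing backslash, "according to the management tools.\". If it is meant as a Markdown hard line break, nothing follows it in the visible hunk to break to; otherwise it is a stray escape and should be removed. "Example format of request ID is GUID" would also read better as "For example, the request ID can be a GUID."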

View File

@ -1,7 +1,7 @@
---
author: vinaypamnani-msft
ms.author: vinpa
ms.prod: windows
ms.service: windows-client
ms.topic: include
ms.date: 05/09/2023
---

View File

@ -1,7 +1,7 @@
---
author: vinaypamnani-msft
ms.author: vinpa
ms.prod: windows
ms.service: windows-client
ms.topic: include
ms.date: 05/09/2023
---

View File

@ -1,7 +1,7 @@
---
author: vinaypamnani-msft
ms.author: vinpa
ms.prod: windows
ms.service: windows-client
ms.topic: include
ms.date: 05/09/2023
---

View File

@ -934,7 +934,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
<Replace />
</AccessType>
<DefaultValue>False</DefaultValue>
<Description>Windows Hello for Business can use certificates to authenticate to on-premise resources.
<Description>Windows Hello for Business can use certificates to authenticate to on-premise resources.
If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
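Review bot: Both copies of the Description line read "authenticate to on-premise resources"; the term is "on-premises". The two copies are identical in the visible text, so this edit looks whitespace-only, and the wording can be corrected in the same change.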

View File

@ -37,7 +37,7 @@ If set to 1 then any MDM policy that's set that has an equivalent GP policy will
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
> [!NOTE]
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates.
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs such as the [Defender CSP](defender-csp.md). Nor does it apply to the [Update Policy CSP](policy-csp-update.md) for managing Windows updates.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
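Review bot: The last line of this hunk ends "if this policy value is set 1", which is missing "to". It also repeats what the note above it already states, so consider folding the default value into the note and dropping the sentence. The HTML comment at the top of the hunk warns that anything outside the editable section is overwritten, so confirm the edited note lines sit inside that section.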

View File

@ -267,7 +267,7 @@ Resource URI for which access is being requested by the Mopria discovery client
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy must target ./User, otherwise it fails.
The default value is an empty string. Otherwise, the value should contain a URL.
The default value is an empty string. Otherwise, the value should contain a URL.
**Example**:

View File

@ -34,11 +34,11 @@ ms.date: 01/18/2024
<!-- Description-Source-ADMX -->
This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a shutdown and cold boot.
This only occurs if the last interactive user didn't sign out before the restart or shutdown.
This only occurs if the last interactive user didn't sign out before the restart or shutdown.
If the device is joined to Active Directory or Microsoft Entra ID, this policy only applies to Windows Update restarts. Otherwise, this will apply to both Windows Update restarts and user-initiated restarts and shutdowns.
- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
- If you don't configure this policy setting, it's enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
After enabling this policy, you can configure its settings through the ConfigAutomaticRestartSignOn policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot .
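Review bot: The last line of this hunk ends with "cold boot ." with a space before the period, which is left in place while trailing whitespace is cleaned up on the lines above. In the same hunk, the bullet "If you don't configure this policy setting, it's enabled by default" means the last interactive user is signed in automatically after a restart unless an administrator opts out; the hunk header shows ms.date: 01/18/2024 for this file, so it is worth checking that this default is also stated where the policy's allowed values are listed.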