deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into mdatp

Browse Source
This commit is contained in:
Beth Levin 2019-05-14 15:05:37 -07:00
commit f9cf05f096
304 changed files with 8201 additions and 2643 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.acrolinx-config.edn Normal file
View File

@ -0,0 +1,2 @@
{:allowed-branchname-matches ["master"]
:allowed-filename-matches ["windows/"]}

2
.openpublishing.publish.config.json
View File

@ -104,7 +104,7 @@
"locale": "en-us",
"monikers": [],
"moniker_ranges": [],
"open_to_public_contributors": true,
"open_to_public_contributors": false,
"type_mapping": {
"Conceptual": "Content",
"ManagedReference": "Content",

10
.openpublishing.redirection.json
View File

@ -14674,6 +14674,16 @@
"source_path": "windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md",
"redirect_url": "/windows/security/threat-protection/windows-defender-atp/manage-indicators",
"redirect_document_id": true
},
{
"source_path": "windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md",
"redirect_url": "/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview",
"redirect_document_id": true
},
{
"source_path": "windows/hub/release-information.md",
"redirect_url": "/windows/release-information",
"redirect_document_id": true
}
]
}

5
browsers/edge/includes/allow-tab-preloading-include.md
View File

@ -35,8 +35,9 @@ ms:topic: include
- **Data type:** Integer
#### Registry settings
- **Path:** HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader
- **Value name:** AllowTabPreloading
- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main
- **Create Value name:** AllowPrelaunch
- **Value type:** REG_DWORD
- **DWORD Value:** 1
<hr>

4
browsers/internet-explorer/ie11-deploy-guide/net-framework-problems-with-ie11.md
View File

@ -16,9 +16,9 @@ If youre having problems launching your legacy apps while running Internet Ex
**To turn managed browser hosting controls back on**
1. **For x86 systems or for 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
1. **For x86 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
2. **For x64 systems or for 64-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
2. **For 32-bit processes on x64 systems:** Go to the `HKLM\SOFTWARE\Wow6432Node\MICROSOFT\.NETFramework` registry key and change the **EnableIEHosting** value to **1**.
For more information, see the [Web Applications](https://go.microsoft.com/fwlink/p/?LinkId=308903) section of the Application Compatibility in the .NET Framework 4.5 page.

5
devices/surface-hub/accessibility-surface-hub.md
View File

@ -5,10 +5,9 @@ ms.assetid: 1D44723B-1162-4DF6-99A2-8A3F24443442
keywords: Accessibility settings, Settings app, Ease of Access
ms.prod: surface-hub
ms.sitesec: library
author: jdeckerms
ms.author: jdecker
author: robmazz
ms.author: robmazz
ms.topic: article
ms.date: 08/16/2017
ms.localizationpriority: medium
---

2
devices/surface/assettag.md
View File

@ -27,7 +27,7 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices.
To run Surface Asset Tag:
1. On the Surface device, download **Surface Pro 3 AssetTag.zip** from the [Microsoft Download
Center](http://www.microsoft.com/download/details.aspx?id=44076),
Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703),
extract the zip file, and save AssetTag.exe in desired folder (in
this example, C:\\assets).

BIN
devices/surface/images/sdt-install.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 89 KiB

7
devices/surface/microsoft-surface-brightness-control.md
View File

@ -56,9 +56,14 @@ Full Brightness | Default: 100 <br>Option: Range of 0-100 percent of screen b
| Inactivity Timeout| Default: 30 seconds <br>Option: Any numeric value <br>Data Type: Integer <br> Type: REG_DWORD | This setting allows you to manage the period of inactivity before dimming the device. If you do not configure this setting, the inactivity timeout is 30 seconds.|
| Telemetry Enabled | Default: 01 <br>Option: 01, 00 <br> Type: REG_BINARY | This setting allows you to manage the sharing of app usage information to improve software and provide better user experience. To disable telemetry, set the value to 00. If you do not configure this setting, telemetry information is shared with Microsoft in accordance with the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement). |
## Changes and updates
### Version 1.12.239.0
*Release Date: 26 April 2019*<br>
This version of Surface Brightness Control adds support for the following:
- Touch delay fixes.
## Related topics
- [Battery limit setting](battery-limit.md)

60
devices/surface/surface-diagnostic-toolkit-business.md
View File

@ -27,13 +27,11 @@ Specifically, SDT for Business enables you to:
To run SDT for Business, download the components listed in the following table.
>[!NOTE]
>In contrast to the way you typically install MSI packages, the SDT distributable MSI package can only be created by running Windows Installer (msiexec.exe) at a command prompt and setting the custom flag `ADMINMODE = 1`. For details, see [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md).
Mode | Primary scenarios | Download | Learn more
--- | --- | --- | ---
Desktop mode | Assist users in running SDT on their Surface devices to troubleshoot issues.<br>Create a custom package to deploy on one or more Surface devices allowing users to select specific logs to collect and analyze. | SDT distributable MSI package:<br>Microsoft Surface Diagnostic Toolkit for Business Installer<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Use Surface Diagnostic Toolkit in desktop mode](surface-diagnostic-toolkit-desktop-mode.md)
Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:<br>`-DataCollector` collects all log files<br>`-bpa` runs health diagnostics using Best Practice Analyzer.<br>`-windowsupdate` checks Windows update for missing firmware or driver updates.<br><br>**Note:** Support for the ability to confirm warranty information will be available via the command `-warranty` | SDT console app:<br>Microsoft Surface Diagnostics App Console<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
Command line | Directly troubleshoot Surface devices remotely without user interaction, using standard tools such as Configuration Manager. It includes the following commands:<br>`-DataCollector` collects all log files<br>`-bpa` runs health diagnostics using Best Practice Analyzer.<br>`-windowsupdate` checks Windows update for missing firmware or driver updates.<br>`-warranty` checks warranty information. <br><br>| SDT console app:<br>Microsoft Surface Diagnostics App Console<br>[Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703) | [Run Surface Diagnostic Toolkit using commands](surface-diagnostic-toolkit-command-line.md)
## Supported devices
@ -57,16 +55,40 @@ SDT for Business is supported on Surface 3 and later devices, including:
## Installing Surface Diagnostic Toolkit for Business
To create an SDT package that you can distribute to users in your organization, you first need to install SDT at a command prompt and set a custom flag to install the tool in admin mode. SDT contains the following install option flags:
To create an SDT package that you can distribute to users in your organization:
1. Sign in to your Surface device using the Administrator account.
2. Download SDT Windows Installer Package (.msi) from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703) and copy it to a preferred location on your Surface device, such as Desktop.
3. The SDT setup wizard appears, as shown in figure 1. Click **Next**.
>[!NOTE]
>If the setup wizard does not appear, ensure that you are signed into the Administrator account on your computer.
![welcome to the Surface Diagnostic Toolkit setup wizard](images/sdt-1.png)
*Figure 1. Surface Diagnostic Toolkit setup wizard*
4. When the SDT setup wizard appears, click **Next**, accept the End User License Agreement (EULA)
5. On the Install Options screen, change the default install location if desired.
6. Under Setup Type, select **Advanced**.
>[!NOTE]
>The standard option allows users to run the diagnostic tool directly on their Surface device provided they are signed into their device using an Administrator account.
![Install Options: Advanced](images/sdt-install.png)
7. Click **Next** and then click **Install**.
## Installing using the command line
If desired, you can install SDT at a command prompt and set a custom flag to install the tool in admin mode. SDT contains the following install option flags:
- `SENDTELEMETRY` sends telemetry data to Microsoft. The flag accepts `0` for disabled or `1` for enabled. The default value is `1` to send telemetry.
- `ADMINMODE` configures the tool to be installed in admin mode. The flag accepts `0` for client mode or `1` for IT Administrator mode. The default value is `0`.
**To install SDT in ADMINMODE:**
### To install SDT from the command line:
1. Sign in to your Surface device using the Administrator account.
2. Download SDT Windows Installer Package (.msi) from the [Surface Tools for IT download page](https://www.microsoft.com/download/details.aspx?id=46703) and copy it to a preferred location on your Surface device, such as Desktop.
3. Open a command prompt and enter:
1. Open a command prompt and enter:
```
msiexec.exe /i <the path of installer> ADMINMODE=1.
@ -77,19 +99,6 @@ To create an SDT package that you can distribute to users in your organization,
C:\Users\Administrator> msiexec.exe/I"C:\Users\Administrator\Desktop\Microsoft_Surface_Diagnostic_Toolkit_for_Business_Installer.msi" ADMINMODE=1
```
4. The SDT setup wizard appears, as shown in figure 1. Click **Next**.
>[!NOTE]
>If the setup wizard does not appear, ensure that you are signed into the Administrator account on your computer.
![welcome to the Surface Diagnostic Toolkit setup wizard](images/sdt-1.png)
*Figure 1. Surface Diagnostic Toolkit setup wizard*
5. When the SDT setup wizard appears, click **Next**, accept the End User License Agreement (EULA), and select a location to install the package.
6. Click **Next** and then click **Install**.
## Locating SDT on your Surface device
Both SDT and the SDT app console are installed at `C:\Program Files\Microsoft\Surface\Microsoft Surface Diagnostic Toolkit for Business`.
@ -154,7 +163,14 @@ You can select to run a wide range of logs across applications, drivers, hardwar
- [Use Surface Diagnostic Toolkit for Business using commands](surface-diagnostic-toolkit-command-line.md)
## Changes and updates
### Version 2.36.139.0
*Release date: April 26, 2019*<br>
This version of Surface Diagnostic Toolkit for Business adds support for the following:
- Advanced Setup option to unlock admin capabilities through the installer UI, without requiring command line configuration.
- Accessibility improvements.
- Surface brightness control settings included in logs.
- External monitor compatibility support link in report generator.

2
devices/surface/surface-enterprise-management-mode.md
View File

@ -154,7 +154,7 @@ Packages created with the Microsoft Surface UEFI Configurator tool are signed wi
* **Key Length** 2048
* **Hash Algorithm** SHA-256
* **Type** SSL Server Authentication
* **Key Usage** Key Encipherment
* **Key Usage** Digital signature, Key Encipherment
* **Provider** Microsoft Enhanced RSA and AES Cryptographic Provider
* **Expiration Date** 15 Months from certificate creation
* **Key Export Policy** Exportable

12
devices/surface/windows-autopilot-and-surface-devices.md
View File

@ -7,7 +7,6 @@ ms.mktglfcycl: deploy
ms.pagetype: surface, devices
ms.sitesec: library
author: brecords
ms.date: 09/12/2018
ms.author: jdecker
ms.topic: article
---
@ -41,11 +40,16 @@ Support for broad deployments of Surface devices using Windows Autopilot, includ
### Surface device support
Surface devices with support for out-of-box deployment with Windows Autopilot, enrolled during the purchase process with a Surface partner, include the following devices, where the devices ship from the factory with Windows 10 Version 1709:
* Surface Pro (Model 1796)
* Surface Pro (5th gen)
* Surface Laptop(1st gen)
* Surface Studio (1st gen)
* Surface Pro 6
* Surface Book 2
* Surface Laptop
* Surface Studio
* Surface Laptop 2
* Surface Studio 2
* Surface Go
* Surface Go with LTE Advanced
## Surface partners enabled for Windows Autopilot
Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organizations behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management.

8
education/get-started/get-started-with-microsoft-education.md
View File

@ -32,7 +32,7 @@ Hello, IT administrators! In this walkthrough, we'll show you how you can quickl
- **Microsoft Teams** to bring conversations, content, and apps together in one place and create collaborate classrooms, connect in professional learning communities, and communicate with school staff
- **Learning Tools** are moving beyond the OneNote desktop app and is now available in Office Lens, OneNote Online, Word Online, and Word desktop
- **Whiteboard** to create interactive lessons on the big screen, share and collaborate real-time by connecting to Class Notebook and Classroom
- **Windows 10, version 1703 (Creators Update)** which brings 3D for everyone and other new and updated Windows features
- **Windows 10, version 1703 or later** which brings 3D for everyone and other new and updated Windows features
- **Minecraft: Education Edition** which provides an open and immersive environment to promote creativity, collaboration, and problem-solving
With Microsoft Education, schools can:
@ -60,11 +60,11 @@ Click the link to watch the video or follow the step-by-step guidance for each.
## Prerequisites
Complete these tasks before you start the walkthrough:
- Make sure all the devices that you want to configure, such as student PCs, have the latest Windows 10, version 1703 image installed.
- Make sure all the devices that you want to configure, such as student PCs, have Windows 10 (version 1703 or later) image installed.
We recommend Windows 10, version 1703 to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices.
We recommend Windows 10, version 1703 or later, to take advantage of all the new features and functionality that Windows supports. This version of Windows is also compatible with the latest version of the Set up School PCs app and the versions must match in order for Set up School PCs to provision the devices.
If you don't have Windows 10, version 1703 installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough.
If you don't have Windows 10, version 1703 or later, installed on your devices, we recommend upgrading. This process takes a while so start this task before proceeding with this walkthrough.
- Have an education-verified tenant to qualify for an Office 365 for Education subscription. You also need to be education-verified to use School Data Sync and Intune for Education.

1
it-client Submodule

@ -0,0 +1 @@
Subproject commit 61e0a21977430f3c0eef1c32e398999dc090c332

2
mdop/mbam-v25/client-event-logs.md
View File

@ -13,7 +13,7 @@ ms.date: 06/16/2016
# Client Event Logs
MBAM Client event logs are located in Event Viewer Applications and Services Logs Microsoft Windows MBAM - Operational path.
The following table contains event IDs that can occur on the MBAM Client.
<table>

4
mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
View File

@ -311,7 +311,9 @@ If you already registered SPNs on the machine account rather than in an applicat
</tbody>
</table>
 
## Required Request Filtering Settings
'Allow unlisted file name extensions' is required for the application to operate as expected. This can be found by navigating to the 'Microsoft BitLocker Administration and Monitoring' -> Request Filtering -> Edit Feature Settings.
## Related topics

4
windows/application-management/app-v/appv-auto-provision-a-vm.md
View File

@ -95,12 +95,12 @@ If your apps require custom prerequisites, such as Microsoft SQL Server, we reco
2. Open PowerShell as an admin and run the **Connect-AppvSequencerVM** cmdlet, using the following parameters:
```ps1
Connect-AppvSequencerVM -VMName "<name_of_vm>" -ADKPath "<path_to_adk_install_folder>"
Connect-AppvSequencerVM -VMName "<name_of_vm>"
```
Where ```<name_of_vm>``` is the name of the VM as shown in the Hyper-V Manager tool.
This command creates a new Hyper-V VM file using the provided VHD file and also creates a "clean" checkpoint, from where all sequencing and updating will start.
This command connects to an existing Hyper-V VM using the provided VM name for auto-sequencing.
### Review the provisioning log files

10
windows/client-management/mdm/accounts-csp.md
View File

@ -26,9 +26,13 @@ Root node.
Interior node for the account domain information.
<a href="" id="domain-computername"></a>**Domain/ComputerName**
This node specifies the name for a device. This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution: %RAND:<# of digits>% and %SERIAL%.
This node specifies the DNS hostname for a device. This setting can be managed remotely, but note that this not supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456"). (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.
Available naming macros:
|Macro|Description|Example|Generated Name|
|:---|:---|:---|:---|
|%RAND:<# of digits>|Generates the specified number of random digits.|Test%RAND:6%|Test123456|
|%SERIAL%|Generates the serial number derived from the device. If the serial number causes the new name to exceed the 15 character limit, the serial number will be truncated from the beginning of the sequence.|Test-Device-%SERIAL%|Test-Device-456|
Supported operation is Add.
@ -46,4 +50,4 @@ Supported operation is Add.
<a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup**
This optional node specifies the local user group that a local user account should be joined to. If the node is not set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.
Supported operation is Add.

3
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -22,6 +22,9 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
> [!Warning]
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
> [!Note]
> If the application calls KeyCredentialManager.IsSupportedAsync when it is running in assigned access mode and it returns false on the first run, invoke the settings screen and select a convenience PIN to use with Windows Hello. This is the settings screen that is hidden by the application running in assigned access mode. You can only use Windows Hello if you first leave assigned access mode, select your convenience pin, and then go back into assigned access mode again.
> [!Note]
> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.

4
windows/client-management/mdm/bitlocker-csp.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 12/06/2018
ms.date: 05/02/2019
---
# BitLocker CSP
@ -136,7 +136,7 @@ The following diagram shows the BitLocker configuration service provider in tree
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)".</p>
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". </p>
<table>
<tr>
<th>Home</th>

14
windows/client-management/mdm/devicestatus-csp.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/26/2018
ms.date: 04/30/2019
---
# DeviceStatus CSP
@ -157,6 +157,12 @@ Valid values:
Supported operation is Get.
If more than one antivirus provider is active, this node returns:
- 1 If every active antivirus provider has a valid signature status.
- 0 If any of the active antivirus providers has an invalid signature status.
This node also returns 0 when no antivirus provider is active.
<a href="" id="devicestatus-antivirus-status"></a>**DeviceStatus/Antivirus/Status**
Added in Windows, version 1607. Integer that specifies the status of the antivirus.
@ -186,6 +192,12 @@ Valid values:
Supported operation is Get.
If more than one antispyware provider is active, this node returns:
- 1 If every active antispyware provider has a valid signature status.
- 0 If any of the active antispyware providers has an invalid signature status.
This node also returns 0 when no antispyware provider is active.
<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
Added in Windows, version 1607. Integer that specifies the status of the antispyware.

4
windows/client-management/mdm/federated-authentication-device-enrollment.md
View File

@ -553,7 +553,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
<characteristic type="CertificateStore">
<characteristic type="Root">
<characteristic type="System">
<characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
<characteristic type="Encoded Root Cert Hash Inserted Here">
<parm name="EncodedCertificate" value="B64 encoded cert insert here" />
</characteristic>
</characteristic>
@ -562,7 +562,7 @@ The following code shows sample provisioning XML (presented in the preceding pac
<characteristic type="CertificateStore">
<characteristic type="My" >
<characteristic type="User">
<characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
<characteristic type="Encoded Root Cert Hash Inserted Here">
<parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
</characteristic>
<characteristic type="PrivateKeyContainer"/>

2
windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
View File

@ -296,7 +296,7 @@ The deep link used for connecting your device to work will always use the follow
| Parameter | Description | Supported Value for Windows 10|
|-----------|--------------------------------------------------------------|----------------------------------------------|
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm”, "awa", "aadj" |
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| MDM (Mobile Device Management), AWA (Adding Work Account), and AADJ (Azure Active Directory Joined). |
|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string|
| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |

8
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -1398,8 +1398,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<ul>
<li>ApplicationManagement/LaunchAppAfterLogOn</li>
<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures </li>
<li>Authentication/EnableFastFirstSignIn</li>
<li>Authentication/EnableWebSignIn</li>
<li>Authentication/EnableFastFirstSignIn (Preview mode only)</li>
<li>Authentication/EnableWebSignIn (Preview mode only)</li>
<li>Authentication/PreferredAadTenantDomainName</li>
<li>Browser/AllowFullScreenMode</li>
<li>Browser/AllowPrelaunch</li>
@ -1943,8 +1943,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<ul>
<li>ApplicationManagement/LaunchAppAfterLogOn</li>
<li>ApplicationManagement/ScheduleForceRestartForUpdateFailures </li>
<li>Authentication/EnableFastFirstSignIn</li>
<li>Authentication/EnableWebSignIn</li>
<li>Authentication/EnableFastFirstSignIn (Preview mode only)</li>
<li>Authentication/EnableWebSignIn (Preview mode only)</li>
<li>Authentication/PreferredAadTenantDomainName</li>
<li>Defender/CheckForSignaturesBeforeRunningScan</li>
<li>Defender/DisableCatchupFullScan </li>

2
windows/client-management/mdm/nodecache-csp.md
View File

@ -30,7 +30,7 @@ The following diagram shows the NodeCache configuration service provider in tree
![nodecache csp](images/provisioning-csp-nodecache.png)
<a href="" id="--device-vendor-msft"></a>**./Device/Vendor/MSFT and ./User/Vendor/MSFT**
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax. Starting in Windows 10, version 1607 the value is com.microsoft/\<version\>/MDM/NodeCache.
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax.
<a href="" id="providerid"></a>***ProviderID***
Optional. Group settings per DM server. Each group of settings is distinguished by the servers Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic.

393
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,13 +7,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 03/01/2019
ms.date: 05/01/2019
---
# Policy CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
@ -364,10 +364,10 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice" id="authentication-allowsecondaryauthenticationdevice">Authentication/AllowSecondaryAuthenticationDevice</a>
</dd>
<dd>
<a href="./policy-csp-authentication.md#authentication-enablefastfirstsignin" id="authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
<a href="./policy-csp-authentication.md#authentication-enablefastfirstsignin" id="authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a> (Preview mode only)
</dd>
<dd>
<a href="./policy-csp-authentication.md#authentication-enablewebsignin" id="authentication-enablewebsignin">Authentication/EnableWebSignIn</a>
<a href="./policy-csp-authentication.md#authentication-enablewebsignin" id="authentication-enablewebsignin">Authentication/EnableWebSignIn</a> (Preview mode only)
</dd>
<dd>
<a href="./policy-csp-authentication.md#authentication-preferredaadtenantdomainname" id="authentication-preferredaadtenantdomainname">Authentication/PreferredAadTenantDomainName</a>
@ -2413,6 +2413,14 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-power.md#power-displayofftimeoutpluggedin" id="power-displayofftimeoutpluggedin">Power/DisplayOffTimeoutPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-energysaverbatterythresholdonbattery"
id="power-energysaverbatterythresholdonbattery">Power/EnergySaverBatteryThresholdOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-energysaverbatterythresholdpluggedin"
id="power-energysaverbatterythresholdpluggedin">Power/EnergySaverBatteryThresholdPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-hibernatetimeoutonbattery" id="power-hibernatetimeoutonbattery">Power/HibernateTimeoutOnBattery</a>
</dd>
@ -2425,12 +2433,52 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin" id="power-requirepasswordwhencomputerwakespluggedin">Power/RequirePasswordWhenComputerWakesPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectlidcloseactiononbattery"
id="power-selectlidcloseactiononbattery">Power/SelectLidCloseActionOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectlidcloseactionpluggedin"
id="power-selectlidcloseactionpluggedin">Power/SelectLidCloseActionPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectpowerbuttonactiononbattery"
id="power-selectpowerbuttonactiononbattery">Power/SelectPowerButtonActionOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectpowerbuttonactionpluggedin"
id="power-selectpowerbuttonactionpluggedin">Power/SelectPowerButtonActionPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectsleepbuttonactiononbattery"
id="power-selectsleepbuttonactiononbattery">Power/SelectSleepButtonActionOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-selectsleepbuttonactionpluggedin"
id="power-selectsleepbuttonactionpluggedin">Power/SelectSleepButtonActionPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-standbytimeoutonbattery" id="power-standbytimeoutonbattery">Power/StandbyTimeoutOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-standbytimeoutpluggedin" id="power-standbytimeoutpluggedin">Power/StandbyTimeoutPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-turnoffhybridsleeponbattery"
id="power-turnoffhybridsleeponbattery">Power/TurnOffHybridSleepOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-turnoffhybridsleeppluggedin"
id="power-turnoffhybridsleeppluggedin">Power/TurnOffHybridSleepPluggedIn</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-unattendedsleeptimeoutonbattery"
id="power-unattendedsleeptimeoutonbattery">Power/UnattendedSleepTimeoutOnBattery</a>
</dd>
<dd>
<a href="./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin"
id="power-unattendedsleeptimeoutpluggedin">Power/UnattendedSleepTimeoutPluggedIn</a>
</dd>
</dl>
### Printers policies
@ -3101,7 +3149,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-storage.md#storage-enhancedstoragedevices" id="storage-enhancedstoragedevices">Storage/EnhancedStorageDevices</a>
</dd>
<dd>
<a href="#./policy-csp-storage.mdstorage-removablediskdenywriteaccess" id="storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a>
<a href="./policy-csp-storage.md#storage-removablediskdenywriteaccess" id="storage-removablediskdenywriteaccess">Storage/RemovableDiskDenyWriteAccess</a>
</dd>
</dl>
@ -3336,9 +3384,24 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-update.md#update-autorestartrequirednotificationdismissal" id="update-autorestartrequirednotificationdismissal">Update/AutoRestartRequiredNotificationDismissal</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-automaticmaintenancewakeup" id="update-automaticmaintenancewakeup">Update/AutomaticMaintenanceWakeUp</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-branchreadinesslevel" id="update-branchreadinesslevel">Update/BranchReadinessLevel</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlineforfeatureupdates" id="update-configuredeadlineforfeatureupdates">Update/ConfigureDeadlineForFeatureUpdates</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlineforqualityupdates" id="update-configuredeadlineforqualityupdates">Update/ConfigureDeadlineForQualityUpdates</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlinegraceperiod" id="update-configuredeadlinegraceperiod">Update/ConfigureDeadlineGracePeriod</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configuredeadlinenoautoreboot" id="update-configuredeadlinenoautoreboot">Update/ConfigureDeadlineNoAutoReboot</a>
</dd>
<dd>
<a href="./policy-csp-update.md#update-configurefeatureupdateuninstallperiod" id="update-configurefeatureupdateuninstallperiod">Update/ConfigureFeatureUpdateUninstallPeriod</a>
</dd>
@ -3678,22 +3741,28 @@ The following diagram shows the Policy configuration service provider in tree fo
### WindowsLogon policies
<dl>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon" id="windowslogon-allowautomaticrestartsignon">WindowsLogon/AllowAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon" id="windowslogon-configautomaticrestartsignon">WindowsLogon/ConfigAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications" id="windowslogon-disablelockscreenappnotifications">WindowsLogon/DisableLockScreenAppNotifications</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui" id="windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation" id="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers" id="windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching" id="windowslogon-hidefastuserswitching">WindowsLogon/HideFastUserSwitching</a>
</dd>
<dd>
<a href="./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart" id="windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart">WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart</a>
</dd>
</dl>
</dl>
### WindowsPowerShell policies
@ -4116,10 +4185,11 @@ The following diagram shows the Policy configuration service provider in tree fo
- [System/BootStartDriverInitialization](./policy-csp-system.md#system-bootstartdriverinitialization)
- [System/DisableSystemRestore](./policy-csp-system.md#system-disablesystemrestore)
- [WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork](./policy-csp-windowsconnectionmanager.md#windowsconnectionmanager-prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork)
- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart)
- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
@ -4699,12 +4769,24 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Power/AllowStandbyWhenSleepingPluggedIn](./policy-csp-power.md#power-allowstandbywhensleepingpluggedin)
- [Power/DisplayOffTimeoutOnBattery](./policy-csp-power.md#power-displayofftimeoutonbattery)
- [Power/DisplayOffTimeoutPluggedIn](./policy-csp-power.md#power-displayofftimeoutpluggedin)
- [Power/EnergySaverBatteryThresholdOnBattery](./policy-csp-power.md#power-energysaverbatterythresholdonbattery)
- [Power/EnergySaverBatteryThresholdPluggedIn](./policy-csp-power.md#power-energysaverbatterythresholdpluggedin)
- [Power/HibernateTimeoutOnBattery](./policy-csp-power.md#power-hibernatetimeoutonbattery)
- [Power/HibernateTimeoutPluggedIn](./policy-csp-power.md#power-hibernatetimeoutpluggedin)
- [Power/RequirePasswordWhenComputerWakesOnBattery](./policy-csp-power.md#power-requirepasswordwhencomputerwakesonbattery)
- [Power/RequirePasswordWhenComputerWakesPluggedIn](./policy-csp-power.md#power-requirepasswordwhencomputerwakespluggedin)
- [Power/SelectLidCloseActionOnBattery](./policy-csp-power.md#power-selectlidcloseactiononbattery)
- [Power/SelectLidCloseActionPluggedIn](./policy-csp-power.md#power-selectlidcloseactionpluggedin)
- [Power/SelectPowerButtonActionOnBattery](./policy-csp-power.md#power-selectpowerbuttonactiononbattery)
- [Power/SelectPowerButtonActionPluggedIn](./policy-csp-power.md#power-selectpowerbuttonactionpluggedin)
- [Power/SelectSleepButtonActionOnBattery](./policy-csp-power.md#power-selectsleepbuttonactiononbattery)
- [Power/SelectSleepButtonActionPluggedIn](./policy-csp-power.md#power-selectsleepbuttonactionpluggedin)
- [Power/StandbyTimeoutOnBattery](./policy-csp-power.md#power-standbytimeoutonbattery)
- [Power/StandbyTimeoutPluggedIn](./policy-csp-power.md#power-standbytimeoutpluggedin)
- [Power/TurnOffHybridSleepOnBattery](./policy-csp-power.md#power-turnoffhybridsleeponbattery)
- [Power/TurnOffHybridSleepPluggedIn](./policy-csp-power.md#power-turnoffhybridsleeppluggedin)
- [Power/UnattendedSleepTimeoutOnBattery](./policy-csp-power.md#power-unattendedsleeptimeoutonbattery)
- [Power/UnattendedSleepTimeoutPluggedIn](./policy-csp-power.md#power-unattendedsleeptimeoutpluggedin)
- [Printers/PointAndPrintRestrictions](./policy-csp-printers.md#printers-pointandprintrestrictions)
- [Printers/PointAndPrintRestrictions_User](./policy-csp-printers.md#printers-pointandprintrestrictions-user)
- [Printers/PublishPrinters](./policy-csp-printers.md#printers-publishprinters)
@ -4881,7 +4963,12 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates](./policy-csp-update.md#update-autorestartdeadlineperiodindaysforfeatureupdates)
- [Update/AutoRestartNotificationSchedule](./policy-csp-update.md#update-autorestartnotificationschedule)
- [Update/AutoRestartRequiredNotificationDismissal](./policy-csp-update.md#update-autorestartrequirednotificationdismissal)
- [Update/AutomaticMaintenanceWakeUp](./policy-csp-update.md#update-automaticmaintenancewakeup)
- [Update/BranchReadinessLevel](./policy-csp-update.md#update-branchreadinesslevel)
- [Update/ConfigureDeadlineForFeatureUpdates](./policy-csp-update.md#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](./policy-csp-update.md#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](./policy-csp-update.md#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](./policy-csp-update.md#update-configuredeadlinenoautoreboot)
- [Update/DeferFeatureUpdatesPeriodInDays](./policy-csp-update.md#update-deferfeatureupdatesperiodindays)
- [Update/DeferQualityUpdatesPeriodInDays](./policy-csp-update.md#update-deferqualityupdatesperiodindays)
- [Update/DeferUpdatePeriod](./policy-csp-update.md#update-deferupdateperiod)
@ -4975,111 +5062,213 @@ The following diagram shows the Policy configuration service provider in tree fo
- [WindowsDefenderSecurityCenter/URL](./policy-csp-windowsdefendersecuritycenter.md#windowsdefendersecuritycenter-url)
- [WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace)
- [WindowsInkWorkspace/AllowWindowsInkWorkspace](./policy-csp-windowsinkworkspace.md#windowsinkworkspace-allowwindowsinkworkspace)
- [WindowsLogon/AllowAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-allowautomaticrestartsignon)
- [WindowsLogon/ConfigAutomaticRestartSignOn](./policy-csp-windowslogon.md#windowslogon-configautomaticrestartsignon)
- [WindowsLogon/DisableLockScreenAppNotifications](./policy-csp-windowslogon.md#windowslogon-disablelockscreenappnotifications)
- [WindowsLogon/DontDisplayNetworkSelectionUI](./policy-csp-windowslogon.md#windowslogon-dontdisplaynetworkselectionui)
- [WindowsLogon/EnableFirstLogonAnimation](./policy-csp-windowslogon.md#windowslogon-enablefirstlogonanimation)
- [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers](./policy-csp-windowslogon.md#windowslogon-enumeratelocalusersondomainjoinedcomputers)
- [WindowsLogon/HideFastUserSwitching](./policy-csp-windowslogon.md#windowslogon-hidefastuserswitching)
- [WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart](./policy-csp-windowslogon.md#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart)
- [WindowsPowerShell/TurnOnPowerShellScriptBlockLogging](./policy-csp-windowspowershell.md#windowspowershell-turnonpowershellscriptblocklogging)
- [WirelessDisplay/AllowProjectionToPC](./policy-csp-wirelessdisplay.md#wirelessdisplay-allowprojectiontopc)
- [WirelessDisplay/RequirePinForPairing](./policy-csp-wirelessdisplay.md#wirelessdisplay-requirepinforpairing)
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Policies supported by Windows Holographic for Business
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Authentication/PreferredAadTenantDomainName](#authentication-preferredaadtenantdomainname)
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Browser/AllowAutofill](#browser-allowautofill)
- [Browser/AllowCookies](#browser-allowcookies)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [Experience/AllowCortana](#experience-allowcortana)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
- [System/AllowLocation](#system-allowlocation)
- [System/AllowTelemetry](#system-allowtelemetry)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
<!--EndHoloLensBusiness-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Policies supported by Windows Holographic for Business
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Authentication/PreferredAadTenantDomainName](#authentication-preferredaadtenantdomainname)
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Browser/AllowAutofill](#browser-allowautofill)
- [Browser/AllowCookies](#browser-allowcookies)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [Experience/AllowCortana](#experience-allowcortana)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
- [System/AllowLocation](#system-allowlocation)
- [System/AllowTelemetry](#system-allowtelemetry)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
## <a href="" id="hololenspolicies"></a>Policies supported by Windows Holographic
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Browser/AllowCookies](#browser-allowcookies)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
- [Experience/AllowCortana](#experience-allowcortana)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
- [System/AllowTelemetry](#system-allowtelemetry)
- [System/AllowLocation](#system-allowlocation)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Browser/AllowCookies](#browser-allowcookies)
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
- [Experience/AllowCortana](#experience-allowcortana)
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
- [System/AllowTelemetry](#system-allowtelemetry)
- [System/AllowLocation](#system-allowlocation)
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
- [Wifi/AllowManualWiFiConfiguration](policy-csp-wifi.md#wifi-allowmanualwificonfiguration)
<!--EndHoloLens-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Policies supported by Microsoft Surface Hub
- [Camera/AllowCamera](#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [Cryptography/AllowFipsAlgorithmPolicy](#cryptography-allowfipsalgorithmpolicy)
- [Cryptography/TLSCipherSuites](#cryptography-tlsciphersuites)
- [Defender/AllowArchiveScanning](#defender-allowarchivescanning)
- [Defender/AllowBehaviorMonitoring](#defender-allowbehaviormonitoring)
- [Defender/AllowCloudProtection](#defender-allowcloudprotection)
- [Defender/AllowEmailScanning](#defender-allowemailscanning)
- [Defender/AllowFullScanOnMappedNetworkDrives](#defender-allowfullscanonmappednetworkdrives)
- [Defender/AllowFullScanRemovableDriveScanning](#defender-allowfullscanremovabledrivescanning)
- [Defender/AllowIOAVProtection](#defender-allowioavprotection)
- [Defender/AllowIntrusionPreventionSystem](#defender-allowintrusionpreventionsystem)
- [Defender/AllowOnAccessProtection](#defender-allowonaccessprotection)
- [Defender/AllowRealtimeMonitoring](#defender-allowrealtimemonitoring)
- [Defender/AllowScanningNetworkFiles](#defender-allowscanningnetworkfiles)
- [Defender/AllowScriptScanning](#defender-allowscriptscanning)
- [Defender/AllowUserUIAccess](#defender-allowuseruiaccess)
- [Defender/AvgCPULoadFactor](#defender-avgcpuloadfactor)
- [Defender/DaysToRetainCleanedMalware](#defender-daystoretaincleanedmalware)
- [Defender/ExcludedExtensions](#defender-excludedextensions)
- [Defender/ExcludedPaths](#defender-excludedpaths)
- [Defender/ExcludedProcesses](#defender-excludedprocesses)
- [Defender/PUAProtection](#defender-puaprotection)
- [Defender/RealTimeScanDirection](#defender-realtimescandirection)
- [Defender/ScanParameter](#defender-scanparameter)
- [Defender/ScheduleQuickScanTime](#defender-schedulequickscantime)
- [Defender/ScheduleScanDay](#defender-schedulescanday)
- [Defender/ScheduleScanTime](#defender-schedulescantime)
- [Defender/SignatureUpdateInterval](#defender-signatureupdateinterval)
- [Defender/SubmitSamplesConsent](#defender-submitsamplesconsent)
- [Defender/ThreatSeverityDefaultAction](#defender-threatseveritydefaultaction)
- [DeliveryOptimization/DOAbsoluteMaxCacheSize](#deliveryoptimization-doabsolutemaxcachesize)
- [DeliveryOptimization/DOAllowVPNPeerCaching](#deliveryoptimization-doallowvpnpeercaching)
- [DeliveryOptimization/DODownloadMode](#deliveryoptimization-dodownloadmode)
- [DeliveryOptimization/DOGroupId](#deliveryoptimization-dogroupid)
- [DeliveryOptimization/DOMaxCacheAge](#deliveryoptimization-domaxcacheage)
- [DeliveryOptimization/DOMaxCacheSize](#deliveryoptimization-domaxcachesize)
- [DeliveryOptimization/DOMaxDownloadBandwidth](#deliveryoptimization-domaxdownloadbandwidth)
- [DeliveryOptimization/DOMaxUploadBandwidth](#deliveryoptimization-domaxuploadbandwidth)
- [DeliveryOptimization/DOMinBackgroundQos](#deliveryoptimization-dominbackgroundqos)
- [DeliveryOptimization/DOMinDiskSizeAllowedToPeer](#deliveryoptimization-domindisksizeallowedtopeer)
- [DeliveryOptimization/DOMinFileSizeToCache](#deliveryoptimization-dominfilesizetocache)
- [DeliveryOptimization/DOMinRAMAllowedToPeer](#deliveryoptimization-dominramallowedtopeer)
- [DeliveryOptimization/DOModifyCacheDrive](#deliveryoptimization-domodifycachedrive)
- [DeliveryOptimization/DOMonthlyUploadDataCap](#deliveryoptimization-domonthlyuploaddatacap)
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
- [TextInput/AllowIMELogging](#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](#textinput-allowinputpanel)
- [TextInput/AllowJapaneseIMESurrogatePairCharacters](#textinput-allowjapaneseimesurrogatepaircharacters)
- [TextInput/AllowJapaneseIVSCharacters](#textinput-allowjapaneseivscharacters)
- [TextInput/AllowJapaneseNonPublishingStandardGlyph](#textinput-allowjapanesenonpublishingstandardglyph)
- [TextInput/AllowJapaneseUserDictionary](#textinput-allowjapaneseuserdictionary)
- [TextInput/AllowLanguageFeaturesUninstall](#textinput-allowlanguagefeaturesuninstall)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208](#textinput-excludejapaneseimeexceptjis0208)
- [TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC](#textinput-excludejapaneseimeexceptjis0208andeudc)
- [TextInput/ExcludeJapaneseIMEExceptShiftJIS](#textinput-excludejapaneseimeexceptshiftjis)
- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
<!--EndSurfaceHub-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Policies supported by Windows 10 IoT Core
- [Camera/AllowCamera](#camera-allowcamera)
- [Cellular/ShowAppCellularAccessUI](#cellular-showappcellularaccessui)
- [CredentialProviders/AllowPINLogon](#credentialproviders-allowpinlogon)
- [CredentialProviders/BlockPicturePassword](#credentialproviders-blockpicturepassword)
- [DataProtection/AllowDirectMemoryAccess](#dataprotection-allowdirectmemoryaccess)
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
- [Wifi/WLANScanMode](#wifi-wlanscanmode)
<!--EndIoTCore-->
<!--StartIoTEnterprise-->
## <a href="" id="iotcore"></a>Policies supported by Windows 10 IoT Enterprise
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
<!--EndIoTCoreEnterprise-->
<!--StartEAS-->
## <a href="" id="eas"></a>Policies that can be set using Exchange Active Sync (EAS)

31
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/30/2018
ms.date: 05/01/2019
---
# Policy CSP - Accounts
@ -240,15 +240,28 @@ The default value is an empty string, which allows all email accounts on the dev
<!--/Description-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Accounts policies supported by Windows Holographic
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Accounts policies supported by Windows Holographic for Business
- [Accounts/AllowMicrosoftAccountConnection](#accounts-allowmicrosoftaccountconnection)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.

39
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/08/2018
ms.date: 05/01/2019
---
# Policy CSP - ApplicationManagement
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -1038,16 +1038,31 @@ XSD:
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>ApplicationManagement policies supported by Windows Holographic
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>ApplicationManagement policies supported by Windows Holographic for Business
- [ApplicationManagement/AllowAppStoreAutoUpdate](#applicationmanagement-allowappstoreautoupdate)
- [ApplicationManagement/AllowDeveloperUnlock](#applicationmanagement-allowdeveloperunlock)
- [ApplicationManagement/AllowAllTrustedApps](#applicationmanagement-allowalltrustedapps)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.

44
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/30/2018
ms.date: 05/01/2019
---
# Policy CSP - Authentication
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -354,6 +354,9 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is only in preview mode and therefore not meant or recommended for production purposes.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
Value type is integer. Supported values:
@ -412,9 +415,12 @@ Value type is integer. Supported values:
<!--/Scope-->
<!--Description-->
> [!Warning]
> This policy is only in preview mode and therefore not meant or recommended for production purposes.
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML).
> [!Note]
> [!Note]
> Web Sign-in is only supported on Azure AD Joined PCs.
Value type is integer. Supported values:
@ -491,15 +497,27 @@ Value type is string.
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Authentication policies supported by Windows Holographic
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Authentication policies supported by Windows Holographic for Business
- [Authentication/AllowFastReconnect](#authentication-allowfastreconnect)
- [Authentication/PreferredAadTenantDomainName](#authentication-preferredaadtenantdomainname)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

35
windows/client-management/mdm/policy-csp-bluetooth.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 11/15/2018
ms.date: 05/01/2019
---
# Policy CSP - Bluetooth
@ -339,17 +339,34 @@ The default value is an empty string. For more information, see [ServicesAllowed
<!--/Description-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Bluetooth policies supported by Windows Holographic
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Bluetooth policies supported by Windows Holographic for Business
- [Bluetooth/AllowAdvertising](#bluetooth-allowadvertising)
- [Bluetooth/AllowDiscoverableMode](#bluetooth-allowdiscoverablemode)
- [Bluetooth/LocalDeviceName](#bluetooth-localdevicename)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
## ServicesAllowedList usage guide
When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow pairing and connections of Windows PCs and phones to explicitly defined Bluetooth profiles and services. It is an allowed list, enabling admins to still allow custom Bluetooth profiles that are not defined by the Bluetooth Special Interests Group (SIG).

45
windows/client-management/mdm/policy-csp-browser.md
View File

@ -6,13 +6,13 @@ ms.prod: w10
ms.technology: windows
author: shortpatti
ms.author: pashort
ms.date: 10/02/2018
ms.date: 05/01/2019
---
# Policy CSP - Browser
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -3963,15 +3963,38 @@ Supported values:
Most restricted value: 0
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Supported versions, version 1607.
- 2 - Supported versions, version 1703.
- 3 - Supported versions, version 1709.
- 4 - Supported versions, version 1803.
- 5 - Supported versions, version 1809.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Browser policies supported by Windows Holographic
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Browser/AllowCookies](#browser-allowcookies)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Browser policies supported by Windows Holographic for Business
- [Browser/AllowAutofill](#browser-allowautofill)
- [Browser/AllowDoNotTrack](#browser-allowdonottrack)
- [Browser/AllowPasswordManager](#browser-allowpasswordmanager)
- [Browser/AllowPopups](#browser-allowpopups)
- [Browser/AllowSearchSuggestionsinAddressBar](#browser-allowsearchsuggestionsinaddressbar)
- [Browser/AllowSmartScreen](#browser-allowsmartscreen)
- [Browser/AllowCookies](#browser-allowcookies)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.

34
windows/client-management/mdm/policy-csp-connectivity.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/30/2018
ms.date: 05/01/2019
---
# Policy CSP - Connectivity
@ -961,16 +961,32 @@ ADMX Info:
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Connectivity policies supported by Windows Holographic
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Connectivity policies supported by Windows Holographic for Business
- [Connectivity/AllowBluetooth](#connectivity-allowbluetooth)
- [Connectivity/AllowUSBConnection](#connectivity-allowusbconnection)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.

2
windows/client-management/mdm/policy-csp-controlpolicyconflict.md
View File

@ -67,7 +67,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh
> [!Note]
> MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers.
This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
Note: This policy doesnt support the Delete command and doesnt support setting the value to 0 again after it was previously set to 1. Windows 10 version 1809 will support using the Delete command to set the value to 0 again, if it was previously set to 1.
The following list shows the supported values:

47
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/08/2018
ms.date: 05/01/2019
---
# Policy CSP - DeviceLock
@ -1205,14 +1205,43 @@ Most restricted value is 0.
<!--/Description-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>DeviceLock policies supported by Windows Holographic
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>DeviceLock policies supported by Windows Holographic for Business
- [DeviceLock/AllowSimpleDevicePassword](#devicelock-allowsimpledevicepassword)
- [DeviceLock/MaxDevicePasswordFailedAttempts](#devicelock-maxdevicepasswordfailedattempts)
- [DeviceLock/MaxInactivityTimeDeviceLock](#devicelock-maxinactivitytimedevicelock)
- [DeviceLock/MinDevicePasswordLength](#devicelock-mindevicepasswordlength)
- [DeviceLock/DevicePasswordHistory](#devicelock-devicepasswordhistory)
- [DeviceLock/AlphanumericDevicePasswordRequired](#devicelock-alphanumericdevicepasswordrequired)
- [DeviceLock/MinDevicePasswordComplexCharacters](#devicelock-mindevicepasswordcomplexcharacters)
- [DeviceLock/AllowIdleReturnWithoutPassword](#devicelock-allowidlereturnwithoutpassword)
- [DeviceLock/DevicePasswordEnabled](#devicelock-devicepasswordenabled)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.

36
windows/client-management/mdm/policy-csp-experience.md
View File

@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/30/2018
ms.date: 05/01/2019
---
# Policy CSP - Experience
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -1569,17 +1569,27 @@ Validation procedure:
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Experience policies supported by Windows Holographic
- [Experience/AllowCortana](#experience-allowcortana)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Experience policies supported by Windows Holographic for Business
- [Experience/AllowCortana](#experience-allowcortana)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.

891
windows/client-management/mdm/policy-csp-power.md
View File

@ -6,12 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 04/16/2018
ms.date: 05/03/2019
---
# Policy CSP - Power
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -31,6 +32,12 @@ ms.date: 04/16/2018
<dd>
<a href="#power-displayofftimeoutpluggedin">Power/DisplayOffTimeoutPluggedIn</a>
</dd>
<dd>
<a href="#power-energysaverbatterythresholdonbattery">Power/EnergySaverBatteryThresholdOnBattery</a>
</dd>
<dd>
<a href="#power-energysaverbatterythresholdpluggedin">Power/EnergySaverBatteryThresholdPluggedIn</a>
</dd>
<dd>
<a href="#power-hibernatetimeoutonbattery">Power/HibernateTimeoutOnBattery</a>
</dd>
@ -43,12 +50,42 @@ ms.date: 04/16/2018
<dd>
<a href="#power-requirepasswordwhencomputerwakespluggedin">Power/RequirePasswordWhenComputerWakesPluggedIn</a>
</dd>
<dd>
<a href="#power-selectlidcloseactiononbattery">Power/SelectLidCloseActionOnBattery</a>
</dd>
<dd>
<a href="#power-selectlidcloseactionpluggedin">Power/SelectLidCloseActionPluggedIn</a>
</dd>
<dd>
<a href="#power-selectpowerbuttonactiononbattery">Power/SelectPowerButtonActionOnBattery</a>
</dd>
<dd>
<a href="#power-selectpowerbuttonactionpluggedin">Power/SelectPowerButtonActionPluggedIn</a>
</dd>
<dd>
<a href="#power-selectsleepbuttonactiononbattery">Power/SelectSleepButtonActionOnBattery</a>
</dd>
<dd>
<a href="#power-selectsleepbuttonactionpluggedin">Power/SelectSleepButtonActionPluggedIn</a>
</dd>
<dd>
<a href="#power-standbytimeoutonbattery">Power/StandbyTimeoutOnBattery</a>
</dd>
<dd>
<a href="#power-standbytimeoutpluggedin">Power/StandbyTimeoutPluggedIn</a>
</dd>
<dd>
<a href="#power-turnoffhybridsleeponbattery">Power/TurnOffHybridSleepOnBattery</a>
</dd>
<dd>
<a href="#power-turnoffhybridsleeppluggedin">Power/TurnOffHybridSleepPluggedIn</a>
</dd>
<dd>
<a href="#power-unattendedsleeptimeoutonbattery">Power/UnattendedSleepTimeoutOnBattery</a>
</dd>
<dd>
<a href="#power-unattendedsleeptimeoutpluggedin">Power/UnattendedSleepTimeoutPluggedIn</a>
</dd>
</dl>
@ -306,6 +343,139 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="power-energysaverbatterythresholdonbattery"></a>**Power/EnergySaverBatteryThresholdOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on.
If you enable this policy setting, you must specify a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level.
If you disable or do not configure this policy setting, users control this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Energy Saver Battery Threshold (on battery)*
- GP name: *EsBattThresholdDC*
- GP element: *EnterEsBattThreshold*
- GP path: *System/Power Management/Energy Saver Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values: 0-100. The default is 70.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-energysaverbatterythresholdpluggedin"></a>**Power/EnergySaverBatteryThresholdPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to specify battery charge level at which Energy Saver is turned on.
If you enable this policy setting, you must provide a percentage value that indicates the battery charge level. Energy Saver is automatically turned on at (and below) the specified battery charge level.
If you disable or do not configure this policy setting, users control this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Energy Saver Battery Threshold (plugged in)*
- GP name: *EsBattThresholdAC*
- GP element: *EnterEsBattThreshold*
- GP path: *System/Power Management/Energy Saver Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values: 0-100. The default is 70.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-hibernatetimeoutonbattery"></a>**Power/HibernateTimeoutOnBattery**
@ -558,6 +728,438 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="power-selectlidcloseactiononbattery"></a>**Power/SelectLidCloseActionOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the lid switch action (on battery)*
- GP name: *DCSystemLidAction_2*
- GP element: *SelectDCSystemLidAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported lid close switch actions (on battery):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectlidcloseactionpluggedin"></a>**Power/SelectLidCloseActionPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the lid switch action (plugged in)*
- GP name: *ACSystemLidAction_2*
- GP element: *SelectACSystemLidAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported lid close switch actions (plugged in):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectpowerbuttonactiononbattery"></a>**Power/SelectPowerButtonActionOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the Power button action (on battery)*
- GP name: *DCPowerButtonAction_2*
- GP element: *SelectDCPowerButtonAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported Power button actions (on battery):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectpowerbuttonactionpluggedin"></a>**Power/SelectPowerButtonActionPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Power button.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the Power button action (plugged in)*
- GP name: *ACPowerButtonAction_2*
- GP element: *SelectACPowerButtonAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported Power button actions (plugged in):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectsleepbuttonactiononbattery"></a>**Power/SelectSleepButtonActionOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the Sleep button action (on battery)*
- GP name: *DCSleepButtonAction_2*
- GP element: *SelectDCSleepButtonAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported Sleep button actions (on battery):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-selectsleepbuttonactionpluggedin"></a>**Power/SelectSleepButtonActionPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting specifies the action that Windows takes when a user presses the Sleep button.
If you enable this policy setting, you must select the desired action.
If you disable this policy setting or do not configure it, users can see and change this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Select the Sleep button action (plugged in)*
- GP name: *ACSleepButtonAction_2*
- GP element: *SelectACSleepButtonAction*
- GP path: *System/Power Management/Button Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported Sleep button actions (plugged in):
- 0 - Take no action
- 1 - Sleep
- 2 - System hibernate sleep state
- 3 - System shutdown
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-standbytimeoutonbattery"></a>**Power/StandbyTimeoutOnBattery**
@ -683,14 +1285,291 @@ ADMX Info:
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
<!--Policy-->
<a href="" id="power-turnoffhybridsleeponbattery"></a>**Power/TurnOffHybridSleepOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to turn off hybrid sleep.
If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By).
If you set this policy setting to 1 or do not configure this policy setting, users control this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Turn off hybrid sleep (on battery)*
- GP name: *DCStandbyWithHiberfileEnable_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values for Hybrid sleep (on battery):
- 0 - no hibernation file for sleep (default)
- 1 - hybrid sleep
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-turnoffhybridsleeppluggedin"></a>**Power/TurnOffHybridSleepPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to turn off hybrid sleep.
If you set this policy setting to 0, a hiberfile is not generated when the system transitions to sleep (Stand By).
If you set this policy setting to 1 or do not configure this policy setting, users control this setting.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Turn off hybrid sleep (plugged in)*
- GP name: *ACStandbyWithHiberfileEnable_2*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following are the supported values for Hybrid sleep (plugged in):
- 0 - no hibernation file for sleep (default)
- 1 - hybrid sleep
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-unattendedsleeptimeoutonbattery"></a>**Power/UnattendedSleepTimeoutOnBattery**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep.
If you disable or do not configure this policy setting, users control this setting.
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify the unattended sleep timeout (on battery)*
- GP name: *UnattendedSleepTimeOutDC*
- GP element: *EnterUnattendedSleepTimeOut*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Default value for unattended sleep timeout (on battery):
300
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="power-unattendedsleeptimeoutpluggedin"></a>**Power/UnattendedSleepTimeoutPluggedIn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows&nbsp;10, version 1903. This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer.
If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you specify 0 seconds, Windows does not automatically transition to sleep.
If you disable or do not configure this policy setting, users control this setting.
If the user has configured a slide show to run on the lock screen when the machine is locked, this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify the unattended sleep timeout (plugged in)*
- GP name: *UnattendedSleepTimeOutAC*
- GP element: *EnterUnattendedSleepTimeOut*
- GP path: *System/Power Management/Sleep Settings*
- GP ADMX file name: *power.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Default value for unattended sleep timeout (plugged in):
300
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<!--/Policies-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

36
windows/client-management/mdm/policy-csp-privacy.md
View File

@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/14/2018
ms.date: 05/01/2019
---
# Policy CSP - Privacy
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -4851,16 +4851,28 @@ ADMX Info:
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Privacy policies supported by Windows Holographic
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Privacy policies supported by Windows Holographic for Business
- [Privacy/AllowInputPersonalization](#privacy-allowinputpersonalization)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.

29
windows/client-management/mdm/policy-csp-search.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/30/2018
ms.date: 05/01/2019
---
# Policy CSP - Search
@ -849,16 +849,27 @@ The following list shows the supported values:
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Search policies supported by Windows Holographic
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Search policies supported by Windows Holographic for Business
- [Search/AllowSearchToUseLocation](#search-allowsearchtouselocation)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.

34
windows/client-management/mdm/policy-csp-security.md
View File

@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/09/2018
ms.date: 05/01/2019
---
# Policy CSP - Security
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -739,18 +739,28 @@ The following list shows the supported values:
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Security policies supported by Windows Holographic
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Security policies supported by Windows Holographic for Business
- [Security/RequireDeviceEncryption](#security-requiredeviceencryption)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.

31
windows/client-management/mdm/policy-csp-settings.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/09/2018
ms.date: 05/01/2019
---
# Policy CSP - Settings
@ -839,16 +839,29 @@ To validate on Desktop, do the following:
<!--/Validation-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Settings policies supported by Windows Holographic
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Settings policies supported by Windows Holographic for Business
- [Settings/AllowDateTime](#settings-allowdatetime)
- [Settings/AllowVPN](#settings-allowvpn)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.

31
windows/client-management/mdm/policy-csp-speech.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/09/2018
ms.date: 05/01/2019
---
# Policy CSP - Speech
@ -82,14 +82,27 @@ The following list shows the supported values:
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Speech policies supported by Windows Holographic
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Speech policies supported by Windows Holographic for Business
- [Speech/AllowSpeechModelUpdate](#speech-allowspeechmodelupdate)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.

38
windows/client-management/mdm/policy-csp-system.md
View File

@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/24/2018
ms.date: 05/01/2019
---
# Policy CSP - System
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -1433,16 +1433,30 @@ ADMX Info:
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>System policies supported by Windows Holographic
- [System/AllowTelemetry](#system-allowtelemetry)
- [System/AllowLocation](#system-allowlocation)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>System policies supported by Windows Holographic for Business
- [System/AllowTelemetry](#system-allowtelemetry)
- [System/AllowLocation](#system-allowlocation)
<!--EndHoloLensBusiness-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.

460
windows/client-management/mdm/policy-csp-update.md
View File

@ -6,13 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 08/29/2018
ms.date: 05/08/2019
---
# Policy CSP - Update
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -57,9 +57,24 @@ ms.date: 08/29/2018
<dd>
<a href="#update-autorestartrequirednotificationdismissal">Update/AutoRestartRequiredNotificationDismissal</a>
</dd>
<dd>
<a href="#update-automaticmaintenancewakeup">Update/AutomaticMaintenanceWakeUp</a>
</dd>
<dd>
<a href="#update-branchreadinesslevel">Update/BranchReadinessLevel</a>
</dd>
<dd>
<a href="#update-configuredeadlineforfeatureupdates">Update/ConfigureDeadlineForFeatureUpdates</a>
</dd>
<dd>
<a href="#update-configuredeadlineforqualityupdates">Update/ConfigureDeadlineForQualityUpdates</a>
</dd>
<dd>
<a href="#update-configuredeadlinegraceperiod">Update/ConfigureDeadlineGracePeriod</a>
</dd>
<dd>
<a href="#update-configuredeadlinenoautoreboot">Update/ConfigureDeadlineNoAutoReboot</a>
</dd>
<dd>
<a href="#update-configurefeatureupdateuninstallperiod">Update/ConfigureFeatureUpdateUninstallPeriod</a>
</dd>
@ -189,6 +204,7 @@ ms.date: 08/29/2018
</dl>
<hr/>
> [!NOTE]
> If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
@ -933,6 +949,76 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-automaticmaintenancewakeup"></a>**Update/AutomaticMaintenanceWakeUp**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance.
> [!Note]
> If the OS power wake policy is explicitly disabled, then this setting has no effect.
If you enable this policy setting, Automatic Maintenance attempts to set OS wake policy and make a wake request for the daily scheduled time, if required.
If you disable or do not configure this policy setting, the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel applies.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Automatic Maintenance WakeUp Policy*
- GP category English path: *Windows Components/Maintenance Scheduler*
- GP name: *WakeUpPolicy*
- GP path: *Windows Components/Maintenance Scheduler*
- GP ADMX file name: *msched.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- true - Enable
- false - Disable (Default)
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
@ -995,6 +1081,306 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="update-configuredeadlineforfeatureupdates"></a>**Update/ConfigureDeadlineForFeatureUpdates**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before feature updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--SupportedValues-->
Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required feature update.
Default value is 7.
<!--/SupportedValues-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify deadlines for automatic updates and restarts*
- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP name: *ConfigureDeadlineForFeatureUpdates*
- GP element: *ConfigureDeadlineForFeatureUpdates*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configuredeadlineforqualityupdates"></a>**Update/ConfigureDeadlineForQualityUpdates**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Allows IT admins to specify the number of days a user has before quality updates are installed on their devices automatically. Updates and restarts will occur regardless of active hours and the user will not be able to reschedule.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify deadlines for automatic updates and restarts*
- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP name: *ConfigureDeadlineForQualityUpdates*
- GP element: *ConfigureDeadlineForQualityUpdates*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supports a numeric value from 2 - 30, which indicates the number of days a device will wait until performing an aggressive installation of a required quality update.
Default value is 7.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configuredeadlinegraceperiod"></a>**Update/ConfigureDeadlineGracePeriod**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. Allows the IT admin (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)) to specify a minimum number of days until restarts occur automatically. Setting the grace period may extend the effective deadline set by the deadline policies.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify deadlines for automatic updates and restarts*
- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP name: *ConfigureDeadlineGracePeriod*
- GP element: *ConfigureDeadlineGracePeriod*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supports a numeric value from 0 - 7, which indicates the minimum number of days a device will wait until performing an aggressive installation of a required update once deadline has been reached.
Default value is 2.
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configuredeadlinenoautoreboot"></a>**Update/ConfigureDeadlineNoAutoReboot**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1903. If enabled (when used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates) or [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)), devices will not automatically restart outside of active hours until the deadline is reached, even if applicable updates are already installed and pending a restart.
When disabled, if the device has installed the required updates and is outside of active hours, it may attempt an automatic restart before the deadline.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Specify deadlines for automatic updates and restarts*
- GP category English path: *Administrative Templates\Windows Components\WindowsUpdate*
- GP name: *ConfigureDeadlineNoAutoReboot*
- GP element: *ConfigureDeadlineNoAutoReboot*
- GP ADMX file name: *WindowsUpdate.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- 1 - Enabled
- 0 (default) - Disabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configurefeatureupdateuninstallperiod"></a>**Update/ConfigureFeatureUpdateUninstallPeriod**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1803. Enable IT admin to configure feature update uninstall period. Values range 2 - 60 days. Default is 10 days.
<!--/Description-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="update-configurefeatureupdateuninstallperiod"></a>**Update/ConfigureFeatureUpdateUninstallPeriod**
@ -3571,15 +3957,65 @@ ADMX Info:
<!--/ADMXMapped-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
<!--/Policies-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Update policies supported by Windows Holographic
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Update policies supported by Windows Holographic for Business
- [Update/AllowAutoUpdate](#update-allowautoupdate)
- [Update/AllowUpdateService](#update-allowupdateservice)
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
- [Update/RequireUpdateApproval](#update-requireupdateapproval)
- [Update/ScheduledInstallDay](#update-scheduledinstallday)
- [Update/ScheduledInstallTime](#update-scheduledinstalltime)
- [Update/UpdateServiceUrl](#update-updateserviceurl)
- [Update/RequireDeferUpgrade](#update-requiredeferupgrade)
<!--EndHoloLensBusiness-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Update policies supported by IoT Core
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
<!--EndIoTCore-->
<!--StartIoTEnterprise-->
## <a href="" id="iotcore"></a>Update policies supported by IoT Enterprise
- [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredeadlineforfeatureupdates)
- [Update/ConfigureDeadlineForQualityUpdates](#update-configuredeadlineforqualityupdates)
- [Update/ConfigureDeadlineGracePeriod](#update-configuredeadlinegraceperiod)
- [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot)
<!--EndIoTEnterprise-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

45
windows/client-management/mdm/policy-csp-wifi.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 05/14/2018
ms.date: 05/01/2019
---
# Policy CSP - Wifi
@ -379,36 +379,49 @@ Supported operations are Add, Delete, Get, and Replace.
<!--/Description-->
<!--/Policy-->
<hr/>
Footnote:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
<!--StartEAS-->
## <a href="" id="eas"></a>Wifi policies that can be set using Exchange Active Sync (EAS)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
<!--EndEAS-->
<!--StartHoloLens-->
## <a href="" id="hololenspolicies"></a>Wifi policies supported by Windows Holographic
- [Wifi/AllowManualWiFiConfiguration](#wifi-allowmanualwificonfiguration)
<!--EndHoloLens-->
<!--StartHoloLensBusiness-->
## <a href="" id="hololenbusinessspolicies"></a>Wifi policies supported by Windows Holographic for Business
- [Wifi/AllowManualWiFiConfiguration](#wifi-allowmanualwificonfiguration)
<!--EndHoloLensBusiness-->
<!--StartIoTCore-->
## <a href="" id="iotcore"></a>Wifi policies supported by IoT Core
- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
- [Wifi/WLANScanMode](#wifi-wlanscanmode)
- [Wifi/AllowAutoConnectToWiFiSenseHotspots](#wifi-allowautoconnecttowifisensehotspots)
- [Wifi/AllowInternetSharing](#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](#wifi-allowwifi)
- [Wifi/WLANScanMode](#wifi-wlanscanmode)
<!--EndIoTCore-->
<!--StartSurfaceHub-->
## <a href="" id="surfacehubpolicies"></a>Wifi policies supported by Microsoft Surface Hub
- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
- [WiFi/AllowWiFiHotSpotReporting](#wifi-allowwifihotspotreporting)
<!--EndSurfaceHub-->
<hr/>
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
- 5 - Added in Windows 10, version 1809.

310
windows/client-management/mdm/policy-csp-windowslogon.md
View File

@ -6,12 +6,13 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: MariciaAlforque
ms.date: 07/12/2018
ms.date: 05/07/2019
---
# Policy CSP - WindowsLogon
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
@ -19,23 +20,182 @@ ms.date: 07/12/2018
## WindowsLogon policies
<dl>
<dd>
<a href="#windowslogon-allowautomaticrestartsignon">WindowsLogon/AllowAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="#windowslogon-configautomaticrestartsignon">WindowsLogon/ConfigAutomaticRestartSignOn</a>
</dd>
<dd>
<a href="#windowslogon-disablelockscreenappnotifications">WindowsLogon/DisableLockScreenAppNotifications</a>
</dd>
<dd>
<a href="#windowslogon-dontdisplaynetworkselectionui">WindowsLogon/DontDisplayNetworkSelectionUI</a>
</dd>
<dd>
<a href="#windowslogon-enablefirstlogonanimation">WindowsLogon/EnableFirstLogonAnimation</a>
</dd>
<dd>
<a href="#windowslogon-enumeratelocalusersondomainjoinedcomputers">WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers</a>
</dd>
<dd>
<a href="#windowslogon-hidefastuserswitching">WindowsLogon/HideFastUserSwitching</a>
</dd>
<dd>
<a href="#windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart">WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="windowslogon-allowautomaticrestartsignon"></a>**WindowsLogon/AllowAutomaticRestartSignOn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device automatically signs in and locks the last interactive user after the system restarts or after a shutdown and cold boot.
This occurs only if the last interactive user did not sign out before the restart or shutdown.
If the device is joined to Active Directory or Azure Active Directory, this policy applies only to Windows Update restarts. Otherwise, this policy applies to both Windows Update restarts and user-initiated restarts and shutdowns.
If you do not configure this policy setting, it is enabled by default. When the policy is enabled, the user is automatically signed in and the session is automatically locked with all lock screen apps configured for that user after the device boots.
After enabling this policy, you can configure its settings through the [ConfigAutomaticRestartSignOn](#windowslogon-configautomaticrestartsignon) policy, which configures the mode of automatically signing in and locking the last interactive user after a restart or cold boot.
If you disable this policy setting, the device does not configure automatic sign in. The users lock screen apps are not restarted after the system restarts.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Sign-in and lock last interactive user automatically after a restart*
- GP name: *AutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-configautomaticrestartsignon"></a>**WindowsLogon/ConfigAutomaticRestartSignOn**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls the configuration under which an automatic restart, sign on, and lock occurs after a restart or cold boot. If you chose “Disabled” in the [AllowAutomaticRestartSignOn](#windowslogon-allowautomaticrestartsignon) policy, then automatic sign on does not occur and this policy need not be configured.
If you enable this policy setting, you can choose one of the following two options:
- Enabled if BitLocker is on and not suspended: Specifies that automatic sign on and lock occurs only if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the devices hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critical components.
BitLocker is suspended during updates if:
- The device does not have TPM 2.0 and PCR7
- The device does not use a TPM-only protector
- Always Enabled: Specifies that automatic sign on happens even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location.
If you disable or do not configure this setting, automatic sign on defaults to the “Enabled if BitLocker is on and not suspended” behavior.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot*
- GP name: *ConfigAutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
@ -188,6 +348,78 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enablefirstlogonanimation"></a>**WindowsLogon/EnableFirstLogonAnimation**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>6</sup></td>
<td></td>
<td></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users are offered the opt-in prompt for services during their first sign-in.
If you enable this policy setting, Microsoft account users see the opt-in prompt for services, and users with other accounts see the sign-in animation.
If you disable this policy setting, users do not see the animation and Microsoft account users do not see the opt-in prompt for services.
If you do not configure this policy setting, the user who completes the initial Windows setup see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer do not see the animation.
> [!NOTE]
> The first sign-in animation is not displayed on Server, so this policy has no effect.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP English name: *Show first sign-in animation*
- GP name: *EnableFirstLogonAnimation*
- GP path: *System/Logon*
- GP ADMX file name: *Logon.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
- false - disabled
- true - enabled
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-enumeratelocalusersondomainjoinedcomputers"></a>**WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers**
@ -313,75 +545,15 @@ To validate on Desktop, do the following:
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="windowslogon-signinlastinteractiveuserautomaticallyafterasysteminitiatedrestart"></a>**WindowsLogon/SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart**
<!--SupportedSKUs-->
<table>
<tr>
<th>Home</th>
<th>Pro</th>
<th>Business</th>
<th>Enterprise</th>
<th>Education</th>
<th>Mobile</th>
<th>Mobile Enterprise</th>
</tr>
<tr>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<!--/Policies-->
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system.
If you enable or do not configure this policy setting, the device securely saves the user's credentials (including the user name, domain and encrypted password) to configure automatic sign-in after a Windows Update restart. After the Windows Update restart, the user is automatically signed-in and the session is automatically locked with all the lock screen apps configured for that user.
If you disable this policy setting, the device does not store the user's credentials for automatic sign-in after a Windows Update restart. The users' lock screen apps are not restarted after the system restarts.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Sign-in last interactive user automatically after a system-initiated restart*
- GP name: *AutomaticRestartSignOn*
- GP path: *Windows Components/Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnote:
Footnotes:
- 1 - Added in Windows 10, version 1607.
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
- 4 - Added in Windows 10, version 1803.
<!--/Policies-->
- 5 - Added in Windows 10, version 1809.
- 6 - Added in Windows 10, version 1903.

2
windows/client-management/mdm/reboot-csp.md
View File

@ -30,7 +30,7 @@ The following diagram shows the Reboot configuration service provider management
> [!Note]  
> If this node is set to execute during a sync session, the device will reboot at the end of the sync session.
<p style="margin-left: 20px">The supported operations are Execute and Get.
<p style="margin-left: 20px">The supported operations are Execute and Get.</p>
<a href="" id="schedule"></a>**Schedule**
<p style="margin-left: 20px">The supported operation is Get.</p>

2
windows/client-management/mdm/reclaim-seat-from-user.md
View File

@ -29,7 +29,7 @@ The **Reclaim seat from user** operation returns reclaimed seats for a user in t
</thead>
<tbody>
<tr class="odd">
<td><p>POST</p></td>
<td><p>DELETE</p></td>
<td><p>https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}</p></td>
</tr>
</tbody>

3
windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md
View File

@ -50,6 +50,9 @@ When the ADMX policies are imported, the registry keys to which each policy is w
> [!Warning]
> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined.
> [!NOTE]
> Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script).
## <a href="" id="ingesting-an-app-admx-file"></a>Ingesting an app ADMX file
The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies.

3
windows/configuration/kiosk-prepare.md
View File

@ -57,6 +57,9 @@ Logs can help you [troubleshoot issues](multi-app-kiosk-troubleshoot.md) kiosk i
In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.
>[!NOTE]
>If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
>[!TIP]
>If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.

2
windows/configuration/set-up-shared-or-guest-pc.md
View File

@ -109,7 +109,7 @@ $sharedPC.KioskModeAUMID = ""
$sharedPC.KioskModeUserTileDisplayText = ""
$sharedPC.InactiveThreshold = 0
Set-CimInstance -CimInstance $sharedPC
Get-CimInstance -Namespace $namespaceName -ClassName MDM_SharedPC
Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
```
### Create a provisioning package for shared use

41
windows/deployment/deploy-enterprise-licenses.md
View File

@ -14,12 +14,15 @@ ms.topic: article
# Deploy Windows 10 Enterprise licenses
>[!IMPORTANT]
>Office 365 Enterprise E3 and Office 365 Enterprise E5 include a Windows 10 Enterprise license. This article is about the use and implementation of these licenses in a on-premises Active Directory environment.
This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md) or [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md) and Azure Active Directory (Azure AD).
>[!NOTE]
>Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.<BR>
>Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.<BR>
>Automatic, non-KMS activation requires Windows 10, version 1803 or later on a device with a firmware-embedded activation key.<BR>
>* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later.
>* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later.
>* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key.
## Firmware-embedded activation key
@ -35,9 +38,9 @@ If the device has a firmware-embedded activation key, it will be displayed in th
If you are an EA customer with an existing Office 365 tenant, use the following steps to enable Windows 10 Subscription licenses on your existing tenant:
1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:<BR>
a. **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3<BR>
b. **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5<BR>
1. Work with your reseller to place an order for one $0 SKU per user. There are two SKUs available, depending on their current Windows Enterprise SA license:
- **AAA-51069** - Win10UsrOLSActv Alng MonthlySub Addon E3
- **AAA-51068** - Win10UsrOLSActv Alng MonthlySub Addon E5
2. After placing an order, the OLS admin on the agreement will receive a service activation email, indicating their subscription licenses have been provisioned on the tenant.
3. The admin can now assign subscription licenses to users.
@ -59,7 +62,7 @@ Also in this article:
You probably have on-premises Active Directory Domain Services (AD DS) domains. Users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Enterprise E3 or E5 licenses to users, you need to synchronize the identities in the on-premises ADDS domain with Azure AD.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
You might ask why you need to synchronize these identities. The answer is so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Enterprise E3 or E5). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
**Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
@ -72,6 +75,9 @@ For more information about integrating on-premises AD DS domains with Azure AD,
- [Integrating your on-premises identities with Azure Active Directory](https://azure.microsoft.com/documentation/articles/active-directory-aadconnect/)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
>[!NOTE]
>If you are implementing Azure AD, and you already have an on-premises domain, you don't need to integrate with Azure AD, since your main authentication method is your internal AD. If you want to manage all your infrastructure in the cloud, you can safely configure your domain controller remotely to integrate your computers with Azure AD, but you won't be able to apply fine controls using GPO. Azure AD is best suited for the global administration of devices when you don't have any on-premises servers.
## Preparing for deployment: reviewing requirements
Devices must be running Windows 10 Pro, version 1703, and be Azure Active Directory joined, or hybrid domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices), later in this topic.
@ -151,12 +157,12 @@ Now the device is Azure AD joined to the companys subscription.
### Step 2: Pro edition activation
>[!IMPORTANT]
>If the device is running Windows 10, version 1803 or later, this step is no longer necessary when there is a firmware-embedded activation key on the device. Starting with Windows 10, version 1803 the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.<br>
>If your device is running Windows 10, version 1803 or later, this step is not needed. From Windows 10, version 1803, the device will automatically activate Windows 10 Enterprise using the firmware-embedded activation key.
>If the device is running Windows 10, version 1703 or 1709, then Windows 10 Pro must be successfully activated in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 7a**.
<span id="win-10-pro-activated"/>
<img src="images/sa-pro-activation.png" alt="Windows 10 Pro activated" width="710" height="440" />
<BR>**Figure 7a - Windows 10 Pro activation in Settings** <BR>
**Figure 7a - Windows 10 Pro activation in Settings**
Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
@ -176,11 +182,17 @@ You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings &g
<span id="win-10-activated-subscription-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-active.png" alt="Windows 10 activated and subscription active" width="624" height="407" />
<BR>**Figure 9 - Windows 10 Enterprise subscription in Settings** <BR>
**Figure 9 - Windows 10 Enterprise subscription in Settings**
If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
>[!NOTE]
>If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
>Name: Windows(R), Professional edition
>Description: Windows(R) Operating System, RETAIL channel
>Partial Product Key: 3V66T
## Virtual Desktop Access (VDA)
Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
@ -205,23 +217,20 @@ Use the following figures to help you troubleshoot when users experience these c
- [Figure 12](#win-10-not-activated-subscription-not-active) (below) illustrates a device on which Windows 10 Pro license is not activated and the Windows 10 Enterprise subscription is lapsed or removed.
<BR>
<span id="win-10-not-activated"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-active.png" alt="Windows 10 not activated and subscription active" width="624" height="407" />
<BR>**Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**<BR>
**Figure 10 - Windows 10 Pro, version 1703 edition not activated in Settings**
<BR>
<span id="subscription-not-active"/>
<img src="images/enterprise-e3-win-10-activated-enterprise-subscription-not-active.png" alt="Windows 10 activated and subscription not active" width="624" height="407" />
<BR>**Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**<BR>
**Figure 11 - Windows 10 Enterprise subscription lapsed or removed in Settings**
<BR>
<span id="win-10-not-activated-subscription-not-active"/>
<img src="images/enterprise-e3-win-10-not-activated-enterprise-subscription-not-active.png" alt="Windows 10 not activated and subscription not active" width="624" height="407" />
<BR>**Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**<BR>
**Figure 12 - Windows 10 Pro, version 1703 edition not activated and Windows 10 Enterprise subscription lapsed or removed in Settings**
### Review requirements on devices

8
windows/deployment/deploy-m365.md
View File

@ -32,6 +32,14 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor
## Free trial account
**If you already have a Microsoft services subscription account and access to the Microsoft 365 Admin Center**
From the [Microsoft 365 Admin Center](https://portal.office.com), go to Billing and then Purchase services.
In the Enterprise Suites section of the service offerings, you will find Microsoft 365 E3 and Microsoft 365 E5 tiles.
There are "Start Free Trial" options available for your selection by hovering your mouse over the tiles.
**If you do not already have a Microsoft services subscription**
You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below.
>[!NOTE]

2
windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
View File

@ -606,7 +606,7 @@ In these steps, you generate offline media from the MDT Production deployment sh
Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini files. These files are stored in the Control folder of the offline media; they also can be accessed via properties of the offline media in the Deployment Workbench.
1. On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\\MDTBuildLab\\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
1. On MDT01, using File Explorer, copy the CustomSettings.ini file from the **E:\MDTProduction\Control** folder to **E:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
2. Using Deployment Workbench, in the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
3. In the **General** tab, configure the following:
1. Clear the Generate x86 boot image check box.

12
windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
View File

@ -26,8 +26,8 @@ To configure your environment for BitLocker, you will need to do the following:
3. Configure the operating system deployment task sequence for BitLocker.
4. Configure the rules (CustomSettings.ini) for BitLocker.
**Note**  
Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
>[!NOTE]
>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
 
For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
@ -35,8 +35,8 @@ For the purposes of this topic, we will use DC01, a domain controller that is a
To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
**Note**  
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
>[!NOTE]
>Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
 
In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
@ -79,8 +79,8 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor
Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services
4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy.
**Note**  
If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
>[!NOTE]
>If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
 
### Set permissions in Active Directory for BitLocker

8
windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
View File

@ -21,15 +21,15 @@ This topic is designed to teach you how to use the MDT database to pre-stage inf
MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
**Note**  
Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
>[!NOTE]
>Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
 
## <a href="" id="sec02"></a>Create the deployment database
The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
**Note**  
Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
>[!NOTE]
>Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
 
1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**:

47
windows/deployment/planning/using-the-sdbinstexe-command-line-tool.md
View File

@ -20,6 +20,7 @@ ms.topic: article
- Windows 8.1
- Windows 8
- Windows 7
- Windows Server 2016
- Windows Server 2012
- Windows Server 2008 R2
@ -29,10 +30,28 @@ After you deploy and store the customized databases on each of your local comput
## Command-Line Options for Deploying Customized Database Files
Sample output from the command `Sdbinst.exe /?` in an elevated CMD window:
The command-line options use the following conventions.
```
Microsoft Windows [Version 10.0.14393]
(c) 2016 Microsoft Corporation. All rights reserved.
Sdbinst.exe \[-q\] \[-?\] \[-u\] \[-g\] \[-p\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
C:\Windows\system32>Sdbinst.exe /?
Usage: Sdbinst.exe [-?] [-q] [-u] [-g] [-p] [-n[:WIN32|WIN64]] myfile.sdb | {guid} | "name"
-? - print this help text.
-p - Allow SDBs containing patches.
-q - Quiet mode: prompts are auto-accepted.
-u - Uninstall.
-g {guid} - GUID of file (uninstall only).
-n "name" - Internal name of file (uninstall only).
C:\Windows\system32>_
```
The command-line options use the following conventions:
Sdbinst.exe \[-?\] \[-p\] \[-q\] \[-u\] \[-g\] \[-u filepath\] \[-g *GUID*\] \[-n *"name"*\]
The following table describes the available command-line options.
@ -49,6 +68,18 @@ The following table describes the available command-line options.
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>-?</p></td>
<td align="left"><p>Displays the Help for the Sdbinst.exe tool.</p>
<p>For example,</p>
<p><code>sdbinst.exe -?</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>-p</p></td>
<td align="left"><p>Allows SDBs installation with Patches</p>
<p>For example,</p>
<p><code>sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p>-q</p></td>
<td align="left"><p>Performs a silent installation with no visible window, status, or warning information. Fatal errors appear only in Event Viewer (Eventvwr.exe).</p>
<p>For example,</p>
@ -72,18 +103,6 @@ The following table describes the available command-line options.
<p>For example,</p>
<p><code>sdbinst.exe -n &quot;My_Database&quot;</code></p></td>
</tr>
<tr class="odd">
<td align="left"><p>-?</p></td>
<td align="left"><p>Displays the Help for the Sdbinst.exe tool.</p>
<p>For example,</p>
<p><code>sdbinst.exe -?</code></p></td>
</tr>
<tr class="even">
<td align="left"><p>-p</p></td>
<td align="left"><p>Allows SDBs installation with Patches</p>
<p>For example,</p>
<p><code>sdbinst.exe -p C:\Windows\AppPatch\Myapp.sdb</code></p></td>
</tr>
</tbody>
</table>

2
windows/deployment/planning/windows-10-1803-removed-features.md
View File

@ -33,7 +33,7 @@ We've removed the following features and functionalities from the installed prod
|Language control in the Control Panel| Use the Settings app to change your language settings.|
|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.<br><br>When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.<br><br>Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10: <br>- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10) <br>- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) |
|**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).|
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer. <br><br>However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
|XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. <br><br>However, if you install Windows 10, version 1803, you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.|
## Features were no longer developing

7
windows/deployment/update/update-compliance-delivery-optimization.md
View File

@ -18,6 +18,13 @@ The Update Compliance solution of Windows Analytics provides you with informatio
![DO status](images/UC_workspace_DO_status.png)
> [!IMPORTANT]
> There are currently two known issues affecting the Delivery Optimization status displayed in these blades:
>- Devices running Windows 10, version 1803 or older versions are not sending the correct configuration profile. As a result, the information in the Device Configuration blade might not accurately reflect the settings in your environment.
>- Some devices running Windows 10, version 1809 report the Delivery Optimization DownloadMode configuration value as the sequential value in the list of possible configurations rather than the actual configured value. For example, a device that is configured as HTTP + Group (2), will be shown as HTTP + Internet (3) in Update Compliance.
>
>Look for fixes for both of these issues in a forthcoming update.
## Delivery Optimization Status
The Delivery Optimization Status section includes three blades:

12
windows/deployment/update/waas-delivery-optimization-reference.md
View File

@ -5,9 +5,9 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: JaimeO
author: greg-lindsay
ms.localizationpriority: medium
ms.author: jaimeo
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---
@ -37,7 +37,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
| --- | --- | --- |
| [Download mode](#download-mode) | DODownloadMode | 1511 |
| [Group ID](#group-id) | DOGroupID | 1511 |
| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
| [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 |
| [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 |
| [Max Cache Size](#max-cache-size) | DOMaxCacheSize | 1511 |
@ -70,7 +70,7 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
- The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
>[!NOTE]
>It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
>It is possible to configure preferred cache devices. For more information, see [Group ID](#group-id).
All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
@ -79,7 +79,7 @@ Additional options available that control the impact Delivery Optimization has o
- [Max Upload Bandwidth](#max-upload-bandwidth) controls the Delivery Optimization upload bandwidth usage.
- [Monthly Upload Data Cap](#monthly-upload-data-cap) controls the amount of data a client can upload to peers each month.
- [Minimum Background QoS](#minimum-background-qos) lets administrators guarantee a minimum download speed for Windows updates. This is achieved by adjusting the amount of data downloaded directly from Windows Update or WSUS servers, rather than other peers in the network.
- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
- [Maximum Foreground Download Bandwidth](#maximum-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
- [Maximum Background Download Bandwidth](#maximum-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
- [Set Business Hours to Limit Background Download Bandwidth](#set-business-hours-to-limit-background-download-bandwidth) specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
- [Set Business Hours to Limit Foreground Download Bandwidth](#set-business-hours-to-limit-foreground-download-bandwidth) specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth.
@ -89,7 +89,7 @@ Additional options available that control the impact Delivery Optimization has o
- [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
- [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
- [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
- [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. You must enable this policy to allow upload while on battery.

4
windows/deployment/update/waas-delivery-optimization.md
View File

@ -5,9 +5,9 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: JaimeO
author: greg-lindsay
ms.localizationpriority: medium
ms.author: jaimeo
ms.author: greglin
ms.collection: M365-modern-desktop
ms.topic: article
---

4
windows/deployment/update/waas-quick-start.md
View File

@ -69,8 +69,8 @@ Click the following Microsoft Mechanics video for an overview of the updated rel
## Learn more
[Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
- [Adopting Windows as a service at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/851/Adopting-Windows-as-a-service-at-Microsoft)
- [Windows lifecycle fact sheet](https://support.microsoft.com/help/13853/windows-lifecycle-fact-sheet)
## Related topics

6
windows/deployment/update/waas-restart.md
View File

@ -42,6 +42,9 @@ When **Configure Automatic Updates** is enabled in Group Policy, you can enable
- **Turn off auto-restart for updates during active hours** prevents automatic restart during active hours.
- **No auto-restart with logged on users for scheduled automatic updates installations** prevents automatic restart when a user is signed in. If a user schedules the restart in the update notification, the device will restart at the time the user specifies even if a user is signed in at the time. This policy only applies when **Configure Automatic Updates** is set to option **4-Auto download and schedule the install**.
> [!NOTE]
> When using Remote Desktop Protocol connections, only active RDP sessions are considered as logged on users. Devices that do not have locally logged on users, or active RDP sessions, will be restarted.
You can also use Registry, to prevent automatic restarts when a user is signed in. Under **HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU**, set **AuOptions** to **4** and enable **NoAutoRebootWithLoggedOnUsers**. As with Group Policy, if a user schedules the restart in the update notification, it will override this setting.
For a detailed description of these registry keys, see [Registry keys used to manage restart](#registry-keys-used-to-manage-restart).
@ -159,8 +162,9 @@ In the Group Policy editor, you will see a number of policy settings that pertai
>[!NOTE]
>You can only choose one path for restart behavior.
>
>If you set conflicting restart policies, the actual restart behavior may not be what you expected.
>When using RDP, only active RDP sessions are considered as logged on users.
## Registry keys used to manage restart
The following tables list registry values that correspond to the Group Policy settings for controlling restarts after updates in Windows 10.

5
windows/deployment/update/waas-servicing-channels-windows-10-updates.md
View File

@ -26,7 +26,7 @@ ms.topic: article
>
>Due to [naming changes](waas-overview.md#naming-changes), older terms like CB, CBB and LTSB may still be displayed in some of our products.
Semi-Annual Channel (Targeted) is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each edition of Windows 10.
Semi-Annual Channel is the default servicing channel for all Windows 10 devices except those with the LTSB edition installed. The following table shows the servicing channels available to each Windows 10 edition.
| Windows 10 edition | Semi-Annual Channel (Targeted) | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
| --- | --- | --- | --- | --- |
@ -44,6 +44,9 @@ Semi-Annual Channel (Targeted) is the default servicing channel for all Windows
>[!NOTE]
>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
>[!NOTE]
>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those, who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel.
## Assign devices to Semi-Annual Channel
>[!IMPORTANT]

7
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -86,7 +86,7 @@ If you have devices that appear in other solutions, but not Device Health (the D
3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set).
5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
6. Remove the Device Health (appears as DeviceHealthProd on some pages) from your Log Analytics workspace
6. Add the Device Health solution back to your Log Analytics workspace.
7. Wait 48 hours for activity to appear in the reports.
8. If you need additional troubleshooting, contact Microsoft Support.
@ -195,6 +195,11 @@ Upgrade Readiness only collects app inventory on devices that are not yet upgrad
Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.)
Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level.
There are two additional configurations to check:
1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction.
2. Make sure IE is not running in InPrivate mode.
Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
>[!NOTE]

2
windows/deployment/update/windows-update-logs.md
View File

@ -141,3 +141,5 @@ There are different identifiers for the same update in different contexts. It
- Small integers (especially in Datastore) can be local IDs
![Windows Update inconsisten terminology](images/update-inconsistent.png)
## Windows Setup log files analysis using SetupDiag tool
SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag).

3
windows/deployment/update/windows-update-troubleshooting.md
View File

@ -20,7 +20,8 @@ If you run into problems when using Windows Update, start with the following ste
1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**.
2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from theMicrosoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU.
3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
- [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history)
- [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history)
- [Windows 10, version 1709](https://support.microsoft.com/help/4043454)
- [Windows 10, version 1703](https://support.microsoft.com/help/4018124)

17
windows/deployment/upgrade/upgrade-readiness-data-sharing.md
View File

@ -12,16 +12,7 @@ ms.collection: M365-analytics
# Upgrade Readiness data sharing
To enable data sharing with the Upgrade Readiness solution, the following endpoints must be accessible:
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
| `https://v10.vortex-win.data.microsoft.com/collect/v1`<br>`https://Vortex-win.data.microsoft.com/health/keepalive` | Connected User Experiences and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. |
| `https://settings.data.microsoft.com/qos` | Enables the compatibility update KB to send data to Microsoft. |
| `https://go.microsoft.com/fwlink/?LinkID=544713`<br>`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. |
Whitelist these endpoints on your network. This might require working with your organizations's network security group.
To enable data sharing with the Upgrade Readiness solution, double-check the endpoints list in [Enrolling devices in Windows Analytics](../update/windows-analytics-get-started.md#enable-data-sharing) to be sure they are whitelisted.
## Connectivity to the Internet
@ -38,10 +29,10 @@ In order to use the direct connection scenario, set the parameter **ClientProxy=
This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication.
In order to set the WinHTTP proxy system-wide on your computers, you need to
Use the command netsh winhttp set proxy \<server\>:\<port\>
Set ClientProxy=System in runconfig.bat
- Use the command netsh winhttp set proxy \<server\>:\<port\>
- Set ClientProxy=System in runconfig.bat
The WinHTTP scenario is most appropriate for customers who use a single proxy or f. If you have more advanced proxy requirements, refer to Scenario 3.
The WinHTTP scenario is most appropriate for customers who use a single proxy. If you have more advanced proxy requirements, refer to Scenario 3.
If you want to learn more about proxy considerations on Windows, see [Understanding Web Proxy Configuration](https://blogs.msdn.microsoft.com/ieinternals/2013/10/11/understanding-web-proxy-configuration/).

3
windows/deployment/upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md
View File

@ -12,6 +12,9 @@ ms.topic: article
# Use Upgrade Readiness to manage Windows upgrades
>[!IMPORTANT]
>>**The OMS portal has been deprecated, so you need to switch to the [Azure portal](https://portal.azure.com) now.** The two portals offer the same experience, with some key differences. Learn how to use [Windows Analytics in the Azure Portal](../update/windows-analytics-azure-portal.md). Find out more about the [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition), or jump right in and [Get started with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-get-started).
You can use Upgrade Readiness to prioritize and work through application and driver issues, assign and track issue resolution status, and identify computers that are ready to upgrade. Upgrade Readiness enables you to deploy Windows with confidence, knowing that youve addressed potential blocking issues.
- Based on diagnostic data from user computers, Upgrade Readiness identifies application and driver compatibility issues that may block Windows upgrades, allowing you to make data-driven decisions about your organizations upgrade readiness.

3
windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md
View File

@ -28,6 +28,9 @@ Windows Easy Transfer is a software wizard for transferring files and settings
With Windows Easy Transfer, files and settings can be transferred using a network share, a USB flash drive (UFD), or the Easy Transfer cable. However, you cannot use a regular universal serial bus (USB) cable to transfer files and settings with Windows Easy Transfer. An Easy Transfer cable can be purchased on the Web, from your computer manufacturer, or at an electronics store.
> [!NOTE]
> Windows Easy Transfer [is not available in Windows 10](https://support.microsoft.com/help/4026265/windows-windows-easy-transfer-is-not-available-in-windows-10).
### Migrate with the User State Migration Tool
You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded.

2
windows/deployment/usmt/usmt-scanstate-syntax.md
View File

@ -89,7 +89,7 @@ To create an encrypted store using the Config.xml file and the default migration
<tbody>
<tr class="odd">
<td align="left"><p><em>StorePath</em></p></td>
<td align="left"><p>Indicates a folder where files and settings will be saved. Note that <em>StorePath</em> cannot be <strong>c:\</strong>. You must specify the <em>StorePath</em> option in the <strong>ScanState</strong> command, except when using the <strong>/genconfig</strong> option. You cannot specify more than one <em>StorePath</em> location.</p></td>
<td align="left"><p>Indicates a folder where files and settings will be saved. Note that <em>StorePath</em> cannot be <strong>C:&#92;</strong>. You must specify the <em>StorePath</em> option in the <strong>ScanState</strong> command, except when using the <strong>/genconfig</strong> option. You cannot specify more than one <em>StorePath</em> location.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>/apps</strong></p></td>

1
windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
View File

@ -20,6 +20,7 @@ ms.topic: article
- Windows 8
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2016
**Looking for retail activation?**
- [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)

4
windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
View File

@ -133,11 +133,9 @@ If you have already established a KMS infrastructure in your organization for an
1. Download and install the correct update for your current KMS host operating system. Restart the computer as directed.
2. Request a new KMS host key from the Volume Licensing Service Center.
3. Install the new KMS host key on your KMS host.
4. Activate the new KMS host key by running the slmrg.vbs script.
4. Activate the new KMS host key by running the slmgr.vbs script.
For detailed instructions, see [Update that enables Windows 8.1 and Windows 8 KMS hosts to activate a later version of Windows](https://go.microsoft.com/fwlink/p/?LinkId=618265) and [Update that enables Windows 7 and Windows Server 2008 R2 KMS hosts to activate Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=626590).
## See also
- [Volume Activation for Windows 10](volume-activation-windows-10.md)
 

15
windows/deployment/volume-activation/volume-activation-management-tool.md
View File

@ -15,17 +15,12 @@ ms.topic: article
The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process.
VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS). VAMT is a standard Microsoft Management Console (MMC) snap-in that requires the Microsoft Management Console (MMC) 3.0. VAMT can be installed on any computer that has one of the following Windows operating systems:
- Windows® 7
- Windows 8
- Windows 8.1
- Windows 10
- Windows Server 2008 R2
- Windows Server® 2012
- Windows Server 2012 R2
- Windows® 7 or above
- Windows Server 2008 R2 or above
**Important**  
VAMT is designed to manage volume activation for: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Microsoft Office 2010, and Microsoft Office 2013. Computers installed with volume editions of
**Windows XP** or **Windows Server 2003** cannot be managed using VAMT. However, Office 2010 and Office 2013 products installed on these two operating systems can still be managed.
VAMT is designed to manage volume activation for: Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008 (or obove), Microsoft Office 2010 (or above).
VAMT is only available in an EN-US (x86) package.
@ -42,4 +37,4 @@ VAMT is only available in an EN-US (x86) package.
|[Manage VAMT Data](manage-vamt-data.md) |Describes how to save, import, export, and merge a Computer Information List (CILX) file using VAMT. |
|[VAMT Step-by-Step Scenarios](vamt-step-by-step.md) |Provides step-by-step instructions for using VAMT in typical environments. |
|[VAMT Known Issues](vamt-known-issues.md) |Lists known issues in VAMT. |
 
 

4
windows/deployment/windows-10-enterprise-subscription-activation.md
View File

@ -63,9 +63,9 @@ The following figure illustrates how deploying Windows 10 has evolved with each
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
- Windows 10 (Pro or Enterprise) version 1703 or later installed and **activated** on the devices to be upgraded.
- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
- Azure Active Directory (Azure AD) available for identity management.
- Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported.
- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
>[!NOTE]
>An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue, the user must either sign in with an Azure Active Directory account, or you must disable MFA for this user during the 30-day polling period and renewal.

839
windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
View File

@ -1,7 +1,7 @@
---
title: Demonstrate Autopilot deployment on a VM
description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
@ -11,6 +11,7 @@ author: greg-lindsay
ms.author: greg-lindsay
ms.collection: M365-modern-desktop
ms.topic: article
ms.custom: autopilot
---
@ -20,194 +21,824 @@ ms.topic: article
- Windows 10
In this topic you'll learn how to set-up a Windows Autopilot deployment for a Virtual Machine using Hyper-V. Watch the following video to see an overview of the process:
In this topic you'll learn how to set-up a Windows Autopilot deployment for a virtual machine (VM) using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune.
The following video provides an overview of the process:
</br>
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/KYVptkpsOqs" frameborder="0" allow="autoplay; encrypted-media" allowfullscreen></iframe>
>For a list of terms used in this guide, see the [Glossary](#glossary) section.
## Prerequisites
These are the thing you'll need on your device to get started:
* Installation media for the [latest version of Windows 10 Professional or Enterprise (ISO file)](https://www.microsoft.com/software-download/windows10)
* Internet access (see [Network connectivity requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#network-connectivity-requirements))
* Hypervisor needs to be unoccupied, or used by Hyper-V, as we will be using Hyper-V to create the Virtual Machine
These are the things you'll need to complete this lab:
<table><tr><td>Windows 10 installation media</td><td>Windows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an [evaluation version of Windows 10 Enterprise](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).</td></tr>
<tr><td>Internet access</td><td>If you are behind a firewall, see the detailed [networking requirements](windows-autopilot-requirements-network.md). Otherwise, just ensure that you have a connection to the Internet.</td></tr>
<tr><td>Hyper-V or a physical device running Windows 10</td><td>The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.</td></tr>
<tr><td>A Premium Intune account</td><td>This guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.</td></tr></table>
See additional prerequisites in the [Windows Autopilot overview topic](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#prerequisites).
## Procedures
## Create your Virtual Machine
A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
### Enable Hyper-V
The first thing to do, is to enable the Hyper-V feature on your device.
>[!IMPORTANT]
>If you already have Hyper-V enabled, skip this step.
[Verify support for Hyper-V](#verify-support-for-hyper-v)
<br>[Enable Hyper-V](#enable-hyper-v)
<br>[Create a demo VM](#create-a-demo-vm)
<br>&nbsp;&nbsp;&nbsp; [Set ISO file location](#set-iso-file-location)
<br>&nbsp;&nbsp;&nbsp; [Determine network adapter name](#determine-network-adapter-name)
<br>&nbsp;&nbsp;&nbsp; [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
<br>&nbsp;&nbsp;&nbsp; [Install Windows 10](#install-windows-10)
<br>[Capture the hardware ID](#capture-the-hardware-id)
<br>[Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
<br>[Verify subscription level](#verify-subscription-level)
<br>[Configure company branding](#configure-company-branding)
<br>[Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
<br>[Register your VM](#register-your-vm)
<br>&nbsp;&nbsp;&nbsp; [Autopilot registration using Intune](#autopilot-registration-using-intune)
<br>&nbsp;&nbsp;&nbsp; [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
<br>[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
<br>&nbsp;&nbsp;&nbsp; [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Assign the profile](#assign-the-profile)
<br>&nbsp;&nbsp;&nbsp; [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
<br>[See Windows Autopilot in action](#see-windows-autopilot-in-action)
<br>[Remove devices from Autopilot](#remove-devices-from-autopilot)
<br>&nbsp;&nbsp;&nbsp; [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
<br>[Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
<br>[Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
<br>&nbsp;&nbsp;&nbsp; [Add a Win32 app](#add-a-win32-app)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Prepare the app for Intune](#prepare-the-app-for-intune)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Create app in Intune](#create-app-in-intune)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
<br>&nbsp;&nbsp;&nbsp; [Add Office 365](#add-office-365)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Create app in Intune](#create-app-in-intune)
<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
<br>[Glossary](#glossary)
## Verify support for Hyper-V
If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
## Enable Hyper-V
To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command:
Open a PowerShell prompt **as an administrator** and run the following:
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
```
You will be prompted to restart your device, so save all your work and restart it before you continue.
This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command:
### Create and start your demo Virtual Machine
Now that Hyper-V is enabled, proceed to create your Virtual Machine.
Open a PowerShell prompt **as an administrator** and run the following:
```powershell
New-VMSwitch -Name AutopilotExternal -NetAdapterName <Name of Network Adapter with internet access> -AllowManagementOS $true
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
```
When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
![hyper-v feature](../images/hyper-v-feature.png)
![hyper-v](../images/svr_mgr2.png)
<P>If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server).
## Create a demo VM
Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
To use Windows Powershell we just need to know two things:
1. The location of the Windows 10 ISO file.
- In the example, we assume the location is **c:\iso\win10-eval.iso**.
2. The name of the network interface that connects to the Internet.
- In the example, we use a Windows PowerShell command to determine this automatically.
After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
### Set ISO file location
You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise).
- When asked to select a platform, choose **64 bit**.
After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory.
### Determine network adapter name
The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
```powershell
(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
```
The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
### Use Windows PowerShell to create the demo VM
All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
>[!IMPORTANT]
>**VM switch**: a VM switch is how Hyper-V connects VMs to a network. <br><br>If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."<br><br>If you have never created an external VM switch before, then just run the commands below.
```powershell
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
Add-VMDvdDrive -Path <Path to Windows 10 ISO> -VMName WindowsAutopilot
Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
```
>[!IMPORTANT]
>Make sure to replace <*Name of Network Adapter with internet access*> and <*Path to Windows 10 ISO*> with the appropriate values.
>Additionally, note that all Virtual Machine related data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the above.
After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager.
See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
<pre style="overflow-y: visible">
PS C:\autopilot> dir c:\iso
Directory: C:\iso
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/12/2019 2:46 PM 4627343360 win10-eval.iso
PS C:\autopilot> (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
Ethernet
PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
Name SwitchType NetAdapterInterfaceDescription
---- ---------- ------------------------------
AutopilotExternal External Intel(R) Ethernet Connection (2) I218-LM
PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
Name State CPUUsage(%) MemoryAssigned(M) Uptime Status Version
---- ----- ----------- ----------------- ------ ------ -------
WindowsAutopilot Off 0 0 00:00:00 Operating normally 8.0
PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
PS C:\autopilot> Start-VM -VMName WindowsAutopilot
PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
PS C:\autopilot> dir
Directory: C:\autopilot
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/12/2019 3:15 PM VMData
d----- 3/12/2019 3:42 PM VMs
PS C:\autopilot>
</pre>
### Install Windows 10
Now that the Virtual Machine was created and started, open **Hyper-V Manager** and connect to the **WindowsAutopilot** Virtual Machine.
Make sure the Virtual Machine booted from the installation media you've provided and complete the Windows installation process.
Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
Once the installation is complete, create a checkpoint. You will create multiple checkpoints throughout this process, which you can later use to go through the process again.
![Windows setup](images/winsetup1.png)
![Windows setup](images/winsetup2.png)
![Windows setup](images/winsetup3.png)
![Windows setup](images/winsetup4.png)
![Windows setup](images/winsetup5.png)
![Windows setup](images/winsetup6.png)
>After the VM restarts, during OOBE, its fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
![Windows setup](images/winsetup7.png)
Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again.
![Windows setup](images/winsetup8.png)
To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
To create the checkpoint, open a PowerShell prompt **as an administrator** and run the following:
```powershell
Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
```
## Capture your Virtual Machine's hardware ID
Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
On the newly created Virtual Machine, open a PowerShell prompt **as an administrator** and run the following:
```powershell
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy Unrestricted
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
## Capture the hardware ID
>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but youre not going to use the OA3 Tool to capture the full 4K HH for various reasons (youd have to install the OA3 tool, your device couldnt have a volume license version of Windows, its a more complicated process than using a PS script, etc.). Instead, youll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
Follow these steps to run the PS script:
1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
```powershell
md c:\HWID
Set-Location c:\HWID
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Install-Script -Name Get-WindowsAutopilotInfo -Force
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
When you are prompted to install the NuGet package, choose **Yes**.
See the sample output below.
<pre>
PS C:\> md c:\HWID
Directory: C:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/14/2019 11:33 AM HWID
PS C:\> Set-Location c:\HWID
PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
PS C:\HWID> dir
Directory: C:\HWID
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/14/2019 11:33 AM 8184 AutopilotHWID.csv
PS C:\HWID>
</pre>
Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
![Serial number and hardware hash](images/hwid.png)
You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If youre using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
>[!NOTE]
>Accept all prompts while running the above cmdlets.
>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
### Mount the Virtual Hard Drive (VHD)
## Reset the VM back to Out-Of-Box-Experience (OOBE)
To gain access to the AutopilotHWID.csv that contains the hardware ID, stop the Virtual Machine to unlock the Virtual Hard Drive.
To do that, on your device (**not** on the Virtual Machine), open a PowerShell prompt **as an administrator** and run the following:
```powershell
Stop-VM -VMName WindowsAutopilot
```
Once the Virtual Machine has stopped, create a checkpoint:
```powershell
Checkpoint-VM -Name WindowsAutopilot -SnapshotName "HWID captured"
```
With the checkpoint created, continue to mount the VHD:
```powershell
Mount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
```
Once mounted, navigate to the new drive and copy **AutopilotHWID.csv** to a location on your device.
Before you proceed, unmount the VHD to unlock it and start the Virtual Machine:
```powershell
Dismount-VHD -path (Get-VMHardDiskDrive -VMName WindowsAutopilot).Path
Start-VM -VMName WindowsAutopilot
```
## Reset Virtual Machine back to Out-Of-Box-Experience (OOBE)
With the hardware ID captured, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**.
![Reset this PC final prompt](images/autopilot-reset-prompt.jpg)
Resetting your Virtual Machine can take a while. Proceed to the next steps while your Virtual Machine is resetting.
Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
![Reset this PC screen capture](images/autopilot-reset-progress.jpg)
## Verify subscription level
For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
![MDM and Intune](images/mdm-intune2.png)
If the configuration blade shown above does not appear, its likely that you dont have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
![Reset this PC final prompt](images/aad-lic1.png)
## Configure company branding
>[!IMPORTANT]
>If you already have company branding configured in Azure Active Directory, you can skip this step.
Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding).
If you already have company branding configured in Azure Active Directory, you can skip this step.
>[!IMPORTANT]
>Make sure to sign-in with a Global Administrator account.
Click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
![Configure button in Company branding](images/autopilot-aad-configure.jpg)
![Configure company branding](images/branding.png)
Once finished, click **Save**.
When you are finished, click **Save**.
>[!NOTE]
>Changes to company branding can take up to 30 minutes to apply.
## Configure Microsoft Intune auto-enrollment
>[!IMPORTANT]
>If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
Navigate to [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**.
Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**.
For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.jpg)
![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png)
## Register your Virtual Machine to your organization
## Register your VM
Navigate to [Microsoft Store for Business device management](https://businessstore.microsoft.com/en-us/manage/devices). Click on **Add devices** and select the **AutopilotHWID.csv** you've saved earlier. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your Virtual Machine added.
Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but <u>only pick one</u> for purposes of this lab. We highly recommend using Intune rather than MSfB.
![Add devices through Microsoft Store for Business](images/autopilot-devices-add.jpg)
### Autopilot registration using Intune
1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**.
![Intune device import](images/device-import.png)
>[!NOTE]
>If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). Its okay if other fields (Windows Product ID) are left blank.
![HWID CSV](images/hwid-csv.png)
You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example.
![Import HWID](images/import-vm.png)
### Autopilot registration using MSfB
>[!IMPORTANT]
>If you've already registered your VM (or device) using Intune, then skip this step.
Optional: see the following video for an overview of the process.
&nbsp;
> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/en-us/microsoft-store/windows-store-for-business-overview) to create a new one.
Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page.
Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
![Microsoft Store for Business](images/msfb.png)
Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
![Devices](images/msfb-device.png)
## Create and assign a Windows Autopilot deployment profile
Navigate to [Windows enrollment in Microsoft Intune](https://portal.azure.com/#blade/Microsoft_Intune_Enrollment/OverviewBlade/windowsEnrollment).
>[!IMPORTANT]
>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only <U>pick one for purposes of this lab</U>:
Make sure to sync the device you've just registered, by clicking on **Devices** under **Windows Autopilot Deployment Program (Preview)** and selecting **Sync**. Wait a few moments before refreshing to see your Virtual Machine added.
Pick one:
- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
![Microsoft Intune sync Windows devices](images/autopilot-intune-sync.jpg)
### Create a Windows Autopilot deployment profile using Intune
### Create a Windows Autopilot deployment profile
>[!NOTE]
>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first:
Click on **Deployment profiles** under **Windows Autopilot Deployment Program (Preview)** and select **Create profile**.
![Devices](images/intune-devices.png)
![Microsoft Intune create deployment profile](images/autopilot-intune-profile-add.jpg)
>The example above lists both a physical device and a VM. Your list should only include only one of these.
In the **Create profile** blade, set the name to **Autopilot Intune Demo**, click on **Out-of-box experience (OOBE)** and configure the following:
| Setting name | Value |
To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles**
![Deployment profiles](images/deployment-profiles.png)
Click on **Create profile**.
![Create deployment profile](images/create-profile.png)
On the **Create profile** blade, use the following values:
| Setting | Value |
|---|---|
|Privacy Settings|Hide|
|End user license agreement (EULA)|Hide|
|User account type|Standard|
| Name | Autopilot Lab profile |
| Description | blank |
| Convert all targeted devices to Autopilot | No |
| Deployment mode | User-driven |
| Join to Azure AD as | Azure AD joined |
Click on **Save** and **Create**.
Click on **Out-of-box experience (OOBE)** and configure the following settings:
![Create a new deployment profile in Microsoft Intune](images/autopilot-intune-profile-configure.jpg)
| Setting | Value |
|---|---|
| EULA | Hide |
| Privacy Settings | Hide |
| Hide change account options | Hide |
| User account type | Standard |
| Apply device name template | No |
### Assign a Windows Autopilot deployment profile
See the following example:
With the deployment profile created, go back to **Devices** under **Windows Autopilot Deployment Program (Preview)** and select your Virtual Machine. Click on **Assign profile** and in the **Assign Profile** blade select **Autopilot Intune Demo** under the **Autopilot profile**. Click on **Assign**.
![Deployment profile](images/profile.png)
![Assign Autopilot Profile in Microsoft Intune](images/autopilot-intune-profile-assign.jpg)
Click on **OK** and then click on **Create**.
Wait a few minutes for all changes to apply.
>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
#### Assign the profile
Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading.
To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**:
![All groups](images/all-groups.png)
Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type:
Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group.
![New group](images/new-group.png)
Now click **Create** to finish creating the new group.
Click on **All groups** and click **Refresh** to verify that your new group has been successfully created.
With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results).
From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile:
![Lab profile](images/deployment-profiles2.png)
Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**).
![Include group](images/include-group.png)
Click **Select** and then click **Save**.
![Include group](images/include-group2.png)
Its also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot).
### Create a Windows Autopilot deployment profile using MSfB
If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below.
First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
![MSfB manage](images/msfb-manage.png)
Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
To CREATE the profile:
Select your device from the **Devices** list:
![MSfB create](images/msfb-create1.png)
On the Autopilot deployment dropdown menu, select **Create new profile**:
![MSfB create](images/msfb-create2.png)
Name the profile, choose your desired settings, and then click **Create**:
![MSfB create](images/msfb-create3.png)
The new profile is added to the Autopilot deployment list.
To ASSIGN the profile:
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
![MSfB assign](images/msfb-assign1.png)
Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
![MSfB assign](images/msfb-assign2.png)
>[!IMPORTANT]
>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
## See Windows Autopilot in action
By now, your Virtual Machine should be back to OOBE. Make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding)
, otherwise those changes might not show up.
If you shut down your VM after the last reset, its time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
![Device status](images/device-status.png)
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
>[!TIP]
>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience youre expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
- Ensure your device has an internet connection.
- Turn on the device
- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
![OOBE sign-in page](images/autopilot-oobe.jpg)
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
![Device enabled](images/enabled-device.png)
Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
![OOBE sign-in page](images/autopilot-oobe.jpg)
Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
Windows Autopilot will now take over to automatically join your Virtual Machine into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings.
## Remove devices from Autopilot
To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/en-us/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
### Delete (deregister) Autopilot device
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu.
![Delete device](images/delete-device1.png)
Click **X** when challenged to complete the operation:
![Delete device](images/delete-device2.png)
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
![Delete device](images/delete-device3.png)
The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
To remove the device from the Autopilot program, select the device and click Delete.
![Delete device](images/delete-device4.png)
A warning message appears reminding you to first remove the device from Intune, which we previously did.
![Delete device](images/delete-device5.png)
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
![Delete device](images/delete-device6.png)
Once the device no longer appears, you are free to reuse it for other purposes.
If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
![Delete device](images/delete-device7.png)
## Appendix A: Verify support for Hyper-V
Starting with Windows 8, the host computers microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
<pre style="overflow-y: visible">
C:\>systeminfo
...
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Virtualization Enabled In Firmware: Yes
Second Level Address Translation: Yes
Data Execution Prevention Available: Yes
</pre>
In this example, the computer supports SLAT and Hyper-V.
>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example:
<pre style="overflow-y: visible">
C:\>coreinfo -v
Coreinfo v3.31 - Dump information on system CPU and memory topology
Copyright (C) 2008-2014 Mark Russinovich
Sysinternals - www.sysinternals.com
Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
Microcode signature: 0000001B
HYPERVISOR - Hypervisor is present
VMX * Supports Intel hardware-assisted virtualization
EPT * Supports Intel extended page tables (SLAT)
</pre>
Note: A 64-bit operating system is required to run Hyper-V.
## Appendix B: Adding apps to your profile
### Add a Win32 app
#### Prepare the app for Intune
Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool:
1. The source folder for your application
2. The name of the setup executable file
3. The output folder for the new file
For the purposes of this lab, well use the Notepad++ tool as our Win32 app.
Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi.
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
![Add app](images/app01.png)
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
#### Create app in Intune
Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
![Add app](images/app02.png)
Under **App Type**, select **Windows app (Win32)**:
![Add app](images/app03.png)
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
![Add app](images/app04.png)
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
![Add app](images/app05.png)
On the **Program Configuration** blade, supply the install and uninstall commands:
Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q
Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
![Add app](images/app06.png)
Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesnt actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
![Add app](images/app07.png)
Next, configure the **Detection rules**. For our purposes, we will select manual format:
![Add app](images/app08.png)
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
![Add app](images/app09.png)
Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
**Return codes**: For our purposes, leave the return codes at their default values:
![Add app](images/app10.png)
Click **OK** to exit.
You may skip configuring the final **Scope (Tags)** blade.
Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
![Add app](images/app11.png)
You will be able to find your app in your app list:
![Add app](images/app12.png)
#### Assign the app to your Intune profile
**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
![Add app](images/app13.png)
Select **Add Group** to open the **Add group** pane that is related to the app.
For our purposes, select *8Required** from the **Assignment type** dropdown menu:
>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
![Add app](images/app14.png)
![Add app](images/app15.png)
In the **Select groups** pane, click the **Select** button.
In the **Assign group** pane, select **OK**.
In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
![Add app](images/app16.png)
At this point, you have completed steps to add a Win32 app to Intune.
For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/en-us/intune/apps-win32-app-management).
### Add Office 365
#### Create app in Intune
Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
![Add app](images/app17.png)
Under **App Type**, select **Office 365 Suite > Windows 10**:
![Add app](images/app18.png)
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
![Add app](images/app19.png)
Click **OK**.
In the **App Suite Information** pane, enter a <i>unique</i> suite name, and a suitable description.
>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
![Add app](images/app20.png)
Click **OK**.
In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
![Add app](images/app21.png)
Click **OK** and then click **Add**.
#### Assign the app to your Intune profile
**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
![Add app](images/app22.png)
Select **Add Group** to open the **Add group** pane that is related to the app.
For our purposes, select **Required** from the **Assignment type** dropdown menu:
>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
Select **Included Groups** and assign the groups you previously created that will use this app:
![Add app](images/app23.png)
![Add app](images/app24.png)
In the **Select groups** pane, click the **Select** button.
In the **Assign group** pane, select **OK**.
In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
![Add app](images/app25.png)
At this point, you have completed steps to add Office to Intune.
For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365).
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
![Add app](images/app26.png)
## Glossary
<table border="1">
<tr><td>OEM</td><td>Original Equipment Manufacturer</td></tr>
<tr><td>CSV</td><td>Comma Separated Values</td></tr>
<tr><td>MPC</td><td>Microsoft Partner Center</td></tr>
<tr><td>CSP</td><td>Cloud Solution Provider</td></tr>
<tr><td>MSfB</td><td>Microsoft Store for Business</td></tr>
<tr><td>AAD</td><td>Azure Active Directory</td></tr>
<tr><td>4K HH</td><td>4K Hardware Hash</td></tr>
<tr><td>CBR</td><td>Computer Build Report</td></tr>
<tr><td>EC</td><td>Enterprise Commerce (server)</td></tr>
<tr><td>DDS</td><td>Device Directory Service</td></tr>
<tr><td>OOBE</td><td>Out of the Box Experience</td></tr>
<tr><td>VM</td><td>Virtual Machine</td></tr>
</table>

2
windows/deployment/windows-autopilot/enrollment-status.md
View File

@ -20,6 +20,8 @@ ms.topic: article
The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process. Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete.
![Enrollment status page](images/enrollment-status-page.png)
From Windows 10 version 1803 onwards, you can opt out of the account setup phase. If it is skipped, settings will be applied for users when they access their desktop for the first time.
## Available settings

BIN
windows/deployment/windows-autopilot/images/aad-lic1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/deployment/windows-autopilot/images/all-groups.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 109 KiB

BIN
windows/deployment/windows-autopilot/images/app01.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 8.2 KiB

BIN
windows/deployment/windows-autopilot/images/app02.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 117 KiB

BIN
windows/deployment/windows-autopilot/images/app03.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

BIN
windows/deployment/windows-autopilot/images/app04.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 102 KiB

BIN
windows/deployment/windows-autopilot/images/app05.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 41 KiB

BIN
windows/deployment/windows-autopilot/images/app06.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 27 KiB

BIN
windows/deployment/windows-autopilot/images/app07.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/deployment/windows-autopilot/images/app08.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 10 KiB

BIN
windows/deployment/windows-autopilot/images/app09.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 12 KiB

BIN
windows/deployment/windows-autopilot/images/app10.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/deployment/windows-autopilot/images/app11.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/deployment/windows-autopilot/images/app12.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 20 KiB

BIN
windows/deployment/windows-autopilot/images/app13.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

BIN
windows/deployment/windows-autopilot/images/app14.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 95 KiB

BIN
windows/deployment/windows-autopilot/images/app15.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 34 KiB

BIN
windows/deployment/windows-autopilot/images/app16.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
windows/deployment/windows-autopilot/images/app17.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 117 KiB

BIN
windows/deployment/windows-autopilot/images/app18.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 39 KiB

BIN
windows/deployment/windows-autopilot/images/app19.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/deployment/windows-autopilot/images/app20.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/deployment/windows-autopilot/images/app21.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
windows/deployment/windows-autopilot/images/app22.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

Some files were not shown because too many files have changed in this diff Show More