diff --git a/windows/client-management/mdm/Language-pack-management-csp.md b/windows/client-management/mdm/Language-pack-management-csp.md
index d4a2294c65..1cf5678715 100644
--- a/windows/client-management/mdm/Language-pack-management-csp.md
+++ b/windows/client-management/mdm/Language-pack-management-csp.md
@@ -1,7 +1,7 @@
---
title: Language Pack Management CSP
description: Language Pack Management CSP allows a direct way to provision language packs remotely in Windows 10.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 03a75d8a7a..4d1d323eeb 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -7,11 +7,11 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 03/23/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
-# AccountManagement CSP
+# AccountManagement CSP
AccountManagement CSP is used to configure setting in the Account Manager service in Windows Holographic for Business edition. Added in Windows 10, version 1803.
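Review bot: the introductory context line under the heading reads "configure setting in the Account Manager service"; it should be "configure settings". Since this file is already being touched for cleanup, fold the fix into the same change.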
@@ -31,23 +31,23 @@ AccountManagement
--------ProfileInactivityThreshold
```
-**./Vendor/MSFT/AccountManagement**
+**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.
-**UserProfileManagement**
-Interior node.
+**UserProfileManagement**
+Interior node.
-**UserProfileManagement/EnableProfileManager**
+**UserProfileManagement/EnableProfileManager**
Enable profile lifetime management for shared or communal device scenarios. Default value is false.
Supported operations are Add, Get, Replace, and Delete.
Value type is bool.
-**UserProfileManagement/DeletionPolicy**
+**UserProfileManagement/DeletionPolicy**
Configures when profiles will be deleted. Default value is 1.
-Valid values:
+Valid values:
- 0 - delete immediately when the device returns to a state with no currently active users
- 1 - delete at storage capacity threshold
@@ -57,21 +57,21 @@ Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
-**UserProfileManagement/StorageCapacityStartDeletion**
+**UserProfileManagement/StorageCapacityStartDeletion**
Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first. Default value is 25.
-Supported operations are Add, Get, Replace, and Delete.
+Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
-**UserProfileManagement/StorageCapacityStopDeletion**
+**UserProfileManagement/StorageCapacityStopDeletion**
Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles. Default value is 50.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
-**UserProfileManagement/ProfileInactivityThreshold**
+**UserProfileManagement/ProfileInactivityThreshold**
Start deleting profiles when they haven't been logged on during the specified period, given as number of days. Default value is 30.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
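Review bot: StorageCapacityStartDeletion (default 25) and StorageCapacityStopDeletion (default 50) are described independently, with no stated valid range and no word on what happens if the stop threshold is set at or below the start threshold. Add a sentence under StorageCapacityStopDeletion covering both, so an admin can tell which combinations the CSP accepts. In ProfileInactivityThreshold, "haven't been logged on during the specified period" would read better as "haven't been logged on to during the specified period".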
diff --git a/windows/client-management/mdm/accountmanagement-ddf.md b/windows/client-management/mdm/accountmanagement-ddf.md
index d425503b6a..574ffb3f9c 100644
--- a/windows/client-management/mdm/accountmanagement-ddf.md
+++ b/windows/client-management/mdm/accountmanagement-ddf.md
@@ -7,11 +7,11 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 03/23/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
-# AccountManagement DDF file
+# AccountManagement DDF file
This topic shows the OMA DM device description framework (DDF) for the **AccountManagement** configuration service provider.
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
index 2623c3d235..03ce33e1c4 100644
--- a/windows/client-management/mdm/accounts-csp.md
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 03/27/2020
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -39,13 +39,13 @@ Accounts
------------LocalUserGroup
```
-**./Device/Vendor/MSFT/Accounts**
+**./Device/Vendor/MSFT/Accounts**
Root node.
-**Domain**
+**Domain**
Interior node for the account domain information.
-**Domain/ComputerName**
+**Domain/ComputerName**
This node specifies the DNS hostname for a device. This setting can be managed remotely, but this remote management isn't supported for devices hybrid joined to Azure Active Directory and an on-premises Active directory. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 15 characters.
Available naming macros:
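Review bot: in the Domain/ComputerName paragraph, "on-premises Active directory" should be capitalized as "Active Directory", matching "Azure Active Directory" earlier in the same sentence. "A couple of macros can be embedded" is vague given that the list follows immediately; "The following macros can be embedded" is clearer.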
@@ -63,19 +63,19 @@ Supported operation is Add.
> [!Note]
> For desktop PCs on Windows 10, version 2004 or later, use the **Ext/Microsoft/DNSComputerName** node in [DevDetail CSP](devdetail-csp.md).
-**Users**
+**Users**
Interior node for the user account information.
-**Users/_UserName_**
+**Users/_UserName_**
This node specifies the username for a new local user account. This setting can be managed remotely.
-**Users/_UserName_/Password**
+**Users/_UserName_/Password**
This node specifies the password for a new local user account. This setting can be managed remotely.
Supported operation is Add.
GET operation isn't supported. This setting will report as failed when deployed from the Endpoint Manager.
-**Users/_UserName_/LocalUserGroup**
+**Users/_UserName_/LocalUserGroup**
This optional node specifies the local user group that a local user account should be joined to. If the node isn't set, the new local user account is joined just to the Standard Users group. Set the value to 2 for Administrators group. This setting can be managed remotely.
Supported operation is Add.
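Review bot: Users/_UserName_ has no "Supported operation" line, while Password and LocalUserGroup directly below it both state Add. Add the line for consistency. LocalUserGroup documents only "Set the value to 2 for Administrators group" and never gives the value that corresponds to the default Standard Users group; because this node decides whether a provisioned account is an administrator, list every accepted value explicitly rather than only the privileged one.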
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
index b2bffb3a42..857fa1941e 100644
--- a/windows/client-management/mdm/accounts-ddf-file.md
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 04/17/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -42,7 +42,7 @@ The XML below is for Windows 10, version 1803 and later.
- com.microsoft/1.0/MDM/Accounts
+ com.microsoft/1.0/MDM/Accounts
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
index d174729230..663b2025e1 100644
--- a/windows/client-management/mdm/activesync-csp.md
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -1,7 +1,7 @@
---
title: ActiveSync CSP
description: Learn how the ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -69,7 +69,7 @@ ActiveSync
```
-**./User/Vendor/MSFT/ActiveSync**
+**./User/Vendor/MSFT/ActiveSync**
The root node for the ActiveSync configuration service provider.
> [!NOTE]
@@ -81,12 +81,12 @@ The `./Vendor/MSFT/ActiveSync` path is deprecated, but will continue to work in
The supported operation is Get.
-**Accounts**
+**Accounts**
The root node for all ActiveSync accounts.
The supported operation is Get.
-***Account GUID***
+***Account GUID***
Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device.
Supported operations are Get, Add, and Delete.
@@ -109,63 +109,63 @@ For OMA DM, you must use the ASCII values of %7B and %7D for the opening and clo
```
-***Account GUID*/EmailAddress**
+***Account GUID*/EmailAddress**
Required. A character string that specifies the email address associated with the Exchange ActiveSync account.
Supported operations are Get, Replace, and Add (can't Add after the account is created).
This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com".
-***Account GUID*/Domain**
+***Account GUID*/Domain**
Optional for Exchange. Specifies the domain name of the Exchange server.
Supported operations are Get, Replace, Add, and Delete.
-***Account GUID*/AccountIcon**
+***Account GUID*/AccountIcon**
Required. A character string that specifies the location of the icon associated with the account.
Supported operations are Get, Replace, and Add (can't Add after the account is created).
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
-***Account GUID*/AccountType**
+***Account GUID*/AccountType**
Required. A character string that specifies the account type.
Supported operations are Get and Add (can't Add after the account is created).
This value is entered during setup and can't be modified once entered. An Exchange account is indicated by the string value "Exchange".
-***Account GUID*/AccountName**
+***Account GUID*/AccountName**
Required. A character string that specifies the name that refers to the account on the device.
Supported operations are Get, Replace, and Add (can't Add after the account is created).
-***Account GUID*/Password**
+***Account GUID*/Password**
Required. A character string that specifies the password for the account.
Supported operations are Get, Replace, Add, and Delete.
For the Get command, only asterisks are returned.
-***Account GUID*/ServerName**
+***Account GUID*/ServerName**
Required. A character string that specifies the server name used by the account.
Supported operations are Get, Replace, and Add (can't Add after the account is created).
-***Account GUID*/UserName**
+***Account GUID*/UserName**
Required. A character string that specifies the user name for the account.
Supported operations are Get, and Add (can't Add after the account is created).
The user name can't be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
-**Options**
+**Options**
Node for other parameters.
-**Options/CalendarAgeFilter**
+**Options/CalendarAgeFilter**
Specifies the time window used for syncing calendar items to the device. Value type is chr.
-**Options/Logging**
+**Options/Logging**
Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
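Review bot: Options/CalendarAgeFilter gives only "Value type is chr", with no supported operations, no valid values and no default, unlike Options/Logging directly after it. Add those three items, or point to where the values are defined. Under UserName, "Supported operations are Get, and Add" has a stray comma; the AccountType entry in the same hunk uses "Get and Add".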
@@ -180,7 +180,7 @@ Valid values are any of the following values:
Logging is set to off by default. The user might be asked to set this logging to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
-**Options/MailBodyType**
+**Options/MailBodyType**
Indicates the email format. Valid values:
- 0 - none
@@ -189,13 +189,13 @@ Indicates the email format. Valid values:
- 3 - RTF
- 4 - MIME
-**Options/MailHTMLTruncation**
+**Options/MailHTMLTruncation**
Specifies the size beyond which HTML-formatted email messages are truncated when they're synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
-**Options/MailPlainTextTruncation**
+**Options/MailPlainTextTruncation**
This setting specifies the size beyond which text-formatted e-mail messages are truncated when they're synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
-**Options/UseSSL**
+**Options/UseSSL**
Optional. A character string that specifies whether SSL is used.
Supported operations are Get, Replace, and Add (can't Add after the account is created).
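Review bot: Options/MailHTMLTruncation and Options/MailPlainTextTruncation describe the same behaviour in different terms: one says "email messages ... synchronized to the mobile device", the other "e-mail messages ... synchronized to the mobile phone". Align both on "email" and "device". Neither entry states a value type or supported operations, which Options/UseSSL in the same hunk does; add them.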
@@ -206,7 +206,7 @@ Valid values are:
- 1 (default) - SSL is used.
-**Options/Schedule**
+**Options/Schedule**
Required. A character string that specifies the time until the next sync is performed, in minutes. The default value is -1.
Supported operations are Get and Replace.
@@ -223,7 +223,7 @@ Valid values are any of the following values:
- 60 - Sync every 60 minutes
-**Options/MailAgeFilter**
+**Options/MailAgeFilter**
Required. A character string that specifies the time window used for syncing email items to the device. The default value is 3.
Supported operations are Get and Replace.
@@ -240,7 +240,7 @@ Valid values are any of the following values:
- 5 – Email up to a month old is synced to the device.
-**Options/ContentTypes/***Content Type GUID*
+**Options/ContentTypes/***Content Type GUID*
Defines the type of content to be individually enabled/disabled for sync.
The *GUID* values allowed are any of the following values:
@@ -253,7 +253,7 @@ The *GUID* values allowed are any of the following values:
- Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}"
-**Options/ContentTypes/*Content Type GUID*/Enabled**
+**Options/ContentTypes/*Content Type GUID*/Enabled**
Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled).
Supported operations are Get, Replace, and Add (can't Add after the account is created).
@@ -263,7 +263,7 @@ Valid values are any of the following values:
- 0 - Sync for email, contacts, calendar, or tasks are disabled.
- 1 (default) - Sync is enabled.
-**Options/ContentTypes/*Content Type GUID*/Name**
+**Options/ContentTypes/*Content Type GUID*/Name**
Required. A character string that specifies the name of the content type.
> [!NOTE]
@@ -273,17 +273,17 @@ Supported operations are Get, Replace, and Add (can't Add after the account is c
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
-**Policies**
+**Policies**
Node for mail body type and email age filter.
-**Policies/MailBodyType**
+**Policies/MailBodyType**
Required. Specifies the email body type: HTML or plain.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
-**Policies/MaxMailAgeFilter**
+**Policies/MaxMailAgeFilter**
Required. Specifies the time window used for syncing mail items to the device.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
@@ -292,9 +292,9 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
+
+
+
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
index 323fc038e9..7cff0498b6 100644
--- a/windows/client-management/mdm/activesync-ddf-file.md
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -1,7 +1,7 @@
---
title: ActiveSync DDF file
description: Learn about the OMA DM device description framework (DDF) for the ActiveSync configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
index e8aab159fb..89487eb1ed 100644
--- a/windows/client-management/mdm/alljoynmanagement-csp.md
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -1,7 +1,7 @@
---
title: AllJoynManagement CSP
description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -166,7 +166,7 @@ Get the firewall PrivateProfile
[Configuration service provider reference](configuration-service-provider-reference.md)
-
+
diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md
index edc188feac..a386cd6025 100644
--- a/windows/client-management/mdm/alljoynmanagement-ddf.md
+++ b/windows/client-management/mdm/alljoynmanagement-ddf.md
@@ -1,7 +1,7 @@
---
title: AllJoynManagement DDF
description: Learn the OMA DM device description framework (DDF) for the AllJoynManagement configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -93,7 +93,7 @@ Looking for the DDF XML files? See [CSP DDF files download](configuration-servic
- The set of Ports that this AllJoyn Object uses to communicate configuration settings through.
+ The set of Ports that this AllJoyn Object uses to communicate configuration settings through.
Typically, only one port is used for communication, but it is possible that additional ports may be specified.
@@ -186,7 +186,7 @@ For example an AllJoyn Bridge with the Microsoft specific AllJoyn Configuration
- This is the Credential Store. An Administrator can set credentials for each AllJoyn device that requires authentication at this node.
+ This is the Credential Store. An Administrator can set credentials for each AllJoyn device that requires authentication at this node.
If a SYNCML request arrives in the CSP to replace or query a configuration item on an AllJoyn Object that requires authentication, then the CSP will use the Credentials stored here during the authentication phase.
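Review bot: the Credential Store description on the changed line does not say whether credentials written to this node can be read back with Get or are write-only. State that explicitly, as the ActiveSync Password node does for its Get behaviour. The sentence also has a misplaced modifier: "each AllJoyn device that requires authentication at this node" reads as if authentication happens at the node; "At this node, an administrator can set credentials for each AllJoyn device that requires authentication" is unambiguous. "SYNCML" on the following context line should be "SyncML", as used elsewhere in these docs.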
diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md
index 466550a3e5..bd1155226e 100644
--- a/windows/client-management/mdm/application-csp.md
+++ b/windows/client-management/mdm/application-csp.md
@@ -1,7 +1,7 @@
---
title: APPLICATION CSP
description: Learn how the APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index e587cf8a3c..9ec2279561 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -55,22 +55,22 @@ ApplicationControl
----DeviceID
```
-**./Vendor/MSFT/ApplicationControl**
+**./Vendor/MSFT/ApplicationControl**
Defines the root node for the ApplicationControl CSP.
Scope is permanent. Supported operation is Get.
-**ApplicationControl/Policies**
+**ApplicationControl/Policies**
An interior node that contains all the policies, each identified by their globally unique identifier (GUID).
Scope is permanent. Supported operation is Get.
-**ApplicationControl/Policies/_Policy GUID_**
+**ApplicationControl/Policies/_Policy GUID_**
The ApplicationControl CSP enforces that the "ID" segment of a given policy URI is the same GUID as the policy ID in the policy blob. Each *Policy GUID* node contains a Policy node and a corresponding PolicyInfo node.
Scope is dynamic. Supported operation is Get.
-**ApplicationControl/Policies/_Policy GUID_/Policy**
+**ApplicationControl/Policies/_Policy GUID_/Policy**
This node is the policy binary itself, which is encoded as base64.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@@ -79,19 +79,19 @@ Value type is b64. Supported value is a binary file, converted from the policy X
Default value is empty.
-**ApplicationControl/Policies/_Policy GUID_/PolicyInfo**
+**ApplicationControl/Policies/_Policy GUID_/PolicyInfo**
An interior node that contains the nodes that describe the policy indicated by the GUID.
Scope is dynamic. Supported operation is Get.
-**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version**
+**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Version**
This node provides the version of the policy indicated by the GUID. Stored as a string, but when parsing uses a uint64 as the containing data type.
Scope is dynamic. Supported operation is Get.
Value type is char.
-**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective**
+**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsEffective**
This node specifies whether a policy is loaded by the enforcement engine and is in effect on a system.
Scope is dynamic. Supported operation is Get.
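Review bot: in PolicyInfo/Version, "Stored as a string, but when parsing uses a uint64 as the containing data type" is not a complete sentence and leaves the format of the string unstated. Reword it along the lines of "The version is stored as a string and parsed into a uint64", and say what form the string takes so a management server can compare versions reliably.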
@@ -101,7 +101,7 @@ Value type is bool. Supported values are as follows:
- True—Indicates that the policy is loaded by the enforcement engine and is in effect on a system.
- False—Indicates that the policy isn't loaded by the enforcement engine and isn't in effect on a system. This value is the default value.
-**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed**
+**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsDeployed**
This node specifies whether a policy is deployed on the system and is present on the physical machine.
Scope is dynamic. Supported operation is Get.
@@ -111,7 +111,7 @@ Value type is bool. Supported values are as follows:
- True—Indicates that the policy is deployed on the system and is present on the physical machine.
- False—Indicates that the policy isn't deployed on the system and isn't present on the physical machine. This value is the default value.
-**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized**
+**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/IsAuthorized**
This node specifies whether the policy is authorized to be loaded by the enforcement engine on the system. If not authorized, a policy can't take effect on the system.
Scope is dynamic. Supported operation is Get.
@@ -136,21 +136,21 @@ The following table provides the result of this policy based on different values
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the `END_COMMAND_PROCESSING` will result in a fail.
-**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
+**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
Scope is dynamic. Supported operation is Get.
Value type is integer. Default value is 0 = OK.
-**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
+**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/FriendlyName**
This node provides the friendly name of the policy indicated by the policy GUID.
Scope is dynamic. Supported operation is Get.
Value type is char.
-## Microsoft Endpoint Manager Intune Usage Guidance
+## Microsoft Endpoint Manager Intune Usage Guidance
For customers using Intune standalone or hybrid management with Microsoft Endpoint Configuration Manager to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
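Review bot: PolicyInfo/Status states only "Default value is 0 = OK" and gives no meaning for non-zero values, so a server that reads this node after a deployment cannot interpret a failure. List the possible status values, or link to where they are defined. On the context line above it, "will result in a fail" should be "will result in a failure".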
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index abccc814e8..9f6194d1b5 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -1,7 +1,7 @@
---
title: AppLocker CSP
description: Learn how the AppLocker configuration service provider is used to specify which applications are allowed or disallowed.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -75,10 +75,10 @@ AppLocker
----------------Policy
----------------EnforcementMode
```
-**./Vendor/MSFT/AppLocker**
+**./Vendor/MSFT/AppLocker**
Defines the root node for the AppLocker configuration service provider.
-**AppLocker/ApplicationLaunchRestrictions**
+**AppLocker/ApplicationLaunchRestrictions**
Defines restrictions for applications.
> [!NOTE]
@@ -89,123 +89,123 @@ Defines restrictions for applications.
> [!NOTE]
> The AppLocker CSP will schedule a reboot when a policy is applied or when a deletion occurs using the AppLocker/ApplicationLaunchRestrictions/Grouping/CodeIntegrity/Policy URI.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE**
Defines restrictions for launching executable applications.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/NonInteractiveProcessEnforcement**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/EXE/NonInteractiveProcessEnforcement**
The data type is a string.
Supported operations are Add, Delete, Get, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI**
Defines restrictions for executing Windows Installer files.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/Policy**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
-Data type is string.
+Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/MSI/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
-The data type is a string.
+The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script**
Defines restrictions for running scripts.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/Policy**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
-Data type is string.
+Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/Script/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps**
Defines restrictions for running apps from the Microsoft Store.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/Policy**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/StoreApps/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL**
Defines restrictions for processing DLL files.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/Policy**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/EnforcementMode**
The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) doesn't affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).
The data type is a string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/NonInteractiveProcessEnforcement**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/NonInteractiveProcessEnforcement**
The data type is a string.
Supported operations are Add, Delete, Get, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity**
-This node is only supported on the desktop.
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity**
+This node is only supported on the desktop.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy**
+**AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is Base64.
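Review bot: the bold node-path lines in this hunk (for example `**AppLocker/ApplicationLaunchRestrictions/_Grouping_/DLL/Policy**`) are followed directly by their description with no blank line, so if the whitespace stripped from them was the two-space Markdown hard break, the node name will now render run into the description as one paragraph. Either keep the hard break on these lines or add a blank line after each bold node name, and check the rendered page before merging. While these lines are being touched, note that `DLL/NonInteractiveProcessEnforcement` still carries only a data type and operation list with no description of what the node does.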
@@ -215,7 +215,7 @@ Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> To use Code Integrity Policy, you first need to convert the policies to binary format using the `ConvertFrom-CIPolicy` cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc732443(v=ws.11)) command line tool) and added to the Applocker-CSP.
-**AppLocker/EnterpriseDataProtection**
+**AppLocker/EnterpriseDataProtection**
Captures the list of apps that are allowed to handle enterprise data. Should be used with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications aren't protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
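Review bot: the NOTE kept as context in this hunk ends with "added to the Applocker-CSP", which does not match the "AppLocker" capitalization used in every node path around it; suggest "added to the AppLocker CSP". The last context line also reads "the data handled by those applications are protected" and "aren't protected", where the subject "data handled" would read better with consistent agreement throughout the paragraph.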
@@ -239,30 +239,30 @@ Additional information:
- [Recommended blocklist for Windows Information Protection](#recommended-blocklist-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This prevention ensures an administrator doesn't accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
-**AppLocker/EnterpriseDataProtection/_Grouping_**
+**AppLocker/EnterpriseDataProtection/_Grouping_**
Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it's to determine what their purpose is, and to not conflict with other identifiers that they define.
Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/EnterpriseDataProtection/_Grouping_/EXE**
+**AppLocker/EnterpriseDataProtection/_Grouping_/EXE**
Defines restrictions for launching executable applications.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy**
+**AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
-Data type is string.
+Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps**
+**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps**
Defines restrictions for running apps from the Microsoft Store.
Supported operations are Get, Add, Delete, and Replace.
-**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy**
+**AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy**
Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.
Data type is string.
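Review bot: the `_Grouping_` description in this hunk says "whose job it's to determine what their purpose is", where the contraction is ungrammatical; suggest "whose job it is to determine". The blocklist bullet at the top of the hunk also has "and avoid known compatibility issues", which should be "and avoids" to agree with "This prevention ensures". Both are context lines, but this cleanup pass is a good place to fix them.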
@@ -1350,7 +1350,7 @@ In this example, Contoso is the node name. We recommend using a GUID for this no
-
+
diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md
index 30adaa5b15..039528af15 100644
--- a/windows/client-management/mdm/applocker-ddf-file.md
+++ b/windows/client-management/mdm/applocker-ddf-file.md
@@ -1,7 +1,7 @@
---
title: AppLocker DDF file
description: Learn about the OMA DM device description framework (DDF) for the AppLocker DDF file configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md
index 4c9943e332..a49de5a7aa 100644
--- a/windows/client-management/mdm/applocker-xsd.md
+++ b/windows/client-management/mdm/applocker-xsd.md
@@ -1,7 +1,7 @@
---
title: AppLocker XSD
description: View the XSD for the AppLocker CSP. The AppLocker CSP XSD provides an example of how the schema is organized.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -16,1267 +16,1267 @@ ms.date: 06/26/2017
Here's the XSD for the AppLocker CSP.
```xml
-
+
-
+ version="1.0">
-
-
-
+
-
+
-
- type="PolicyType">
+
+ type="PolicyType">
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
-
+
-
+
-
- type="RuleCollectionType"
+
- minOccurs="0"
+
+ type="RuleCollectionType"
-
+ minOccurs="0"
-
- type="PolicyExtensionsType"
+
- minOccurs="0"
+
+ type="PolicyExtensionsType"
-
+ minOccurs="0"
-
+ maxOccurs="1">
-
- type="PolicyVersionType"
+
- use="required"/>
+
+ type="PolicyVersionType"
-
+ use="required"/>
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
-
- maxOccurs="unbounded">
+
-
- type="FilePublisherRuleType"
+
- minOccurs="0"
+
+ maxOccurs="unbounded">
-
+
- maxOccurs="unbounded">
+
-
+
- maxOccurs="unbounded">
+
-
+
+ type="FileHashRuleType"
-
- minOccurs="0"
+
- maxOccurs="1">
+
-
+
+ type="RuleCollectionExtensionsType"
-
- use="required"/>
+
-
- type="EnforcementModeType"
+
+ type="xs:string"
-
+ use="required"/>
-
+
+ type="EnforcementModeType"
-
+ use="optional"/>
-
+
-
-
-
- type="ThresholdPolicyExtensionsType"
+
- minOccurs="1"
+
- maxOccurs="1" />
+
-
- minOccurs="0"
+
+ type="ThresholdPolicyExtensionsType"
-
+ minOccurs="1"
-
+ maxOccurs="1" />
-
+
+ minOccurs="0"
-
+ maxOccurs="unbounded" />
-
+
-
+
-
-
- minOccurs="1"
+
- maxOccurs="1">
+
-
+
-
+
-
+
-
+
-
+
-
+
+ minOccurs="0"
-
+ maxOccurs="unbounded" />
-
+
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
- type="FilePublisherRuleConditionsType"
- minOccurs="1"
- maxOccurs="1" />
+
-
- type="FilePublisherRuleExceptionsType"
+
- minOccurs="0"
+
- maxOccurs="1" />
+
-
+
+ type="FilePublisherRuleConditionsType"
-
+ minOccurs="1"
-
+ maxOccurs="1" />
-
+
+ type="FilePublisherRuleExceptionsType"
-
+ minOccurs="0"
-
+ maxOccurs="1" />
-
+
-
- type="FilePathRuleConditionsType"
+
- minOccurs="1"
- maxOccurs="1" />
-
- type="FilePathRuleExceptionsType"
+
- minOccurs="0"
+
- maxOccurs="1" />
+
-
+
-
+
+ type="FilePathRuleConditionsType"
-
+ minOccurs="1"
-
+ maxOccurs="1" />
-
+
+ type="FilePathRuleExceptionsType"
-
+ minOccurs="0"
-
+ maxOccurs="1" />
-
- type="FileHashRuleConditionsType"
+
- minOccurs="1"
+
- maxOccurs="1" />
-
-
+
-
+
-
+
-
+
-
+
-
+
+ type="FileHashRuleConditionsType"
-
+ minOccurs="1"
-
- type="FilePublisherConditionType"
+
- minOccurs="1"
+
- maxOccurs="1"/>
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
+ minOccurs="1"
-
- type="FilePublisherConditionType"
+
- minOccurs="0"
+
- maxOccurs="unbounded"/>
-
- minOccurs="0"
+
- maxOccurs="unbounded"/>
+
-
- type="FileHashConditionType"
+
- minOccurs="0"
+
+ maxOccurs="unbounded">
-
+
+ type="FilePublisherConditionType"
-
+ minOccurs="0"
-
+ maxOccurs="unbounded"/>
-
+
+ type="FilePathConditionType"
-
+ minOccurs="0"
-
+ maxOccurs="unbounded"/>
-
+
- maxOccurs="1"/>
+
-
+
-
+
-
-
-
+
-
+
-
+
-
+
-
- maxOccurs="unbounded">
+
- maxOccurs="unbounded"/>
+
-
- type="FilePublisherConditionType"
- minOccurs="0"
- maxOccurs="unbounded"/>
+
-
- type="FileHashConditionType"
+
- minOccurs="0"
+
- maxOccurs="unbounded"/>
+
-
+
+ maxOccurs="unbounded">
-
+
+ minOccurs="0"
-
+ maxOccurs="unbounded"/>
-
+
+ type="FilePublisherConditionType"
-
+ minOccurs="0"
-
- type="FileHashConditionType"
+
+ minOccurs="0"
-
+ maxOccurs="unbounded"/>
-
+
-
+
-
+
-
-
-
+
-
- type="GuidType"
+
- use="required"/>
+
-
- type="RuleNameType"
+
+ type="FileHashConditionType"
-
- use="required"/>
+
-
- type="SidType"
- use="required"/>
-
- type="RuleActionType"
+
- use="required"/>
+
-
+
-
+
+ type="GuidType"
-
+ use="required"/>
-
+
+ type="RuleNameType"
-
+ use="required"/>
-
+
+ type="RuleDescriptionType"
-
+ use="required"/>
-
+
+ use="required"/>
-
+
+ type="RuleActionType"
-
+ use="required"/>
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
- type="FileVersionRangeType"
+
- minOccurs="1"
- maxOccurs="1" />
-
+
-
- type="PublisherNameType"
+
- use="required"/>
+
-
- type="ProductNameType"
+
- use="required"/>
+
-
- type="BinaryNameType"
+
- use="required"/>
-
-
+
-
+
-
+
-
+
-
+
-
+
+ type="FileVersionRangeType"
-
+ minOccurs="1"
-
+ maxOccurs="1" />
-
+
-
+
+ type="PublisherNameType"
-
+ use="required"/>
-
+
+ type="ProductNameType"
-
+ use="required"/>
-
+
+ use="required"/>
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
- type="FileVersionType"
+
- use="required"/>
+
-
+
-
+
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
-
+
-
+
-
+
-
+
+ type="FileVersionType"
-
+ use="required"/>
-
+
+ type="FileVersionType"
-
+ use="required"/>
-
+
-
-
-
+
-
+
-
+
-
+
-
- type="FilePathType"
+
- use="required"/>
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
- type="FileHashType"
+
- minOccurs="1"
- maxOccurs="unbounded"/>
-
+
-
+
-
+
-
+
-
+
+ type="FilePathType"
-
+ use="required"/>
-
- type="HashType"
- use="required"/>
-
- type="HashDataType"
+
- use="required"/>
+
-
- type="xs:string"
+
- use="optional"/>
+
-
- type="xs:integer"
+
- use="optional"/>
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
+ type="FileHashType"
-
+ minOccurs="1"
-
+ maxOccurs="unbounded"/>
-
+
-
+
-
-
-
+
-
+
-
+
-
+
-
+
+ type="HashType"
-
+ use="required"/>
-
+
+ type="HashDataType"
-
+ use="required"/>
-
+
+ type="xs:string"
-
+ use="optional"/>
-
+
+ type="xs:integer"
-
+ use="optional"/>
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
-
- use="required"/>
+
-
+
-
+
-
+
-
-
-
+
-
+
-
- type="ServicesType"
+
- minOccurs="0"
+
- maxOccurs="1" />
-
-
+
-
+
-
+
-
+
-
+
-
-
-
- type="PluginsType"
+
- minOccurs="0"
+
- maxOccurs="1" />
+
-
+
-
+
-
+
-
+
-
+
-
- type="PluginType"
- minOccurs="0"
- maxOccurs="unbounded" />
+
-
+
-
+
-
+
-
+
+ type="ServicesEnforcementModeType"
-
- type="ExecutionCategoriesType"
+
- minOccurs="1"
- maxOccurs="1" />
-
+
-
+
-
+
-
+
-
+
-
+
+ type="ServicesType"
-
- minOccurs="1"
+
- maxOccurs="unbounded" />
+
-
-
-
+
-
+
-
+
-
- type="PluginPoliciesType"
+
- minOccurs="0"
+
+ type="PluginsType"
-
+ minOccurs="0"
-
- type="GuidType" />
+
-
- type="AttributeListType"
- use="optional" />
-
+
-
+
-
+
+ type="PluginType"
-
+ minOccurs="0"
-
+ maxOccurs="unbounded" />
-
+
-
+
-
-
-
+
-
+
-
+
+ minOccurs="1"
-
+ maxOccurs="1" />
-
- type="PluginPolicyType"
+
- minOccurs="0"
+
- maxOccurs="unbounded" />
+
-
-
-
+
-
+
-
+ type="ExecutionCategoryType"
-
+ minOccurs="1"
-
+ maxOccurs="unbounded" />
-
+
-
+
-
-
-
+
-
+
-
+
+ type="PluginPoliciesType"
-
+ minOccurs="0"
-
+ maxOccurs="1" />
-
+
-
+
+ type="GuidType" />
-
+
+ type="AttributeListType"
-
+ use="optional" />
-
+
-
-
-
+
-
+
-
+
-
-
-
+
-
+
-
+
-
+
-
+
-
+
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
```
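Review bot: the header `@@ -16,1267 +16,1267 @@` rewrites every line of the fenced XSD block, and the removed and added lines are interleaved unevenly (for example `type="RuleCollectionType"` and `minOccurs="0"` move relative to their neighbours), so it cannot be confirmed by eye that only whitespace changed. Please state in the description that the schema content is unchanged and confirm it with a whitespace-insensitive comparison such as `git diff -w`, since this XSD is what readers copy to validate AppLocker policy XML.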
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index c0085b11e0..000851dfa0 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -1,7 +1,7 @@
---
title: AssignedAccess CSP
description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
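Review bot: the `description:` line kept as context here reads "is used set the device to run in kiosk mode", which is missing a word; suggest "is used to set the device to run in kiosk mode". The front matter is already being edited in this hunk, so the fix can ride along.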
@@ -45,7 +45,7 @@ The following example shows the AssignedAccess configuration service provider in
./Vendor/MSFT
AssignedAccess
----KioskModeApp
-----Configuration (Added in Windows 10, version 1709)
+----Configuration (Added in Windows 10, version 1709)
----Status (Added in Windows 10, version 1803)
----ShellLauncher (Added in Windows 10, version 1803)
----StatusConfiguration (Added in Windows 10, version 1803)
@@ -358,7 +358,7 @@ The schema below is for AssignedAccess Configuration up to Windows 10 20H2 relea
-
+
@@ -533,7 +533,7 @@ Schema for Windows 10 prerelease
-
+
@@ -1090,7 +1090,7 @@ Status Get
## ShellLauncherConfiguration XSD
-Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD.
+Shell Launcher V2 uses a separate XSD and namespace for backward compatibility. The original V1 XSD has a reference to the V2 XSD.
```xml
@@ -1420,12 +1420,12 @@ ShellLauncher V2 Add
-
-
-
-
-
-
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
index 36b3670dac..9bfd832c7c 100644
--- a/windows/client-management/mdm/assignedaccess-ddf.md
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -1,7 +1,7 @@
---
title: AssignedAccess DDF
description: Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
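Review bot: the `description:` context line, "Learn how the OMA DM device description framework (DDF) for the AssignedAccess configuration service provider.", is not a complete sentence. The sibling applocker-ddf-file.md in this same patch uses "Learn about the OMA DM device description framework (DDF) for the ..."; matching that wording would fix it.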
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 1334adc13d..6224931d73 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 02/04/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.collection: highpri
---
@@ -19,7 +19,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to
> [!NOTE]
> Settings are enforced only at the time encryption is started. Encryption isn't restarted with settings changes.
->
+>
> You must send all the settings together in a single SyncML to be effective.
A `Get` operation on any of the settings, except for `RequireDeviceEncryption` and `RequireStorageCardEncryption`, returns the setting configured by the admin.
@@ -63,11 +63,11 @@ BitLocker
> [!TIP]
> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
-**./Device/Vendor/MSFT/BitLocker**
+**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
-**RequireDeviceEncryption**
+**RequireDeviceEncryption**
Allows the administrator to require encryption that needs to be turned on by using BitLocker\Device Encryption.
@@ -100,7 +100,7 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
The following list shows the supported values:
- 0 (default): Disable. If the policy setting isn't set or is set to 0, the device's enforcement status isn't checked. The policy doesn't enforce encryption and it doesn't decrypt encrypted volumes.
-- 1: Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
+- 1: Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).
If you want to disable this policy, use the following SyncML:
@@ -120,7 +120,7 @@ If you want to disable this policy, use the following SyncML:
-
+
```
> [!NOTE]
@@ -178,9 +178,9 @@ If you disable or don't configure this policy setting, BitLocker will use the de
- 7 = XTS-AES 256
> [!NOTE]
-> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
+> When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.
- If you want to disable this policy, use the following SyncML:
+ If you want to disable this policy, use the following SyncML:
```xml
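Review bot: the rewritten NOTE line still contains the typo "encrytion method"; since the line is being replaced anyway, correct it to "encryption method". The following changed line, ` If you want to disable this policy, use the following SyncML:`, also keeps a leading space that the same sentence does not have elsewhere in this file.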
@@ -202,7 +202,7 @@ Data type is string.
Supported operations are Add, Get, Replace, and Delete.
-**IdentificationField**
+**IdentificationField**
Allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker.
@@ -260,7 +260,7 @@ If you disable or don't configure this setting, the identification field isn't r
-**SystemDrivesEnablePreBootPinExceptionOnDECapableDevice**
+**SystemDrivesEnablePreBootPinExceptionOnDECapableDevice**
Allows users on devices that are compliant with InstantGo or the Microsoft Hardware Security Test Interface (HSTI) to not have a PIN for preboot authentication.
@@ -300,7 +300,7 @@ If this policy is disabled, the options of "Require additional authentication at
-**SystemDrivesEnhancedPIN**
+**SystemDrivesEnhancedPIN**
Allows users to configure whether or not enhanced startup PINs are used with BitLocker.
@@ -343,7 +343,7 @@ If you disable or don't configure this policy setting, enhanced PINs won't be us
-**SystemDrivesDisallowStandardUsersCanChangePIN**
+**SystemDrivesDisallowStandardUsersCanChangePIN**
Allows you to configure whether standard users are allowed to change BitLocker PIN or password that is used to protect the operating system drive.
@@ -386,7 +386,7 @@ Sample value for this node to disable this policy is:
-**SystemDrivesEnablePrebootInputProtectorsOnSlates**
+**SystemDrivesEnablePrebootInputProtectorsOnSlates**
Allows users to enable authentication options that require user input from the preboot environment, even if the platform indicates a lack of preboot input capability.
@@ -436,7 +436,7 @@ When the Windows Recovery Environment isn't enabled and this policy isn't enable
-**SystemDrivesEncryptionType**
+**SystemDrivesEncryptionType**
Allows you to configure the encryption type that is used by BitLocker.
@@ -477,14 +477,14 @@ Sample value for this node to enable this policy is:
If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.
>[!Note]
->This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method.
+>This policy is ignored when shrinking or expanding a volume, and the BitLocker driver uses the current encryption method.
>For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that uses Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-**SystemDrivesRequireStartupAuthentication**
+**SystemDrivesRequireStartupAuthentication**
This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup".
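Review bot: the alert in this hunk is written `>[!Note]` with no space after `>`, while the other alerts in this file use `> [!NOTE]`; please normalize it in this pass. Also, the changed line `>This policy is ignored when shrinking or expanding a volume, ...` is immediately followed by `>For example, ...`, so if the stripped trailing whitespace was a two-space hard break the two sentences will now render as one paragraph. An empty `>` line between them keeps them separate.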
@@ -529,7 +529,7 @@ If you disable or don't configure this setting, users can configure only basic o
> [!NOTE]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
-> [!NOTE]
+> [!NOTE]
> Devices that pass Hardware Security Testability Specification (HSTI) validation or Modern Standby devices won't be able to configure a Startup PIN using this CSP. Users are required to manually configure the PIN.
Sample value for this node to enable this policy is:
@@ -576,13 +576,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa
```
-Data type is string.
+Data type is string.
Supported operations are Add, Get, Replace, and Delete.
-**SystemDrivesMinimumPINLength**
+**SystemDrivesMinimumPINLength**
This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup".
@@ -611,7 +611,7 @@ ADMX Info:
This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of six digits and can have a maximum length of 20 digits.
> [!NOTE]
-> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
+> In Windows 10, version 1703 release B, you can use a minimum PIN length of 4 digits.
>
>In TPM 2.0 if minimum PIN length is set below 6 digits, Windows will attempt to update the TPM lockout period to be greater than the default when a PIN is changed. If successful, Windows will only reset the TPM lockout period back to default if the TPM is reset. This doesn't apply to TPM 1.2.
@@ -642,13 +642,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa
```
-Data type is string.
+Data type is string.
Supported operations are Add, Get, Replace, and Delete.
-**SystemDrivesRecoveryMessage**
+**SystemDrivesRecoveryMessage**
This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL"
(PrebootRecoveryInfo_Name).
@@ -721,12 +721,12 @@ Disabling the policy will let the system choose the default behaviors. If you w
> [!NOTE]
> Not all characters and languages are supported in pre-boot. It's strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
-Data type is string.
+Data type is string.
Supported operations are Add, Get, Replace, and Delete.
-**SystemDrivesRecoveryOptions**
+**SystemDrivesRecoveryOptions**
This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
@@ -777,18 +777,18 @@ Sample value for this node to enable this policy is:
```
-The possible values for 'xx' are:
+The possible values for 'xx' are:
- true = Explicitly allow
- false = Policy not set
-The possible values for 'yy' are:
+The possible values for 'yy' are:
- 2 = Allowed
- 1 = Required
- 0 = Disallowed
-The possible values for 'zz' are:
+The possible values for 'zz' are:
- 2 = Store recovery passwords only.
- 1 = Store recovery passwords and key packages.
@@ -810,12 +810,12 @@ Disabling the policy will let the system choose the default behaviors. If you wa
```
-Data type is string.
+Data type is string.
Supported operations are Add, Get, Replace, and Delete.
-**FixedDrivesRecoveryOptions**
+**FixedDrivesRecoveryOptions**
This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
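Review bot: the last context line of this hunk ends with empty parentheses, `"Choose how BitLocker-protected fixed drives can be recovered" ().`, where the sibling nodes give the policy name in that position (for example `(OSRecoveryUsage_Name)` and `(FDVDenyWriteAccess_Name)`). Fill in the policy name for FixedDrivesRecoveryOptions or drop the parentheses.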
@@ -902,12 +902,12 @@ Disabling the policy will let the system choose the default behaviors. If you wa
```
-Data type is string.
+Data type is string.
Supported operations are Add, Get, Replace, and Delete.
-**FixedDrivesRequireEncryption**
+**FixedDrivesRequireEncryption**
This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
@@ -960,12 +960,12 @@ If you disable or don't configure this setting, all fixed data drives on the com
```
-Data type is string.
+Data type is string.
Supported operations are Add, Get, Replace, and Delete.
-**FixedDrivesEncryptionType**
+**FixedDrivesEncryptionType**
Allows you to configure the encryption type on fixed data drives that is used by BitLocker.
@@ -1006,14 +1006,14 @@ Sample value for this node to enable this policy is:
If this policy is disabled, the BitLocker Setup Wizard asks the user to select the encryption type before turning on BitLocker.
>[!Note]
->This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method.
+>This policy is ignored when you're shrinking or expanding a volume and the BitLocker driver uses the current encryption method.
>For example, when a drive that's using Used Space Only encryption is expanded, the new free space isn't wiped as it would be for a drive that's using Full encryption. The user could wipe the free space on a Used Space Only drive by using the following command: `manage-bde -w`. If the volume is shrunk, no action is taken for the new free space.
For more information about the tool to manage BitLocker, see [Manage-bde](/windows-server/administration/windows-commands/manage-bde).
-**RemovableDrivesRequireEncryption**
+**RemovableDrivesRequireEncryption**
This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
@@ -1080,7 +1080,7 @@ Disabling the policy will let the system choose the default behaviors. If you wa
```
-**RemovableDrivesEncryptionType**
+**RemovableDrivesEncryptionType**
Allows you to configure the encryption type that is used by BitLocker.
@@ -1122,7 +1122,7 @@ If this policy is disabled or not configured, the BitLocker Setup Wizard asks th
-**RemovableDrivesConfigureBDE**
+**RemovableDrivesConfigureBDE**
Allows you to control the use of BitLocker on removable data drives.
@@ -1174,7 +1174,7 @@ If you don't configure this policy setting, users can use BitLocker on removable
-**AllowWarningForOtherDiskEncryption**
+**AllowWarningForOtherDiskEncryption**
Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is set to 1.
@@ -1276,10 +1276,10 @@ If you want to disable this policy, use the following SyncML:
-**ConfigureRecoveryPasswordRotation**
+**ConfigureRecoveryPasswordRotation**
-This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys.
+This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys.
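Review bot: the rewritten ConfigureRecoveryPasswordRotation paragraph switches between "recovery password" and "recovery key" ("generate a new recovery password", then "upload the new recovery key", then "the recovery key that was used locally will be removed"). These are different BitLocker protector types, so an admin reading this cannot tell which one is rotated and backed up. Use "recovery password" throughout if that is what is meant. The closing sentence "This setting refreshes only the used key and retains other unused keys" also repeats the second sentence and can be removed.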
@@ -1296,7 +1296,7 @@ This setting initiates a client-driven recovery password refresh after an OS dri
-Value type is int.
+Value type is int.
Supported operations are Add, Delete, Get, and Replace.
@@ -1305,7 +1305,7 @@ Supported operations are Add, Delete, Get, and Replace.
Supported values are:
- 0 – Refresh off (default).
-- 1 – Refresh on for Azure AD-joined devices.
+- 1 – Refresh on for Azure AD-joined devices.
- 2 – Refresh on for both Azure AD-joined and hybrid-joined devices.
@@ -1313,20 +1313,20 @@ Supported values are:
-**RotateRecoveryPasswords**
+**RotateRecoveryPasswords**
This setting refreshes all recovery passwords for OS and fixed drives (removable drives aren't included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. If errors occur, an error code will be returned so that server can take appropriate action to remediate.
-The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure.
+The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure.
-Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client won't retry, but if needed, the server can reissue the execute request.
+Policy type is Execute. When “Execute Policy” is pushed, the client sets the status as Pending and initiates an asynchronous rotation operation. After refresh is complete, pass or fail status is updated. The client won't retry, but if needed, the server can reissue the execute request.
-Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh.
+Server can call Get on the RotateRecoveryPasswordsRotationStatus node to query the status of the refresh.
-Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can't refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account.
+Recovery password refresh will only occur for devices that are joined to Azure AD or joined to both Azure AD and on-premises (hybrid Azure AD-joined) that run a Windows 10 edition with the BitLocker CSP (Pro/Enterprise). Devices can't refresh recovery passwords if they're only registered in Azure AD (also known as workplace-joined) or signed in with a Microsoft account.
Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
- RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
@@ -1351,7 +1351,7 @@ Supported operation is Execute. Request ID is expected as a parameter.
> [!NOTE]
> Key rotation is supported only on these enrollment types. For more information, see [deviceEnrollmentType enum](/graph/api/resources/intune-devices-deviceenrollmenttype).
> - windowsAzureADJoin.
-> - windowsBulkAzureDomainJoin.
+> - windowsBulkAzureDomainJoin.
> - windowsAzureADJoinUsingDeviceAuth.
> - windowsCoManagement.
@@ -1365,7 +1365,7 @@ Supported operation is Execute. Request ID is expected as a parameter.
> - FDVRequireActiveDirectoryBackup_Name is set to 1 = ("Required").
> - FDVActiveDirectoryBackup_Name is set to true.
-**Status**
+**Status**
Interior node.
Supported operation is Get.
@@ -1373,9 +1373,9 @@ Supported operation is Get.
-**Status/DeviceEncryptionStatus**
+**Status/DeviceEncryptionStatus**
-This node reports compliance state of device encryption on the system.
+This node reports compliance state of device encryption on the system.
@@ -1391,11 +1391,11 @@ This node reports compliance state of device encryption on the system.
-Value type is int.
+Value type is int.
Supported operation is Get.
-Supported values:
+Supported values:
- 0 - Indicates that the device is compliant.
- Any non-zero value - Indicates that the device isn't compliant. This value represents a bitmask with each bit and the corresponding error code described in the following table:
@@ -1426,13 +1426,13 @@ Supported values:
-**Status/RotateRecoveryPasswordsStatus**
+**Status/RotateRecoveryPasswordsStatus**
-This node reports the status of RotateRecoveryPasswords request.
+This node reports the status of RotateRecoveryPasswords request.
-Status code can be one of the following values:
+Status code can be one of the following values:
- 2 – Not started
- 1 - Pending
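Review bot: The status list in the context lines mixes separators: `2 – Not started` uses an en dash while `1 - Pending` uses a hyphen. Since this change is a formatting cleanup of the same section, normalize the list to one separator, matching the `0 - Indicates that the device is compliant.` style used for DeviceEncryptionStatus above.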
@@ -1451,7 +1451,7 @@ Status code can be one of the following values:
-Value type is int.
+Value type is int.
Supported operation is Get.
@@ -1459,10 +1459,10 @@ Supported operation is Get.
-**Status/RotateRecoveryPasswordsRequestID**
+**Status/RotateRecoveryPasswordsRequestID**
-This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
+This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
@@ -1478,7 +1478,7 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta
-Value type is string.
+Value type is string.
Supported operation is Get.
@@ -1517,7 +1517,7 @@ The following example is provided to show proper format and shouldn't be taken a
-
+
$CmdID$
-
diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md
index 663e7d623f..7212a3e3a5 100644
--- a/windows/client-management/mdm/bitlocker-ddf-file.md
+++ b/windows/client-management/mdm/bitlocker-ddf-file.md
@@ -8,17 +8,17 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/30/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# BitLocker DDF file
-This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider.
+This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the current version for this CSP.
+The XML below is the current version for this CSP.
```xml
@@ -642,11 +642,11 @@ The XML below is the current version for this CSP.
require reinstallation of Windows.
Note: This policy takes effect only if "RequireDeviceEncryption" policy is set to 1.
The format is integer.
- The expected values for this policy are:
+ The expected values for this policy are:
1 = This is the default, when the policy is not set. Warning prompt and encryption notification is allowed.
- 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
- the value 0 only takes affect on Azure Active Directory-joined devices.
+ 0 = Disables the warning prompt and encryption notification. Starting in Windows 10, next major update,
+ the value 0 only takes affect on Azure Active Directory-joined devices.
Windows will attempt to silently enable BitLocker for value 0.
If you want to disable this policy use the following SyncML:
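Review bot: The re-added line `the value 0 only takes affect on Azure Active Directory-joined devices.` still reads "takes affect"; the line is being rewritten for whitespace anyway, so correct it to "takes effect" in the same change. The line above it also says "Starting in Windows 10, next major update" without naming a release, which should be replaced with the actual version if it is known.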
@@ -695,7 +695,7 @@ The XML below is the current version for this CSP.
If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user
is the current logged on user in the system.
- The expected values for this policy are:
+ The expected values for this policy are:
1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy
@@ -745,17 +745,17 @@ The XML below is the current version for this CSP.
Allows Admin to configure Numeric Recovery Password Rotation upon use for OS and fixed drives on Azure Active Directory and Hybrid domain joined devices.
- When not configured, Rotation is turned on by default for Azure AD only and off on Hybrid. The Policy will be effective only when
+ When not configured, Rotation is turned on by default for Azure AD only and off on Hybrid. The Policy will be effective only when
Active Directory back up for recovery password is configured to required.
For OS drive: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for operating system drives"
For Fixed drives: Turn on "Do not enable Bitlocker until recovery information is stored to AD DS for fixed data drives"
-
+
Supported Values: 0 - Numeric Recovery Passwords rotation OFF.
1 - Numeric Recovery Passwords Rotation upon use ON for Azure Active Directory-joined devices. Default value
2 - Numeric Recovery Passwords Rotation upon use ON for both Azure AD and Hybrid devices
-
+
If you want to disable this policy use the following SyncML:
-
+
112
-
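Review bot: The unchanged context lines in this description spell the product "Bitlocker" (`Turn on "Do not enable Bitlocker until recovery information is stored to AD DS ..."`) and write "back up" as a noun, while the RotateRecoveryPasswords description in the next hunk uses "BitLocker" and "backup" for the same prerequisite. Align the two descriptions so the policy names an admin searches for match in both places.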
@@ -797,20 +797,20 @@ The XML below is the current version for this CSP.
Allows admin to push one-time rotation of all numeric recovery passwords for OS and Fixed Data drives on an Azure Active Directory or hybrid-joined device.
This policy is Execute type and rotates all numeric passwords when issued from MDM tools.
-
+
The policy only comes into effect when Active Directory backup for a recovery password is configured to "required."
* For OS drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for operating system drives."
*For fixed drives, enable "Do not enable BitLocker until recovery information is stored to Active Directory Domain Services for fixed data drives."
-
- Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes:
-
-* status\RotateRecoveryPasswordsStatus
- * status\RotateRecoveryPasswordsRequestID
-
-
+ Client returns status DM_S_ACCEPTED_FOR_PROCESSING to indicate the rotation has started. Server can query status with the following status nodes:
+
+* status\RotateRecoveryPasswordsStatus
+ * status\RotateRecoveryPasswordsRequestID
+
+
+
Supported Values: String form of request ID. Example format of request ID is GUID. Server can choose the format as needed according to the management tools.\
-
+
113
-
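Review bot: The two status bullets are re-added with mismatched indentation (`* status\RotateRecoveryPasswordsStatus` at column 0, ` * status\RotateRecoveryPasswordsRequestID` indented by one space), so the cleanup leaves the list as ragged as before; indent both the same. In the same description, `*For fixed drives` is missing the space after the asterisk that the OS-drive bullet has, the "Supported Values" line ends in a stray backslash, and the node paths use `status\...` where the CSP article in this patch documents them as `Status/RotateRecoveryPasswordsStatus` and `Status/RotateRecoveryPasswordsRequestID`.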
@@ -888,10 +888,10 @@ Supported Values: String form of request ID. Example format of request ID is GUI
- This Node reports the status of RotateRecoveryPasswords request.
+ This Node reports the status of RotateRecoveryPasswords request.
Status code can be one of the following:
- NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure
-
+ NotStarted(2), Pending (1), Pass (0), Other error codes in case of failure
+
@@ -914,10 +914,10 @@ Supported Values: String form of request ID. Example format of request ID is GUI
- This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
+ This Node reports the RequestID corresponding to RotateRecoveryPasswordsStatus.
This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus
- To ensure the status is correctly matched to the request ID.
-
+ To ensure the status is correctly matched to the request ID.
+
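Review bot: The re-added line `To ensure the status is correctly matched to the request ID.` starts with a capital "To" although it continues the sentence from the previous line ("This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus"). Lowercase it so the description reads as one sentence, as the CSP article does for the same node.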
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index 6c97d9489d..56b039b9fb 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -1,7 +1,7 @@
---
title: CellularSettings CSP
description: Learn how the CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -37,7 +37,7 @@ CellularSettings
----DataRoam
```
-**DataRoam**
+**DataRoam**
Optional. Integer. Specifies the default roaming value. Valid values are:
|Value|Setting|
diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md
index 585bfdba94..9a86136eef 100644
--- a/windows/client-management/mdm/certificatestore-csp.md
+++ b/windows/client-management/mdm/certificatestore-csp.md
@@ -1,7 +1,7 @@
---
title: CertificateStore CSP
description: Use the CertificateStore configuration service provider (CSP) to add secure socket layers (SSL), intermediate, and self-signed certificates.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -114,7 +114,7 @@ CertificateStore
----------------TemplateName
```
-**Root/System**
+**Root/System**
Defines the certificate store that contains root, or self-signed, certificates.
Supported operation is Get.
@@ -122,7 +122,7 @@ Supported operation is Get.
> [!NOTE]
> Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates.
-**CA/System**
+**CA/System**
Defines the certificate store that contains cryptographic information, including intermediary certification authorities.
Supported operation is Get.
@@ -130,7 +130,7 @@ Supported operation is Get.
> [!NOTE]
> CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates.
-**My/User**
+**My/User**
Defines the certificate store that contains public keys for client certificates. This certificate store is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications.
Supported operation is Get.
@@ -138,7 +138,7 @@ Supported operation is Get.
> [!NOTE]
> My/User is case sensitive.
-**My/System**
+**My/System**
Defines the certificate store that contains public key for client certificate. This certificate store is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading.
Supported operation is Get.
@@ -146,42 +146,42 @@ Supported operation is Get.
> [!NOTE]
> My/System is case sensitive.
-***CertHash***
+***CertHash***
Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
Supported operations are Get, Delete, and Replace.
-***CertHash*/EncodedCertificate**
+***CertHash*/EncodedCertificate**
Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value can't include extra formatting characters such as embedded linefeeds, etc.
Supported operations are Get, Add, Delete, and Replace.
-***CertHash*/IssuedBy**
+***CertHash*/IssuedBy**
Required. Returns the name of the certificate issuer. This name is equivalent to the *Issuer* member in the CERT\_INFO data structure.
Supported operation is Get.
-***CertHash*/IssuedTo**
+***CertHash*/IssuedTo**
Required. Returns the name of the certificate subject. This name is equivalent to the *Subject* member in the CERT\_INFO data structure.
Supported operation is Get.
-***CertHash*/ValidFrom**
+***CertHash*/ValidFrom**
Required. Returns the starting date of the certificate's validity. This date is equivalent to the *NotBefore* member in the CERT\_INFO structure.
Supported operation is Get.
-***CertHash*/ValidTo**
+***CertHash*/ValidTo**
Required. Returns the expiration date of the certificate. This expiration date is equivalent to the *NotAfter* member in the CERT\_INFO structure.
Supported operation is Get.
-***CertHash*/TemplateName**
+***CertHash*/TemplateName**
Required. Returns the certificate template name.
Supported operation is Get.
-**My/SCEP**
+**My/SCEP**
Required for Simple Certificate Enrollment Protocol (SCEP) certificate enrollment. The parent node grouping the SCEP certificate related settings.
Supported operation is Get.
@@ -189,12 +189,12 @@ Supported operation is Get.
> [!NOTE]
> Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP.
-**My/SCEP/***UniqueID*
+**My/SCEP/***UniqueID*
Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node.
Supported operations are Get, Add, Replace, and Delete.
-**My/SCEP/*UniqueID*/Install**
+**My/SCEP/*UniqueID*/Install**
Required for SCEP certificate enrollment. Parent node to group SCEP certificate installs related request. Format is node.
Supported operations are Add, Replace, and Delete.
@@ -202,30 +202,30 @@ Supported operations are Add, Replace, and Delete.
> [!NOTE]
> Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values.
-**My/SCEP/*UniqueID*/Install/ServerURL**
+**My/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/Challenge**
+**My/SCEP/*UniqueID*/Install/Challenge**
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Value type is chr.
Supported operations are Get, Add, Replace, and Delete.
Challenge will be deleted shortly after the Exec command is accepted.
-**My/SCEP/*UniqueID*/Install/EKUMapping**
+**My/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs is separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/KeyUsage**
+**My/SCEP/*UniqueID*/Install/KeyUsage**
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value doesn't have those bits set, configuration will fail. Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/SubjectName**
-Required. Specifies the subject name.
+**My/SCEP/*UniqueID*/Install/SubjectName**
+Required. Specifies the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”).
@@ -235,7 +235,7 @@ Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/KeyProtection**
+**My/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies the location of the private key. Although the private key is protected by TPM, it isn't protected with TPM PIN. SCEP enrolled certificate doesn't support TPM PIN protection.
Supported values are one of the following values:
@@ -250,17 +250,17 @@ Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/RetryDelay**
+**My/SCEP/*UniqueID*/Install/RetryDelay**
Optional. Specifies the device retry waiting time in minutes when the SCEP server sends the pending status. Default value is 5 and the minimum value is 1. Value type is an integer.
Supported operations are Get, Add, and Delete.
-**My/SCEP/*UniqueID*/Install/RetryCount**
+**My/SCEP/*UniqueID*/Install/RetryCount**
Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value can't be larger than 30. If it's larger than 30, the device will use 30. The min value is 0, which means no retry.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/TemplateName**
+**My/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name.
> [!Note]
@@ -268,29 +268,29 @@ Optional. OID of certificate template name.
Supported operations are Get, Add, and Delete.
-**My/SCEP/*UniqueID*/Install/KeyLength**
+**My/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specifies private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/HashAlgorithm**
+**My/SCEP/*UniqueID*/Install/HashAlgorithm**
Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +.
Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/CAThumbprint**
+**My/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies the root CA thumbprint. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it doesn't match, the authentication fails. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
+**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *\*+*\*;*\*+*\*. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
-**My/SCEP/*UniqueID*/Install/ValidPeriod**
+**My/SCEP/*UniqueID*/Install/ValidPeriod**
Optional. Specifies the units for the valid period. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
@@ -304,7 +304,7 @@ Valid values are one of the following values:
> [!NOTE]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
-**My/SCEP/*UniqueID*/Install/ValidPeriodUnits**
+**My/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
@@ -312,17 +312,17 @@ Supported operations are Get, Add, Delete, and Replace.
> [!NOTE]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
-**My/SCEP/*UniqueID*/Install/Enroll**
+**My/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node doesn't contain a value.
Supported operation is Exec.
-**My/WSTEP/CertThumbprint**
+**My/WSTEP/CertThumbprint**
Optional. Returns the current MDM client certificate thumbprint. If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. Value type is chr.
Supported operation is Get.
-**My/SCEP/*UniqueID*/Status**
+**My/SCEP/*UniqueID*/Status**
Required. Specifies the latest status for the certificate due to enrollment request. Value type is chr.
Supported operation is Get.
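Review bot: `**My/WSTEP/CertThumbprint**` sits between `My/SCEP/*UniqueID*/Install/Enroll` and `My/SCEP/*UniqueID*/Status`, ahead of the `**My/WSTEP**` parent node that is only introduced in the next hunk. Move it under the My/WSTEP entries so the SCEP nodes stay contiguous and the WSTEP parent is described before its child.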
@@ -337,32 +337,32 @@ Valid values are one of the following values:
- 32 – Unknown.
-**My/SCEP/*UniqueID*/ErrorCode**
+**My/SCEP/*UniqueID*/ErrorCode**
Optional. The integer value that indicates the HRESULT of the last enrollment error code.
Supported operation is Get.
-**My/SCEP/*UniqueID*/CertThumbprint**
+**My/SCEP/*UniqueID*/CertThumbprint**
Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr.
Supported operation is Get.
-**My/SCEP/*UniqueID*/RespondentServerUrl**
+**My/SCEP/*UniqueID*/RespondentServerUrl**
Required. Returns the URL of the SCEP server that responded to the enrollment request. Value type is string.
Supported operation is Get.
-**My/WSTEP**
+**My/WSTEP**
Required for MDM enrolled device. Specifies the parent node that hosts the MDM enrollment client certificate related settings that are enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Supported operation is Get.
-**My/WSTEP/Renew**
+**My/WSTEP/Renew**
Optional. The parent node to group renewal related settings.
Supported operation is Get.
-**My/WSTEP/Renew/ServerURL**
+**My/WSTEP/Renew/ServerURL**
Optional. Specifies the URL of certificate renewal server. If this node doesn't exist, the client uses the initial certificate enrollment URL.
> [!NOTE]
@@ -370,7 +370,7 @@ Optional. Specifies the URL of certificate renewal server. If this node doesn't
Supported operations are Add, Get, Delete, and Replace.
-**My/WSTEP/Renew/RenewalPeriod**
+**My/WSTEP/Renew/RenewalPeriod**
Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server can't set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It's recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
The default value is 42 and the valid values are 1 – 1000. Value type is an integer.
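Review bot: The RenewalPeriod description in the context line says "The MDM server can't set and update the renewal period", yet the same paragraph recommends what the renew period should be set to, gives a default and valid range, and the note in the following hunk describes setting RenewalPeriod over SyncML DM commands. Please confirm whether "can't" is intended here; if the server can set the value, the sentence should say so.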
@@ -380,7 +380,7 @@ Supported operations are Add, Get, Delete, and Replace.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
-**My/WSTEP/Renew/RetryInterval**
+**My/WSTEP/Renew/RetryInterval**
Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date.
For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries.
@@ -394,7 +394,7 @@ Supported operations are Add, Get, Delete, and Replace.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
-**My/WSTEP/Renew/ROBOSupport**
+**My/WSTEP/Renew/ROBOSupport**
Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool.
ROBO is the only supported renewal method for Windows 10. This value is ignored and always considered to be true.
@@ -404,7 +404,7 @@ Supported operations are Add, Get, Delete, and Replace.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
-**My/WSTEP/Renew/Status**
+**My/WSTEP/Renew/Status**
Required. Shows the latest action status for this certificate. Value type is an integer.
Supported operation is Get.
@@ -416,22 +416,22 @@ Supported values are one of the following values:
- 2 – Renewal succeeded.
- 3 – Renewal failed.
-**My/WSTEP/Renew/ErrorCode**
+**My/WSTEP/Renew/ErrorCode**
Optional. If certificate renewal fails, this integer value indicates the HRESULT of the last error code during the renewal process. Value type is an integer.
Supported operation is Get.
-**My/WSTEP/Renew/LastRenewalAttemptTime**
+**My/WSTEP/Renew/LastRenewalAttemptTime**
Added in Windows 10, version 1607. Specifies the time of the last attempted renewal.
Supported operation is Get.
-**My/WSTEP/Renew/RenewNow**
+**My/WSTEP/Renew/RenewNow**
Added in Windows 10, version 1607. Initiates a renewal now.
Supported operation is Execute.
-**My/WSTEP/Renew/RetryAfterExpiryInterval**
+**My/WSTEP/Renew/RetryAfterExpiryInterval**
Added in Windows 10, version 1703. Specifies how long after the enrollment certificate has expired before trying to renew.
Supported operations are Add, Get, and Replace.
@@ -708,5 +708,5 @@ Configure the device to automatically renew an MDM client certificate with the s
[Configuration service provider reference](configuration-service-provider-reference.md)
-
+
diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md
index a99edbb1e3..822a3cebd6 100644
--- a/windows/client-management/mdm/certificatestore-ddf-file.md
+++ b/windows/client-management/mdm/certificatestore-ddf-file.md
@@ -1,7 +1,7 @@
---
title: CertificateStore DDF file
description: Learn about OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -1115,7 +1115,7 @@ The XML below is the current version for this CSP.
-
+
RenewPeriod
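Review bot: The context line in this DDF hunk reads `RenewPeriod`, while the CSP article in this same patch documents the node as `My/WSTEP/Renew/RenewalPeriod`. Please confirm which name is correct and make the DDF and the article agree, since a SyncML path built from the wrong one will not resolve.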
@@ -1318,7 +1318,7 @@ The XML below is the current version for this CSP.
-
+
diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md
index 74cd9636c7..8c67ec3d78 100644
--- a/windows/client-management/mdm/cleanpc-csp.md
+++ b/windows/client-management/mdm/cleanpc-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -35,16 +35,16 @@ CleanPC
----CleanPCRetainingUserData
```
-**./Device/Vendor/MSFT/CleanPC**
+**./Device/Vendor/MSFT/CleanPC**
The root node for the CleanPC configuration service provider.
-**CleanPCWithoutRetainingUserData**
+**CleanPCWithoutRetainingUserData**
An integer specifying a CleanPC operation without any retention of user data.
The only supported operation is Execute.
-**CleanPCRetainingUserData**
-
An integer specifying a CleanPC operation with retention of user data.
+**CleanPCRetainingUserData**
+
An integer specifying a CleanPC operation with retention of user data.
The only supported operation is Execute.
diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md
index 9677737584..800c2ce4d1 100644
--- a/windows/client-management/mdm/cleanpc-ddf.md
+++ b/windows/client-management/mdm/cleanpc-ddf.md
@@ -1,7 +1,7 @@
---
title: CleanPC DDF
description: Learn about the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -50,7 +50,7 @@ The XML below is the current version for this CSP.
CleanPCWithoutRetainingUserData
-
+
CleanPC operation without any retention of User data.
@@ -62,7 +62,7 @@ The XML below is the current version for this CSP.
-
+
text/plain
diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index faff015660..ac21c5e870 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -1,7 +1,7 @@
---
title: ClientCertificateInstall CSP
description: The ClientCertificateInstall configuration service provider (CSP) enables the enterprise to install client certificates.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -77,18 +77,18 @@ ClientCertificateInstall
------------RespondentServerUrl
```
-**Device or User**
+**Device or User**
For device certificates, use ./Device/Vendor/MSFT path and for user certificates use ./User/Vendor/MSFT path.
-**ClientCertificateInstall**
+**ClientCertificateInstall**
The root node for the ClientCertificateInstaller configuration service provider.
-**ClientCertificateInstall/PFXCertInstall**
+**ClientCertificateInstall/PFXCertInstall**
Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.
Supported operation is Get.
-**ClientCertificateInstall/PFXCertInstall/***UniqueID*
+**ClientCertificateInstall/PFXCertInstall/***UniqueID*
Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
The data type format is node.
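Review bot: The root-node description in the context lines calls this the "ClientCertificateInstaller configuration service provider", but the heading directly above it and the article title both use `ClientCertificateInstall`. Fix the name while this block is being touched.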
@@ -97,12 +97,12 @@ Supported operations are Get, Add, and Replace.
Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
Supported operations are Get, Add, and Replace.
-The data type is an integer corresponding to one of the following values:
+The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------------------|
@@ -111,14 +111,14 @@ The data type is an integer corresponding to one of the following values:
| 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified. |
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node isn't specified when Windows Hello for Business KSP is chosen, enrollment will fail.
Date type is string.
Supported operations are Get, Add, Delete, and Replace.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This Add operation requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before the Add operation is called. This trigger for addition also sets the Status node to the current Status of the operation.
The data type format is binary.
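Review bot: Under **ContainerName** the context line reads "Date type is string." and should read "Data type is string." The type statements in this hunk are also worded three different ways ("The data type is an integer", "Date type is string", "The data type format is binary"). Picking one form would make the node reference easier to scan.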
@@ -131,14 +131,14 @@ If Add is called on this node for a new PFX, the certificate will be added. When
In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT_DATA_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](/previous-versions/windows/desktop/legacy/aa381414(v=vs.85)).
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
Password that protects the PFX blob. This is required if the PFX is password protected.
Data Type is a string.
Supported operations are Get, Add, and Replace.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
Optional. Used to specify whether the PFX certificate password is encrypted with the MDM certificate by the MDM server.
The data type is int. Valid values:
@@ -151,7 +151,7 @@ When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCer
Supported operations are Get, Add, and Replace.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX isn't exportable when it's installed to TPM.
> [!Note]
@@ -161,37 +161,37 @@ The data type bool.
Supported operations are Get, Add, and Replace.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
Returns the thumbprint of the installed PFX certificate.
The datatype is a string.
Supported operation is Get.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
Data type is an integer.
Supported operation is Get.
-**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
+**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.
Data type is string.
Supported operations are Add, Get, and Replace.
-**ClientCertificateInstall/SCEP**
+**ClientCertificateInstall/SCEP**
Node for SCEP.
> [!Note]
> An alert is sent after the SCEP certificate is installed.
-**ClientCertificateInstall/SCEP/***UniqueID*
+**ClientCertificateInstall/SCEP/***UniqueID*
A unique ID to differentiate different certificate installation requests.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install**
A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
Supported operations are Get, Add, Replace, and Delete.
@@ -199,29 +199,29 @@ Supported operations are Get, Add, Replace, and Delete.
> [!Note]
> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and ensure the device isn't at an unknown state before changing child node values.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs is separated by a plus +. For example, OID1+OID2+OID3.
Data type is string.
Supported operations are Get, Add, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
-Required. Specifies the subject name.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
+Required. Specifies the subject name.
The SubjectName value is quoted if it contains leading or trailing white space or one of the following characters: (“,” “=” “+” “;”).
@@ -231,13 +231,13 @@ Data type is string.
Supported operations are Add, Get, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies where to keep the private key.
> [!Note]
> Even if the private key is protected by TPM, it isn't protected with a TPM PIN.
-The data type is an integer corresponding to one of the following values:
+The data type is an integer corresponding to one of the following values:
| Value | Description |
|---|---|
@@ -248,14 +248,14 @@ The data type is an integer corresponding to one of the following values:
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail.
Data type is int.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
Data type format is an integer.
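Review bot: The **KeyUsage** description has "forth (0x80)" where "fourth (0x80)" is meant. This sentence states a condition that makes configuration fail, so it is worth getting exact: consider stating the requirement directly, for example that the decimal value must have 0x20, 0x80, or both set, rather than relying on the ordinal bit positions.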
@@ -266,7 +266,7 @@ The minimum value is 1.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
Data type is integer.
@@ -279,7 +279,7 @@ Minimum value is 0, which indicates no retry.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name.
> [!Note]
@@ -289,7 +289,7 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specify private key length (RSA).
Data type is integer.
@@ -300,7 +300,7 @@ For Windows Hello for Business (formerly known as Microsoft Passport for Work) ,
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with +.
For Windows Hello for Business, only SHA256 is the supported algorithm.
@@ -309,14 +309,14 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies Root CA thumbprint. This thumbprint is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it isn't a match, the authentication will fail.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. For more information, see the name type definitions in MSDN.
Each pair is separated by semicolon. For example, multiple SANs are presented in the format of [name format1]+[actual name1];[name format 2]+[actual name2].
@@ -325,7 +325,7 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
Optional. Specifies the units for the valid certificate period.
Data type is string.
@@ -341,8 +341,8 @@ Valid values are:
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
-Optional. Specifies the desired number of units used in the validity period. This number is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node.
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
+Optional. Specifies the desired number of units used in the validity period. This number is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) is defined in the ValidPeriod node.
> [!Note]
> The valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
@@ -354,35 +354,35 @@ Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node isn't specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The device won't notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
The date type format is Null, meaning this node doesn’t contain a value.
The only supported operation is Execute.
-**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
+**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
Optional. Specify the Azure Active Directory Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the Azure AD Key present on the device. If no match is found, enrollment will fail.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
+**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It's a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
If the certificate on the device becomes invalid (Cert expired, Cert chain isn't valid, private key deleted) then it will return an empty string.
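Review bot: Under **Enroll** the line "The date type format is Null" should read "The data type format is Null". The same node says "The only supported operation is Execute" while the note under **Install** earlier in this file refers to the "Exec command". Use one name for the operation so a reader does not take them for two different commands.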
@@ -391,7 +391,7 @@ Data type is string.
The only supported operation is Get.
-**ClientCertificateInstall/SCEP/*UniqueID*/Status**
+**ClientCertificateInstall/SCEP/*UniqueID*/Status**
Required. Specifies latest status of the certificated during the enrollment request.
Data type is string. Valid values:
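Review bot: The **Status** description has "latest status of the certificated during the enrollment request", which should read "certificate". The line below it declares the data type as string while the valid values in the table that follows are numeric codes (16, 32), so it would help to say explicitly that the code is returned as a string.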
@@ -405,7 +405,7 @@ The only supported operation is Get.
| 16 | Action failed |
| 32 | Unknown |
-**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
+**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
Optional. An integer value that indicates the HRESULT of the last enrollment error code.
The only supported operation is Get.
diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
index 716eff3eef..4c2f31d38d 100644
--- a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
+++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md
@@ -1,7 +1,7 @@
---
title: ClientCertificateInstall DDF file
description: Learn about the OMA DM device description framework (DDF) for the ClientCertificateInstall configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -78,9 +78,9 @@ The XML below is the current version for this CSP.
- Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
-Format is node.
-Supported operations are Get, Add, Delete
+ Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
+Format is node.
+Supported operations are Get, Add, Delete
Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob.
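Review bot: The last line of this description reads "Calling Delete on the this node, should delete the certificates and the keys". Drop the duplicated article and the stray comma: "Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob." The changed lines directly above are whitespace-only, so this can be fixed in the same edit.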
@@ -134,7 +134,7 @@ Calling Delete on the this node, should delete the certificates and the keys tha
- Optional.
+ Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
Format is chr.
Supported operations are Get, Add, Delete and Replace.
@@ -161,7 +161,7 @@ Supported operations are Get, Add, Delete and Replace.
- Required.
+ Required.
CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation.
Format is Binary64.
Supported operations are Get, Add, Replace.
@@ -194,7 +194,7 @@ CRYPT_DATA_BLOB on MSDN can be found at https://msdn.microsoft.com/library/windo
Required if PFX is password protected.
-Password that protects the PFX blob.
+Password that protects the PFX blob.
Format is chr. Supported operations are Add, Get.
@@ -221,7 +221,7 @@ Format is chr. Supported operations are Add, Get.
0
Optional. Used to specify if the PFX certificate password is encrypted with a certificate.
-If the value is
+If the value is
0 - Password is not encrypted
1- Password is encrypted using the MDM certificate by the MDM server
2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node.
@@ -271,7 +271,7 @@ Supported operations are Add, Get.
Thumbprint
-
+
Returns the thumbprint of the PFX certificate installed. Format is string.Supported operations are Get.
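Review bot: The Thumbprint description runs two sentences together with no space: "Format is string.Supported operations are Get." Add the space, and use "Supported operation is Get" since only one operation is listed.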
@@ -321,8 +321,8 @@ Support operations are Get.
- Optional.
-When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
+ Optional.
+When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored.
Datatype is string,
Support operation are Add, Get and Replace.
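Review bot: The line this hunk rewrites still carries the typo "iin" ("When a value of "2" is contained iin PFXCertPasswordEncryptionType"). Because the line is being modified anyway, fix it to "in" here. The two context lines after it also need attention: "Datatype is string," ends in a comma, and "Support operation are" should be "Supported operations are".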
@@ -370,8 +370,8 @@ Support operation are Add, Get and Replace.
- Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
-Format is node.
+ Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests.
+Format is node.
Supported operations are Get, Add, Delete.
Calling Delete on the this node, should delete the corresponding SCEP certificate
@@ -422,8 +422,8 @@ NOTE: Though the children nodes under Install support Replace commands, once the
- Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon.
-Format is string.
+ Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon.
+Format is string.
Supported operations are Get, Add, Delete, Replace.
@@ -474,7 +474,7 @@ Supported operations are Get, Add, Delete, Replace.
Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3.
-Format is chr.
+Format is chr.
Supported operations are Get, Add, Delete, Replace.
@@ -502,7 +502,7 @@ Supported operations are Get, Add, Delete, Replace.
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail.
-Format is int.
+Format is int.
Supported operations are Get, Add, Delete, Replace.
@@ -553,20 +553,20 @@ Supported operations are Get, Add, Delete, Replace.
3
- Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
+ Optional. Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN.
-SCEP enrolled cert doesn’t support TPM PIN protection. Supported values:
+SCEP enrolled cert doesn’t support TPM PIN protection. Supported values:
-1 – private key protected by TPM,
+1 – private key protected by TPM,
-2 – private key protected by phone TPM if the device supports TPM.
+2 – private key protected by phone TPM if the device supports TPM.
-3 (default) – private key saved in software KSP
+3 (default) – private key saved in software KSP
4 – private key protected by NGC. If this option is specified, container name should be specified, if not enrollment will fail.
-Format is int.
+Format is int.
Supported operations are Get, Add, Delete, Replace.
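Review bot: The first changed line says "Note that even it is protected by TPM, it is not guarded with TPM PIN", which is missing "if". This is the security-relevant caveat for the node, and the next line repeats it ("SCEP enrolled cert doesn't support TPM PIN protection"), so consider one clear sentence matching the CSP page: even if the private key is protected by TPM, it isn't protected with a TPM PIN.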
@@ -595,12 +595,12 @@ Supported operations are Get, Add, Delete, Replace.
5
- Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes.
+ Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes.
Default value is: 5
-The min value is 1.
+The min value is 1.
-Format is int.
+Format is int.
Supported operations are Get, Add, Delete noreplace.
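Review bot: The closing line "Supported operations are Get, Add, Delete noreplace." is ambiguous about whether Replace is supported. The CSP page in this same diff lists RetryDelay as "Add, Get, Delete, and Replace". Reconcile the two and write the list out explicitly, since the DDF is what a server implementer will read to decide which commands to send.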
@@ -676,7 +676,7 @@ The min value is 0 which means no retry. Supported operations are Get, Add, Dele
- Required for enrollment. Specify private key length (RSA). Format is int.
+ Required for enrollment. Specify private key length (RSA). Format is int.
Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength.
@@ -704,11 +704,11 @@ Supported operations are Get, Add, Delete, Replace.
- Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +.
+ Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +.
For NGC, only SHA256 is supported as the supported algorithm
-Format is chr.
+Format is chr.
Supported operations are Get, Add, Delete, Replace.
@@ -733,8 +733,8 @@ Supported operations are Get, Add, Delete, Replace.
- Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication.
-Format is chr.
+ Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication.
+Format is chr.
Supported operations are Get, Add, Delete, Replace.
@@ -759,9 +759,9 @@ Supported operations are Get, Add, Delete, Replace.
- Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2].
+ Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2].
-Format is chr.
+Format is chr.
Supported operations are Get, Add, Delete, Replace.
@@ -788,8 +788,8 @@ Supported operations are Get, Add, Delete, Replace.
Days
- Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years.
-Format is chr.
+ Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years.
+Format is chr.
Supported operations are Get, Add, Delete, Replace.
NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate.
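Review bot: The NOTE at the end of this hunk has a truncated node name and a missing word: "(ValidPeriodUnits + ValidPerio) the SCEP server". It should read "(ValidPeriodUnits + ValidPeriod) to the SCEP server". The header of the following hunk shows the same sentence repeated under ValidPeriodUnits, so fix both copies.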
@@ -817,9 +817,9 @@ NOTE: The device only sends the MDM server expected certificate validation perio
0
- Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
+ Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
-Format is int.
+Format is int.
Supported operations are Get, Add, Delete, Replace.
@@ -847,7 +847,7 @@ NOTE: The device only sends the MDM server expected certificate validation perio
- Optional.
+ Optional.
Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail.
Format is chr.
@@ -901,9 +901,9 @@ Supported operations are Get, Add, Delete and Replace.
- Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added.
+ Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added.
-Format is null, e.g. this node doesn’t contain a value.
+Format is null, e.g. this node doesn’t contain a value.
Supported operation is Exec.
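Review bot: The changed line "Format is null, e.g. this node doesn't contain a value." uses "e.g." where "i.e." is meant, since the clause defines what a null format means rather than giving an example. The CSP page words it as "meaning this node doesn't contain a value", which would work here too.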
@@ -974,9 +974,9 @@ Supported operation is Exec.
Required. Specify the latest status for the certificate due to enroll request.
-Format is chr.
+Format is chr.
-Supported operation is Get.
+Supported operation is Get.
Valid values are:
1 – finished successfully
@@ -1003,7 +1003,7 @@ Valid values are:
- Optional. The integer value that indicates the HRESULT of the last enrollment error code.
+ Optional. The integer value that indicates the HRESULT of the last enrollment error code.
Supported operation is Get.
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 910c3b6c31..b92b626c4f 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -1,7 +1,7 @@
---
title: CM\_CellularEntries CSP
description: Learn how to configure the General Packet Radio Service (GPRS) entries using the CM\_CellularEntries CSP.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -58,12 +58,12 @@ CM_CellularEntries
--------PurposeGroups
```
-***entryname***
+***entryname***
Defines the name of the connection.
The [CMPolicy configuration service provider](cmpolicy-csp.md) uses the value of *entryname* to identify the connection that is associated with a policy and [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) uses the value of *entryname* to identify the connection that is associated with a proxy.
-**AlwaysOn**
+**AlwaysOn**
Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available.
A value of "0" specifies that AlwaysOn isn't supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally. For example, an APN that only controls MMS.
@@ -72,12 +72,12 @@ A value of "1" specifies that AlwaysOn is supported, and the Connection Manager
There must be at least one AlwaysOn Internet connection provisioned for the mobile operator.
-**AuthType**
+**AuthType**
Optional. Type: String. Specifies the method of authentication used for a connection.
A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None".
-**ConnectionType**
+**ConnectionType**
Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
|Connection type|Usage|
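Review bot: The **AuthType** description expands CHAP as "Challenge Handshake Application Protocol". The correct expansion is Challenge-Handshake Authentication Protocol. The sentence sits right beside the PAP definition and is the only place the page explains the authentication options, so the name should be exact.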
@@ -89,48 +89,48 @@ Optional. Type: String. Specifies the type of connection used for the APN. The f
|Lte_iwlan|Used for GPRS type connections that may be offloaded over WiFi.|
|Iwlan|Used for connections that are implemented over WiFi offload only.|
-**Desc.langid**
+**Desc.langid**
Optional. Specifies the UI display string used by the defined language ID.
A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
-**Enabled**
+**Enabled**
Specifies if the connection is enabled.
A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled.
-**IpHeaderCompression**
+**IpHeaderCompression**
Optional. Specifies if IP header compression is enabled.
A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled.
-**Password**
+**Password**
Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN.
-**SwCompression**
+**SwCompression**
Optional. Specifies if software compression is enabled.
A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled.
-**UserName**
+**UserName**
Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN.
-**UseRequiresMappingsPolicy**
+**UseRequiresMappingsPolicy**
Optional. Specifies if the connection requires a corresponding mappings policy.
A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present.
For example, if the multimedia messaging service (MMS) APN shouldn't have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose internet traffic.
-**Version**
+**Version**
Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider.
This value must be "1" if included.
-**GPRSInfoAccessPointName**
+**GPRSInfoAccessPointName**
Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT".
-**Roaming**
+**Roaming**
Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available:
- 0 - Home network only.
@@ -140,22 +140,22 @@ Optional. Type: Int. This parameter specifies the roaming conditions under which
- 4 - Non-domestic roaming only.
- 5 - Roaming only.
-**OEMConnectionID**
+**OEMConnectionID**
Optional. Type: GUID. Specifies a GUID that is used to identify a specific connection in the modem. If a value isn't specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
-**ApnId**
+**ApnId**
Optional. Type: Int. Specifies the purpose of the APN. If a value isn't specified, the default value is "0" (none). This parameter is only used on LTE devices.
-**IPType**
+**IPType**
Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value isn't specified, the default value is "IPv4".
> [!WARNING]
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
-**ExemptFromDisablePolicy**
+**ExemptFromDisablePolicy**
Added back in Windows 10, version 1511. Optional. Type: Int. This value should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value isn't specified, the default value is "0" (not exempt).
-To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". These settings indicate that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF.
+To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". These settings indicate that the connection is a dedicated MMS connection and that it shouldn't be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF.
> [!Note]
> Sending MMS while roaming is still not allowed.
@@ -168,13 +168,13 @@ To avoid UX inconsistency with certain value combinations of ExemptFromDisablePo
- Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1)
- Set AllowMMSIfDataIsOff to 1 (default is 0)
-**ExemptFromRoaming**
+**ExemptFromRoaming**
Added back in Windows 10, version 1511. Optional. Type: Int. This value should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value isn't specified, the default value is "0" (not exempt).
-**TetheringNAI**
+**TetheringNAI**
Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value isn't specified, the default value is "0".
-**IdleDisconnectTimeout**
+**IdleDisconnectTimeout**
Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
> [!IMPORTANT]
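Review bot: The two bullets above `**ExemptFromRoaming**` spell the same setting two ways, "AllowMmsIfDataIsOff" in the first and "AllowMMSIfDataIsOff" in the second. Since these lines are already being touched for whitespace, pick the casing the setting actually uses and apply it to both bullets so readers can copy the name reliably.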
@@ -183,10 +183,10 @@ Optional. Type: Int. Specifies how long an on-demand connection can be unused be
> [!NOTE]
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
-**SimIccId**
+**SimIccId**
For single SIM phones, this parm is Optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
-**PurposeGroups**
+**PurposeGroups**
Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
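Review bot: The SimIccId description directly under the changed heading still says "this parm is Optional" and "this parm is required", with inconsistent capitalization of the requirement level. Suggest "this parameter is optional" and "this parameter is required" to match the wording used for the other nodes in this file (for example "Optional. Type: Int.").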
@@ -194,8 +194,8 @@ Required. Type: String. Specifies the purposes of the connection by a comma-sepa
- MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8
- IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13
- SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD
-- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
-- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
+- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
+- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
- Application - 52D7654A-00A8-4140-806C-087D66705306
- eSIM provisioning - A36E171F-2377-4965-88FE-1F53EB4B47C0
@@ -207,7 +207,7 @@ To delete a connection, you must first delete any associated proxies and then de
-
+
@@ -247,7 +247,7 @@ Configuring an LTE connection:
-
+
```
diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md
index 38d7d17625..ab3a1fac43 100644
--- a/windows/client-management/mdm/cmpolicy-csp.md
+++ b/windows/client-management/mdm/cmpolicy-csp.md
@@ -1,7 +1,7 @@
---
title: CMPolicy CSP
description: Learn how the CMPolicy configuration service provider (CSP) is used to define rules that the Connection Manager uses to identify correct connections.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -51,10 +51,10 @@ CMPolicy
----------------Type
```
-***policyName***
+***policyName***
Defines the name of the policy.
-**SID**
+**SID**
The value of SID depends on the ClientType.
For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application.
@@ -63,7 +63,7 @@ For non-UWP application-based mapping policies, SID is the application product I
For host-based mapping policies, SID must be set to `*`.
-**ClientType**
+**ClientType**
Specifies the mapping policy type.
The following list describes the available mapping policy types:
@@ -72,20 +72,20 @@ The following list describes the available mapping policy types:
- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`.
-**Host**
+**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, `*` and `+`. The host pattern isn't a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be `*.host_name.com` to match any prefix to the `host_name.com` domains. The host pattern will match `www.host_name.com` and `mail.host_name.com`, but it won't match `host_name.com`.
-**OrderedConnections**
+**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
-**Conn***XXX*
+**Conn***XXX*
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits, which increment starting from "000". For example, a policy, which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
-**ConnectionID**
+**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”.
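Review bot: The Host description says the pattern "can have two wild cards, `*` and `+`", but the example that follows only shows what `*` matches; nothing in this section says how `+` behaves. Add one sentence and an example for `+`, or readers configuring host-based mapping policies have to guess. Minor, in the Conn*XXX* paragraph: "a policy, which applied to five connections would have" needs the comma removed (or "which" changed to "that").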
@@ -129,7 +129,7 @@ For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type.
|Bluetooth|{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}|
|Virtual|{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}|
-**Type**
+**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
- `CMST_CONNECTION_NAME` – A connection specified by name.
@@ -166,20 +166,20 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo
-
-
+
+
-
-
+
+
-
-
+
+
-
-
+
+
@@ -213,20 +213,20 @@ In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the
-
-
+
+
-
-
+
+
-
-
+
+
-
-
+
+
@@ -298,7 +298,7 @@ Adding an application-based mapping policy:
CMST_CONNECTION_DEVICE_TYPE
-
+
@@ -383,9 +383,9 @@ Adding a host-based mapping policy:
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
+
+
+
diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md
index 8515da3881..aa36ea8892 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md
@@ -1,7 +1,7 @@
---
title: CMPolicyEnterprise CSP
description: Learn how the CMPolicyEnterprise CSP is used to define rules that the Connection Manager uses to identify the correct connection for a connection request.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -53,10 +53,10 @@ CMPolicy
----------------ConnectionID
----------------Type
```
-***policyName***
+***policyName***
Defines the name of the policy.
-**SID**
+**SID**
The value of SID depends on the ClientType.
For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application.
@@ -65,7 +65,7 @@ For non-UWP application-based mapping policies, SID is the application product I
For host-based mapping policies, SID must be set to `*`.
-**ClientType**
+**ClientType**
Specifies the mapping policy type.
The following list describes the available mapping policy types:
@@ -74,21 +74,21 @@ The following list describes the available mapping policy types:
- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`.
-**Host**
+**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern isn't a URL pattern and there's no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
-**OrderedConnections**
+**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections aren't listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
-**Conn***XXX*
+**Conn***XXX*
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
-**ConnectionID**
+**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”.
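Review bot: The Host paragraph here formats the patterns as escaped quoted text ("\*.host\_name.com"), while the same paragraph in cmpolicy-csp.md in this diff uses code formatting (`*.host_name.com`). The two pages document the same node, so align this one to the backtick form. The Conn*XXX* paragraph also reads "three-digits" here versus "three digits" in cmpolicy-csp.md; the unhyphenated form is the correct one.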
@@ -133,7 +133,7 @@ For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type.
|Bluetooth|{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}|
|Virtual|{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}|
-**Type**
+**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
- `CMST_CONNECTION_NAME` – A connection specified by name.
@@ -170,20 +170,20 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo
-
-
+
+
-
-
+
+
-
-
+
+
-
-
+
+
@@ -215,20 +215,20 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C
-
-
+
+
-
-
+
+
-
-
+
+
-
-
+
+
@@ -300,7 +300,7 @@ Adding an application-based mapping policy:
CMST_CONNECTION_DEVICE_TYPE
-
+
@@ -385,9 +385,9 @@ Adding a host-based mapping policy:
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
+
+
+
diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
index 47fd1ec39d..5bfd351bcf 100644
--- a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
+++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md
@@ -1,7 +1,7 @@
---
title: CMPolicyEnterprise DDF file
description: Learn about the OMA DM device description framework (DDF) for the CMPolicyEnterprise configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index b67e4c78ef..cdbd14d704 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -1,7 +1,7 @@
---
title: Configuration service provider reference
description: A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -1056,10 +1056,10 @@ The following list shows the CSPs supported in HoloLens devices:
| [WiFi CSP](wifi-csp.md) | No | Yes | Yes |
| [WindowsLicensing CSP](windowslicensing-csp.md) | Yes | Yes | No |
-
+
## CSPs supported in Microsoft Surface Hub
-- [Accounts CSP](accounts-csp.md)
+- [Accounts CSP](accounts-csp.md)
> [!NOTE]
> Support in Surface Hub is limited to **Domain\ComputerName**.
- [AccountManagement CSP](accountmanagement-csp.md)
@@ -1075,7 +1075,7 @@ The following list shows the CSPs supported in HoloLens devices:
- [DMAcc CSP](dmacc-csp.md)
- [DMClient CSP](dmclient-csp.md)
- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
-- [Firewall-CSP](firewall-csp.md)
+- [Firewall-CSP](firewall-csp.md)
- [HealthAttestation CSP](healthattestation-csp.md)
- [NetworkProxy CSP](networkproxy-csp.md)
- [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
@@ -1083,14 +1083,14 @@ The following list shows the CSPs supported in HoloLens devices:
- [PassportForWork CSP](passportforwork-csp.md)
- [Policy CSP](policy-configuration-service-provider.md)
- [Reboot CSP](reboot-csp.md)
-- [RemoteWipe CSP](remotewipe-csp.md)
+- [RemoteWipe CSP](remotewipe-csp.md)
- [Reporting CSP](reporting-csp.md)
- [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
- [SurfaceHub CSP](surfacehub-csp.md)
- [UEFI CSP](uefi-csp.md)
-- [Wifi-CSP](wifi-csp.md)
+- [Wifi-CSP](wifi-csp.md)
- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
-- [Wirednetwork-CSP](wirednetwork-csp.md)
+- [Wirednetwork-CSP](wirednetwork-csp.md)
## CSPs supported in Windows 10 IoT Core
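Review bot: The link text on the changed lines "[Wifi-CSP](wifi-csp.md)" and "[Wirednetwork-CSP](wirednetwork-csp.md)" (and "[Firewall-CSP](firewall-csp.md)" in the previous hunk) does not follow the "Name CSP" pattern used by every other entry in this list, and the HoloLens table earlier in this file already uses "[WiFi CSP](wifi-csp.md)". Suggest normalizing these to "WiFi CSP", "WiredNetwork CSP" and "Firewall CSP" in the same pass.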
diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md
index 759f17f26a..53b1ab435d 100644
--- a/windows/client-management/mdm/customdeviceui-csp.md
+++ b/windows/client-management/mdm/customdeviceui-csp.md
@@ -1,7 +1,7 @@
---
title: CustomDeviceUI CSP
description: Learn how the CustomDeviceUI configuration service provider (CSP) allows OEMs to implement their custom foreground application.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -27,16 +27,16 @@ CustomDeviceUI
--------BackgroundTaskPackageName
```
-**./Vendor/MSFT/CustomDeviceUI**
+**./Vendor/MSFT/CustomDeviceUI**
The root node for the CustomDeviceUI configuration service provider. The supported operation is Get.
-**StartupAppID**
+**StartupAppID**
AppID string value is the default appid/AUMID to launch during startup. The supported operations are Get and Replace.
-**BackgroundTasksToLaunch**
+**BackgroundTasksToLaunch**
List of package names of background tasks that need to be launched on device startup. The supported operation is Get.
-**BackgroundTasksToLaunch/***BackgroundTaskPackageName*
+**BackgroundTasksToLaunch/***BackgroundTaskPackageName*
Package Full Name of the application that needs to be launched in the background. This application can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace.
## SyncML examples
@@ -45,19 +45,19 @@ Package Full Name of the application that needs to be launched in the background
```xml
-
+
1
-
./Vendor/MSFT/CustomDeviceUI/StartupAppID
-
+
chr
DefaultApp_cw5n1h2txyewy!App
-
+
@@ -67,7 +67,7 @@ Package Full Name of the application that needs to be launched in the background
```xml
-
+
1
-
@@ -75,7 +75,7 @@ Package Full Name of the application that needs to be launched in the background
./Vendor/MSFT/CustomDeviceUI/BackgroundTaskstoLaunch?list=Struct
-
+
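Review bot: The LocURI in this example is "./Vendor/MSFT/CustomDeviceUI/BackgroundTaskstoLaunch?list=Struct", but the node is documented above as **BackgroundTasksToLaunch** (capital "T" in "To"). Use the documented casing in the example so that a copied URI matches the node name in the tree.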
@@ -85,7 +85,7 @@ Package Full Name of the application that needs to be launched in the background
```xml
-
+
1
-
@@ -97,15 +97,15 @@ Package Full Name of the application that needs to be launched in the background
0
-
+
```
-
-
-
+
+
+
diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md
index f847a4ba95..eb20517b45 100644
--- a/windows/client-management/mdm/customdeviceui-ddf.md
+++ b/windows/client-management/mdm/customdeviceui-ddf.md
@@ -1,7 +1,7 @@
---
title: CustomDeviceUI DDF
description: Learn about the OMA DM device description framework (DDF) for the CustomDeviceUI configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index ca3b7ea096..45a23dd058 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -1,7 +1,7 @@
---
title: Defender CSP
description: Learn how the Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -88,31 +88,31 @@ Defender
----UpdateSignature
----OfflineScan (Added in Windows 10 version 1803)
```
-**Detections**
+**Detections**
An interior node to group all threats detected by Windows Defender.
Supported operation is Get.
-**Detections/***ThreatId*
+**Detections/***ThreatId*
The ID of a threat that has been detected by Windows Defender.
Supported operation is Get.
-**Detections/*ThreatId*/Name**
+**Detections/*ThreatId*/Name**
The name of the specific threat.
The data type is a string.
Supported operation is Get.
-**Detections/*ThreatId*/URL**
+**Detections/*ThreatId*/URL**
URL link for more threat information.
The data type is a string.
Supported operation is Get.
-**Detections/*ThreatId*/Severity**
+**Detections/*ThreatId*/Severity**
Threat severity ID.
The data type is integer.
@@ -127,7 +127,7 @@ The following list shows the supported values:
Supported operation is Get.
-**Detections/*ThreatId*/Category**
+**Detections/*ThreatId*/Category**
Threat category ID.
The data type is integer.
@@ -190,7 +190,7 @@ The following table describes the supported values:
Supported operation is Get.
-**Detections/*ThreatId*/CurrentStatus**
+**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
The data type is integer.
@@ -211,7 +211,7 @@ The following list shows the supported values:
Supported operation is Get.
-**Detections/*ThreatId*/CurrentStatus**
+**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
The data type is integer.
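Review bot: **Detections/*ThreatId*/CurrentStatus** is documented twice in a row; this hunk and the one before it carry the same heading and the same description ("Information about the current status of the threat."). Remove the second copy rather than cleaning whitespace in both, unless one of them was meant to describe a different node, in which case the heading needs correcting.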
@@ -232,7 +232,7 @@ The following list shows the supported values:
Supported operation is Get.
-**Detections/*ThreatId*/ExecutionStatus**
+**Detections/*ThreatId*/ExecutionStatus**
Information about the execution status of the threat.
The data type is integer.
@@ -247,34 +247,34 @@ The following list shows the supported values:
Supported operation is Get.
-**Detections/*ThreatId*/InitialDetectionTime**
+**Detections/*ThreatId*/InitialDetectionTime**
The first time this particular threat was detected.
The data type is a string.
Supported operation is Get.
-**Detections/*ThreatId*/LastThreatStatusChangeTime**
+**Detections/*ThreatId*/LastThreatStatusChangeTime**
The last time this particular threat was changed.
The data type is a string.
Supported operation is Get.
-**Detections/*ThreatId*/NumberOfDetections**
+**Detections/*ThreatId*/NumberOfDetections**
Number of times this threat has been detected on a particular client.
The data type is integer.
Supported operation is Get.
-**EnableNetworkProtection**
+**EnableNetworkProtection**
-The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
+The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
The acceptable values for this parameter are:
- 0: Disabled. The Network Protection service won't block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
-- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log.
+- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log.
Accepted values: Disabled, Enabled, and AuditMode
Position: Named
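Review bot: In the EnableNetworkProtection text, the values are listed as integers (0, 1, 2) and then immediately as "Accepted values: Disabled, Enabled, and AuditMode" with "Position: Named", which reads like cmdlet parameter help rather than a CSP node description. State which form the node accepts and drop the fields that do not apply to MDM. The value 2 bullet also has a doubled "but" ("As above, but the Network Protection service won't block ..., but will instead log"); suggest "Same as Enabled, except that connections to malicious websites are logged to the event log instead of being blocked."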
@@ -284,7 +284,7 @@ Accept wildcard characters: False
**EnableNetworkProtection/AllowNetworkProtectionDownLevel**
-By default, network protection isn't allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
+By default, network protection isn't allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
- Type: Boolean
- Position: Named
- Default value: False
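Review bot: The changed sentence tells the reader to set this configuration to "$true", which is a shell literal, while the list below gives the type as Boolean with default "False". For a CSP node, say what value the MDM payload should carry and use the same notation for the default, so the two lines agree.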
@@ -401,17 +401,17 @@ Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if
- Accept pipeline input: False
- Accept wildcard characters: False
-**Health**
+**Health**
An interior node to group information about Windows Defender health status.
Supported operation is Get.
-**Health/ProductStatus**
+**Health/ProductStatus**
Added in Windows 10, version 1809. Provide the current state of the product. This value is a bitmask flag value that can represent one or multiple product states from below list.
The data type is integer. Supported operation is Get.
-Supported product status values:
+Supported product status values:
- No status = 0
- Service not running = 1 << 0
- Service started without any malware protection engine = 1 << 1
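Review bot: In the Health/ProductStatus description, "can represent one or multiple product states from below list" is missing an article; suggest "one or more product states from the list below". Because the value is a bitmask, it would also help to say explicitly that several of the listed flags can be set at once and must be tested with a bitwise AND, not compared for equality.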
@@ -457,7 +457,7 @@ Example:
```
-**Health/ComputerState**
+**Health/ComputerState**
Provide the current state of the device.
The data type is integer.
@@ -473,28 +473,28 @@ The following list shows the supported values:
Supported operation is Get.
-**Health/DefenderEnabled**
+**Health/DefenderEnabled**
Indicates whether the Windows Defender service is running.
The data type is a Boolean.
Supported operation is Get.
-**Health/RtpEnabled**
+**Health/RtpEnabled**
Indicates whether real-time protection is running.
The data type is a Boolean.
Supported operation is Get.
-**Health/NisEnabled**
+**Health/NisEnabled**
Indicates whether network protection is running.
The data type is a Boolean.
Supported operation is Get.
-**Health/QuickScanOverdue**
+**Health/QuickScanOverdue**
Indicates whether a Windows Defender quick scan is overdue for the device.
A Quick scan is overdue when a scheduled Quick scan didn't complete successfully for 2 weeks and [catchup Quick scans](./policy-csp-defender.md#defender-disablecatchupquickscan) are disabled (default).
@@ -503,7 +503,7 @@ The data type is a Boolean.
Supported operation is Get.
-**Health/FullScanOverdue**
+**Health/FullScanOverdue**
Indicates whether a Windows Defender full scan is overdue for the device.
A Full scan is overdue when a scheduled Full scan didn't complete successfully for 2 weeks and [catchup Full scans](./policy-csp-defender.md#defender-disablecatchupfullscan) are disabled (default).
@@ -512,96 +512,96 @@ The data type is a Boolean.
Supported operation is Get.
-**Health/SignatureOutOfDate**
+**Health/SignatureOutOfDate**
Indicates whether the Windows Defender signature is outdated.
The data type is a Boolean.
Supported operation is Get.
-**Health/RebootRequired**
+**Health/RebootRequired**
Indicates whether a device reboot is needed.
The data type is a Boolean.
Supported operation is Get.
-**Health/FullScanRequired**
+**Health/FullScanRequired**
Indicates whether a Windows Defender full scan is required.
The data type is a Boolean.
Supported operation is Get.
-**Health/EngineVersion**
+**Health/EngineVersion**
Version number of the current Windows Defender engine on the device.
The data type is a string.
Supported operation is Get.
-**Health/SignatureVersion**
+**Health/SignatureVersion**
Version number of the current Windows Defender signatures on the device.
The data type is a string.
Supported operation is Get.
-**Health/DefenderVersion**
+**Health/DefenderVersion**
Version number of Windows Defender on the device.
The data type is a string.
Supported operation is Get.
-**Health/QuickScanTime**
+**Health/QuickScanTime**
Time of the last Windows Defender quick scan of the device.
The data type is a string.
Supported operation is Get.
-**Health/FullScanTime**
+**Health/FullScanTime**
Time of the last Windows Defender full scan of the device.
The data type is a string.
Supported operation is Get.
-**Health/QuickScanSigVersion**
+**Health/QuickScanSigVersion**
Signature version used for the last quick scan of the device.
The data type is a string.
Supported operation is Get.
-**Health/FullScanSigVersion**
+**Health/FullScanSigVersion**
Signature version used for the last full scan of the device.
The data type is a string.
Supported operation is Get.
-**Health/TamperProtectionEnabled**
+**Health/TamperProtectionEnabled**
Indicates whether the Windows Defender tamper protection feature is enabled.
The data type is a Boolean.
Supported operation is Get.
-**Health/IsVirtualMachine**
+**Health/IsVirtualMachine**
Indicates whether the device is a virtual machine.
The data type is a string.
Supported operation is Get.
-**Configuration**
+**Configuration**
An interior node to group Windows Defender configuration information.
Supported operation is Get.
-**Configuration/TamperProtection**
+**Configuration/TamperProtection**
Tamper protection helps protect important security features from unwanted changes and interference. This protection includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions.
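Review bot: **Health/IsVirtualMachine** is described as "Indicates whether the device is a virtual machine." but its data type is given as a string, whereas every other "Indicates whether" node in this hunk (RebootRequired, FullScanRequired, TamperProtectionEnabled) is a Boolean. Confirm the type, and if it really is a string, list the values it returns. In the Configuration/TamperProtection paragraph, "Settings are configured with an MDM solution, such as Intune and is available" has a subject/verb mismatch and a missing comma; suggest "This setting is configured with an MDM solution, such as Intune, and is available".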
@@ -612,7 +612,7 @@ The data type is a Signed BLOB.
Supported operations are Add, Delete, Get, Replace.
-Intune tamper protection setting UX supports three states:
+Intune tamper protection setting UX supports three states:
- Not configured (default): Doesn't have any impact on the default state of the device.
- Enabled: Enables the tamper protection feature.
- Disabled: Turns off the tamper protection feature.
@@ -635,7 +635,7 @@ The data type is integer.
Supported operations are Add, Delete, Get, Replace.
-Valid values are:
+Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
@@ -656,20 +656,20 @@ The data type is integer.
Supported operations are Add, Delete, Get, and Replace.
-Valid values are:
+Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
-**Configuration/DisableCpuThrottleOnIdleScans**
+**Configuration/DisableCpuThrottleOnIdleScans**
-Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.
+Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans, this flag will have no impact and normal throttling will occur.
-The data type is integer.
+The data type is integer.
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
-Valid values are:
-- 1 (default) – Enable.
+Valid values are:
+- 1 (default) – Enable.
- 0 – Disable.
**Configuration/MeteredConnectionUpdates**
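Review bot: For **Configuration/DisableCpuThrottleOnIdleScans**, the value list "1 (default) – Enable." / "0 – Disable." is ambiguous on a node whose name starts with "Disable": it is not clear whether 1 enables throttling or enables the disabling of throttling. The description says the feature "is enabled by default and won't throttle the CPU", so spell the values out, for example "1 (default) – CPU is not throttled for idle scheduled scans" and "0 – normal throttling applies".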
@@ -701,7 +701,7 @@ The data type is string.
Supported operations are Add, Delete, Get, and Replace.
-**Configuration/EnableFileHashComputation**
+**Configuration/EnableFileHashComputation**
Enables or disables file hash computation feature.
When this feature is enabled, Windows Defender will compute hashes for files it scans.
@@ -709,29 +709,29 @@ The data type is integer.
Supported operations are Add, Delete, Get, and Replace.
-Valid values are:
+Valid values are:
- 1 – Enable.
- 0 (default) – Disable.
-**Configuration/SupportLogLocation**
-The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
+**Configuration/SupportLogLocation**
+The support log location setting allows the administrator to specify where the Microsoft Defender Antivirus diagnostic data collection tool (**MpCmdRun.exe**) will save the resulting log files. This setting is configured with an MDM solution, such as Intune, and is available for Windows 10 Enterprise.
Data type is string.
Supported operations are Add, Delete, Get, and Replace.
-Intune Support log location setting UX supports three states:
+Intune Support log location setting UX supports three states:
-- Not configured (default) - Doesn't have any impact on the default state of the device.
+- Not configured (default) - Doesn't have any impact on the default state of the device.
- 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path.
-- 0 - Disabled. Turns off the Support log location feature.
+- 0 - Disabled. Turns off the Support log location feature.
-When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
+When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly.
-More details:
+More details:
-- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
-- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
+- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
+- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
**Configuration/PlatformUpdatesChannel**
Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
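Review bot: In the Configuration/SupportLogLocation block, "Data type is string." does not match the only values the text describes, which are the Intune UX states "1 - Enabled", "0 - Disabled" and "Not configured". The text never says what string the node itself takes; if it is the custom file path that "Requires admin to set custom file path" refers to, say so and give the expected format. The re-added sentence "To change the state to either enabled or disabled would require to be set explicitly." is also ungrammatical; something like "To change the state, explicitly set the policy to enabled or disabled." would read better.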
@@ -744,7 +744,7 @@ Current Channel (Staged): Devices will be offered updates after the monthly grad
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
-Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only
+Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only
If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices.
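Review bot: The re-added "Critical:" line still ends without a period ("Suggested for critical environments only"), unlike the Current Channel (Broad) sentence just above it. The line is already being rewritten for whitespace, so add the full stop here.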
@@ -761,10 +761,10 @@ Valid values are:
- 6: Critical- Time Delay
-More details:
+More details:
-- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
-- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
+- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
+- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
**Configuration/EngineUpdatesChannel**
Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
@@ -793,12 +793,12 @@ Valid values are:
- 5: Current Channel (Broad)
- 6: Critical- Time Delay
-More details:
+More details:
-- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
-- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
+- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
+- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
-**Configuration/SecurityIntelligenceUpdatesChannel**
+**Configuration/SecurityIntelligenceUpdatesChannel**
Enable this policy to specify when devices receive daily Microsoft Defender security intelligence (definition) updates during the daily gradual rollout.
Current Channel (Staged): Devices will be offered updates after the release cycle. Suggested to apply to a small, representative part of production population (~10%).
@@ -815,10 +815,10 @@ Valid Values are:
- 4: Current Channel (Staged)
- 5: Current Channel (Broad)
-More details:
+More details:
-- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
-- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
+- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
+- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
**Configuration/DisableGradualRelease**
Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates.
@@ -837,10 +837,10 @@ Valid values are:
- 1 – Enabled.
- 0 (default) – Not Configured.
-More details:
+More details:
-- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
-- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
+- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
+- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
**Configuration/PassiveRemediation**
This policy setting enables or disables EDR in block mode (recommended for devices running Microsoft Defender Antivirus in passive mode). For more information, see Endpoint detection and response in block mode | Microsoft Docs. Available with platform release: 4.18.2202.X
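Review bot: The Configuration/PassiveRemediation description at the end of this hunk refers to "Endpoint detection and response in block mode | Microsoft Docs" as plain text, which looks like a pasted page title rather than a link. The other nodes in this file use a "More details:" list with relative links; please turn this into a proper Markdown link in the same style. "Available with platform release: 4.18.2202.X" would also read better as its own sentence with a closing period.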
@@ -852,7 +852,7 @@ Supported values:
- 0: Turn EDR in block mode off
-**Scan**
+**Scan**
Node that can be used to start a Windows Defender scan on a device.
Valid values are:
@@ -861,12 +861,12 @@ Valid values are:
Supported operations are Get and Execute.
-**UpdateSignature**
+**UpdateSignature**
Node that can be used to perform signature updates for Windows Defender.
Supported operations are Get and Execute.
-**OfflineScan**
+**OfflineScan**
Added in Windows 10, version 1803. OfflineScan action starts a Microsoft Defender Offline scan on the computer where you run the command. After the next OS reboot, the device will start in Microsoft Defender Offline mode to begin the scan.
Supported operations are Get and Execute.
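Review bot: The OfflineScan description says the action starts a scan "on the computer where you run the command", which does not fit a CSP node that is executed from the MDM server against a managed device. Suggest "on the target device". It would also help to state here that the scan does not begin until the next reboot and that the Execute itself does not restart the device, if that is the case, since the current wording leaves it open.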
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
index 1a99f5c85b..f10d4459ca 100644
--- a/windows/client-management/mdm/defender-ddf.md
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -1,7 +1,7 @@
---
title: Defender DDF file
description: Learn how the OMA DM device description framework (DDF) for the Defender configuration service provider is used.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
index a1b368c716..17420c6aac 100644
--- a/windows/client-management/mdm/devdetail-csp.md
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -1,7 +1,7 @@
---
title: DevDetail CSP
description: Learn how the DevDetail configuration service provider handles the management object. This CSP provides device-specific parameters to the OMA DM server.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -68,55 +68,55 @@ DevDetail
--------WlanSubnetMask
--------DeviceHardwareData (Added in Windows 10, version 1703)
```
-**DevTyp**
+**DevTyp**
Required. Returns the device model name /SystemProductName as a string.
Supported operation is Get.
-**OEM**
+**OEM**
Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.
Supported operation is Get.
-**FwV**
+**FwV**
Required. Returns the firmware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneFirmwareRevision.
For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
Supported operation is Get.
-**SwV**
+**SwV**
Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the client device. In the future, the build numbers may converge.
Supported operation is Get.
-**HwV**
+**HwV**
Required. Returns the hardware version, as defined in the registry key HKEY_LOCAL_MACHINE\System\Platform\DeviceTargetingInfo\PhoneRadioHardwareRevision.
For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BIOSVersion.
Supported operation is Get.
-**LrgObj**
+**LrgObj**
Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2.
Supported operation is Get.
-**URI/MaxDepth**
+**URI/MaxDepth**
Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0).
Supported operation is Get.
This value is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth.
-**URI/MaxTotLen**
+**URI/MaxTotLen**
Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0).
Supported operation is Get.
This value is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length.
-**URI/MaxSegLen**
+**URI/MaxSegLen**
Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0).
Supported operation is Get.
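Review bot: Under URI/MaxSegLen the description says "Returns the total length of any URI segment", while URI/MaxDepth and URI/MaxTotLen both say "maximum" and the node name is MaxSegLen. This should read "maximum length of any URI segment". In the DevTyp line there is also a stray space in "device model name /SystemProductName". Separately, FwV and HwV both document the same registry value (System\BIOS\BIOSVersion) for desktop editions; please confirm that is intended for HwV and not a copy of the FwV text.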
@@ -125,7 +125,7 @@ This value is the largest number of characters that the device can support in a
-**Ext/Microsoft/RadioSwV**
+**Ext/Microsoft/RadioSwV**
Required. Returns the radio stack software version number.
Supported operation is Get.
-**Ext/Microsoft/Resolution**
+**Ext/Microsoft/Resolution**
Required. Returns the UI screen resolution of the device (example: "480x800").
Supported operation is Get.
-**Ext/Microsoft/CommercializationOperator**
+**Ext/Microsoft/CommercializationOperator**
Required. Returns the name of the mobile operator if it exists. Otherwise, it returns 404.
Supported operation is Get.
-**Ext/Microsoft/ProcessorArchitecture**
+**Ext/Microsoft/ProcessorArchitecture**
Required. Returns the processor architecture of the device as "arm" or "x86".
Supported operation is Get.
-**Ext/Microsoft/ProcessorType**
+**Ext/Microsoft/ProcessorType**
Required. Returns the processor type of the device as documented in SYSTEM_INFO.
Supported operation is Get.
-**Ext/Microsoft/OSPlatform**
+**Ext/Microsoft/OSPlatform**
Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName.
Supported operation is Get.
-**Ext/Microsoft/LocalTime**
+**Ext/Microsoft/LocalTime**
Required. Returns the client local time in ISO 8601 format.
Supported operation is Get.
-**Ext/Microsoft/DeviceName**
+**Ext/Microsoft/DeviceName**
Required. Contains the user-specified device name.
Replace operation isn't supported in Windows client or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name doesn't take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs.
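Review bot: The Ext/Microsoft/DeviceName text at the end of this hunk contradicts itself. It says "Replace operation isn't supported in Windows client or IoT Core", then describes what happens "When you change the device name using this node", and the following hunk lists "Supported operations are Get and Replace." Please state which editions accept Replace and which only support Get, so a server does not attempt a rename that cannot succeed. Ext/Microsoft/ProcessorArchitecture also lists only "arm" or "x86"; worth confirming whether 64-bit values need to be documented.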
@@ -178,10 +178,10 @@ Value type is string.
Supported operations are Get and Replace.
-**Ext/Microsoft/DNSComputerName**
+**Ext/Microsoft/DNSComputerName**
Added in Windows 10, version 2004. This node specifies the DNS computer name for a device. The server must explicitly reboot the device for this value to take effect. A couple of macros can be embedded within the value for dynamic substitution. Using any of these macros will limit the new name to 63 characters. This node replaces the **Domain/ComputerName** node in [Accounts CSP](accounts-csp.md).
-The following are the available naming macros:
+The following are the available naming macros:
| Macro | Description | Example | Generated Name |
| -------| -------| -------| -------|
@@ -190,22 +190,22 @@ The following are the available naming macros:
Value type is string. Supported operations are Get and Replace.
-> [!NOTE]
+> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the computer's serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit doesn't count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
-**Ext/Microsoft/TotalRAM**
+**Ext/Microsoft/TotalRAM**
Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory).
Supported operation is Get.
-**Ext/Microsoft/SMBIOSSerialNumber**
+**Ext/Microsoft/SMBIOSSerialNumber**
Added in Windows 10, version 1809. SMBIOS Serial Number of the device.
Value type is string. Supported operation is Get.
-**Ext/WLANMACAddress**
+**Ext/WLANMACAddress**
The MAC address of the active WLAN connection, as a 12-digit hexadecimal number.
Supported operation is Get.
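Review bot: The long paragraph after the NOTE says "This setting is supported only in Windows 10, version 1803 and later" and points to "the **ComputerName** setting under **Accounts** > **ComputerAccount**", but the Ext/Microsoft/DNSComputerName node is introduced as "Added in Windows 10, version 2004" and as replacing Domain/ComputerName in the Accounts CSP. The paragraph appears to be carried over from a different document; please reconcile the version and the fallback it names. The length rules also need one clear statement: the text gives a 63-character limit, says "x must be a number less than 63", and then says the limit "doesn't count the length of the macros".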
@@ -213,32 +213,32 @@ Supported operation is Get.
> [!NOTE]
> This isn't supported in Windows 10 for desktop editions.
-**Ext/VoLTEServiceSetting**
+**Ext/VoLTEServiceSetting**
Returns the VoLTE service to on or off. This setting is only exposed to mobile operator OMA-DM servers.
Supported operation is Get.
-**Ext/WlanIPv4Address**
+**Ext/WlanIPv4Address**
Returns the IPv4 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA DM servers.
Supported operation is Get.
-**Ext/WlanIPv6Address**
+**Ext/WlanIPv6Address**
Returns the IPv6 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
-**Ext/WlanDnsSuffix**
+**Ext/WlanDnsSuffix**
Returns the DNS suffix of the active Wi-Fi connection. This suffix is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
-**Ext/WlanSubnetMask**
+**Ext/WlanSubnetMask**
Returns the subnet mask for the active Wi-Fi connection. This subnet mask is only exposed to enterprise OMA-DM servers.
Supported operation is Get.
-**Ext/DeviceHardwareData**
+**Ext/DeviceHardwareData**
Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!NOTE]
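Review bot: The Ext/VoLTEServiceSetting description, "Returns the VoLTE service to on or off", is not grammatical and leaves unclear what Get returns; suggest "Returns whether the VoLTE service is on or off" together with the value format. The Wlan* nodes in this hunk also alternate between "enterprise OMA DM servers" (WlanIPv4Address) and "enterprise OMA-DM servers" (the rest); pick one spelling. Since these nodes and DeviceHardwareData expose network and hardware identifiers, it would help to state for each one which server types can read it, as the Wlan* entries already do.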
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
index 957eb5558f..11ea24b9ea 100644
--- a/windows/client-management/mdm/devdetail-ddf-file.md
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DevDetail DDF file
description: Learn about the OMA DM device description framework (DDF) for the DevDetail configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md
index 592432a187..033ace2ec0 100644
--- a/windows/client-management/mdm/developersetup-csp.md
+++ b/windows/client-management/mdm/developersetup-csp.md
@@ -1,7 +1,7 @@
---
title: DeveloperSetup CSP
description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the Windows 10, version 1703.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -33,49 +33,49 @@ DeveloperSetup
------------HttpPort
------------HttpsPort
```
-**DeveloperSetup**
+**DeveloperSetup**
The root node for the DeveloperSetup configuration service provider.
-**EnableDeveloperMode**
+**EnableDeveloperMode**
A Boolean value that is used to enable Developer Mode on the device. The default value is false.
The only supported operation is Replace.
-**DevicePortal**
-
The node for the Windows Device Portal.
+**DevicePortal**
+
The node for the Windows Device Portal.
-**DevicePortal/Authentication**
-
The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal.
+**DevicePortal/Authentication**
+
The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal.
-**DevicePortal/Authentication/Mode**
-
An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal.
+**DevicePortal/Authentication/Mode**
+
An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal.
The only supported operation is Replace.
-**DevicePortal/Authentication/BasicAuth**
-
The node that describes the credentials that are used for basic authentication with the Windows Device Portal.
+**DevicePortal/Authentication/BasicAuth**
+
The node that describes the credentials that are used for basic authentication with the Windows Device Portal.
-**DevicePortal/Authentication/BasicAuth/Username**
-
A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal.
+**DevicePortal/Authentication/BasicAuth/Username**
+
A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal.
The user name must contain only ASCII characters and cannot contain a colon (:).
The only supported operation is Replace.
-**DevicePortal/Authentication/BasicAuth/Password**
-
A string value that specifies the password to use when authenticating requests against the Windows Device Portal.
+**DevicePortal/Authentication/BasicAuth/Password**
+
A string value that specifies the password to use when authenticating requests against the Windows Device Portal.
The only supported operation is Replace.
-**DevicePortal/Connection**
-
The node for configuring connections to the Windows Device Portal service.
+**DevicePortal/Connection**
+
The node for configuring connections to the Windows Device Portal service.
-**DevicePortal/Connection/HttpPort**
-
An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service.
-If authentication is enabled, HttpPort will redirect the user to the (required) HttpsPort.
+**DevicePortal/Connection/HttpPort**
+
An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service.
+If authentication is enabled, HttpPort will redirect the user to the (required) HttpsPort.
The only supported operation is Replace.
-**DevicePortal/Connection/HttpsPort**
-
An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service.
+**DevicePortal/Connection/HttpsPort**
+
An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service.
The only supported operation is Replace.
\ No newline at end of file
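Review bot: DevicePortal/Authentication/Mode is documented only as "An integer value that specifies the mode of authentication" with no list of valid values, so a reader cannot tell which integer turns authentication on or off. That matters because HttpPort only redirects to HttpsPort "If authentication is enabled". Please add the valid values and the default. The password node should also say whether any complexity or length rules apply, as the Username node does for its character set. Finally, this whitespace cleanup still leaves the file with "\ No newline at end of file"; add the trailing newline in the same pass.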
diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md
index ae96fa64df..06629722db 100644
--- a/windows/client-management/mdm/developersetup-ddf.md
+++ b/windows/client-management/mdm/developersetup-ddf.md
@@ -1,7 +1,7 @@
---
title: DeveloperSetup DDF file
description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index 29938e34dc..1f5bc01095 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -1,7 +1,7 @@
---
title: DeviceLock CSP
description: Learn how the DeviceLock configuration service provider (CSP) is used by the enterprise management server to configure device lock related policies.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -61,10 +61,10 @@ DeviceLock
-------------MinDevicePasswordComplexCharacters
```
-**Provider**
+**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
- ***ProviderID***
+ ***ProviderID***
Optional. The node that contains the configured management server's ProviderID. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported:
- **Add** - Add the management account to the configuration service provider tree.
@@ -76,7 +76,7 @@ Optional. The node that contains the configured management server's ProviderID.
-***ProviderID*/DevicePasswordEnabled**
+***ProviderID*/DevicePasswordEnabled**
Optional. An integer value that specifies whether device lock is enabled. Possible values include:
- 0 - Device lock is enabled.
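Review bot: For DevicePasswordEnabled the value list starts with "0 - Device lock is enabled", which is the reverse of what the node name suggests. An administrator who sets 1 expecting to turn the lock on would get the opposite result. Please add an explicit note under this node calling out the inverted meaning and stating the default.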
@@ -86,7 +86,7 @@ The scope is dynamic.
Supported operations are Get, Add, and Replace.
-***ProviderID*/AllowSimpleDevicePassword**
+***ProviderID*/AllowSimpleDevicePassword**
Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values include:
- 0 - Not allowed.
@@ -96,12 +96,12 @@ Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
-***ProviderID*/MinDevicePasswordLength**
+***ProviderID*/MinDevicePasswordLength**
Optional. An integer value that specifies the minimum number of characters required in the PIN. Valid values are 4 to 18 inclusive. The default value is 4. Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
-***ProviderID*/AlphanumericDevicePasswordRequired**
+***ProviderID*/AlphanumericDevicePasswordRequired**
Optional. An integer value that specifies the complexity of the password or PIN allowed.
Possible values include:
@@ -114,39 +114,39 @@ Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
-***ProviderID*/DevicePasswordExpiration**
+***ProviderID*/DevicePasswordExpiration**
Deprecated in Windows 10.
-***ProviderID*/DevicePasswordHistory**
+***ProviderID*/DevicePasswordHistory**
Deprecated in Windows 10.
-***ProviderID*/MaxDevicePasswordFailedAttempts**
+***ProviderID*/MaxDevicePasswordFailedAttempts**
Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device won't be wiped, whatever the number of authentication failures.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
-***ProviderID*/MaxInactivityTimeDeviceLock**
+***ProviderID*/MaxInactivityTimeDeviceLock**
Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it's password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
-***ProviderID*/MinDevicePasswordComplexCharacters**
+***ProviderID*/MinDevicePasswordComplexCharacters**
Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 3 for Windows client. The default value is 1.
Invalid values are treated as a configuration failure. The scope is dynamic.
Supported operations are Get, Add, and Replace.
-**DeviceValue**
+**DeviceValue**
Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are applied to the device. The scope is permanent.
Supported operation is Get.
-**DeviceValue/DevicePasswordEnable, …, MinDevicePasswordComplexCharacters**
+**DeviceValue/DevicePasswordEnable, …, MinDevicePasswordComplexCharacters**
Required. This node has the same set of policy nodes as the **ProviderID** node. All nodes under **DeviceValue** are read-only permanent nodes. Each node represents the current device lock policy. For detailed descriptions of each policy, see the ***ProviderID*** subnode descriptions.
## OMA DM examples
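Review bot: The re-added heading near the end of this hunk reads "DeviceValue/DevicePasswordEnable", but the policy node earlier in the file is "DevicePasswordEnabled"; the trailing "d" is missing. Please correct the name while the line is being changed. In MinDevicePasswordComplexCharacters the text lists four element types (uppercase letters, lowercase letters, numbers, punctuation) yet gives valid values of 1 to 3, which needs a sentence of explanation. For MaxDevicePasswordFailedAttempts, consider noting that the default of 0 means the device is never wiped after failed attempts, so it stands out to readers scanning for the secure setting.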
diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md
index 974d878b01..e206a5b29e 100644
--- a/windows/client-management/mdm/devicelock-ddf-file.md
+++ b/windows/client-management/mdm/devicelock-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DeviceLock DDF file
description: Learn about the OMA DM device description framework (DDF) for the DeviceLock configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md
index b650e3c405..60af6c7b5d 100644
--- a/windows/client-management/mdm/devicemanageability-csp.md
+++ b/windows/client-management/mdm/devicemanageability-csp.md
@@ -1,7 +1,7 @@
---
title: DeviceManageability CSP
description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -26,7 +26,7 @@ The table below shows the applicability of Windows:
The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
-For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that both the paths return the same information.
+For performance reasons, DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that both the paths return the same information.
The following example shows the DeviceManageability configuration service provider in a tree format.
```
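Review bot: The re-added paragraph about csp\_version ends with "the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well", which reads as an internal engineering to-do rather than guidance for someone managing devices. Either rephrase it as a statement of current behaviour (both paths return the registry value) or drop the implementation detail from the public page.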
@@ -40,34 +40,34 @@ DeviceManageability
------------EnrollmentInfo (Added in Windows 10, version 1709)
```
-**./Device/Vendor/MSFT/DeviceManageability**
+**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
-**Capabilities**
+**Capabilities**
Interior node.
-**Capabilities/CSPVersions**
+**Capabilities/CSPVersions**
Returns the versions of all configuration service providers supported on the device for the MDM service.
-**Provider**
+**Provider**
Added in Windows 10, version 1709. Interior node.
-**Provider/_ProviderID_**
+**Provider/_ProviderID_**
Added in Windows 10, version 1709. Provider ID of the configuration source. ProviderID should be unique among the different config sources.
-**Provider/_ProviderID_/ConfigInfo**
+**Provider/_ProviderID_/ConfigInfo**
Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to use during sync session.
ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources.
-Data type is string.
+Data type is string.
Supported operations are Add, Get, Delete, and Replace.
-**Provider/_ProviderID_/EnrollmentInfo**
+**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session.
-Data type is string.
+Data type is string.
Supported operations are Add, Get, Delete, and Replace.
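Review bot: Provider/_ProviderID_/ConfigInfo states that the value "can only be set by the provider that owns the ProviderID" and "is readable by other config sources", but Provider/_ProviderID_/EnrollmentInfo has no equivalent statement even though it supports the same Add, Get, Delete and Replace operations. Please document whether the same ownership rule applies to EnrollmentInfo and who can read it. Because ConfigInfo is readable by other configuration sources, a short note that it should not carry secrets would be a useful addition.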
diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md
index 23dd9b8cf6..a983c19012 100644
--- a/windows/client-management/mdm/devicemanageability-ddf.md
+++ b/windows/client-management/mdm/devicemanageability-ddf.md
@@ -1,7 +1,7 @@
---
title: DeviceManageability DDF
description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md
index fe9309086b..7fff2b73c3 100644
--- a/windows/client-management/mdm/devinfo-csp.md
+++ b/windows/client-management/mdm/devinfo-csp.md
@@ -1,7 +1,7 @@
---
title: DevInfo CSP
description: Learn how the DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -43,7 +43,7 @@ DevInfo
----Lang
```
-**DevId**
+**DevId**
Required. Returns an application-specific global unique device identifier by default.
Supported operation is Get.
@@ -55,26 +55,26 @@ The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
-**Man**
+**Man**
Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer.
If no name is found, this returns to "Unknown".
Supported operation is Get.
-**Mod**
+**Mod**
Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10/Windows 11 desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
If no name is found, this returns to "Unknown".
Supported operation is Get.
-**DmV**
+**DmV**
Required. Returns the current management client revision of the device.
Supported operation is Get.
-**Lang**
+**Lang**
Required. Returns the current user interface (UI) language setting of the device as defined by RFC1766.
Supported operation is Get.
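Review bot: in the context lines under **Man** and **Mod**, "If no name is found, this returns to "Unknown"" should read "this returns "Unknown"". The two nodes also describe the same platform differently: **Man** says "Windows 10 for desktop editions" and **Mod** says "Windows 10/Windows 11 desktop editions". Since this patch already touches both headings, align the wording so readers don't infer that **Man** behaves differently on Windows 11.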
diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md
index ae70ac7ba1..831fc75b81 100644
--- a/windows/client-management/mdm/devinfo-ddf-file.md
+++ b/windows/client-management/mdm/devinfo-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DevInfo DDF file
description: Learn about the OMA DM device description framework (DDF) for the DevInfo configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index aea55b2259..631460d250 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -1,7 +1,7 @@
---
title: DiagnosticLog CSP
description: Learn about the feature areas of the DiagnosticLog configuration service provider (CSP), including the DiagnosticLog area and Policy area.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -102,7 +102,7 @@ The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
-With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
+With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
The following example shows a `Collection` XML:
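Review bot: the changed sentence "we have added support for an extra element" never names the element. Say OutputFileFormat here, since that is the name used further down the page. The context line just above also has a typo worth fixing in the same pass: "Set and Execute are functionality equivalent" should be "functionally equivalent".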
@@ -195,7 +195,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- **OutputFileFormat**
- Flattens folder structure, instead of having individual folders for each directive in the XML.
- - The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure.
+ - The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure.
**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
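Review bot: the changed OutputFileFormat bullet is hard to parse at "it will leave the file structure in old structure". Suggest something like "the output keeps one folder per directive", which matches the bullet above it. The same line writes the value once in curly quotes (“Flattened”) and once bare; use code formatting or straight quotes for both, since this is a literal a reader will paste into XML.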
@@ -268,7 +268,7 @@ la--- 1/4/2021 2:45 PM 2
la--- 12/2/2020 6:27 PM 2701 results.xml
```
-Each data gathering directive from the original `Collection` XML corresponds to a folder in the output.
+Each data gathering directive from the original `Collection` XML corresponds to a folder in the output.
For example, the first directive was:
```xml
diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md
index 30dddf70ca..8fb25f9385 100644
--- a/windows/client-management/mdm/diagnosticlog-ddf.md
+++ b/windows/client-management/mdm/diagnosticlog-ddf.md
@@ -1,7 +1,7 @@
---
title: DiagnosticLog DDF
description: Learn about the the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
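Review bot: the description line in this front matter has a doubled word, "Learn about the the OMA DM device description framework". Drop one "the" while the file is open for the ms.reviewer whitespace fix.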
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md
index ad9d6ccc76..79824d7960 100644
--- a/windows/client-management/mdm/dmacc-csp.md
+++ b/windows/client-management/mdm/dmacc-csp.md
@@ -1,7 +1,7 @@
---
title: DMAcc CSP
description: Learn how the DMAcc configuration service provider (CSP) allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -71,76 +71,76 @@ DMAcc
----------------DisableOnRoaming
----------------SSLCLIENTCERTSEARCHCRITERIA
```
-**DMAcc**
+**DMAcc**
Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol.
-***AccountUID***
+***AccountUID***
Optional. Defines the unique identifier for an OMA DM server account that uses the OMA DM version 1.2 protocol.
For a [w7 APPLICATION configuration service provider](w7-application-csp.md) bootstrapped account, this element is assigned a unique name by the OMA DM Client. The unique name is the hexadecimal representation of the 256-bit SHA-2 hash of the provider ID. The OMA DM server can change this node name in subsequent OMA DM sessions.
-***AccountUID*/AppID**
+***AccountUID*/AppID**
Required. Specifies the application identifier for the OMA DM account.
This value must be set to "w7".
Value type is string. Supported operations are Add, Get, and Replace.
-***AccountUID*/ServerID**
+***AccountUID*/ServerID**
Required. Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive.
Value type is string. Supported operations are Add, Get, and Replace.
-***AccountUID*/Name**
+***AccountUID*/Name**
Optional. Specifies the display name of the application.
Value type is string. Supported operations are Add, Get, and Replace.
-***AccountUID*/PrefConRef**
+***AccountUID*/PrefConRef**
Optional. Specifies the preferred connectivity for the OMA DM account.
This element contains either a URI to a NAP management object or a connection GUID used by Connection Manager. If this element is missing, the device uses the default connection that is provided by Connection Manager.
Value type is string. Supported operations are Add, Get, and Replace.
-***AccountUID*/AppAddr**
+***AccountUID*/AppAddr**
Interior node for DM server address.
Required.
-**AppAddr/***ObjectName*
+**AppAddr/***ObjectName*
Required. Defines the OMA DM server address. Only one server address can be configured.
When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1". This DM address is the first one encountered in the w7 APPLICATION configuration service provider; other DM accounts are ignored.
-***ObjectName*/Addr**
+***ObjectName*/Addr**
Required. Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element.
Value type is string. Supported operations are Add, Get, and Replace.
-***ObjectName*/AddrType**
+***ObjectName*/AddrType**
Required. Specifies the format and interpretation of the Addr node value. The default is "URI".
The default value of "URI" specifies that the OMA DM account address in **Addr** is a URI address. A value of "IPv4" specifies that the OMA DM account address in **Addr** is an IP address.
Value type is string. Supported operations are Add, Get, and Replace.
-***ObjectName*/Port**
+***ObjectName*/Port**
Interior node for port information.
Optional.
-**Port/***ObjectName*
+**Port/***ObjectName*
Required. Only one port number can be configured.
When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is "1".
-***ObjectName*/PortNbr**
+***ObjectName*/PortNbr**
Required. Specifies the port number of the OMA MD account address. This number must be a decimal number that fits within the range of a 16-bit unsigned integer.
Value type is string. Supported operations are Add, Get, and Replace.
-***AccountUID*/AAuthPref**
+***AccountUID*/AAuthPref**
Optional. Specifies the application authentication preference.
A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST' specifies that the client attempts MD5 authentication.
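Review bot: two context-line typos in this hunk change the meaning for a careful reader. Under ***ObjectName*/PortNbr**, "the port number of the OMA MD account address" should be "OMA DM". Under ***AccountUID*/AAuthPref**, the value is written as "DIGEST' with mismatched quote characters; it should be "DIGEST", because this is a literal the server has to send. The same line maps "DIGEST" to "MD5 authentication" without further explanation, so a short pointer to where the digest scheme is defined would help readers judge its strength.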
@@ -149,98 +149,98 @@ If this value is empty, the client attempts to use the authentication mechanism
Value type is string. Supported operations are Add, Get, and Replace.
-***AccountUID*/AppAuth**
+***AccountUID*/AppAuth**
Optional. Defines authentication settings.
-**AppAuth/***ObjectName*
+**AppAuth/***ObjectName*
Required. Defines one set of authentication settings.
When the [w7 APPLICATION configuration service provider](w7-application-csp.md) is being mapped to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED").
-***ObjectName*/AAuthlevel**
+***ObjectName*/AAuthlevel**
Required. Specifies the application authentication level.
A value of "CLCRED" indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of "SRVCRED" indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level.
Value type is string. Supported operations are Add and Replace.
-***ObjectName*/AAuthType**
+***ObjectName*/AAuthType**
Required. Specifies the authentication type.
If the AAuthlevel is "CLCRED", the supported values are "BASIC" and "DIGEST". If the AAuthlevel is "SRVCRED", the supported value is "DIGEST".
Value type is string. Supported operations are Add, Get, and Replace.
-***ObjectName*/AAuthName**
+***ObjectName*/AAuthName**
Optional. Specifies the authentication name.
Value type is string. Supported operations are Add, Get, and Replace.
-***ObjectName*/AAuthSecret**
+***ObjectName*/AAuthSecret**
Optional. Specifies the password or secret used for authentication.
Value type is string. Supported operations are Add and Replace.
-***ObjectName*/AAuthData**
+***ObjectName*/AAuthData**
Optional. Specifies the next nonce used for authentication.
"Nonce" refers to a number used once. It's often a random or pseudo-random number issued in an authentication protocol to ensure that old communications can't be reused in repeat attacks.
Value type is binary. Supported operations are Add and Replace.
-***AccountUID*/Ext**
+***AccountUID*/Ext**
Required. Defines a set of extended parameters.
This element holds vendor-specific information about the OMA DM account and is created automatically when the OMA DM account is created.
-**Ext/Microsoft**
+**Ext/Microsoft**
Required. Defines a set of Microsoft-specific extended parameters.
This element is created automatically when the OMA DM account is created.
-**Microsoft/BackCompatRetryDisabled**
+**Microsoft/BackCompatRetryDisabled**
Optional. Specifies whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default is "FALSE".
The default value of "FALSE" indicates that backward-compatible retries are enabled. A value of "TRUE" indicates that backward-compatible retries are disabled.
Value type is bool. Supported operations are Add, Get, and Replace.
-**Microsoft/ConnRetryFreq**
+**Microsoft/ConnRetryFreq**
Optional. Specifies the number of retries the DM client performs when there are Connection Manager level or wininet level errors.
The default value is 3.
Value type is integer. Supported operations are Add, Get, and Replace.
-**Microsoft/DefaultEncoding**
+**Microsoft/DefaultEncoding**
Optional. Specifies whether the OMA DM client will use WBXML or XML for the DM package when communicating with the server. The default is "application/vnd.syncml.dm+xml".
The default value of "application/vnd.syncml.dm+xml" specifies that XML is used. A value of "application/vnd.syncml.dm+wbxml" specifies that WBXML is used.
Value type is string. Supported operations are Add, Get, and Replace.
-**Microsoft/InitialBackOffTime**
+**Microsoft/InitialBackOffTime**
Optional. Specifies the initial wait time in milliseconds when the OMA DM client retries for the first time. The wait time grows exponentially.
The default value is 16000.
Value type is integer. Supported operations are Add, Get, and Replace.
-**Microsoft/MaxBackOffTime**
+**Microsoft/MaxBackOffTime**
Optional. This node specifies the maximum number of milliseconds to wait before attempting a connection retry.
The default value is 86400000.
Value type is integer. Supported operations are Add, Get, and Replace.
-**Microsoft/ProtoVer**
+**Microsoft/ProtoVer**
Optional. Specifies the OMA DM Protocol version that the server supports. There's no default value.
Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2.
Value type is string. Supported operations are Add, Get, and Replace.
-**Microsoft/Role**
+**Microsoft/Role**
Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server.
If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
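Review bot: the authentication-level literals are inconsistent in this hunk. **AppAuth/***ObjectName* gives the element name as "CLRED" or "SRVCRED", while ***ObjectName*/AAuthlevel** and AAuthType use "CLCRED", so one of the two spellings is wrong and should be corrected. The node name is also cased two ways ("AAuthLevel" in the AppAuth paragraph, "AAuthlevel" in the heading). Under AAuthData, "can't be reused in repeat attacks" should be "replay attacks". Finally, **Microsoft/Role** is marked "Required." but the next sentence describes what happens "If this parameter isn't present", so pick one.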
@@ -254,7 +254,7 @@ The acceptable access roles for this node can't be more than the roles assigned
Value type is integer. Supported operations are Get and Replace.
-**Microsoft/UseHWDevID**
+**Microsoft/UseHWDevID**
Optional. Specifies whether to use the hardware ID for the ./DevInfo/DevID element in the DM account to identify the device. The default is "FALSE".
The default value of "FALSE" specifies that an application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID.
@@ -267,7 +267,7 @@ A value is "TRUE" specifies that the hardware device ID will be provided for the
Value type is bool. Supported operations are Add, Get, and Replace.
-**Microsoft/UseNonceResync**
+**Microsoft/UseNonceResync**
Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is "FALSE".
If the authentication fails because the server nonce doesn't match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device didn't authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message.
@@ -276,17 +276,17 @@ The default value of "FALSE" specifies that the client doesn't try to authentica
Value type is bool. Supported operations are Add, Get, and Replace.
-**CRLCheck**
+**CRLCheck**
Optional. Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to true to enable SSL revocation.
Value type is bool. Supported operations are Add, Get, and Replace.
-**DisableOnRoaming**
+**DisableOnRoaming**
Optional. Determines whether the OMA DM client should be launched when roaming.
Value type is bool. Supported operations are Add, Get, and Replace.
-**SSLCLIENTCERTSEARCHCRITERIA**
+**SSLCLIENTCERTSEARCHCRITERIA**
Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it's ignored.
The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC.
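Review bot: **CRLCheck** and **DisableOnRoaming** do not state a default, unlike the other bool nodes in this file (BackCompatRetryDisabled, UseHWDevID, UseNonceResync), which all say the default is "FALSE". For CRLCheck in particular, the reader needs to know whether revocation checking is on or off when the node is absent, so add the default. Under SSLCLIENTCERTSEARCHCRITERIA, "If any other criteria are provided, it's ignored" should be "they're ignored".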
@@ -301,13 +301,13 @@ Stores specifies which certificate stores the DM client will search to find the
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following schema:
```xml
-
```
Value type is string. Supported operations are Add, Get, and Replace.
-**InitiateSession**
+**InitiateSession**
Optional. When this node is added, a session is started with the MDM server.
Supported operations are Add, and Replace.
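Review bot: after this change the xml fence that follows "use the following schema:" is empty, because the only line inside it was the whitespace line being removed. The Subject example the sentence promises is missing from the page, so either restore the example or remove the empty fence and the lead-in. Minor: "Supported operations are Add, and Replace." under **InitiateSession** has a stray comma.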
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md
index 4ba6320269..736d4b459c 100644
--- a/windows/client-management/mdm/dmacc-ddf-file.md
+++ b/windows/client-management/mdm/dmacc-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DMAcc DDF file
description: Learn about the OMA DM device description framework (DDF) for the DMAcc configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index dbaec53d02..a0caeb384a 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -1,7 +1,7 @@
---
title: DMClient CSP
description: Understand how the DMClient configuration service provider (CSP) is used to specify enterprise-specific mobile device management (MDM) configuration settings.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -93,36 +93,36 @@ DMClient
----UpdateManagementServiceAddress
```
-**./Vendor/MSFT**
+**./Vendor/MSFT**
All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
-**DMClient**
+**DMClient**
Root node for the CSP.
-**UpdateManagementServiceAddress**
+**UpdateManagementServiceAddress**
For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You can't add new servers to the list using this node.
-**HWDevID**
+**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
Supported operation is Get. Value type is string.
-**Provider**
+**Provider**
Required. The root node for all settings that belong to a single management server. Scope is permanent.
Supported operation is Get.
-**Provider/***ProviderID*
+**Provider/***ProviderID*
Required. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. This value is set and controlled by the MDM provider. As a best practice, use text that doesn’t require XML/URI escaping.
Supported operations are Get and Add.
-**Provider/*ProviderID*/EntDeviceName**
+**Provider/*ProviderID*/EntDeviceName**
Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
-**Provider/*ProviderID*/EntDMID**
+**Provider/*ProviderID*/EntDMID**
Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process using the DMClient CSP. You can retrieve it later during an OMA DM session.
Supported operations are Get and Add.
@@ -131,7 +131,7 @@ Supported operations are Get and Add.
> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSP’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
-**Provider/*ProviderID*/ExchangeID**
+**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
- A device that's managed by Exchange.
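Review bot: the context line "This node is required and must be set by the server before the client certificate renewal is triggered" contradicts the **EntDMID** description in the previous hunk, which opens with "Optional.". State the requirement once, for example "Optional in general, but must be set before certificate renewal is triggered", so an MDM implementer knows when omitting it causes a failure.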
@@ -155,17 +155,17 @@ The following XML is a Get command example:
```
-**Provider/*ProviderID*/SignedEntDMID**
+**Provider/*ProviderID*/SignedEntDMID**
Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the MDM provider to verify client identity to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally.
Supported operation is Get.
-**Provider/*ProviderID*/CertRenewTimeStamp**
+**Provider/*ProviderID*/CertRenewTimeStamp**
Optional. The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created.
Supported operation is Get.
-**Provider/*ProviderID*/ManagementServiceAddress**
+**Provider/*ProviderID*/ManagementServiceAddress**
Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server. It allows the server to load balance to another server when too many devices are connected to the server.
> [!NOTE]
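Review bot: under **SignedEntDMID**, "This node and the nodes **CertRenewTimeStamp** can be used" should be "This node and the **CertRenewTimeStamp** node". Separately, **CertRenewTimeStamp** says it is "designed to reduce the risk of the certificate being used by another device" but only says that the device records the creation time. Add a sentence on what the MDM provider is expected to compare that timestamp against, otherwise the stated protection is not actionable.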
@@ -179,27 +179,27 @@ During a DM session, the device will use the first address on the list and then
Supported operations are Add, Get, and Replace.
-**Provider/*ProviderID*/UPN**
+**Provider/*ProviderID*/UPN**
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user's email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
-**Provider/*ProviderID*/HelpPhoneNumber**
+**Provider/*ProviderID*/HelpPhoneNumber**
Optional. The character string that allows the user experience to include a customized help phone number. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
-**Provider/*ProviderID*/HelpWebsite**
+**Provider/*ProviderID*/HelpWebsite**
Optional. The character string that allows the user experience to include a customized help website. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete
-**Provider/*ProviderID*/HelpEmailAddress**
+**Provider/*ProviderID*/HelpEmailAddress**
Optional. The character string that allows the user experience to include a customized help email address. Users can see this information if they need help or support.
Supported operations are Get, Replace, and Delete.
-**Provider/*ProviderID*/RequireMessageSigning**
+**Provider/*ProviderID*/RequireMessageSigning**
Boolean type. Primarily used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included in the authenticated attributes in the signature.
Default value is false, where the device management client doesn't include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header.
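Review bot: the **RequireMessageSigning** sentence "BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2" does not say what role SHA-2 plays. If it is the digest over which the detached signature is computed, say so explicitly, since the verifier on the server side has to reproduce it. Also in this hunk, the **HelpWebsite** line "Supported operations are Get, Replace, and Delete" is missing its closing period, unlike its two siblings.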
@@ -212,7 +212,7 @@ When enabled, the MDM provider should:
Supported operations are Get, Replace, and Delete.
-**Provider/*ProviderID*/SyncApplicationVersion**
+**Provider/*ProviderID*/SyncApplicationVersion**
Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there's a client behavior change between 1.0 and 2.0.
> [!NOTE]
@@ -222,19 +222,19 @@ Once you set the value to 2.0, it won't go back to 1.0.
Supported operations are Get, Replace, and Delete.
-**Provider/*ProviderID*/MaxSyncApplicationVersion**
+**Provider/*ProviderID*/MaxSyncApplicationVersion**
Optional. Used by the client to indicate the latest DM session version that it supports. Default is 2.0.
When you query this node, a Windows 10 client will return 2.0 and a Windows 8.1 client will return an error code (404 node not found).
Supported operation is Get.
-**Provider/*ProviderID*/AADResourceID**
+**Provider/*ProviderID*/AADResourceID**
Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access.
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
-**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
+**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
When the server sends a configuration request, the client can take longer than the HTTP timeout to get all information together. The session might end unexpectedly because of the timeout. By default, the MDM client doesn't send an alert that a DM request is pending.
@@ -260,7 +260,7 @@ Here's an example of DM message sent by the device when it's in pending state:
2
- 1224
+ 1224
-
Reversed-Domain-Name:com.microsoft.mdm.requestpending
@@ -272,27 +272,27 @@ Here's an example of DM message sent by the device when it's in pending state:
```
-**Provider/*ProviderID*/AADDeviceID**
+**Provider/*ProviderID*/AADDeviceID**
Added in Windows 10, version 1607. Returns the device ID for the Azure AD device registration.
Supported operation is Get.
-**Provider/*ProviderID*/EnrollmentType**
+**Provider/*ProviderID*/EnrollmentType**
Added in Windows 10, version 1607. Returns the enrollment type (Device or Full).
Supported operation is Get.
-**Provider/*ProviderID*/HWDevID**
+**Provider/*ProviderID*/HWDevID**
Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
-**Provider/*ProviderID*/CommercialID**
+**Provider/*ProviderID*/CommercialID**
Added in Windows 10, version 1607. It configures the identifier that uniquely associates the device's diagnostic data belonging to the organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting is provided by Microsoft in the onboarding process for the program. If you disable or don't configure this policy setting, then Microsoft can't use this identifier to associate this machine and its diagnostic data with your organization.
Supported operations are Add, Get, Replace, and Delete.
-**Provider/*ProviderID*/ManagementServerAddressList**
+**Provider/*ProviderID*/ManagementServerAddressList**
Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, and so on. If there's only one, the angle brackets (<>) aren't required.
> [!NOTE]
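Review bot: **Provider/*ProviderID*/HWDevID** says "Added in Windows 10, version 1607", while the top-level **HWDevID** node earlier in this file says version 1703 with the same description. Confirm both versions or explain the difference. Under **ManagementServerAddressList**, the format is written with raw angle brackets ("<URL1><URL2><URL3>"), which Markdown renderers can treat as HTML tags and drop. Wrap the format string in backticks so the delimiters stay visible.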
@@ -320,25 +320,25 @@ Supported operations are Get and Replace.
Value type is string.
-**Provider/*ProviderID*/ManagementServerToUpgradeTo**
+**Provider/*ProviderID*/ManagementServerToUpgradeTo**
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
+**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
Optional. Number of days after last successful sync to unenroll.
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is integer.
-**Provider/*ProviderID*/AADSendDeviceToken**
+**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is bool.
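Review bot: **AADSendDeviceToken** ends with "Value type is bool.", but the text that follows it (visible at the start of the next hunk) says "The value type is integer/enum" and "The value is "1"". Only one of these can be right, and a server author needs to know which format to send. The description also opens with a bare "Device.", which looks like a leftover scope label; write it as "Scope is device" or remove it.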
@@ -347,7 +347,7 @@ The value type is integer/enum.
The value is "1" and it means client should always send Azure Active Directory device token during check-in/sync.
-**Provider/*ProviderID*/Poll**
+**Provider/*ProviderID*/Poll**
Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
Supported operations are Get and Add.
@@ -391,7 +391,7 @@ If there's no infinite schedule set, then a 24-hour schedule is created and sche
|NumberOfSecondRetries|0|0|
|IntervalForRemainingScheduledRetries|0|0|
|NumberOfRemainingScheduledRetries|0|0|
-
+
**Invalid poll schedule: two infinite schedules**
|Schedule name|Schedule set by server|Actual schedule set on device|Actual experience|
@@ -407,14 +407,14 @@ If the device was previously enrolled in MDM with polling schedule configured us
When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all three number of retry nodes to 0. It will cause a configuration failure.
-**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries**
+**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries**
Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfFirstRetries`. If IntervalForFirstSetOfRetries isn't set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously used the Registry CSP.
-**Provider/*ProviderID*/Poll/NumberOfFirstRetries**
+**Provider/*ProviderID*/Poll/NumberOfFirstRetries**
Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case. The default value is 10.
Supported operations are Get and Replace.
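Review bot: The NumberOfFirstRetries description (unchanged context under the touched heading) does not parse: "the schedule will be set to repeat an infinite number of times and second set and this set of schedule won't set in this case". A reader cannot tell which schedules end up disabled when the first set is infinite. Since this pass already edits the line directly above it, reword the sentence to state the outcome explicitly, the way NumberOfSecondRetries does with "then this schedule is disabled".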
@@ -423,14 +423,14 @@ The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enro
The first set of retries gives the management server some buffered time to be ready to send policy and setting configurations to the device. The total time for first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. RemainingScheduledRetries is used for the long run device polling schedule.
-**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries**
+**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries**
Optional. The waiting time (in minutes) for the second set of retries, which is the number of retries in `//Poll/NumberOfSecondRetries`. Default value is 0. If this value is set to zero, then this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously used the Registry CSP.
-**Provider/*ProviderID*/Poll/NumberOfSecondRetries**
+**Provider/*ProviderID*/Poll/NumberOfSecondRetries**
Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled.
Supported operations are Get and Replace.
@@ -439,28 +439,28 @@ The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enr
The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule.
-**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries**
+**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries**
Optional. The waiting time (in minutes) for the initial set of retries, which is the number of retries in `//Poll/NumberOfRemainingScheduledRetries`. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled.
Supported operations are Get and Replace.
The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously used the Registry CSP.
-**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries**
+**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries**
Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled.
Supported operations are Get and Replace.
The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously used the Registry CSP.
-The RemainingScheduledRetries is used for the long run device polling schedule.
+The RemainingScheduledRetries is used for the long run device polling schedule.
-**Provider/*ProviderID*/Poll/PollOnLogin**
+**Provider/*ProviderID*/Poll/PollOnLogin**
Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, even if the user has previously logged in. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
-**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin**
+**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin**
Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system. Later sign-ins won't trigger an MDM session. Login isn't the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false.
Supported operations are Add, Get, and Replace.
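Review bot: IntervalForRemainingScheduledRetries is described as the waiting time "for the initial set of retries", which is the same wording used for IntervalForFirstSetOfRetries and reads as a copy-paste; it should name the remaining scheduled retries. In the same hunk, the NumberOfRemainingScheduledRetries condition "If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries" is missing its predicate for the interval (the sibling nodes say "isn't set to 0"). PollOnLogin also says "Default value is false, where polling is disabled on first login", which repeats the AllUsersPollOnFirstLogin text even though PollOnLogin applies to any login. None of these are touched by the whitespace change, but they sit on lines next to the edited headings and are worth fixing in the same pass.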
@@ -512,31 +512,31 @@ The supported values for this node are 1-true (allow) and 0-false(not allow). De
This node tracks the status of a Recovery request from the InitiateRecovery node. The values are as follows:
-0 - No Recovery request has been processed.
-1 - Recovery is in Process.
-2 - Recovery has finished successfully.
-3 - Recovery has failed to start because TPM is not available.
-4 - Recovery has failed to start because Azure Active Directory keys are not protected by the TPM.
-5 - Recovery has failed to start because the MDM keys are already protected by the TPM.
-6 - Recovery has failed to start because the TPM is not ready for attestation.
-7 - Recovery has failed because the client cannot authenticate to the server.
+0 - No Recovery request has been processed.
+1 - Recovery is in Process.
+2 - Recovery has finished successfully.
+3 - Recovery has failed to start because TPM is not available.
+4 - Recovery has failed to start because Azure Active Directory keys are not protected by the TPM.
+5 - Recovery has failed to start because the MDM keys are already protected by the TPM.
+6 - Recovery has failed to start because the TPM is not ready for attestation.
+7 - Recovery has failed because the client cannot authenticate to the server.
8 - Recovery has failed because the server has rejected the client's request.
Supported operation is Get only.
**Provider/*ProviderID*/Recovery/InitiateRecovery**
-This node initiates an MDM Recovery operation on the client.
+This node initiates an MDM Recovery operation on the client.
If initiated with argument 0, it triggers MDM Recovery, no matter the state of the device.
-If initiated with argument 1, it triggers only if the MDM certificate’s private key isn’t already protected by the TPM, if there is a TPM to put the private key into, and if the TPM is ready for attestation.
+If initiated with argument 1, it triggers only if the MDM certificate’s private key isn’t already protected by the TPM, if there is a TPM to put the private key into, and if the TPM is ready for attestation.
Supported operation is Exec only.
**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionForBackgroundSync**
-Optional. This node specifies maximum number of concurrent user sync sessions in background.
+Optional. This node specifies maximum number of concurrent user sync sessions in background.
The default value is dynamically decided by the client based on CPU usage.
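Review bot: The status lines for values 0 to 7 change only in trailing whitespace, and nothing else separates them: there are no list markers and no blank lines between them. If the whitespace being removed was the two-space Markdown hard break, these values will render as one run-on paragraph after this change. Convert them to a bulleted list, or to a table like the Push/Status error mapping later in this file, so the layout no longer depends on invisible characters. The same concern applies to the InitiateRecovery lines, where the sentences for argument 0 and argument 1 would merge with the line above.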
@@ -548,18 +548,18 @@ Value type is integer. Only applicable for Windows Enterprise multi-session.
**Provider/*ProviderID*/MultipleSession/NumAllowedConcurrentUserSessionAtUserLogonSync**
-Optional. This node specifies maximum number of concurrent user sync sessions at User Login.
+Optional. This node specifies maximum number of concurrent user sync sessions at User Login.
The default value is dynamically decided by the client based on CPU usage.
The values are : 0= none, 1= sequential, anything else= parallel.
-Supported operations are Get, Add, Replace and Delete.
+Supported operations are Get, Add, Replace and Delete.
-Value type is integer. Only applicable for Windows Enterprise multi-session.
+Value type is integer. Only applicable for Windows Enterprise multi-session.
**Provider/*ProviderID*/MultipleSession/IntervalForScheduledRetriesForUserSession**
-Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `//Poll/NumberOfScheduledRetriesForUserSession`.
+Optional. This node specifies the waiting time (in minutes) for the initial set of retries as specified by the number of retries in `//Poll/NumberOfScheduledRetriesForUserSession`.
If IntervalForScheduledRetriesForUserSession is not set, then the default value is used. The default value is 0. If the value is set to 0, this schedule is disabled.
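Review bot: IntervalForScheduledRetriesForUserSession is defined under MultipleSession, but its description points the reader to `//Poll/NumberOfScheduledRetriesForUserSession`. The node of that name is documented under Provider/*ProviderID*/MultipleSession, so the reference should use the MultipleSession path. While editing these lines, "The values are : 0= none, 1= sequential, anything else= parallel." would also benefit from consistent spacing around the colon and equals signs.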
@@ -568,9 +568,9 @@ This configuration is only applicable for Windows Multi-session Editions.
Supported operations are Get and Replace.
**Provider/*ProviderID*/MultipleSession/NumberOfScheduledRetriesForUserSession**
-Optional. This node specifies the number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server.
+Optional. This node specifies the number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server.
-If the value is set to 0 and the IntervalForScheduledRetriesForUserSession value is not 0, then the schedule will be set to repeat an infinite number of times.
+If the value is set to 0 and the IntervalForScheduledRetriesForUserSession value is not 0, then the schedule will be set to repeat an infinite number of times.
The default value is 0. This configuration is only applicable for Windows Multi-session Editions.
@@ -603,22 +603,22 @@ The supported values for this node are false or true.
Supported operation is Get only.
-**Provider/*ProviderID*/Push**
+**Provider/*ProviderID*/Push**
Optional. Not configurable during WAP Provisioning XML. If removed, DM sessions triggered by Push will no longer be supported.
Supported operations are Add and Delete.
-**Provider/*ProviderID*/Push/PFN**
+**Provider/*ProviderID*/Push/PFN**
Required. A string provided by the Windows 10 ecosystem for an MDM solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it's managing.
Supported operations are Add, Get, and Replace.
-**Provider/*ProviderID*/Push/ChannelURI**
+**Provider/*ProviderID*/Push/ChannelURI**
Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null.
Supported operation is Get.
-**Provider/*ProviderID*/Push/Status**
+**Provider/*ProviderID*/Push/Status**
Required. An integer that maps to a known error state or condition on the system.
Supported operation is Get.
@@ -637,188 +637,188 @@ The status error mapping is listed below.
|7|Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.|
|8|Unknown error|
-**Provider/*ProviderID*/CustomEnrollmentCompletePage**
+**Provider/*ProviderID*/CustomEnrollmentCompletePage**
Optional. Added in Windows 10, version 1703.
Supported operations are Add, Delete, and Get.
-**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title**
+**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title**
Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText**
+**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText**
Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
+**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
+**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/FirstSyncStatus**
+**Provider/*ProviderID*/FirstSyncStatus**
Optional node. Added in Windows 10, version 1709.
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
-Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
+Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
``` syntax
-./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000"
+./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName/Name;4"\xF000"
./Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/PackageFullName2/Name;2
```
This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
+**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
-Supported operations are Add, Delete, Get, and Replace.
+Supported operations are Add, Delete, Get, and Replace.
Value type is string.
-**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure**
-Required. Added in Windows 10, version 1709. This node determines how long we'll poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
+**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure**
+Required. Added in Windows 10, version 1709. This node determines how long we'll poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
Value type is integer.
-**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
+**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
Value type is boolean.
-**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
+**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
Value type is boolean.
-**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
+**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
Value type is integer.
-**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
+**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
Value type is integer.
-**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
-Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
+**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
+Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
Value type is bool.
-**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
-Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
+**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
+Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
Value type is string.
-**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
+**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
Value type is bool.
-**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
+**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
Value type is bool.
-**Provider/*ProviderID*/EnhancedAppLayerSecurity**
+**Provider/*ProviderID*/EnhancedAppLayerSecurity**
Required node. Added in Windows 10, version 1709.
Supported operation is Get.
-**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
+**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
-Supported operations are Add, Get, Replace, and Delete.
+Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
-**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
+**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
-Supported operations are Add, Get, Replace, and Delete.
+Supported operations are Add, Get, Replace, and Delete.
Value type is boolean.
-**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0**
+**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0**
Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use.
-Supported operations are Add, Get, Replace, and Delete.
+Supported operations are Add, Get, Replace, and Delete.
Value type is string.
-**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1**
+**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1**
Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use.
-Supported operations are Add, Get, Replace, and Delete.
+Supported operations are Add, Get, Replace, and Delete.
Value type is string.
-**Provider/*ProviderID*/Unenroll**
+**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `
- ` element. Scope is permanent.
Supported operations are Get and Exec.
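Review bot: UseCertIfRevocationCheckOffline states "The default value is set." For a boolean that decides whether the client keeps using a certificate when it cannot check revocation status, the default should be written as an explicit true or false, as PollOnLogin and AllUsersPollOnFirstLogin do with "Default value is false". As written, an administrator cannot tell from the text whether the out-of-box behaviour accepts or rejects the certificate when the device is offline. Separately, ServerHasFinishedProvisioning and IsSyncDone open quotations with a curly quote and close them with a straight one (“change its mind" and “First Syncs"); pick one style.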
@@ -837,7 +837,7 @@ The following SyncML shows how to remotely unenroll the device. This command sho
chr
- TestMDMServer
+ TestMDMServer
diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md
index 2f7ca1fb7e..d93bf2ebc2 100644
--- a/windows/client-management/mdm/dmclient-ddf-file.md
+++ b/windows/client-management/mdm/dmclient-ddf-file.md
@@ -1,7 +1,7 @@
---
title: DMClient DDF file
description: Learn about the OMA DM device description framework (DDF) for the DMClient configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md
index e9c3080fba..fec5b71962 100644
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -24,7 +24,7 @@ The table below shows the applicability of Windows:
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-The DMSessionActions configuration service provider (CSP) is used to manage:
+The DMSessionActions configuration service provider (CSP) is used to manage:
- the number of sessions the client skips if the device is in a low-power state.
- which CSP nodes should send an alert back to the server if there were any changes.
@@ -73,55 +73,55 @@ DMSessionActions
------------MaxTimeSessionsSkippedInLowPowerState
```
-**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
+**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
Defines the root node for the DMSessionActions configuration service provider.
-***ProviderID***
-Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
+***ProviderID***
+Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
Scope is dynamic. Supported operations are Get, Add, and Delete.
-***ProviderID*/CheckinAlertConfiguration**
+***ProviderID*/CheckinAlertConfiguration**
Node for the custom configuration of alerts to be sent during MDM sync session.
-***ProviderID*/CheckinAlertConfiguration/Nodes**
+***ProviderID*/CheckinAlertConfiguration/Nodes**
Required. Root node for URIs to be queried. Scope is dynamic.
Supported operation is Get.
-***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID***
+***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID***
Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
Supported operations are Get, Add, and Delete.
-***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI**
+***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI**
Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
-Value type is string.
+Value type is string.
Supported operations are Add, Get, Replace, and Delete.
-**AlertData**
+**AlertData**
Node to query the custom alert per server configuration
-Value type is string.
+Value type is string.
Supported operation is Get.
-**PowerSettings**
+**PowerSettings**
Node for power-related configurations.
-**PowerSettings/MaxSkippedSessionsInLowPowerState**
+**PowerSettings/MaxSkippedSessionsInLowPowerState**
Maximum number of continuous skipped sync sessions when the device is in low-power state.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
-**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**
+**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**
Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
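Review bot: The ProviderID description ends with "there should be only one ProviderID node under NodeCache", but this file documents the DMSessionActions CSP and the root node defined just above is ./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions. The NodeCache reference looks carried over from another CSP page; since this line is already being rewritten, change it to name DMSessionActions. The AlertData description ("Node to query the custom alert per server configuration") is also missing its closing period.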
diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md
index fcb5cb106e..4592a7b5ad 100644
--- a/windows/client-management/mdm/dmsessionactions-ddf.md
+++ b/windows/client-management/mdm/dmsessionactions-ddf.md
@@ -7,14 +7,14 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# DMSessionActions DDF file
-This topic shows the OMA DM device description framework (DDF) for the **DMSessionActions** configuration service provider.
+This topic shows the OMA DM device description framework (DDF) for the **DMSessionActions** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index 3e4e54c181..0896f7553f 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.collection: highpri
---
@@ -25,7 +25,7 @@ The table below shows the applicability of Windows:
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time. Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
+Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time. Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
This CSP was added in Windows 10, version 1703.
@@ -45,13 +45,13 @@ DynamicManagement
----AlertsEnabled
```
-**DynamicManagement**
+**DynamicManagement**
The root node for the DynamicManagement configuration service provider.
-**NotificationsEnabled**
+**NotificationsEnabled**
Boolean value for sending notification to the user of a context change.
-Default value is False.
+Default value is False.
Supported operations are Get and Replace.
@@ -68,62 +68,62 @@ Example to turn on NotificationsEnabled:
text/plain
bool
- true
+ true
```
-**ActiveList**
+**ActiveList**
A string containing the list of all active ContextIDs on the device. Delimiter is unicode character 0xF000.
-Supported operation is Get.
+Supported operation is Get.
-**Contexts**
+**Contexts**
Node for context information.
Supported operation is Get.
-***ContextID***
+***ContextID***
Node created by the server to define a context. Maximum number of characters allowed is 38.
Supported operations are Add, Get, and Delete.
-**SignalDefinition**
+**SignalDefinition**
Signal Definition XML.
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
-**SettingsPack**
+**SettingsPack**
Settings that get applied when the Context is active.
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
-**SettingsPackResponse**
+**SettingsPackResponse**
Response from applying a Settings Pack that contains information on each individual action.
Value type is string.
Supported operation is Get.
-**ContextStatus**
+**ContextStatus**
Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly is failed.
-Value type is integer.
+Value type is integer.
Supported operation is Get.
-**Altitude**
+**Altitude**
A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Delete, and Replace.
-**AlertsEnabled**
+**AlertsEnabled**
A Boolean value for sending an alert to the server when a context fails.
Supported operations are Get and Replace.
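Review bot: the **ContextStatus** entry in this hunk gives "Value type is integer" but never says which integers mean success or failure, so a server reading the node cannot tell when to consult SettingsPackResponse. Since these lines are being touched anyway, list the status values and their meanings. The wording could be tidied in the same pass: "what exactly is failed" reads better as "what exactly failed", and under **Altitude** "must be distinct of other priorities" as "must be distinct from the Altitude of every other context".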
@@ -158,12 +158,12 @@ Disable Cortana based on Geo location and time, from 9am-5pm, when in the 100-me
-
+
-
+
-
+
@@ -211,14 +211,14 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew
chr
-
+
-
- 192.168.0.1
-
+
+ 192.168.0.1
+
-
+
diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md
index 0e2a6dd191..440e67082c 100644
--- a/windows/client-management/mdm/dynamicmanagement-ddf.md
+++ b/windows/client-management/mdm/dynamicmanagement-ddf.md
@@ -1,7 +1,7 @@
---
title: DynamicManagement DDF file
description: Learn about the OMA DM device description framework (DDF) for the DynamicManagement configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -13,7 +13,7 @@ ms.date: 12/05/2017
# DynamicManagement DDF file
-This topic shows the OMA DM device description framework (DDF) for the **DynamicManagement** configuration service provider.
+This topic shows the OMA DM device description framework (DDF) for the **DynamicManagement** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 1298e152d0..2182f4d282 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -1,7 +1,7 @@
---
title: EAP configuration
description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -140,7 +140,7 @@ The following list describes the prerequisites for a certificate to be used with
- Client Authentication: As defined by RFC 5280, this property is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
- Any Purpose: This property is an EKU-defined one and is published by Microsoft. It is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that other non-critical or custom EKUs can still be added to the certificate for effective filtering.
- All Purpose: As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but doesn't want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
-
+
- The user or the computer certificate on the client must chain to a trusted root CA.
- The user or the computer certificate doesn't fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
- The user or the computer certificate doesn't fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
@@ -162,15 +162,15 @@ The following XML sample explains the properties for the EAP TLS XML, including
0
0
-
+
-
+
13
-
+
true
@@ -193,7 +193,7 @@ The following XML sample explains the properties for the EAP TLS XML, including
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
-
+
@@ -201,15 +201,15 @@ The following XML sample explains the properties for the EAP TLS XML, including
- ContostoITEKU
+ ContostoITEKU
- 1.3.6.1.4.1.311.42.1.15
+ 1.3.6.1.4.1.311.42.1.15
- ContostoITEKU
+ ContostoITEKU
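Review bot: `ContostoITEKU` on the re-added lines looks like a misspelling of `ContosoITEKU`, and this hunk carries it over unchanged in both places. If the name is meant to follow the usual Contoso sample naming, correct it here. Whichever spelling is kept, the two occurrences must stay identical, because the sample uses the name to tie the EKU definition to the filter that references it.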
@@ -231,16 +231,16 @@ The following XML sample explains the properties for the EAP TLS XML, including
true
-
+
-
+
-
diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md
index a88665101f..c2b3a3d165 100644
--- a/windows/client-management/mdm/email2-csp.md
+++ b/windows/client-management/mdm/email2-csp.md
@@ -1,7 +1,7 @@
---
title: EMAIL2 CSP
description: Learn how the EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -78,12 +78,12 @@ Configuration data isn't encrypted when sent over the air (OTA). This is a poten
> [!IMPORTANT]
> All Add and Replace commands need to be wrapped in an Atomic section.
-**EMAIL2**
+**EMAIL2**
The configuration service provider root node.
Supported operation is Get.
-***GUID***
+***GUID***
Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. Provisioning with an account that has the same GUID as an existing one doesn't create the new account and Add command will fail in this case.
Supported operations are Get, Add, and Delete.
@@ -93,14 +93,14 @@ The braces {} around the GUID are required in the EMAIL2 configuration service p
- For OMA Client Provisioning, the braces can be sent literally. For example, ``
- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D`
-**ACCOUNTICON**
+**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
Supported operations are Get, Add, Replace, and Delete.
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added.
-**ACCOUNTTYPE**
+**ACCOUNTTYPE**
Required. Specifies the type of account.
Supported operations are Get, Add, Replace, and Delete.
@@ -110,12 +110,12 @@ Valid values are:
- Email: Normal email
- VVM: Visual voice mail
-**AUTHNAME**
+**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
Supported operations are Get, Add, Replace, and Delete.
-**AUTHREQUIRED**
+**AUTHREQUIRED**
Optional. Character string that specifies whether the outgoing server requires authentication.
Supported operations are Get, Add, Replace, and Delete.
@@ -128,17 +128,17 @@ Value options are:
> [!NOTE]
> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
-**AUTHSECRET**
+**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
Supported operations are Get, Add, Replace, and Delete.
-**DOMAIN**
+**DOMAIN**
Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters.
Supported operations are Get, Add, Replace, and Delete.
-**DWNDAY**
+**DWNDAY**
Optional. Character string that specifies how many days' worth of email should be downloaded from the server.
Supported operations are Get, Add, Replace, and Delete.
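Review bot: **AUTHSECRET** holds the user's password and lists Get among its supported operations, but the entry doesn't say what a Get returns. State whether the stored password comes back in clear text or as a masked or empty value. This matters because an earlier section of the same file already warns that configuration data isn't encrypted when sent over the air.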
@@ -150,14 +150,14 @@ Value options:
- 14: Specifies that 14 days’ worth of email should be downloaded.
- 30: Specifies that 30 days’ worth of email should be downloaded.
-**INSERVER**
+**INSERVER**
Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
- server name:port number
Supported operations are Get, Add, and Replace.
-**LINGER**
+**LINGER**
Optional. Character string that specifies the length of time between email send/receive updates in minutes.
Supported operations are Get, Add, Replace, and Delete.
@@ -170,7 +170,7 @@ Value options:
- 60 - Wait for 60 minutes between updates
- 120 - Wait for 120 minutes between updates.
-**KEEPMAX**
+**KEEPMAX**
Optional. Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts.
The limit is specified in KB.
@@ -181,24 +181,24 @@ A value of 0 meaning that no limit will be enforced.
Supported operations are Get, Add, Replace, and Delete.
-**NAME**
+**NAME**
Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the user’s name. Limited to 255 characters.
Supported operations are Get, Add, Replace, and Delete.
-**OUTSERVER**
+**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
- server name:port number
Supported operations are Get, Add, Delete, and Replace.
-**REPLYADDR**
+**REPLYADDR**
Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters.
Supported operations are Get, Add, Delete, and Replace.
-**SERVICENAME**
+**SERVICENAME**
Required. Character string that specifies the name of the email service to create or edit (32 characters maximum).
Supported operations are Get, Add, Replace, and Delete.
@@ -206,21 +206,21 @@ Supported operations are Get, Add, Replace, and Delete.
> [!NOTE]
> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
-**SERVICETYPE**
+**SERVICETYPE**
Required. Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3").
Supported operations are Get, Add, Replace, and Delete.
> **Note** The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
-**RETRIEVE**
+**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
Value options are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
-**SERVERDELETEACTION**
+**SERVERDELETEACTION**
Optional. Character string that specifies how message is deleted on server. Value options are:
- 1 - Delete message on the server.
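Review bot: the **SERVICETYPE** entry says "Supported operations are Get, Add, Replace, and Delete" and the note directly beneath it says the CSP doesn't support the OMA DM Replace command on SERVICENAME and SERVICETYPE. One of the two statements has to change, and the same applies to the SERVICENAME entry just above. The same note text also appears twice in this hunk, once as `> [!NOTE]` and once as `> **Note**`. Keep a single copy in the `[!NOTE]` form used elsewhere in the file.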
@@ -230,12 +230,12 @@ Any other value results in default action, which depends on the transport.
Supported operations are Get, Add, Replace, and Delete.
-**CELLULARONLY**
+**CELLULARONLY**
Optional. If this flag is set, the account only uses the cellular network and not Wi-Fi.
Value type is string. Supported operations are Get, Add, Replace, and Delete.
-**SYNCINGCONTENTTYPES**
+**SYNCINGCONTENTTYPES**
Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar.
- No data (0x0)
@@ -254,64 +254,64 @@ Required. Specifies a bitmask for which content types are supported for syncing,
Supported operations are Get, Add, Replace, and Delete.
-**CONTACTSSERVER**
+**CONTACTSSERVER**
Optional. Server for contact sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
-**CALENDARSERVER**
+**CALENDARSERVER**
Optional. Server for calendar sync if it's different from the email server.
Supported operations are Get, Add, Replace, and Delete.
-**CONTACTSSERVERREQUIRESSL**
+**CONTACTSSERVERREQUIRESSL**
Optional. Indicates if the connection to the contact server requires SSL.
Supported operations are Get, Add, Replace, and Delete.
-**CALENDARSERVERREQUIRESSL**
+**CALENDARSERVERREQUIRESSL**
Optional. Indicates if the connection to the calendar server requires SSL.
Supported operations are Get, Add, Replace, and Delete.
-**CONTACTSSYNCSCHEDULE**
+**CONTACTSSYNCSCHEDULE**
Optional. Sets the schedule for syncing contact items.
Supported operations are Get, Add, Replace, and Delete.
-**CALENDARSYNCSCHEDULE**
+**CALENDARSYNCSCHEDULE**
Optional. Sets the schedule for syncing calendar items.
Supported operations are Get, Add, Replace, and Delete.
-**SMTPALTAUTHNAME**
+**SMTPALTAUTHNAME**
Optional. Character string that specifies the display name associated with the user's alternative SMTP email account.
Supported operations are Get, Add, Replace, and Delete.
-**SMTPALTDOMAIN**
+**SMTPALTDOMAIN**
Optional. Character string that specifies the domain name for the user's alternative SMTP account.
Supported operations are Get, Add, Replace, and Delete.
-**SMTPALTENABLED**
+**SMTPALTENABLED**
Optional. Character string that specifies if the user's alternate SMTP account is enabled.
Supported operations are Get, Add, Replace, and Delete.
A value of "FALSE" means the user's alternate SMTP email account is disabled. A value of "TRUE" means that the user's alternate SMTP email account is enabled.
-**SMTPALTPASSWORD**
+**SMTPALTPASSWORD**
Optional. Character string that specifies the password for the user's alternate SMTP account.
Supported operations are Get, Add, Replace, and Delete.
-**TAGPROPS**
+**TAGPROPS**
Optional. Defines a group of properties with non-standard element names.
Supported operations are Get, Add, Replace, and Delete.
-**TAGPROPS/8128000B**
+**TAGPROPS/8128000B**
Optional. Character string that specifies if the incoming email server requires SSL.
Supported operations are Get, Add, Replace, and Delete.
@@ -321,7 +321,7 @@ Value options are:
- 0 - SSL isn't required.
- 1 - SSL is required.
-**TAGPROPS/812C000B**
+**TAGPROPS/812C000B**
Optional. Character string that specifies if the outgoing email server requires SSL.
Supported operations are Get and Replace.
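Review bot: **TAGPROPS/812C000B** lists "Get and Replace" while its sibling **TAGPROPS/8128000B** lists "Get, Add, Replace, and Delete". If the outgoing-server SSL flag can't be added, an account can't be provisioned with it set in the same Add transaction, which seems unintended. Confirm against the DDF and align the two entries, or explain the difference.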
diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md
index ec7d604849..195a369eec 100644
--- a/windows/client-management/mdm/email2-ddf-file.md
+++ b/windows/client-management/mdm/email2-ddf-file.md
@@ -1,7 +1,7 @@
---
title: EMAIL2 DDF file
description: Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
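Review bot: the `description:` front-matter line in this hunk is not a complete sentence ("Learn how the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP)."). While the metadata block is being edited, reword it, for example "Learn about the OMA DM device description framework (DDF) for the EMAIL2 configuration service provider (CSP)", which matches the DynamicManagement DDF page.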
@@ -814,7 +814,7 @@ The XML below is the current version for this CSP.
- Specify whether incoming server requires SSL connection.
+ Specify whether incoming server requires SSL connection.
1- Require SSL connection
0- Doesn't require SSL connection (default)
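Review bot: this DDF description is the only place that states the default for the incoming-server SSL flag ("0- Doesn't require SSL connection (default)"). The TAGPROPS/8128000B entry in email2-csp.md lists the 0 and 1 options without saying which is the default. Mention the default on the CSP page too, so an administrator reading only that page knows SSL is off unless the node is set to 1. The value labels would also read better as "1 - " and "0 - ", matching the list style in the CSP page.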
@@ -840,7 +840,7 @@ The XML below is the current version for this CSP.
- Specify whether outgoing server requires SSL connection.
+ Specify whether outgoing server requires SSL connection.
1- Require SSL connection
0- Doesn't require SSL connection (default)
diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md
index 3ad33fa688..f7b7555ddd 100644
--- a/windows/client-management/mdm/enrollmentstatustracking-csp.md
+++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md
@@ -70,35 +70,35 @@ EnrollmentStatusTracking
--------HasProvisioningCompleted
```
-**./Vendor/MSFT**
+**./Vendor/MSFT**
For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path.
-**EnrollmentStatusTracking**
-Required. Root node for the CSP. This node is supported in both user context and device context.
+**EnrollmentStatusTracking**
+Required. Root node for the CSP. This node is supported in both user context and device context.
Provides the settings to communicate what policies the ESP must block on. Using these settings, policy providers register themselves and the set of policies that must be tracked. The ESP includes the counts of these policy settings in the status message that is displayed to the user. It also blocks ESP until all the policies are provisioned. The policy provider is expected to drive the status updates by updating the appropriate node values, which are then reflected in the ESP status message.
Scope is permanent. Supported operation is Get.
-**EnrollmentStatusTracking/DevicePreparation**
-Required. This node is supported only in device context.
+**EnrollmentStatusTracking/DevicePreparation**
+Required. This node is supported only in device context.
Specifies the settings that ESP reads during the device preparation phase. These settings are used to orchestrate any setup activities prior to provisioning the device in the device setup phase of the ESP.
Scope is permanent. Supported operation is Get.
-**EnrollmentStatusTracking/DevicePreparation/PolicyProviders**
-Required. This node is supported only in device context.
+**EnrollmentStatusTracking/DevicePreparation/PolicyProviders**
+Required. This node is supported only in device context.
Indicates to the ESP that it should wait in the device preparation phase until all the policy providers have their InstallationState node set as 2 (NotRequired) or 3 (Completed).
Scope is permanent. Supported operation is Get.
-**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/_ProviderName_**
-Optional. This node is supported only in device context.
+**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/_ProviderName_**
+Optional. This node is supported only in device context.
Represents a policy provider for the ESP. The node should be given a unique name for the policy provider. Registration of a policy provider indicates to ESP that it should block in the device preparation phase until the provider sets its InstallationState node to 2 (NotRequired) or 3 (Completed). Once all the registered policy providers are marked as Completed or NotRequired, the ESP progresses to the device setup phase.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
-**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/InstallationState**
-Required. This node is supported only in device context.
+**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/InstallationState**
+Required. This node is supported only in device context.
Communicates the policy provider installation state back to ESP.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
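Review bot: at every node heading that is followed directly by its description (for example `**EnrollmentStatusTracking**` and then `Required. Root node for the CSP.`), check the rendered output before merging. The removed and added lines read identically, so the change appears to be whitespace only, and two trailing spaces are a Markdown hard line break. If that is what is being stripped, the node path and the "Required." or "Optional." line will render as one run-on line. Either keep the break or put a blank line after each heading. Separately, the placeholder is written `_ProviderName_` in one heading and `*ProviderName*` in the next. Pick one form.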
@@ -110,30 +110,30 @@ Value type is integer. Expected values are as follows:
- 3—Completed
- 4—Error
-**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/LastError**
-Required. This node is supported only in device context.
+**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/LastError**
+Required. This node is supported only in device context.
Represents the last error code during the application installation process. If a policy provider fails to install, it can optionally set an HRESULT error code that the ESP can display in an error message to the user. ESP reads this node only when the provider's InstallationState node is set to 4 (Error). This node must be set only by the policy provider, and not by the MDM server.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer.
-**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/Timeout**
-Optional. This node is supported only in device context.
+**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/Timeout**
+Optional. This node is supported only in device context.
Represents the amount of time, in minutes, that the provider installation process can run before the ESP shows an error. Provider installation is complete when the InstallationState node is set to 2 (NotRequired) or 3 (Completed). If no timeout value is specified, ESP selects the default timeout value of 15 minutes.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
Value type is integer. The default is 15 minutes.
-**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes**
-Required. This node is supported only in device context.
+**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes**
+Required. This node is supported only in device context.
This node's children register which resource types the policy provider supports for provisioning. Only registered providers for a particular resource type will have their policies incorporated with ESP tracking message.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
-**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes/Apps**
-Required. This node is supported only in device context.
+**EnrollmentStatusTracking/DevicePreparation/PolicyProviders/*ProviderName*/TrackedResourceTypes/Apps**
+Required. This node is supported only in device context.
This node specifies if the policy provider is registered for app provisioning.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@@ -143,32 +143,32 @@ Value type is boolean. Expected values are as follows:
- false—Indicates that the policy provider isn't registered for app provisioning. This is the default.
- true—Indicates that the policy provider is registered for app provisioning.
-**EnrollmentStatusTracking/Setup**
-Required. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup**
+Required. This node is supported in both user context and device context.
Provides the settings that ESP reads during the account setup phase in the user context and device setup phase in the device context. Policy providers use this node to communicate progress status back to the ESP, which is then displayed to the user through progress messages.
Scope is permanent. Supported operation is Get.
-**EnrollmentStatusTracking/Setup/Apps**
-Required. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/Apps**
+Required. This node is supported in both user context and device context.
Provides the settings to communicate to the ESP which app installations it should block on and provide progress in the status message to the user.
Scope is permanent. Supported operation is Get.
-**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**
-Required. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**
+Required. This node is supported in both user context and device context.
Specifies the app policy providers for this CSP. These are the policy providers the ESP should wait on before showing the tracking message with the status to the user.
Scope is permanent. Supported operation is Get.
-**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName***
-Optional. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName***
+Optional. This node is supported in both user context and device context.
Represents an app policy provider for the ESP. Existence of this node indicates to the ESP that it shouldn't show the tracking status message until the TrackingPoliciesCreated node has been set to true.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
-**EnrollmentStatusTracking/Setup/Apps/PolicyProviders/*ProviderName*/TrackingPoliciesCreated**
-Required. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/Apps/PolicyProviders/*ProviderName*/TrackingPoliciesCreated**
+Required. This node is supported in both user context and device context.
Indicates if the provider has created the required policies for the ESP to use for tracking app installation progress. The policy provider itself is expected to set the value of this node, not the MDM server.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
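Review bot: the heading `**EnrollmentStatusTracking/Setup/Apps/PolicyProviders**/***ProviderName***` closes the bold run before the slash and then reopens it, unlike the other headings in this file, which keep the whole path in one bold span with the placeholder in italics (`**.../PolicyProviders/*ProviderName*/TrackingPoliciesCreated**`). Since the line is already being re-added, normalise it to `**EnrollmentStatusTracking/Setup/Apps/PolicyProviders/*ProviderName***` so the path renders uniformly.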
@@ -178,26 +178,26 @@ Value type is boolean. The expected values are as follows:
- true—Indicates that the provider has created the required policies.
- false—Indicates that the provider hasn't created the required policies. This is the default.
-**EnrollmentStatusTracking/Setup/Apps/Tracking**
-Required. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/Apps/Tracking**
+Required. This node is supported in both user context and device context.
Root node for the app installations being tracked by the ESP.
Scope is permanent. Supported operation is Get.
-**EnrollmentStatusTracking/Setup/Apps/Tracking/_ProviderName_**
-Optional. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/Apps/Tracking/_ProviderName_**
+Optional. This node is supported in both user context and device context.
Indicates the provider name responsible for installing the apps and providing status back to ESP.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
-**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_**
-Optional. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/_AppName_**
+Optional. This node is supported in both user context and device context.
Represents a unique name for the app whose progress should be tracked by the ESP. The policy provider can define any arbitrary app name as ESP doesn't use the app name directly.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
-**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/InstallationState**
-Optional. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/InstallationState**
+Optional. This node is supported in both user context and device context.
Represents the installation state for the app. The policy providers (not the MDM server) must update this node for the ESP to track the installation progress and update the status message.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@@ -209,8 +209,8 @@ Value type is integer. Expected values are as follows:
- 3—Completed
- 4—Error
-**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired**
-Optional. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/Apps/Tracking/*ProviderName*/*AppName*/RebootRequired**
+Optional. This node is supported in both user context and device context.
Indicates if the app installation requires ESP to issue a reboot. The policy providers installing the app (not the MDM server) must set this node. If the policy providers don't set this node, the ESP won't reboot the device for the app installation.
Scope is dynamic. Supported operations are Get, Add, Delete, and Replace.
@@ -221,8 +221,8 @@ Value type is integer. Expected values are as follows:
- 2—SoftReboot
- 3—HardReboot
-**EnrollmentStatusTracking/Setup/HasProvisioningCompleted**
-Required. This node is supported in both user context and device context.
+**EnrollmentStatusTracking/Setup/HasProvisioningCompleted**
+Required. This node is supported in both user context and device context.
ESP sets this node when it completes. Providers can query this node to determine if the ESP is showing, which allows them to determine if they still need to provide status updates for the ESP through this CSP.
Scope is permanent. Supported operation is Get.
diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md
index 7988975af6..aa4e10d11b 100644
--- a/windows/client-management/mdm/enterpriseapn-csp.md
+++ b/windows/client-management/mdm/enterpriseapn-csp.md
@@ -1,7 +1,7 @@
---
title: EnterpriseAPN CSP
description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -45,20 +45,20 @@ EnterpriseAPN
--------AllowUserControl
--------HideView
```
-**EnterpriseAPN**
+**EnterpriseAPN**
The root node for the EnterpriseAPN configuration service provider.
-**EnterpriseAPN/***ConnectionName*
+**EnterpriseAPN/***ConnectionName*
Name of the connection as seen by Windows Connection Manager.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/APNName**
+**EnterpriseAPN/*ConnectionName*/APNName**
Enterprise APN name.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/IPType**
+**EnterpriseAPN/*ConnectionName*/IPType**
This value can be one of the following:
- IPv4 - only IPV4 connection type.
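Review bot: the `**EnterpriseAPN/***ConnectionName*` heading closes the bold run before the placeholder, while every other node heading in this hunk uses the form `**EnterpriseAPN/*ConnectionName*/APNName**`. Since the line is being touched anyway, align it with the others. The IPType list also mixes "IPv4" and "IPV4" in the same bullet.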
@@ -68,19 +68,19 @@ This value can be one of the following:
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/IsAttachAPN**
-Boolean value that indicates whether this APN should be requested as part of an LTE Attach.
+**EnterpriseAPN/*ConnectionName*/IsAttachAPN**
+Boolean value that indicates whether this APN should be requested as part of an LTE Attach.
Default value is false.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/ClassId**
+**EnterpriseAPN/*ConnectionName*/ClassId**
GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting isn't present. It's only required when IsAttachAPN is true and the attach APN isn't only used as the Internet APN.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/AuthType**
+**EnterpriseAPN/*ConnectionName*/AuthType**
Authentication type. This value can be one of the following:
- None (default)
@@ -91,36 +91,36 @@ Authentication type. This value can be one of the following:
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/UserName**
+**EnterpriseAPN/*ConnectionName*/UserName**
User name for use with PAP, CHAP, or MSCHAPv2 authentication.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/Password**
+**EnterpriseAPN/*ConnectionName*/Password**
Password corresponding to the username.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/IccId**
+**EnterpriseAPN/*ConnectionName*/IccId**
Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node isn't present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/AlwaysOn**
+**EnterpriseAPN/*ConnectionName*/AlwaysOn**
Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
The default value is true.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/Enabled**
+**EnterpriseAPN/*ConnectionName*/Enabled**
Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
The default value is true.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/*ConnectionName*/Roaming**
+**EnterpriseAPN/*ConnectionName*/Roaming**
Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values are:
- 0 - Disallowed
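Review bot: the `Password` node lists Get among its supported operations, but the text does not say what a Get returns. State whether the stored APN password is returned in clear text, masked, or not at all, because that decides who can read the credential back from a managed device. The `UserName` description mentions PAP, CHAP, or MSCHAPv2, and a matching cross-reference to AuthType on `Password` would help.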
@@ -132,21 +132,21 @@ Added in Windows 10, version 1703. Specifies whether the connection should be a
Default is 1 (all roaming allowed).
-Value type is string.
+Value type is string.
Supported operations are Add, Get, Delete, and Replace.
-**EnterpriseAPN/Settings**
+**EnterpriseAPN/Settings**
Added in Windows 10, version 1607. Node that contains global settings.
-**EnterpriseAPN/Settings/AllowUserControl**
+**EnterpriseAPN/Settings/AllowUserControl**
Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
The default value is false.
Supported operations are Get and Replace.
-**EnterpriseAPN/Settings/HideView**
+**EnterpriseAPN/Settings/HideView**
Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
The default value is false.
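Review bot: the `Settings/HideView` description reads "specifies whether the cellular UX will allow the user to view enterprise APNs", which is the opposite polarity of the node name, so a reader cannot tell whether true hides or shows the view. Say explicitly what true and false do. In the same hunk, `AllowUserControl` has a doubled "other" in "other APNs other than the Enterprise APN", and Roaming is documented with numeric values next to "Value type is string", which deserves a word of explanation.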
diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md
index e83aef75e3..b7e050b24e 100644
--- a/windows/client-management/mdm/enterpriseapn-ddf.md
+++ b/windows/client-management/mdm/enterpriseapn-ddf.md
@@ -1,7 +1,7 @@
---
title: EnterpriseAPN DDF
description: Learn about the OMA DM device description framework (DDF) for the EnterpriseAPN configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 23d45c61be..bea9a44514 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/26/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -55,98 +55,98 @@ EnterpriseAppVManagement
--------ConfigurationId
------------Policy
```
-**./Vendor/MSFT/EnterpriseAppVManagement**
+**./Vendor/MSFT/EnterpriseAppVManagement**
Root node for the EnterpriseAppVManagement configuration service provider.
-**AppVPackageManagement**
-Used to query App-V package information (post-publish).
+**AppVPackageManagement**
+Used to query App-V package information (post-publish).
-**AppVPackageManagement/EnterpriseID**
+**AppVPackageManagement/EnterpriseID**
Used to query package information. Value is always "HostedInstall".
-**AppVPackageManagement/EnterpriseID/PackageFamilyName**
+**AppVPackageManagement/EnterpriseID/PackageFamilyName**
Package ID of the published App-V package.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName***
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName***
Version ID of the published App-V package.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name**
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name**
Name specified in the published AppV package.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version**
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version**
Version specified in the published AppV package.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher**
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher**
Publisher as specified in the published asset information of the AppV package.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation**
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation**
Local package path specified in the published asset information of the AppV package.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate**
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate**
Date the app was installed, as specified in the published asset information of the AppV package.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users**
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users**
Registered users for app, as specified in the published asset information of the AppV package.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId**
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId**
Package ID of the published App-V package.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId**
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId**
Version ID of the published App-V package.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri**
+**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri**
Package URI of the published App-V package.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPublishing**
+**AppVPublishing**
Used to monitor publishing operations on App-V.
-**AppVPublishing/LastSync**
+**AppVPublishing/LastSync**
Used to monitor publishing status of last sync operation.
-**AppVPublishing/LastSync/LastError**
+**AppVPublishing/LastSync/LastError**
Error code and error description of last sync operation.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPublishing/LastSync/LastErrorDescription**
+**AppVPublishing/LastSync/LastErrorDescription**
Last sync error status. One of the following values may be returned:
- SYNC\_ERR_NONE (0) - No errors during publish.
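Review bot: the `**AppVPackageManagement/EnterpriseID/PackageFamilyName**` heading leaves its placeholders unitalicized, while the headings that follow write `*EnterpriseID*/*PackageFamilyName*`. The descriptions of the PackageFamilyName and PackageFullName nodes ("Package ID of the published App-V package", "Version ID of the published App-V package") are also word for word the same as those of `AppVPackageId` and `AppVVersionId`, so the reader cannot tell the nodes apart. `LastError` is described as "Error code and error description" although a separate `LastErrorDescription` node follows it.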
@@ -161,7 +161,7 @@ Value type is string.
Supported operation is Get.
-**AppVPublishing/LastSync/SyncStatusDescription**
+**AppVPublishing/LastSync/SyncStatusDescription**
Latest sync in-progress stage. One of the following values may be returned:
- SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle.
@@ -170,7 +170,7 @@ Latest sync in-progress stage. One of the following values may be returned:
- SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress.
- SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress.
-Value type is string.
+Value type is string.
Supported operation is Get.
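Review bot: the context line `SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4)` has its backslash in the wrong place, so the constant does not render as SYNC_PROGRESS_UNPUBLISH_PACKAGES. It should follow the escaping used on the line above it (`SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES`). Worth fixing in this pass since the hunk already edits the adjacent "Value type is string." line.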
@@ -183,27 +183,27 @@ Latest sync state. One of the following values may be returned:
- SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete.
- SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppVPublishing/Sync**
+**AppVPublishing/Sync**
Used to perform App-V synchronization.
-**AppVPublishing/Sync/PublishXML**
+**AppVPublishing/Sync/PublishXML**
Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol,, see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](/openspecs/windows_protocols/ms-vapr/a05e030d-4fb9-4c8d-984b-971253b62be8).
Supported operations are Get, Delete, and Execute.
-**AppVDynamicPolicy**
+**AppVDynamicPolicy**
Used to set App-V Policy Configuration documents for publishing packages.
-**AppVDynamicPolicy/*ConfigurationId***
+**AppVDynamicPolicy/*ConfigurationId***
ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
-**AppVDynamicPolicy/*ConfigurationId*/Policy**
+**AppVDynamicPolicy/*ConfigurationId*/Policy**
XML for App-V Policy Configuration documents for publishing packages.
-Value type is xml.
+Value type is xml.
Supported operations are Add, Get, Delete, and Replace.
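Review bot: the `AppVPublishing/Sync/PublishXML` paragraph contains a doubled comma in "For more information about the protocol,, see". Separately, the sync state values in this hunk are listed with numeric codes such as "(3)" and "(4)" next to "Value type is string"; say whether the node returns the symbolic name or the number.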
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
index 0572ef9f96..73e6ec393a 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
@@ -7,13 +7,13 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# EnterpriseAppVManagement DDF file
-This topic shows the OMA DM device description framework (DDF) for the **EnterpriseAppVManagement** configuration service provider.
+This topic shows the OMA DM device description framework (DDF) for the **EnterpriseAppVManagement** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md
index bf660969d6..8b5eba6645 100644
--- a/windows/client-management/mdm/enterprisedataprotection-csp.md
+++ b/windows/client-management/mdm/enterprisedataprotection-csp.md
@@ -2,7 +2,7 @@
title: EnterpriseDataProtection CSP
description: Learn how the EnterpriseDataProtection configuration service provider (CSP) configures Windows Information Protection (formerly, Enterprise Data Protection) settings.
ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -59,14 +59,14 @@ EnterpriseDataProtection
----Status
```
-**./Device/Vendor/MSFT/EnterpriseDataProtection**
+**./Device/Vendor/MSFT/EnterpriseDataProtection**
The root node for the CSP.
-**Settings**
+**Settings**
The root node for the Windows Information Protection (WIP) configuration settings.
-**Settings/EDPEnforcementLevel**
-Set the WIP enforcement level.
+**Settings/EDPEnforcementLevel**
+Set the WIP enforcement level.
> [!NOTE]
> Setting this value isn't sufficient to enable Windows Information Protection on the device. Attempts to change this value will fail when the WIP cleanup is running.
@@ -80,7 +80,7 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
-**Settings/EnterpriseProtectedDomainNames**
+**Settings/EnterpriseProtectedDomainNames**
A list of domains used by the enterprise for its user identities separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for Windows Information Protection. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running.
Changing the primary enterprise ID isn't supported and may cause unexpected behavior on the client.
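Review bot: in the `Settings/EnterpriseProtectedDomainNames` paragraph, "User identities from one of these domains is considered an enterprise managed account" has a subject and verb that disagree. Suggest "A user identity from one of these domains is considered an enterprise-managed account, and data associated with it should be protected."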
@@ -96,7 +96,7 @@ Here are the steps to create canonical domain names:
Supported operations are Add, Get, Replace, and Delete. Value type is string.
-**Settings/AllowUserDecryption**
+**Settings/AllowUserDecryption**
Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user won't be able to remove protection from enterprise content through the operating system or the application user experiences.
> [!IMPORTANT]
@@ -111,7 +111,7 @@ Most restricted value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
-**Settings/DataRecoveryCertificate**
+**Settings/DataRecoveryCertificate**
Specifies a recovery certificate that can be used for data recovery of encrypted files. This certificate is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through mobile device management (MDM) instead of Group Policy.
> [!Note]
@@ -124,116 +124,116 @@ The binary blob is the serialized version of following structure:
//
// Recovery Policy Data Structures
//
-
+
typedef struct _RECOVERY_POLICY_HEADER {
USHORT MajorRevision;
USHORT MinorRevision;
ULONG RecoveryKeyCount;
} RECOVERY_POLICY_HEADER, *PRECOVERY_POLICY_HEADER;
-
+
typedef struct _RECOVERY_POLICY_1_1 {
RECOVERY_POLICY_HEADER RecoveryPolicyHeader;
RECOVERY_KEY_1_1 RecoveryKeyList[1];
} RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1;
-
+
#define EFS_RECOVERY_POLICY_MAJOR_REVISION_1 (1)
#define EFS_RECOVERY_POLICY_MINOR_REVISION_0 (0)
-
+
#define EFS_RECOVERY_POLICY_MINOR_REVISION_1 (1)
-
+
///////////////////////////////////////////////////////////////////////////////
// /
// RECOVERY_KEY Data Structure /
// /
///////////////////////////////////////////////////////////////////////////////
-
+
//
// Current format of recovery data.
//
-
+
typedef struct _RECOVERY_KEY_1_1 {
ULONG TotalLength;
EFS_PUBLIC_KEY_INFO PublicKeyInfo;
} RECOVERY_KEY_1_1, *PRECOVERY_KEY_1_1;
-
-
+
+
typedef struct _EFS_PUBLIC_KEY_INFO {
-
+
//
// The length of this entire structure, including string data
// appended to the end. The length should be a multiple of 8 for
// 64 bit alignment
//
-
+
ULONG Length;
-
+
//
// Sid of owner of the public key (regardless of format).
// This field is to be treated as a hint only.
//
-
+
ULONG PossibleKeyOwner;
-
+
//
// Contains information describing how to interpret
// the public key information
//
-
+
ULONG KeySourceTag;
-
+
union {
-
+
struct {
-
+
//
// The following fields contain offsets based at the
// beginning of the structure. Each offset is to
// a NULL terminated WCHAR string.
//
-
+
ULONG ContainerName;
ULONG ProviderName;
-
+
//
// The exported public key used to encrypt the FEK.
// This field contains an offset from the beginning of the
// structure.
//
-
+
ULONG PublicKeyBlob;
-
+
//
// Length of the PublicKeyBlob in bytes
//
-
+
ULONG PublicKeyBlobLength;
-
+
} ContainerInfo;
-
+
struct {
-
+
ULONG CertificateLength; // in bytes
ULONG Certificate; // offset from start of structure
-
+
} CertificateInfo;
-
-
+
+
struct {
-
+
ULONG ThumbprintLength; // in bytes
ULONG CertHashData; // offset from start of structure
-
+
} CertificateThumbprint;
};
-
-
-
+
+
+
} EFS_PUBLIC_KEY_INFO, *PEFS_PUBLIC_KEY_INFO;
-
+
//
// Possible KeyTag values
//
-
+
typedef enum _PUBLIC_KEY_SOURCE_TAG {
EfsCryptoAPIContainer = 1,
EfsCertificate,
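Review bot: the structure listing uses types before they are declared. `RECOVERY_POLICY_1_1` contains a `RECOVERY_KEY_1_1` member ahead of that typedef, and `RECOVERY_KEY_1_1` contains an `EFS_PUBLIC_KEY_INFO` member ahead of its definition, so the block does not read top to bottom as valid C. Reordering the typedefs, or a sentence saying the listing is not in declaration order, would fix that. The comment "Possible KeyTag values" does not match the field name `KeySourceTag` or the enum name `PUBLIC_KEY_SOURCE_TAG`, and the comment on `PossibleKeyOwner` calls it the owner's Sid although the field is a `ULONG`; say whether it is an offset like the other members. Because the blob is built from offsets and lengths, the text around the listing should state that every offset is relative to the start of `EFS_PUBLIC_KEY_INFO` and bounded by `Length`.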
@@ -245,7 +245,7 @@ For EFSCertificate KeyTag, it's expected to be a DER ENCODED binary certificate.
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
-**Settings/RevokeOnUnenroll**
+**Settings/RevokeOnUnenroll**
This policy controls whether to revoke the Windows Information Protection keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after unenrollment. If the keys aren't revoked, there will be no revoked file cleanup, later. Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.
The following list shows the supported values:
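Review bot: the last sentence of the `Settings/RevokeOnUnenroll` paragraph ("Prior to sending the unenroll command, when you want a device to do a selective wipe when it's unenrolled, then you should explicitly set this policy to 1.") is hard to parse, and it carries the security-relevant instruction. Suggest "To have the device perform a selective wipe on unenrollment, set this policy to 1 before sending the unenroll command." Also drop the comma in "revoked file cleanup, later".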
@@ -255,7 +255,7 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
-**Settings/RevokeOnMDMHandoff**
+**Settings/RevokeOnMDMHandoff**
Added in Windows 10, version 1703. This policy controls whether to revoke the Windows Information Protection keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys won't be revoked and the user will continue to have access to protected files after upgrade. This setting is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys.
@@ -263,12 +263,12 @@ Added in Windows 10, version 1703. This policy controls whether to revoke the Wi
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
-**Settings/RMSTemplateIDForEDP**
+**Settings/RMSTemplateIDForEDP**
TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access.
Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).
-**Settings/AllowAzureRMSForEDP**
+**Settings/AllowAzureRMSForEDP**
Specifies whether to allow Azure RMS encryption for Windows Information Protection.
- 0 (default) – Don't use RMS.
@@ -276,12 +276,12 @@ Specifies whether to allow Azure RMS encryption for Windows Information Protecti
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
-**Settings/SMBAutoEncryptedFileExtensions**
+**Settings/SMBAutoEncryptedFileExtensions**
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from a Server Message Block (SMB) share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list.
When this policy isn't specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.
Supported operations are Add, Get, Replace and Delete. Value type is string.
-**Settings/EDPShowIcons**
+**Settings/EDPShowIcons**
Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles on the **Start** menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the Windows Information Protection icon in the title bar of a WIP-protected app.
The following list shows the supported values:
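Review bot: the `Settings/SMBAutoEncryptedFileExtensions` description gives the delimiter but not the form of an entry, so it is unclear whether extensions are written with a leading dot. Add a short sample value. The sentence "When this policy is configured, only files with the extensions in the list will be encrypted" narrows protection compared with the unconfigured behavior and deserves a callout like the notes used elsewhere in this file. The operations list here also drops the comma before "and Delete" that the other nodes use.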
@@ -290,7 +290,7 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
-**Status**
+**Status**
A read-only bit mask that indicates the current state of Windows Information Protection on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured.
Suggested values:
diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
index f8be987381..f636d7d3af 100644
--- a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md
@@ -1,7 +1,7 @@
---
title: EnterpriseDataProtection DDF file
description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
index d06146f5a0..0b72e40b4d 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
@@ -2,7 +2,7 @@
title: EnterpriseDesktopAppManagement CSP
description: Learn how the EnterpriseDesktopAppManagement CSP handles enterprise desktop application management tasks, such as installing or removing applications.
ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -76,7 +76,7 @@ Installation date of the application. Value type is string. Supported operation
**MSI/*ProductID*/DownloadInstall**
Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get.
-In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (don't send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. `` 0 will set the timeout to infinite.
+In Windows 10, version 1703 service release, a new tag \ was added to the \ section of the XML. The default value is 0 (don't send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken. `` 0 will set the timeout to infinite.
Here's an example:
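Review bot: in the `MSI/*ProductID*/DownloadInstall` paragraph the element names are missing as the text is shown here: it reads "a new tag \ was added to the \ section of the XML", and the code span before "0 will set the timeout to infinite" is empty. The reader cannot tell which tag controls sending the AADUserToken or which one sets the timeout. Put the element names in backticks so the angle brackets survive rendering, and separate the timeout sentence from the token sentence, since the two describe different settings.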
@@ -178,7 +178,7 @@ The following table describes the fields in the previous sample:
| CmdID | Input value used to reference the request. Responses will include this value that can be used to match request and response. |
| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. |
-
+
**SyncML to perform MSI operations for application status reporting**
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
index dcf0663717..23261b8b07 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md
@@ -1,7 +1,7 @@
---
title: EnterpriseDesktopAppManagement DDF
description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
index 4117208a89..e03181b4e0 100644
--- a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md
@@ -1,7 +1,7 @@
---
title: EnterpriseDesktopAppManagement XSD
description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 6aed81068c..328d75b558 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement CSP
description: Learn how the EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -76,26 +76,26 @@ EnterpriseModernAppManagement
----------------GetLicenseFromStore
```
-**Device or User context**
+**Device or User context**
For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path.
> [!Note]
> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
-**AppManagement**
+**AppManagement**
Required. Used for inventory and app management (post-install).
-**AppManagement/UpdateScan**
+**AppManagement/UpdateScan**
Required. Used to start the Windows Update scan.
Supported operation is Execute.
-**AppManagement/LastScanError**
+**AppManagement/LastScanError**
Required. Reports the last error code returned by the update scan.
Supported operation is Get.
-**AppManagement/AppInventoryResults**
+**AppManagement/AppInventoryResults**
Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation.
Supported operation is Get.
@@ -113,7 +113,7 @@ Here's an example of AppInventoryResults operation.
```
-**AppManagement/AppInventoryQuery**
+**AppManagement/AppInventoryQuery**
Added in Windows 10, version 1511. Required. Specifies the query for app inventory.
Query parameters:
@@ -162,7 +162,7 @@ The following example sets the inventory query for the package names and checks
```
-**AppManagement/RemovePackage**
+**AppManagement/RemovePackage**
Added in Windows 10, version 1703. Used to remove packages. Not supported for ./User/Vendor/MSFT.
Parameters:
@@ -170,7 +170,7 @@ Parameters:
Package
- Name: Specifies the PackageFullName of the particular package to remove.
- - RemoveForAllUsers:
+
- RemoveForAllUsers:
- 0 (default) – Package will be unprovisioned so that new users don't receive the package. The package will remain installed for current users. This option isn't currently supported.
- 1 – Package will be removed for all users only if it's a provisioned package.
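Review bot: under `RemoveForAllUsers`, value 0 is marked "(default)" and the same bullet ends with "This option isn't currently supported", so the documented default is an unsupported option. State what happens when the parameter is omitted, or mark 1 as the only usable value. This hunk also appears to add a line ahead of the `RemoveForAllUsers:` bullet rather than only changing line endings; check that the nested list under `Package` still renders with Name and RemoveForAllUsers at the same level.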
@@ -199,62 +199,62 @@ The following example removes a package for all users:
````
-**AppManagement/nonStore**
+**AppManagement/nonStore**
Used to manage enterprise apps or developer apps that weren't acquired from the Microsoft Store.
Supported operation is Get.
-**AppManagement/System**
+**AppManagement/System**
Reports apps installed as part of the operating system.
Supported operation is Get.
-**AppManagement/AppStore**
+**AppManagement/AppStore**
Required. Used for managing apps from the Microsoft Store.
Supported operations are Get and Delete.
-**AppManagement/AppStore/ReleaseManagement**
+**AppManagement/AppStore/ReleaseManagement**
Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization.
> [!NOTE]
> ReleaseManagement settings only apply to updates through the Microsoft Store.
-**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
+**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_**
Added in Windows 10, version 1809. Identifier for the app or set of apps. If there's only one app, it's the PackageFamilyName. If it's for a set of apps, it's the PackageFamilyName of the main app.
-**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId**
+**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId**
Added in Windows 10, version 1809. Specifies the app channel ID.
-Value type is string.
+Value type is string.
Supported operations are Add, Get, Replace, and Delete.
-**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId**
+**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId**
Added in Windows 10, version 1809. The IT admin can specify a release ID to indicate a specific release that they would like the user or device to be on.
-Value type is string.
+Value type is string.
Supported operations are Add, Get, Replace, and Delete.
-**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease**
+**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease**
Added in Windows 10, version 1809. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used.
-**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId**
+**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId**
Added in Windows 10, version 1809. Returns the last user channel ID on the device.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId**
+**AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId**
Added in Windows 10, version 1809. Returns the last user release ID on the device.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**.../***PackageFamilyName*
+**.../***PackageFamilyName*
Optional. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
Supported operations are Get and Delete.
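Review bot: the `AppManagement/AppStore/ReleaseManagement` description has a stray article in "Interior node for the managing updates through the Microsoft Store". The placeholder in this group is written `_ReleaseManagementKey_` with underscores, while the rest of the file italicizes placeholders with asterisks (`*PackageFamilyName*`); pick one. The context line at the top of the hunk closes the preceding example with four backticks where the other examples in this file use three, so confirm the fence pairs with its opener.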
@@ -281,7 +281,7 @@ Here's an example for uninstalling an app:
```
-**.../*PackageFamilyName*/***PackageFullName*
+**.../*PackageFamilyName*/***PackageFullName*
Optional. Full name of the package installed.
Supported operations are Get and Delete.
@@ -290,29 +290,29 @@ Supported operations are Get and Delete.
> XAP files use a product ID in place of PackageFullName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
-**.../*PackageFamilyName*/*PackageFullName*/Name**
-Required. Name of the app.
+**.../*PackageFamilyName*/*PackageFullName*/Name**
+Required. Name of the app.
Value type is string.
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/Version**
-Required. Version of the app.
+**.../*PackageFamilyName*/*PackageFullName*/Version**
+Required. Version of the app.
Value type is string.
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/Publisher**
-Required. Publisher name of the app.
+**.../*PackageFamilyName*/*PackageFullName*/Publisher**
+Required. Publisher name of the app.
Value type is string.
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/Architecture**
-Required. Architecture of installed package.
+**.../*PackageFamilyName*/*PackageFullName*/Architecture**
+Required. Architecture of installed package.
Value type is string.
@@ -321,8 +321,8 @@ Value type is string.
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/InstallLocation**
-Required. Install location of the app on the device.
+**.../*PackageFamilyName*/*PackageFullName*/InstallLocation**
+Required. Install location of the app on the device.
Value type is string.
@@ -331,7 +331,7 @@ Value type is string.
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/IsFramework**
+**.../*PackageFamilyName*/*PackageFullName*/IsFramework**
Required. Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases.
> [!Note]
@@ -339,21 +339,21 @@ Required. Whether or not the app is a framework package. Value type is int. The
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/IsBundle**
-Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases.
+**.../*PackageFamilyName*/*PackageFullName*/IsBundle**
+Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases.
Value type is int.
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/InstallDate**
-Required. Date the app was installed.
+**.../*PackageFamilyName*/*PackageFullName*/InstallDate**
+Required. Date the app was installed.
Value type is string.
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/ResourceID**
+**.../*PackageFamilyName*/*PackageFullName*/ResourceID**
Required. Resource ID of the app. This value is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string.
> [!Note]
@@ -361,8 +361,8 @@ Required. Resource ID of the app. This value is null for the main app, ~ for a b
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/PackageStatus**
-Required. Provides information about the status of the package.
+**.../*PackageFamilyName*/*PackageFullName*/PackageStatus**
+Required. Provides information about the status of the package.
Value type is int. Valid values are:
@@ -377,7 +377,7 @@ Value type is int. Valid values are:
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall**
+**.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall**
Required. Specifies whether the package state has changed and requires a reinstallation of the app. This change of status can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int.
> [!Note]
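Review bot: The RequiresReinstall description kept as context in this hunk still reads "It can also occur of the package was corrupted", where "of" should be "if". Since the hunk already touches this entry's heading, fix the typo in the same change.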
@@ -385,7 +385,7 @@ Required. Specifies whether the package state has changed and requires a reinsta
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/Users**
+**.../*PackageFamilyName*/*PackageFullName*/Users**
Required. Registered users of the app and the package install state. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string.
- Not Installed = 0
@@ -395,37 +395,37 @@ Required. Registered users of the app and the package install state. If the quer
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/IsProvisioned**
-Required. The value is 0 or 1 that indicates if the app is provisioned on the device.
+**.../*PackageFamilyName*/*PackageFullName*/IsProvisioned**
+Required. The value is 0 or 1 that indicates if the app is provisioned on the device.
The value type is int.
Supported operation is Get.
-**.../*PackageFamilyName*/*PackageFullName*/IsStub**
-Added in Windows 10, version 2004.
+**.../*PackageFamilyName*/*PackageFullName*/IsStub**
+Added in Windows 10, version 2004.
Required. This node is used to identify whether the package is a stub package. A stub package is a version of the package with minimal functionality that will reduce the size of the app.
-The value is 1 if the package is a stub package and 0 (zero) for all other cases.
+The value is 1 if the package is a stub package and 0 (zero) for all other cases.
Value type is int.
Supported operation is Get.
-**.../*PackageFamilyName*/DoNotUpdate**
+**.../*PackageFamilyName*/DoNotUpdate**
Required. Specifies whether you want to block a specific app from being updated via auto-updates.
Supported operations are Add, Get, Delete, and Replace.
-**.../*PackageFamilyName*/AppSettingPolicy** (only for ./User/Vendor/MSFT)
+**.../*PackageFamilyName*/AppSettingPolicy** (only for ./User/Vendor/MSFT)
Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context.
-**.../*PackageFamilyName*/AppSettingPolicy/***SettingValue* (only for ./User/Vendor/MSFT)
+**.../*PackageFamilyName*/AppSettingPolicy/***SettingValue* (only for ./User/Vendor/MSFT)
Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container.
This setting only works for apps that support the feature and it's only supported in the user context.
-Value type is string.
+Value type is string.
Supported operations are Add, Get, Replace, and Delete.
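Review bot: The DoNotUpdate entry in this hunk lists only its supported operations, with no value type or valid values, unlike the IsProvisioned and IsStub entries just above it. Add the value type and state which value blocks auto-updates so an admin can build the Add or Replace payload from this page alone.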
@@ -461,10 +461,10 @@ The following example gets all managed app settings for a specific app.
```
-**.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate**
+**.../_PackageFamilyName_/MaintainProcessorArchitectureOnUpdate**
Added in Windows 10, version 1803. Specify whether on an AMD64 device, across an app update, the architecture of the installed app must not change. For example if you have the x86 flavor of a Windows app installed, with this setting enabled, across an update, the x86 flavor will be installed even when x64 flavor is available.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
Value type is integer.
@@ -477,92 +477,92 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M
|True |Disabled |X86 flavor is picked |
|False (not set) |Not configured |X64 flavor is picked |
-**.../_PackageFamilyName_/NonRemovable**
-Added in Windows 10, version 1809. Specifies if an app is nonremovable by the user.
+**.../_PackageFamilyName_/NonRemovable**
+Added in Windows 10, version 1809. Specifies if an app is nonremovable by the user.
-This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This setting is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This setting is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users.
+This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This setting is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This setting is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users.
NonRemovable requires admin permission. This setting can only be defined per device, not per user. You can query the setting using AppInventoryQuery or AppInventoryResults.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, and Replace.
-Valid values:
+Valid values:
- 0 – app isn't in the nonremovable app policy list
- 1 – app is included in the nonremovable app policy list
**Examples:**
-Add an app to the nonremovable app policy list
+Add an app to the nonremovable app policy list
```xml
-
-
-
- 1
- -
-
- ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
-
-
- int
-
- 1
-
-
-
-
-
+
+
+
+ 1
+ -
+
+ ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
+
+
+ int
+
+ 1
+
+
+
+
+
```
-Get the status for a particular app
+Get the status for a particular app
```xml
-
-
-
- 1
- -
-
- ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
-
-
-
-
-
-
+
+
+
+ 1
+ -
+
+ ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
+
+
+
+
+
+
```
-Replace an app in the nonremovable app policy list
-Data 0 = app isn't in the app policy list
+Replace an app in the nonremovable app policy list
+Data 0 = app isn't in the app policy list
Data 1 = app is in the app policy list
```xml
-
-
-
- 1
- -
-
- ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
-
-
- int
-
- 0
-
-
-
-
-
+
+
+
+ 1
+ -
+
+ ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/NonRemovable
+
+
+ int
+
+ 0
+
+
+
+
+
```
-**AppInstallation**
+**AppInstallation**
Required node. Used to perform app installation.
-**AppInstallation/***PackageFamilyName*
+**AppInstallation/***PackageFamilyName*
Optional node. Package family name (PFN) of the app. There's one for each PFN on the device when reporting inventory. These items are rooted under their signing origin.
Supported operations are Get and Add.
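Review bot: All three NonRemovable examples in this hunk target ".../AppManagement/AppStore/PackageFamilyName/NonRemovable" with the literal text PackageFamilyName in the LocURI, and nothing tells the reader it is a placeholder. Mark it as one (the headings italicise it as _PackageFamilyName_) or add a sentence saying it must be replaced with the app's actual PFN. The two "Data 0 / Data 1" lines above the Replace example also drop the word "nonremovable" that the Valid values list uses; align the wording.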
@@ -570,12 +570,12 @@ Supported operations are Get and Add.
> [!Note]
> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}.
-**AppInstallation/*PackageFamilyName*/StoreInstall**
+**AppInstallation/*PackageFamilyName*/StoreInstall**
Required. Command to perform an install of an app and a license from the Microsoft Store.
Supported operation is Execute, Add, Delete, and Get.
-**AppInstallation/*PackageFamilyName*/HostedInstall**
+**AppInstallation/*PackageFamilyName*/HostedInstall**
Required. Command to perform an install of an app package from a hosted location (this location can be a local drive, a UNC, or https data source).
The following list shows the supported deployment options:
@@ -587,13 +587,13 @@ The following list shows the supported deployment options:
- ForceUpdateToAnyVersion
- DeferRegistration="1". If the app is in use at the time of installation. This option stages the files for an app update and completes the registration of the app update after the app closes. Available in the latest insider flight of 20H1.
- StageOnly="1". Stages the files for an app installation or update without installing the app. Available in 1803.
-- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607.
+- LicenseUri="\\server\license.lic". Deploys an offline license from the Microsoft Store for Business. Available in 1607.
- ValidateDependencies="1". This option is used at provisioning/staging time. If it's set to 1, deployment will perform the same dependency validation during staging that we would normally do at registration time, failing and rejecting the provision request if the dependencies aren't present. Available in the latest insider flight of 20H1.
- ExcludeAppFromLayoutModification="1". Sets that the app will be provisioned on all devices and will be able to retain the apps provisioned without pinning them to start layout. Available in 1809.
Supported operation is Execute, Add, Delete, and Get.
-**AppInstallation/*PackageFamilyName*/LastError**
+**AppInstallation/*PackageFamilyName*/LastError**
Required. Last error relating to the app installation.
Supported operation is Get.
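Review bot: The LicenseUri bullet writes the UNC path as plain text, LicenseUri="\\server\license.lic", and in Markdown a doubled backslash outside code formatting renders as a single one, so readers see \server\license.lic. Wrap the option in backticks so the path renders as written. Separately, "Supported operation is Execute, Add, Delete, and Get" should read "Supported operations are", and the two "latest insider flight of 20H1" availability notes should name a released version.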
@@ -601,7 +601,7 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
-**AppInstallation/*PackageFamilyName*/LastErrorDesc**
+**AppInstallation/*PackageFamilyName*/LastErrorDesc**
Required. Description of last error relating to the app installation.
Supported operation is Get.
@@ -609,7 +609,7 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
-**AppInstallation/*PackageFamilyName*/Status**
+**AppInstallation/*PackageFamilyName*/Status**
Required. Status of app installation. The following values are returned:
- NOT\_INSTALLED (0) - The node was added, but the execution hasn't completed.
@@ -623,7 +623,7 @@ Supported operation is Get.
> This element isn't present after the app is installed.
-**AppInstallation/*PackageFamilyName*/ProgessStatus**
+**AppInstallation/*PackageFamilyName*/ProgessStatus**
Required. An integer that indicates the progress of the app installation. For https locations, this integer indicates the download progress. ProgressStatus isn't available for provisioning and it's only for user-based installations. ProgressStatus value is always 0 (zero) in provisioning.
Supported operation is Get.
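Review bot: The node heading is spelled "ProgessStatus" while the description under it says "ProgressStatus" twice. Check which spelling the DDF actually defines, since an MDM server has to use the exact node name in the LocURI, and then either correct the heading or add a note that the node name is intentionally spelled without the "r".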
@@ -631,18 +631,18 @@ Supported operation is Get.
> [!Note]
> This element isn't present after the app is installed.
-**AppLicenses**
+**AppLicenses**
Required node. Used to manage licenses for app scenarios.
-**AppLicenses/StoreLicenses**
+**AppLicenses/StoreLicenses**
Required node. Used to manage licenses for store apps.
-**AppLicenses/StoreLicenses/***LicenseID*
+**AppLicenses/StoreLicenses/***LicenseID*
Optional node. License ID for a store installed app. The license ID is generally the PFN of the app.
Supported operations are Add, Get, and Delete.
-**AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory**
+**AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory**
Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid values are:
- Unknown - unknown license category
@@ -653,7 +653,7 @@ Added in Windows 10, version 1511. Required. Category of license that is used to
Supported operation is Get.
-**AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage**
+**AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage**
Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values are:
- Unknown - usage is unknown.
@@ -663,17 +663,17 @@ Added in Windows 10, version 1511. Required. Indicates the allowed usage for the
Supported operation is Get.
-**AppLicenses/StoreLicenses/*LicenseID*/RequesterID**
+**AppLicenses/StoreLicenses/*LicenseID*/RequesterID**
Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID.
Supported operation is Get.
-**AppLicenses/StoreLicenses/*LicenseID*/AddLicense**
+**AppLicenses/StoreLicenses/*LicenseID*/AddLicense**
Required. Command to add license.
Supported operation is Execute.
-**AppLicenses/StoreLicenses/*LicenseID*/GetLicenseFromStore**
+**AppLicenses/StoreLicenses/*LicenseID*/GetLicenseFromStore**
Added in Windows 10, version 1511. Required. Command to get license from the store.
Supported operation is Execute.
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
index 3a270aad3c..ca184a8c77 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md
@@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement DDF
description: Learn about the OMA DM device description framework (DDF) for the EnterpriseModernAppManagement configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
index 95016ab8fc..c323934254 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md
@@ -1,7 +1,7 @@
---
title: EnterpriseModernAppManagement XSD
description: In this article, view the EnterpriseModernAppManagement XSD example so you can set application parameters.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index 607ecdeb20..b253767502 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 03/02/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -57,135 +57,135 @@ eUICCs
------------Status
```
-**./Vendor/MSFT/eUICCs**
+**./Vendor/MSFT/eUICCs**
Root node for the eUICCs CSP.
-**_eUICC_**
+**_eUICC_**
Interior node. Represents information associated with an eUICC. There's one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, for example, this association could be an SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.
Supported operation is Get.
-**_eUICC_/Identifier**
+**_eUICC_/Identifier**
Required. Identifies an eUICC in an implementation-specific manner, for example, this identification could be an SHA-256 hash of the EID.
Supported operation is Get. Value type is string.
-**_eUICC_/IsActive**
+**_eUICC_/IsActive**
Required. Indicates whether this eUICC is physically present and active. Updated only by the LPA.
Supported operation is Get. Value type is boolean.
-**_eUICC_/PPR1Allowed**
+**_eUICC_/PPR1Allowed**
Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 isn't allowed.
-Supported operation is Get.
+Supported operation is Get.
Value type is boolean.
-**_eUICC_/PPR1AlreadySet**
+**_eUICC_/PPR1AlreadySet**
Required. Indicates whether the eUICC already has a profile with PPR1.
-Supported operation is Get.
+Supported operation is Get.
Value type is boolean.
-**_eUICC_/DownloadServers**
+**_eUICC_/DownloadServers**
Interior node. Represents default SM-DP+ discovery requests.
Supported operation is Get.
-**_eUICC_/DownloadServers/_ServerName_**
+**_eUICC_/DownloadServers/_ServerName_**
Interior node. Optional. Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.
Supported operations are Add, Get, and Delete.
-**_eUICC_/DownloadServers/_ServerName_/DiscoveryState**
+**_eUICC_/DownloadServers/_ServerName_/DiscoveryState**
Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
-Supported operation is Get.
+Supported operation is Get.
Value type is integer. Default value is 1.
-**_eUICC_/DownloadServers/_ServerName_/AutoEnable**
+**_eUICC_/DownloadServers/_ServerName_/AutoEnable**
Required. Indicates whether the discovered profile must be enabled automatically after install. This setting must be defined by the MDM when the ServerName subtree is created.
-Supported operations are Add, Get, and Replace.
+Supported operations are Add, Get, and Replace.
Value type is bool.
-**_eUICC_/DownloadServers/_ServerName_/IsDiscoveryServer**
+**_eUICC_/DownloadServers/_ServerName_/IsDiscoveryServer**
Optional. Indicates whether the server is a discovery server. This setting must be defined by the MDM when the ServerName subtree is created.
-Supported operations are Add, Get, and Replace.
+Supported operations are Add, Get, and Replace.
Value type is bool. Default value is false.
-**_eUICC_/Profiles**
+**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.
Supported operation is Get.
-**_eUICC_/Profiles/_ICCID_**
+**_eUICC_/Profiles/_ICCID_**
Interior node. Optional. Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).
Supported operations are Add, Get, and Delete.
-**_eUICC_/Profiles/_ICCID_/ServerName**
+**_eUICC_/Profiles/_ICCID_/ServerName**
Required. Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
-Supported operations are Add and Get.
+Supported operations are Add and Get.
Value type is string.
-**_eUICC_/Profiles/_ICCID_/MatchingID**
+**_eUICC_/Profiles/_ICCID_/MatchingID**
Required. Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
-Supported operations are Add and Get.
+Supported operations are Add and Get.
Value type is string.
-**_eUICC_/Profiles/_ICCID_/State**
+**_eUICC_/Profiles/_ICCID_/State**
Required. Current state of the profile (Installing = 1, Installed = 2, Deleting = 3, Error = 4). Queried by the CSP and only updated by the LPA.
-Supported operation is Get.
+Supported operation is Get.
Value type is integer. Default value is 1.
-**_eUICC_/Profiles/_ICCID_/IsEnabled**
+**_eUICC_/Profiles/_ICCID_/IsEnabled**
Added in Windows 10, version 1803. Indicates whether this profile is enabled. Can be set by the MDM when the ICCID subtree is created to enable the profile once it’s successfully downloaded and installed on the device. Can also be queried and updated by the CSP.
-Supported operations are Add, Get, and Replace.
+Supported operations are Add, Get, and Replace.
Value type is bool.
-**_eUICC_/Policies**
+**_eUICC_/Policies**
Interior node. Required. Device policies associated with the eUICC as a whole (not per-profile).
-Supported operation is Get.
+Supported operation is Get.
-**_eUICC_/Policies/LocalUIEnabled**
+**_eUICC_/Policies/LocalUIEnabled**
Required. Determines whether the local user interface of the LUI is available (true if available, false otherwise). Initially populated by the LPA when the eUICC tree is created, can be queried and changed by the MDM server.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
Value type is boolean. Default value is true.
-**_eUICC_/Actions**
+**_eUICC_/Actions**
Interior node. Required. Actions that can be performed on the eUICC as a whole (when it's active).
Supported operation is Get.
-**_eUICC_/Actions/ResetToFactoryState**
+**_eUICC_/Actions/ResetToFactoryState**
Required. An EXECUTE on this node triggers the LPA to perform an eUICC Memory Reset.
-Supported operation is Execute.
+Supported operation is Execute.
Value type is string.
-**_eUICC_/Actions/Status**
+**_eUICC_/Actions/Status**
Required. Status of most recent operation, as an HRESULT. S_OK indicates success, S_FALSE indicates operation is in progress, other values represent specific errors.
-Supported value is Get.
+Supported value is Get.
Value type is integer. Default is 0.
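Review bot: In the _eUICC_/Actions/Status entry the re-added line still says "Supported value is Get", while every other entry in this hunk uses "Supported operation is Get"; change "value" to "operation". The PPR1Allowed entry also opens with "Profile Policy Rule 1 (PPR1) is required", which reads as if the rule were mandatory rather than the node being Required like its siblings. Reword it to "Required." followed by the description.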
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index 62bced8f33..790bc359a2 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -1,7 +1,7 @@
---
title: eUICCs DDF file
description: Learn about the OMA DM device description framework (DDF) for the eUICCs configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index af9202d9ca..2b2571fd05 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -26,12 +26,12 @@ The table below shows the applicability of Windows:
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, and the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP was added Windows 10, version 1709.
-
+
Firewall rules in the FirewallRules section must be wrapped in an Atomic block in SyncML, either individually or collectively.
For detailed information on some of the fields below, see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](/openspecs/windows_protocols/ms-winerrata/6521c5c4-1f76-4003-9ade-5cccfc27c8ac).
-The following example shows the Firewall configuration service provider in tree format.
+The following example shows the Firewall configuration service provider in tree format.
```
./Vendor/MSFT
Firewall
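Review bot: The introductory paragraph "The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure ..." appears twice in a row in the context of this hunk, and both copies end with "This CSP was added Windows 10, version 1709", which is missing "in". Remove the duplicate paragraph and fix the sentence while the whitespace around it is being cleaned up.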
@@ -130,7 +130,7 @@ Supported operation is Get.
**MdmStore/Global**
Interior node.
-Supported operations are Get.
+Supported operations are Get.
**MdmStore/Global/PolicyVersionSupported**
Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value isn't merged and is always a fixed value for a particular firewall and advanced security components software build.
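Review bot: The line rewritten under MdmStore/Global still reads "Supported operations are Get" with a single operation listed. Use "Supported operation is Get", matching the other Get-only nodes in this file.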
@@ -144,7 +144,7 @@ Value type in integer. Supported operation is Get.
Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
Default value is false.
-Data type is bool. Supported operations are Add, Get, Replace, and Delete.
+Data type is bool. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/SaIdleTime**
This value configures the security association idle time, in seconds. Security associations are deleted after network traffic isn't seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it's configured; otherwise, use the local store value.
@@ -351,7 +351,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
ICMP types and codes applicable to the firewall rule. To specify all ICMP types and codes, use the “\*” character. For specific ICMP types and codes, use the “:” character to separate the type and code, for example, 3:4, 1:\*. The “\*” character can be used to represent any code. The “\*” character cannot be used to specify any type; examples such as “\*:4” or “\*:\*” are invalid.
-If not specified, the default is All.
+If not specified, the default is All.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/*FirewallRuleName*/LocalAddressRanges**
@@ -455,16 +455,16 @@ Name of the rule.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/RemoteAddressDynamicKeywords**
-Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule.
+Comma separated list of Dynamic Keyword Address Ids (GUID strings) specifying the remote addresses covered by the rule.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/DynamicKeywords**
-Interior node.
+Interior node.
Supported operation is Get.
**MdmStore/DynamicKeywords/Addresses**
-Interior node.
+Interior node.
Supported operation is Get.
**MdmStore/DynamicKeywords/Addresses/Id**
@@ -487,7 +487,7 @@ Valid tokens include:
Supported operations are Add, Delete, Replace, and Get.
**MdmStore/DynamicKeywords/Addresses/Id/AutoResolve**
-Boolean value. If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a Fully Qualified Domain Name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present.
+Boolean value. If this flag is set to TRUE, then the 'keyword' field of this object is expected to be a Fully Qualified Domain Name, and the addresses will be automatically resolved. This flag should only be set if the Microsoft Defender Advanced Threat Protection Service is present.
Value type is string. Supported operations are Add, Delete, and Get.
Value type is string. Supported operations are Add, Delete, and Get.
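Review bot: Under MdmStore/DynamicKeywords/Addresses/Id/AutoResolve the line "Value type is string. Supported operations are Add, Delete, and Get." is present twice, and it contradicts the description, which opens with "Boolean value". Drop the duplicate and state the value type consistently with what the node actually accepts.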
diff --git a/windows/client-management/mdm/firewall-ddf-file.md b/windows/client-management/mdm/firewall-ddf-file.md
index 50b8729198..0b525ef8b4 100644
--- a/windows/client-management/mdm/firewall-ddf-file.md
+++ b/windows/client-management/mdm/firewall-ddf-file.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -1512,7 +1512,7 @@ ServiceName
- Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
+ Consists of one or more comma-delimited tokens specifying the local addresses covered by the rule. "*" is the default value.
Valid tokens include:
"*" indicates any local address. If present, this must be the only token included.
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 9c85e6205e..6a9dd2e4c7 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -1,14 +1,14 @@
---
title: Device HealthAttestation CSP
description: Learn how the DHA-CSP enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
-ms.date:
+ms.date:
---
# Device HealthAttestation CSP
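Review bot: The "ms.date:" front-matter key in this hunk has no value on either the removed or the added line, so the change trims whitespace and leaves the field empty. The other files in this patch carry a date (for example "ms.date: 12/05/2017"); set one here or remove the key.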
@@ -97,11 +97,11 @@ HealthAttestation
----MaxSupportedProtocolVersion
```
-**./Vendor/MSFT/HealthAttestation**
+**./Vendor/MSFT/HealthAttestation**
The root node for the device HealthAttestation configuration service provider.
-**TriggerAttestation** (Required)
+**TriggerAttestation** (Required)
Node type: EXECUTE
@@ -124,7 +124,7 @@ Templated SyncML Call:
{
rpID : "rpID", serviceEndpoint : "MAA endpoint",
nonce : "nonce", aadToken : "aadToken", "cv" : "CorrelationVector"
- }
+ }
@@ -145,12 +145,12 @@ Sample Data:
```json
-{
+{
"rpid" : "https://www.contoso.com/attestation",
"endpoint" : "https://contoso.eus.attest.azure.net/attest/tpm?api-version=2020-10-01",
"nonce" : "5468697320697320612054657374204e6f6e6365",
"aadToken" : "dummytokenstring",
-"cv" : "testonboarded"
+"cv" : "testonboarded"
}
```
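Review bot: The sample JSON in this hunk uses the keys "rpid" and "endpoint", while the templated call in the previous hunk names them rpID and serviceEndpoint. A reader copying the sample cannot tell which spelling the CSP accepts. Align the two blocks, and quote the template's keys consistently (only "cv" is quoted there).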
@@ -176,7 +176,7 @@ Templated SyncML Call:
-
+
```
@@ -209,7 +209,7 @@ Templated SyncML Call:
-
+
```
@@ -244,7 +244,7 @@ Templated SyncML Call:
-
+
```
@@ -255,7 +255,7 @@ Sample data:
If success:
GUID returned by the attestation service: 1k9+vQOn00S8ZK33;CMc969r1JEuHwDpM
If Trigger Attestation call failed and no previous data is present. The field remains empty.
-Otherwise, the last service correlation id will be returned. In a successful attestation there are two
+Otherwise, the last service correlation id will be returned. In a successful attestation there are two
calls between client and MAA and for each call the GUID is separated by semicolon.
```
@@ -277,13 +277,13 @@ calls between client and MAA and for each call the GUID is separated by semicolo
configurationrules{
};
- authorizationrules {
+ authorizationrules {
=> permit();
};
issuancerules{
- // SecureBoot enabled
+ // SecureBoot enabled
c:[type == "events", issuer=="AttestationService"] => add(type = "efiConfigVariables", value = JmesPath(c.value, "Events[?EventTypeString == 'EV_EFI_VARIABLE_DRIVER_CONFIG' && ProcessedData.VariableGuid == '8BE4DF61-93CA-11D2-AA0D-00E098032B8C']"));
c:[type == "efiConfigVariables", issuer=="AttestationPolicy"]=> issue(type = "secureBootEnabled", value = JsonToClaimValue(JmesPath(c.value, "[?ProcessedData.UnicodeName == 'SecureBoot'] | length(@) == `1` && @[0].ProcessedData.VariableData == 'AQ'")));
![type=="secureBootEnabled", issuer=="AttestationPolicy"] => issue(type="secureBootEnabled", value=false);
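Review bot: The "// SecureBoot enabled" comment does not explain the comparison VariableData == 'AQ' in the rule below it, which is the check the whole claim depends on. 'AQ' is the unpadded base64 form of the single byte 0x01; say so in the comment so that readers adapting the policy do not change the literal by mistake. It is also worth a comment that "authorizationrules { => permit(); }" permits every request unconditionally in this sample.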
@@ -351,9 +351,9 @@ calls between client and MAA and for each call the GUID is separated by semicolo
// Find the first EV_SEPARATOR in PCR 12, 13, Or 14
c:[type=="events", issuer=="AttestationService"] => add(type="evSeparatorSeq", value=JmesPath(c.value, "Events[? EventTypeString == 'EV_SEPARATOR' && (PcrIndex == `12` || PcrIndex == `13` || PcrIndex == `14`)] | @[0].EventSeq"));
c:[type=="evSeparatorSeq", value != "null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value=AppendString(AppendString("Events[? EventSeq < `", c.value), "`"));
- [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");
+ [type=="evSeparatorSeq", value=="null", issuer=="AttestationPolicy"] => add(type="beforeEvSepClause", value="Events[? `true` ");
- // Find the first EVENT_APPLICATION_SVN.
+ // Find the first EVENT_APPLICATION_SVN.
c:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] => add(type="bootMgrSvnSeqQuery", value=AppendString(c.value, " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12` && ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN] | @[0].EventSeq"));
c1:[type=="bootMgrSvnSeqQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="bootMgrSvnSeq", value=JmesPath(c2.value, c1.value));
c:[type=="bootMgrSvnSeq", value!="null", issuer=="AttestationPolicy"] => add(type="bootMgrSvnQuery", value=AppendString(AppendString("Events[? EventSeq == `", c.value), "`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
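Review bot: The fallback value "Events[? `true` " on the evSeparatorSeq == "null" rule is a deliberately unterminated JmesPath fragment that only becomes valid once the later AppendString calls add the closing "]", and nothing in the comments says so. Add a line above the beforeEvSepClause rules explaining that the clause is a query prefix completed by the rules that follow. The comment "PCR 12, 13, Or 14" should read "or".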
@@ -396,7 +396,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo
c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="afterTransferCtrlClause", issuer=="AttestationPolicy"] => add(type="moduleQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `13` && ((ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]) || (ProcessedData.EVENT_LOADEDMODULE_AGGREGATION[].EVENT_MODULE_SVN | @[0]))].EventSeq | @[0]"));
c1:[type=="moduleQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => add(type="moduleSeq", value=JmesPath(c2.value, c1.value));
- // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12.
+ // Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12.
c:[type=="moduleSeq", value!="null", issuer=="AttestationPolicy"] => add(type="applicationSvnAfterModuleClause", value=AppendString(AppendString(" && EventSeq > `", c.value), "`"));
c1:[type=="beforeEvSepClause", issuer=="AttestationPolicy"] && c2:[type=="applicationSvnAfterModuleClause", issuer=="AttestationPolicy"] => add(type="bootAppSvnQuery", value=AppendString(AppendString(c1.value, c2.value), " && EventTypeString == 'EV_EVENT_TAG' && PcrIndex == `12`].ProcessedData.EVENT_TRUSTBOUNDARY.EVENT_APPLICATION_SVN | @[0]"));
c1:[type=="bootAppSvnQuery", issuer=="AttestationPolicy"] && c2:[type=="events", issuer=="AttestationService"] => issue(type="bootAppSvn", value=JsonToClaimValue(JmesPath(c2.value, c1.value)));
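Review bot: The comment "Find the first EVENT_APPLICATION_SVN after EV_EVENT_TAG in PCR 12" does not match the rules beneath it: the lower bound is moduleSeq, which the moduleQuery above takes from an EV_EVENT_TAG in PCR 13, and PCR 12 is where the SVN itself is read. Reword it along the lines of "first EVENT_APPLICATION_SVN in PCR 12 after the module event found in PCR 13". Within these lines applicationSvnAfterModuleClause is only added when moduleSeq is not "null", so confirm that a fallback outside the hunk still issues bootAppSvn in the null case.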
@@ -464,7 +464,7 @@ calls between client and MAA and for each call the GUID is separated by semicolo
}.[Signature]
```
-### Learn More
+### Learn More
More information about TPM attestation can be found here: [Microsoft Azure Attestation](/azure/attestation/).
@@ -487,7 +487,7 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes
- DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
- DHA-Service replies with an encrypted data blob (DHA-EncBlob)
- - DHA-CSP and MDM-Server communication:
+ - DHA-CSP and MDM-Server communication:
- MDM-Server sends a device health verification request to DHA-CSP
- DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob
@@ -549,10 +549,10 @@ More information about TPM attestation can be found here: [Microsoft Azure Attes
|Device Health Attestation – On Premise(DHA-OnPrem)|DHA-OnPrem refers to DHA-Service that is running on premises:
Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) Hosted on an enterprise owned and managed server device/hardwareSupported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenariosAccessible to all enterprise-managed devices via following settings:- FQDN = (enterprise assigned)
- Port = (enterprise assigned)
- Protocol = TCP|The operation cost of running one or more instances of Server 2016 on-premises.
|
|Device Health Attestation - Enterprise-Managed Cloud(DHA-EMC)|DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.Offered to Windows Server 2016 customers with no extra licensing cost (no added licensing cost for enabling/running DHA-Service)Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios Accessible to all enterprise-managed devices via following settings: - FQDN = (enterprise assigned)
- Port = (enterprise assigned)
- Protocol = TCP|The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
|
-### CSP diagram and node descriptions
+### CSP diagram and node descriptions
+
+The following shows the Device HealthAttestation configuration service provider in tree format.
-The following shows the Device HealthAttestation configuration service provider in tree format.
-
```console
./Vendor/MSFT
HealthAttestation
@@ -569,17 +569,17 @@ HealthAttestation
----MaxSupportedProtocolVersion
```
-**./Vendor/MSFT/HealthAttestation**
+**./Vendor/MSFT/HealthAttestation**
The root node for the device HealthAttestation configuration service provider.
-**VerifyHealth** (Required)
+**VerifyHealth** (Required)
Notifies the device to prepare a device health verification request.
The supported operation is Execute.
-**Status** (Required)
+**Status** (Required)
Provides the current status of the device health request.
@@ -592,19 +592,19 @@ The following list shows some examples of supported values. For the complete lis
- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob couldn't be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pickup
-**ForceRetrieve** (Optional)
+**ForceRetrieve** (Optional)
Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
Boolean value. The supported operation is Replace.
-**Certificate** (Required)
+**Certificate** (Required)
Instructs the DHA-CSP to forward DHA-Data to the MDM server.
Value type is b64. The supported operation is Get.
-**Nonce** (Required)
+**Nonce** (Required)
Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
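Review bot: In the Nonce description, "crypt-protected random value" is not a defined term, so the reader cannot tell whether the MDM server must generate the nonce with a cryptographically secure random source or must encrypt it. State the requirement explicitly. "man-in-the-middle type (MITM) attacks" would also read better as "man-in-the-middle (MITM) attacks".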
@@ -612,7 +612,7 @@ The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size o
The supported operations are Get and Replace.
-**CorrelationId** (Required)
+**CorrelationId** (Required)
Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
@@ -685,7 +685,7 @@ SSL-Session:
Protocol: TLSv1.2
Cipher: ECDHE-RSA-AES256-SHA384
Session-ID: B22300009621370F84A4A3A7D9FC40D584E047C090604E5226083A02ED239C93
- Session-ID-ctx:
+ Session-ID-ctx:
Master-Key: 9E3F6BE5B3D3B55C070470CA2B62EF59CC1D5ED9187EF5B3D1BBF4C101EE90BEB04F34FFD748A13C92A387104B8D1DE7
Key-Arg: None
PSK identity: None
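Review bot: The sample SSL-Session output in this hunk publishes full "Session-ID" and "Master-Key" values. They add nothing for the reader, and session secrets copied from a real capture do not belong in documentation. Replace both with obvious placeholders while this block is being edited.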
@@ -706,7 +706,7 @@ There are three types of DHA-Service:
DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider.
-For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint node to instruct a managed device to communicate with the enterprise trusted DHA-Service.
+For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint node to instruct a managed device to communicate with the enterprise trusted DHA-Service.
The following example shows a sample call that instructs a managed device to communicate with an enterprise-managed DHA-Service.
@@ -854,7 +854,7 @@ After the MDM server receives the verified data, the information can be used to
The following list of data points is verified by the DHA-Service in DHA-Report version 3:
-- [Issued](#issued )
+- [Issued](#issued )
- [AIKPresent](#aikpresent)
- [ResetCount](#resetcount) *
- [RestartCount](#restartcount) *
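Review bot: The first list entry still reads "[Issued](#issued )" after this change, with a stray space inside the link target before the closing parenthesis. The whitespace cleanup only trimmed the end of the line. Change it to "(#issued)" so it matches the other anchors in the list.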
@@ -882,8 +882,8 @@ The following list of data points is verified by the DHA-Service in DHA-Report v
- [OSRevListInfo](#osrevlistinfo)
- [HealthStatusMismatchFlags](#healthstatusmismatchflags)
-\* TPM 2.0 only
-\*\* Reports if BitLocker was enabled during initial boot.
+\* TPM 2.0 only
+\*\* Reports if BitLocker was enabled during initial boot.
\*\*\* The "Hybrid Resume" must be disabled on the device. Reports first-party ELAM "Defender" was loaded during boot.
Each of these data points is described in further detail in the following sections, along with the recommended actions to take.
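Review bot: The two footnote lines changed here ("\* TPM 2.0 only" and "\*\* Reports if BitLocker was enabled during initial boot.") sit directly above the third footnote with no blank line between them, and they differ from the removed lines only in trailing whitespace. If the removed characters were Markdown's two-space hard line break, the three footnotes will now render as a single run-on paragraph. Convert them to a list or separate them with blank lines before stripping the whitespace.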
@@ -892,7 +892,7 @@ Each of these data points is described in further detail in the following sectio
The date and time DHA-report was evaluated or issued to MDM.
-**AIKPresent**
+**AIKPresent**
When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
@@ -913,7 +913,7 @@ This attribute reports the number of times a PC device has hibernated or resumed
This attribute reports the number of times a PC device has rebooted.
-**DEPPolicy**
+**DEPPolicy**
A device can be trusted more if the DEP Policy is enabled on the device.
@@ -933,7 +933,7 @@ If DEPPolicy = 0 (Off), then take one of the following actions that align with y
- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a device's past activities and trust history.
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
-**BitLockerStatus** (at boot time)
+**BitLockerStatus** (at boot time)
When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
@@ -976,7 +976,7 @@ If `CodeIntegrityRevListVersion !`= [CurrentVersion], then take one of the follo
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-**SecureBootEnabled**
+**SecureBootEnabled**
When Secure Boot is enabled, the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this requirement before it lets the machine start. If any files have been tampered with, breaking their signature, the system won't boot.
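Review bot: The context line "Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue." is missing a word between "owner" and "investigate". The same sentence recurs in several later hunks of this file, so fix every occurrence together, for example "contact the owner and investigate the issue".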
@@ -1005,7 +1005,7 @@ If BootDebuggingEnabled = 1 (True), then take one of the following actions that
- Disallow all access.
- Disallow access to HBI assets.
- Place the device in a watch list to monitor the device more closely for potential risks.
-- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
+- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
**OSKernelDebuggingEnabled**
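Review bot: The changed line recommends "enabling VSM using WMI or a PowerShell script" as the corrective action, but the hunk header shows this list belongs to "If BootDebuggingEnabled = 1 (True)". Enabling VSM does not turn boot debugging off, so this looks copied from the VSMEnabled section. Replace it with an action that addresses boot debugging, or with the "informing the technical support team" wording used in the neighbouring sections.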
@@ -1020,7 +1020,7 @@ If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions t
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-**CodeIntegrityEnabled**
+**CodeIntegrityEnabled**
When code integrity is enabled, code execution is restricted to integrity verified code.
@@ -1055,7 +1055,7 @@ If TestSigningEnabled = 1 (True), then take one of the following actions that al
- Place the device in a watch list to monitor the device more closely for potential risks.
- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
-**SafeMode**
+**SafeMode**
Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
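Review bot: The corrective action in the context line above the SafeMode heading reads "such as enabling test signing using WMI or a PowerShell script", yet the hunk header shows the list applies when TestSigningEnabled = 1 (True). The remediation for a device that already has test signing on is to disable it. Change "enabling" to "disabling".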
@@ -1067,7 +1067,7 @@ If SafeMode = 1 (True), then take one of the following actions that align with y
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-**WinPE**
+**WinPE**
Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
@@ -1101,7 +1101,7 @@ If ELAMDriverLoaded = 0 (False), then take one of the following actions that ali
- Disallow access to HBI assets.
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
-**VSMEnabled**
+**VSMEnabled**
Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1 GB of memory – it has enough capability to run the LSA service that is used for all authentication brokering.
@@ -1212,7 +1212,7 @@ If reported OSRevListInfo version equals an accepted value, then allow access.
If reported OSRevListInfo version doesn't equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access.
-- Direct the device to an enterprise honeypot, to further monitor the device's activities.
+- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**HealthStatusMismatchFlags**
@@ -1222,70 +1222,70 @@ If an issue is detected, a list of impacted DHA-report elements will be listed u
### Device HealthAttestation CSP status and error codes
-Error code: 0 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED
+Error code: 0 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED
Error description: This state is the initial state for devices that have never participated in a DHA-Session.
-Error code: 1 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED
+Error code: 1 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED
Error description: This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
-Error code: 2 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED
+Error code: 2 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED
Error description: This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
-Error code: 3 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE
+Error code: 3 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE
Error description: This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server.
-Error code: 4 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL
+Error code: 4 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL
Error description: Deprecated in Windows 10, version 1607.
-Error code: 5 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL
+Error code: 5 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL
Error description: DHA-CSP failed to get a claim quote.
-Error code: 6 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY
+Error code: 6 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY
Error description: DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
-Error code: 7 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL
+Error code: 7 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL
Error description: DHA-CSP failed in retrieving Windows AIK
-Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL
+Error code: 8 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL
Error description: Deprecated in Windows 10, version 1607.
-Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION
+Error code: 9 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION
Error description: Invalid TPM version (TPM version isn't 1.2 or 2.0)
-Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL
+Error code: 10 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL
Error description: Nonce wasn't found in the registry.
-Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL
+Error code: 11 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL
Error description: Correlation ID wasn't found in the registry.
-Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL
+Error code: 12 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL
Error description: Deprecated in Windows 10, version 1607.
-Error code: 13 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL
+Error code: 13 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL
Error description: Deprecated in Windows 10, version 1607.
-Error code: 14 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL
+Error code: 14 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL
Error description: Failure in Encoding functions. (Extremely unlikely scenario)
-Error code: 15 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL
+Error code: 15 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL
Error description: Deprecated in Windows 10, version 1607.
-Error code: 16 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML
+Error code: 16 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML
Error description: DHA-CSP failed to load the payload it received from DHA-Service
-Error code: 17 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML
+Error code: 17 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML
Error description: DHA-CSP received a corrupted response from DHA-Service.
-Error code: 18 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML
+Error code: 18 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML
Error description: DHA-CSP received an empty response from DHA-Service.
-Error code: 19 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK
+Error code: 19 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK
Error description: DHA-CSP failed in decrypting the AES key from the EK challenge.
-Error code: 20 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK
+Error code: 20 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK
Error description: DHA-CSP failed in decrypting the health cert with the AES key.
-Error code: 21 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB
+Error code: 21 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB
Error description: DHA-CSP failed in exporting the AIK Public Key.
Error code: 22 | Error name: HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY
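Review bot: The error descriptions in this hunk name the same component two ways: codes 1 to 3 say "DHA-Server" while codes 16 to 18 say "DHA-Service". Use one name throughout. The descriptions are also punctuated inconsistently (codes 7, 9 and 16 have no closing period), and each "Error code | Error name" line sits directly above its "Error description" line, so a table would survive whitespace cleanups like this one better than adjacent lines do.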
@@ -1413,7 +1413,7 @@ Error description: DHA-Service isn't reachable by DHA-CSP
-
+
@@ -1430,7 +1430,7 @@ Error description: DHA-Service isn't reachable by DHA-CSP
-
@@ -1474,7 +1474,7 @@ xmlns="http://schemas.microsoft.com/windows/security/healthcertificate/validatio
1
1
2
- 4ACCBE0ADB9627FFD6285C2E06EC5AC59ABF62C7
+ 4ACCBE0ADB9627FFD6285C2E06EC5AC59ABF62C7
00000000000001001A000B00200000005300690050006F006C006900630079002E007000370062000000A4BF7EF05585876A61CBFF7CAE8123BE756D58B1BBE04F9719D15D6271514CF5
005D447A7CC6D101200000000B00CBB56E8B19267E24A2986C4A616CCB58B4D53F6020AC8FD5FC205C20F2AB00BC
8073EEA7F8FAD001200000000B00A8285B04DE618ACF4174C59F07AECC002D11DD7D97FA5D464F190C9D9E3479BA
diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md
index ccc7b8a660..84efc29453 100644
--- a/windows/client-management/mdm/healthattestation-ddf.md
+++ b/windows/client-management/mdm/healthattestation-ddf.md
@@ -1,7 +1,7 @@
---
title: HealthAttestation DDF
description: Learn about the OMA DM device description framework (DDF) for the HealthAttestation configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md
index 0042735b48..27e3cb817b 100644
--- a/windows/client-management/mdm/multisim-csp.md
+++ b/windows/client-management/mdm/multisim-csp.md
@@ -7,11 +7,11 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 03/22/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
-# MultiSIM CSP
+# MultiSIM CSP
The table below shows the applicability of Windows:
@@ -43,52 +43,52 @@ MultiSIM
--------Policies
------------SlotSelectionEnabled
```
-**./Device/Vendor/MSFT/MultiSIM**
+**./Device/Vendor/MSFT/MultiSIM**
Root node.
-**_ModemID_**
+**_ModemID_**
Node representing a Mobile Broadband Modem. The node name is the modem ID. Modem ID is a GUID without curly braces, with exception of "Embedded" which represents the embedded modem.
-**_ModemID_/Identifier**
+**_ModemID_/Identifier**
Modem ID.
Supported operation is Get. Value type is string.
-**_ModemID_/IsEmbedded**
+**_ModemID_/IsEmbedded**
Indicates whether this modem is embedded or external.
Supported operation is Get. Value type is bool.
-**_ModemID_/Slots**
+**_ModemID_/Slots**
Represents all SIM slots in the Modem.
-**_ModemID_/Slots/_SlotID_**
+**_ModemID_/Slots/_SlotID_**
Node representing a SIM Slot. The node name is the Slot ID. SIM Slot ID format is "0", "1", etc., with exception of "Embedded" which represents the embedded Slot.
-**_ModemID_/Slots/_SlotID_/Identifier**
+**_ModemID_/Slots/_SlotID_/Identifier**
Slot ID.
Supported operation is Get. Value type is integer.
-**_ModemID_/Slots/_SlotID_/IsEmbedded**
+**_ModemID_/Slots/_SlotID_/IsEmbedded**
Indicates whether this Slot is embedded or a physical SIM slot.
Supported operation is Get. Value type is bool.
-**_ModemID_/Slots/_SlotID_/IsSelected**
+**_ModemID_/Slots/_SlotID_/IsSelected**
Indicates whether this Slot is selected or not.
Supported operation is Get and Replace. Value type is bool.
-**_ModemID_/Slots/_SlotID_/State**
+**_ModemID_/Slots/_SlotID_/State**
Slot state (Unknown = 0, OffEmpty = 1, Off = 2, Empty = 3, NotReady = 4, Active = 5, Error = 6, ActiveEsim = 7, ActiveEsimNoProfile = 8)
Supported operation is Get. Value type is integer.
-**_ModemID_/Policies**
+**_ModemID_/Policies**
Policies associated with the Modem.
-**_ModemID_/Policies/SlotSelectionEnabled**
+**_ModemID_/Policies/SlotSelectionEnabled**
Determines whether the user is allowed to change slots in the Cellular settings UI. Default is true.
Supported operation is Get and Replace. Value type is bool.
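Review bot: The Slots/_SlotID_/Identifier entry says "Value type is integer", but the _SlotID_ description two entries earlier allows the ID "Embedded" alongside "0" and "1". State what Identifier returns for the embedded slot, or correct the value type. "Supported operation is Get and Replace." on IsSelected and SlotSelectionEnabled should also read "Supported operations are Get and Replace."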
@@ -109,7 +109,7 @@ Get modem
-
+
```
@@ -128,7 +128,7 @@ Get slots
-
+
```
@@ -147,7 +147,7 @@ Get slot state
-
+
```
@@ -171,7 +171,7 @@ Select slot
true
-
+
```
diff --git a/windows/client-management/mdm/multisim-ddf.md b/windows/client-management/mdm/multisim-ddf.md
index 662c3e0384..29365184f1 100644
--- a/windows/client-management/mdm/multisim-ddf.md
+++ b/windows/client-management/mdm/multisim-ddf.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 02/27/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md
index 2a4d93d58f..5143e1861e 100644
--- a/windows/client-management/mdm/nap-csp.md
+++ b/windows/client-management/mdm/nap-csp.md
@@ -1,7 +1,7 @@
---
title: NAP CSP
description: Learn how the Network Access Point (NAP) configuration service provider (CSP) is used to manage and query GPRS and CDMA connections.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -71,28 +71,28 @@ NAP
----------------SecureLevel
```
-**./Vendor/MSFT/NAP**
+**./Vendor/MSFT/NAP**
Root node.
-***NAPX***
+***NAPX***
Required. Defines the name of the network access point.
It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), however, no spaces may appear in the name (use %20 instead).
-***NAPX*/NAPID**
+***NAPX*/NAPID**
Required. Specifies the identifier of the destination network.
The NAPID value must not include a "@" character. If the NAPDEF configuration service provider defines it as “connectionID@WAP”, this value should be set to “connectionID”.
-***NAPX*/NAME**
+***NAPX*/NAME**
Optional. Specifies the user-friendly name of the connection.
-***NAPX*/ADDR**
+***NAPX*/ADDR**
Required. Specifies the address of the destination network.
The ADDR may be the URL of an access point, the APN name for a GPRS access point, the telephone number of an answering modem, or any other string used to uniquely identify the address of the destination network.
-***NAPX*/ADDRTYPE**
+***NAPX*/ADDRTYPE**
Required. Specifies the type of address used to identify the destination network.
The following table shows some commonly used ADDRTYPE values and the types of connection that corresponds with each value.
@@ -103,24 +103,24 @@ The following table shows some commonly used ADDRTYPE values and the types of co
|APN|GPRS connections|
|ALPHA|Wi-Fi-based connections|
-***NAPX*/AuthInfo**
+***NAPX*/AuthInfo**
Optional node. Specifies the authentication information, including the protocol, user name, and password.
-***NAPX*/AuthInfo/AuthType**
+***NAPX*/AuthInfo/AuthType**
Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, and MD5.
-***NAPX*/AuthInfo/AuthName**
+***NAPX*/AuthInfo/AuthName**
Optional. Specifies the user name and domain to be used during authentication. This field is in the form *Domain*\\*UserName*.
-***NAPX*/AuthInfo/AuthSecret**
+***NAPX*/AuthInfo/AuthSecret**
Optional. Specifies the password used during authentication.
Queries of this field will return a string composed of 16 asterisks (\*).
-***NAPX*/Bearer**
+***NAPX*/Bearer**
Node.
-***NAPX*/Bearer/BearerType**
+***NAPX*/Bearer/BearerType**
Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, and Wi-Fi.
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index ebef8beec0..862e53d138 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -1,7 +1,7 @@
---
title: NAPDEF CSP
description: Learn how the NAPDEF configuration service provider (CSP) is used to add, modify, or delete WAP network access points (NAPs).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -28,8 +28,8 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
> [!Note]
> You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list.
->
-> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application.
+>
+> This configuration service provider requires the `ID_CAP_CSP_FOUNDATION` and `ID_CAP_NETWORKING_ADMIN` capabilities to be accessed from a network configuration application.
The following shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol isn't supported by this configuration service provider.
@@ -67,62 +67,62 @@ NAPDEF
----NAP-ADDRTYPE
```
-**NAPAUTHINFO**
+**NAPAUTHINFO**
Defines a group of authentication settings.
-**AUTHNAME**
+**AUTHNAME**
Specifies the name used to authenticate the user.
-**AUTHSECRET**
+**AUTHSECRET**
Specifies the password used to authenticate the user.
A query of this parameter returns asterisks (\*) in the results.
-**AUTHTYPE**
+**AUTHTYPE**
Specifies the protocol used to authenticate the user.
The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols.
> [!Note]
-> **AuthName** and **AuthSecret** are not created if **AuthType** isn't included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** isn't included in the provisioning XML used to make the change.
+> **AuthName** and **AuthSecret** are not created if **AuthType** isn't included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** isn't included in the provisioning XML used to make the change.
-**BEARER**
+**BEARER**
Specifies the type of bearer.
Only Global System for Mobile Communication (GSM) and GSM-General Packet Radio Services (GPRS) are supported.
-**INTERNET**
+**INTERNET**
Optional. Specifies whether this connection is an AlwaysOn connection.
If **INTERNET** exists, the connection is an AlwaysOn connection and doesn't require a connection manager policy.
If **INTERNET** doesn't exist, the connection isn't an AlwaysOn connection and the connection requires a connection manager connection policy to be set.
-**LOCAL-ADDR**
+**LOCAL-ADDR**
Required for GPRS. Specifies the local address of the WAP client for GPRS access points.
-**LOCAL-ADDRTYPE**
+**LOCAL-ADDRTYPE**
Required for GPRS. Specifies the address format of the **LOCAL-ADDR** element.
The value of LOCAL-ADDRTYPE can be "IPv4".
-**NAME**
+**NAME**
Specifies the logical, user-readable identity of the NAP.
-**NAP-ADDRESS**
+**NAP-ADDRESS**
Specifies the address of the NAP.
-**NAP-ADDRTYPE**
+**NAP-ADDRTYPE**
Specifies the format and protocol of the **NAP-ADDRESS** element.
Only Access Point Name (APN) and E164 are supported.
-**NAPID**
+**NAPID**
Required for initial bootstrapping. Specifies the name of the NAP.
The maximum length of the **NAPID** value is 16 characters.
-***NAPID***
+***NAPID***
Required for bootstrapping updating. Defines the name of the NAP.
The name of the *NAPID* element is the same as the value passed during initial bootstrapping. In addition, the Microsoft format for NAPDEF contains the provisioning XML attribute mwid. This custom attribute is optional when adding a NAP or a proxy. It's required for *NAPID* when updating and deleting existing NAPs and proxies and must have its value set to 1.
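Review bot: In the AUTHTYPE description (the context line under `**AUTHTYPE**`), the permitted value is written as "POP" but expanded as Password Authentication Protocol, whose abbreviation is PAP. This hunk already touches the AUTHTYPE heading, so either correct the literal to "PAP" here or confirm that "POP" is the value the provisioning XML expects and fix the expansion instead. The literal matters because the note that follows makes creating and changing AuthName and AuthSecret depend on AuthType being present.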
diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md
index c249a38718..8ad815d592 100644
--- a/windows/client-management/mdm/networkproxy-csp.md
+++ b/windows/client-management/mdm/networkproxy-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 08/29/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -26,7 +26,7 @@ The table below shows the applicability of Windows:
The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
-How the settings work:
+How the settings work:
- If auto-detect is enabled, the system tries to find the path to a Proxy Auto Config (PAC) script and download it.
- If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script.
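Review bot: The second list item says "If #1 fails", but the list under "How the settings work:" uses `-` bullets, so there is no item numbered 1 to refer to. Either switch the list to `1.`/`2.` numbering or reword the item to "If auto-detect fails and a setup script is specified". This is worth fixing while the lead-in line is being touched, because readers rely on this order to know which PAC script is applied.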
@@ -47,10 +47,10 @@ NetworkProxy
--------UseProxyForLocalAddresses
```
-**./Vendor/MSFT/NetworkProxy**
+**./Vendor/MSFT/NetworkProxy**
The root node for the NetworkProxy configuration service provider.
-**ProxySettingsPerUser**
+**ProxySettingsPerUser**
Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide.
Supported operations are Add, Get, Replace, and Delete.
@@ -73,22 +73,22 @@ Address to the PAC script you want to use.
The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
-**ProxyServer**
+**ProxyServer**
Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections.
Supported operation is Get.
-**ProxyAddress**
+**ProxyAddress**
Address to the proxy server. Specify an address in the format <server>[“:”<port>].
The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
-**Exceptions**
+**Exceptions**
Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries.
The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
-**UseProxyForLocalAddresses**
+**UseProxyForLocalAddresses**
Specifies whether the proxy server should be used for local (intranet) addresses.
Valid values:
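Review bot: On the ProxyAddress context line, the address format is written in running text as <server>[“:”<port>], with typographic quotes and bare angle brackets. Put the format in a code span with plain ASCII characters so the brackets cannot be dropped as HTML by the renderer and nobody copies curly quotes into the value. The same cleanup pass that strips the trailing whitespace on `**ProxyAddress**` is a good place for it.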
@@ -131,7 +131,7 @@ These generic code portions for the options **ProxySettingsPerUser**, **Autodete
1
-
+
```
```xml
diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md
index ed25d003b2..22513a4fe6 100644
--- a/windows/client-management/mdm/networkproxy-ddf.md
+++ b/windows/client-management/mdm/networkproxy-ddf.md
@@ -7,13 +7,13 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# NetworkProxy DDF file
-This topic shows the OMA DM device description framework (DDF) for the **NetworkProxy** configuration service provider.
+This topic shows the OMA DM device description framework (DDF) for the **NetworkProxy** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md
index 5b5d5d930e..5ac902a866 100644
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 04/22/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -30,7 +30,7 @@ The following conditions are supported:
- Network traffic from a specific application name
- Network traffic from specific source or destination ports
- Network traffic from a specific IP protocol (TCP, UDP, or both)
-
+
The following actions are supported:
- Layer 2 tagging using a IEEE 802.1p priority value
- Layer 3 tagging using a differentiated services code point (DSCP) value
@@ -39,7 +39,7 @@ The following actions are supported:
> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on the following devices:
> - Azure AD Hybrid joined devices.
> - Devices that use both GPO and CSP at the same time.
->
+>
> The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Windows 10, version 2004.
The following example shows the NetworkQoSPolicy configuration service provider in tree format.
@@ -55,64 +55,64 @@ NetworkQoSPolicy
--------PriorityValue8021Action
--------DSCPAction
```
-**NetworkQoSPolicy**
+**NetworkQoSPolicy**
The root node for the NetworkQoSPolicy configuration service provider.
-**Version**
+**Version**
Specifies the version information.
-
The data type is int.
+
The data type is int.
The only supported operation is Get.
-***Name***
+***Name***
Node for the QoS policy name.
-***Name*/IPProtocolMatchCondition**
-
Specifies the IP protocol used to match the network traffic.
+***Name*/IPProtocolMatchCondition**
+
Specifies the IP protocol used to match the network traffic.
Valid values are:
-- 0 (default) - Both TCP and UDP
+- 0 (default) - Both TCP and UDP
- 1 - TCP
- 2 - UDP
-
The data type is int.
+
The data type is int.
The supported operations are Add, Get, Delete, and Replace.
-***Name*/AppPathNameMatchCondition**
+***Name*/AppPathNameMatchCondition**
Specifies the name of an application to be used to match the network traffic, such as `application.exe` or `%ProgramFiles%\application.exe`.
-
The data type is char.
+
The data type is char.
The supported operations are Add, Get, Delete, and Replace.
-***Name*/SourcePortMatchCondition**
-
Specifies a single port or a range of ports to be used to match the network traffic source.
+***Name*/SourcePortMatchCondition**
+
Specifies a single port or a range of ports to be used to match the network traffic source.
-
Valid values are:
+
Valid values are:
- A range of source ports: _[first port number]_-_[last port number]_
- A single source port: _[port number]_
-
-
The data type is char.
+
+
The data type is char.
The supported operations are Add, Get, Delete, and Replace.
-***Name*/DestinationPortMatchCondition**
+***Name*/DestinationPortMatchCondition**
Specifies a single source port or a range of ports to be used to match the network traffic destination.
-
Valid values are:
+
Valid values are:
- A range of destination ports: _[first port number]_-_[last port number]_
- A single destination port: _[port number]_
-
-
The data type is char.
+
+
The data type is char.
The supported operations are Add, Get, Delete, and Replace.
-***Name*/PriorityValue8021Action**
+***Name*/PriorityValue8021Action**
Specifies the IEEE 802.1p priority value to apply to matching network traffic.
Valid values are 0-7.
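Review bot: The DestinationPortMatchCondition description reads "Specifies a single source port or a range of ports to be used to match the network traffic destination"; the word "source" looks carried over from SourcePortMatchCondition above and contradicts the rest of the sentence. Change it to "a single port or a range of ports", matching the wording of the source-port entry. Also check the rendered page for the several removed and re-added "The data type is ..." lines in this hunk, since they are the only changes here that are not plain heading whitespace.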
@@ -121,7 +121,7 @@ NetworkQoSPolicy
The supported operations are Add, Get, Delete, and Replace.
-***Name*/DSCPAction**
+***Name*/DSCPAction**
The Differentiated Services Code Point (DSCP) value to apply to matching network traffic.
Valid values are 0-63.
diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md
index 972f823ac5..8844a456cf 100644
--- a/windows/client-management/mdm/networkqospolicy-ddf.md
+++ b/windows/client-management/mdm/networkqospolicy-ddf.md
@@ -1,7 +1,7 @@
---
title: NetworkQoSPolicy DDF
description: View the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md
index dc9bf7a054..baf2add3e3 100644
--- a/windows/client-management/mdm/nodecache-csp.md
+++ b/windows/client-management/mdm/nodecache-csp.md
@@ -1,7 +1,7 @@
---
title: NodeCache CSP
description: Use the NodeCache configuration service provider (CSP) to synchronize, monitor, and manage the client cache.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -77,45 +77,45 @@ NodeCache
----------------ExpectedValue
----------------AutoSetExpectedValue
```
-**./Device/Vendor/MSFT and ./User/Vendor/MSFT**
+**./Device/Vendor/MSFT and ./User/Vendor/MSFT**
Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This parameter's value is a predefined MIME type to identify this managed object in OMA DM syntax.
-***ProviderID***
+***ProviderID***
Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one **ProviderID** node under **NodeCache**. Scope is dynamic.
Supported operations are Get, Add, and Delete.
-***ProviderID*/CacheVersion**
+***ProviderID*/CacheVersion**
Optional. Character string representing the cache version set by the server. Scope is dynamic.
Data type is string. Supported operations are Get, Add, and Replace.
-***ProviderID*/ChangedNodes**
+***ProviderID*/ChangedNodes**
Optional. List of nodes whose values don't match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic.
Data type is string. Supported operation is Get.
-***ProviderID*/ChangedNodesData**
+***ProviderID*/ChangedNodesData**
Added in Windows 10, version 1703. Optional. XML containing nodes whose values don't match their expected values as specified in /NodeID/ExpectedValue.
Supported operation is Get.
-***ProviderID*/Nodes**
+***ProviderID*/Nodes**
Required. Root node for cached nodes. Scope is dynamic.
Supported operation is Get.
-**/Nodes/***NodeID*
+**/Nodes/***NodeID*
Optional. Information about each cached node is stored under *NodeID* as specified by the server. This value must not contain a comma. Scope is dynamic.
Supported operations are Get, Add, and Delete.
-**/*NodeID*/NodeURI**
+**/*NodeID*/NodeURI**
Required. This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. Scope is dynamic.
Data type is string. Supported operations are Get, Add, and Delete.
-**/*NodeID*/ExpectedValue**
+**/*NodeID*/ExpectedValue**
Required. The server expects this value to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent.
Supported operations are Get, Add, and Delete.
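Review bot: The ChangedNodesData context line refers to "/NodeID/ExpectedValue" as plain text, while the ChangedNodes entry just above it writes the same path as `**/*NodeID*/ExpectedValue**`. Use the bold-and-italic form in both places so the placeholder NodeID is visibly a placeholder. The heading `**/Nodes/***NodeID*` has the same kind of inconsistency: its closing markers differ from `**/*NodeID*/NodeURI**` and the other headings in this hunk.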
@@ -137,7 +137,7 @@ Here's an example for setting the ExpectedValue to nonexistent.
```
-**/*NodeID*/AutoSetExpectedValue**
+**/*NodeID*/AutoSetExpectedValue**
Added in Windows 10, version 1703. Required. This parameter's value automatically sets the value on the device to match the actual value of the node. The node is specified in NodeURI.
Supported operations are Add, Get, and Delete.
@@ -404,9 +404,9 @@ The value inside of the node tag is the actual value returned by the Uri, which
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
+
+
+
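Review bot: The three whitespace-only lines after the "Configuration service provider reference" link are removed and then added back as three empty lines. If the goal is whitespace cleanup, drop them entirely so the file ends with a single newline after the link, rather than keeping three trailing blank lines.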
diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md
index 8fb7117803..72e0bcce45 100644
--- a/windows/client-management/mdm/nodecache-ddf-file.md
+++ b/windows/client-management/mdm/nodecache-ddf-file.md
@@ -1,7 +1,7 @@
---
title: NodeCache DDF file
description: Learn about the OMA DM device description framework (DDF) for the NodeCache configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index 5fc7af65c0..fa96d98a49 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 08/15/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -24,7 +24,7 @@ The table below shows the applicability of Windows:
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
+The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
This CSP was added in Windows 10, version 1703.
@@ -58,41 +58,41 @@ Office
------------Status
```
-**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**
+**./Device/Vendor/MSFT/Office/ or ./User/Vendor/MSFT/Office**
The root node for the Office configuration service provider.
-**Installation**
+**Installation**
Specifies the options for the Microsoft Office installation.
The supported operations are Add, Delete, and Get.
-**Installation/_id_**
-Specifies a unique identifier that represents the ID of the Microsoft Office product to install.
+**Installation/_id_**
+Specifies a unique identifier that represents the ID of the Microsoft Office product to install.
The supported operations are Add, Delete, and Get.
-**Installation/_id_/Install**
-Installs Office by using the XML data specified in the configuration.xml file.
+**Installation/_id_/Install**
+Installs Office by using the XML data specified in the configuration.xml file.
The supported operations are Get and Execute.
-**Installation/_id_/Status**
-The Microsoft Office installation status.
+**Installation/_id_/Status**
+The Microsoft Office installation status.
The only supported operation is Get.
-**Installation/_id_/FinalStatus**
+**Installation/_id_/FinalStatus**
Added in Windows 10, version 1809. Indicates the status of the Final Office 365 installation.
The only supported operation is Get.
-Behavior:
+Behavior:
- When Office CSP is triggered to install, it will first check if the FinalStatus node exists or not. If the node exists, delete it.
-- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values:
+- When Office installation reaches any terminal states (either success or failure), this node is created that contains the following values:
- When status = 0: 70 (succeeded)
- When status!= 0: 60 (failed)
-**Installation/CurrentStatus**
+**Installation/CurrentStatus**
Returns an XML of current Office 365 installation status on the device.
The only supported operation is Get.
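Review bot: In the FinalStatus behavior list, the second sub-item reads "When status!= 0: 60 (failed)" with no space before the operator, next to "When status = 0: 70 (succeeded)". Write it as "status != 0" and consider putting both conditions in code spans. The parent bullet ("reaches any terminal states ... this node is created that contains the following values") is touched by this hunk and could be tightened to "reaches a terminal state (success or failure), this node is created with one of the following values". The root-node heading also mixes a trailing slash (`./Device/Vendor/MSFT/Office/`) with none (`./User/Vendor/MSFT/Office`).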
@@ -112,7 +112,7 @@ Sample SyncML to install Microsoft 365 Apps for business Retail from current cha
chr
-
+
<Configuration><Add OfficeClientEdition="32" Channel="Current"><Product ID="O365BusinessRetail"><Language ID="en-us" /></Product></Add><Display Level="None" AcceptEULA="TRUE" /></Configuration>
@@ -134,7 +134,7 @@ To uninstall the Office 365 from the system:
chr
-
+
<Configuration><Remove All="TRUE"/><Display Level="None" AcceptEULA="TRUE" /></Configuration>
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md
index 94b6fecffe..8ff66a40d9 100644
--- a/windows/client-management/mdm/office-ddf.md
+++ b/windows/client-management/mdm/office-ddf.md
@@ -1,7 +1,7 @@
---
title: Office DDF
description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 8379da3699..c88737941e 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -1,7 +1,7 @@
---
title: PassportForWork CSP
description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -96,34 +96,34 @@ PassportForWork
----------UseSecurityKeyForSignin
```
-**PassportForWork**
+**PassportForWork**
Root node for PassportForWork configuration service provider.
-***TenantId***
+***TenantId***
A globally unique identifier (GUID), without curly braces (`{`, `}`), that's used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](/powershell/module/servicemanagement/azure.service/get-azureaccount). For more information, see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
-***TenantId*/Policies**
+***TenantId*/Policies**
Node for defining the Windows Hello for Business policy settings.
-***TenantId*/Policies/UsePassportForWork**
+***TenantId*/Policies/UsePassportForWork**
Boolean value that sets Windows Hello for Business as a method for signing into Windows.
Default value is true. If you set this policy to false, the user can't provision Windows Hello for Business.
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/RequireSecurityDevice**
+***TenantId*/Policies/RequireSecurityDevice**
Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an extra security benefit over software so that data stored in it can't be used on other devices.
Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there isn't a usable TPM. If you don't configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable.
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT)
+***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1703. Root node for excluded security devices.
*Not supported on Windows Holographic and Windows Holographic for Business.*
-***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT)
+***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG).
Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.
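Review bot: In the RequireSecurityDevice description, the false case and the not-configured case are worded differently even though the default is stated as false: false allows software provisioning "even if there isn't a usable TPM", while not configured allows it "if the TPM is non-functional or unavailable". Please state whether these are the same behavior and, if so, use one wording. An administrator deciding whether keys can end up software-backed needs this to be unambiguous.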
@@ -132,8 +132,8 @@ If you disable or don't configure this policy setting, TPM revision 1.2 modules
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/EnablePinRecovery**
-Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service.
+***TenantId*/Policies/EnablePinRecovery**
+Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service.
This cloud service encrypts a recovery secret, which is stored locally on the client, and can be decrypted only by the cloud service.
Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed.
@@ -142,7 +142,7 @@ If you disable or don't configure this policy setting, the PIN recovery secret w
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT)
+***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT)
Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premises resources.
If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
@@ -151,7 +151,7 @@ If you disable or don't configure this policy setting, the PIN will be provision
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT)
+***TenantId*/Policies/UseCloudTrustForOnPremAuth** (only for ./Device/Vendor/MSFT)
Boolean value that enables Windows Hello for Business to use Azure AD Kerberos to authenticate to on-premises resources.
If you enable this policy setting, Windows Hello for Business will use an Azure AD Kerberos ticket to authenticate to on-premises resources. The Azure AD Kerberos ticket is returned to the client after a successful authentication to Azure AD if Azure AD Kerberos is enabled for the tenant and domain.
@@ -160,10 +160,10 @@ If you disable or do not configure this policy setting, Windows Hello for Busine
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/PINComplexity**
+***TenantId*/Policies/PINComplexity**
Node for defining PIN settings.
-***TenantId*/Policies/PINComplexity/MinimumPINLength**
+***TenantId*/Policies/PINComplexity/MinimumPINLength**
Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest.
If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be greater than or equal to 4.
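Review bot: In the MinimumPINLength description, "whichever is the lowest" compares two numbers and should read "whichever is lower"; the MaximumPINLength entry in the next hunk uses "whichever is greater". While here, note that this entry says the minimum "must be less than" the configured maximum, so it is worth confirming whether minimum equal to maximum is really rejected or whether "less than or equal to" is meant.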
@@ -174,7 +174,7 @@ If you configure this policy setting, the PIN length must be greater than or equ
Value type is int. Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/PINComplexity/MaximumPINLength**
+***TenantId*/Policies/PINComplexity/MaximumPINLength**
Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater.
If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or don't configure this policy setting, the PIN length must be less than or equal to 127.
@@ -185,7 +185,7 @@ If you configure this policy setting, the PIN length must be less than or equal
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/PINComplexity/UppercaseLetters**
+***TenantId*/Policies/PINComplexity/UppercaseLetters**
Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN.
Valid values:
@@ -198,7 +198,7 @@ Default value is 2. Default PIN complexity behavior is that digits are required
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/PINComplexity/LowercaseLetters**
+***TenantId*/Policies/PINComplexity/LowercaseLetters**
Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN.
Valid values:
@@ -211,7 +211,7 @@ Default value is 2. Default PIN complexity behavior is that digits are required
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/PINComplexity/SpecialCharacters**
+***TenantId*/Policies/PINComplexity/SpecialCharacters**
Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ .
Valid values:
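Review bot: The SpecialCharacters context line lists the allowed characters in running text, relying on backslash escapes for some (`\#`, `\*`, `\[`, `\_`) and leaving `<`, `>` and `|` bare, and it ends with a stray " ." after the tilde. Put the whole character list in a single code span so it renders exactly as typed and cannot be altered by the Markdown or HTML renderer. This list defines what a valid PIN may contain, so it should survive copy and paste unchanged.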
@@ -224,7 +224,7 @@ Default value is 2. Default PIN complexity behavior is that digits are required
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/PINComplexity/Digits**
+***TenantId*/Policies/PINComplexity/Digits**
Integer value that configures the use of digits in the Windows Hello for Business PIN.
Valid values:
@@ -237,7 +237,7 @@ Default value is 1. Default PIN complexity behavior is that digits are required
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/PINComplexity/History**
+***TenantId*/Policies/PINComplexity/History**
Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs isn't required. This node was added in Windows 10, version 1511.
The current PIN of the user is included in the set of PINs associated with the user account. PIN history isn't preserved through a PIN reset.
@@ -246,18 +246,18 @@ Default value is 0.
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/PINComplexity/Expiration**
+***TenantId*/Policies/PINComplexity/Expiration**
Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511.
Default is 0.
Supported operations are Add, Get, Delete, and Replace.
-***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT)
+***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT)
Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511.
*Not supported on Windows Holographic and Windows Holographic for Business.*
-***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT)
+***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511.
Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled.
@@ -266,7 +266,7 @@ Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
-***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT)
+***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.
If you disable or don't configure this policy setting, applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.
@@ -275,14 +275,14 @@ Windows requires a user to lock and unlock their session after changing this set
Value type is bool. Supported operations are Add, Get, Replace, and Delete.
-**UseBiometrics**
+**UseBiometrics**
This node is deprecated. Use **Biometrics/UseBiometrics** node instead.
-**Biometrics** (only for ./Device/Vendor/MSFT)
+**Biometrics** (only for ./Device/Vendor/MSFT)
Node for defining biometric settings. This node was added in Windows 10, version 1511.
*Not supported on Windows Holographic and Windows Holographic for Business.*
-**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)
+**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use if there are failures. This node was added in Windows 10, version 1511.
Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
@@ -291,7 +291,7 @@ Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
-**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
+**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT)
Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511.
Default value is false. If you set this policy to false or don't configure this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication.
@@ -304,7 +304,7 @@ Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
-**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT)
+**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT)
If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked. Any non-authentication operational functionalities such as camera usage (for instance, video calls and the camera) will be unaffected.
@@ -312,7 +312,7 @@ If you enable this policy it can have the following possible values:
**0 - Enhanced Sign-in Security Disabled** (not recommended)
-Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again.
+Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again.
**1 - Enhanced Sign-in Security Enabled** (default and recommended for highest security)
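Review bot: The value-0 paragraph rewritten here keeps its destructive side effect (PIN reset prompt, loss of all existing biometric enrollments, re-enrollment required) in the middle of running text. Since the line is being touched anyway, consider moving those three sentences into a callout, using the `> [!NOTE]` style that other files in this patch already use, so an administrator who flips the value from 1 to 0 sees the consequence before applying it.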
@@ -324,52 +324,52 @@ Supported operations are Add, Get, Delete, and Replace.
*Supported from Windows 11 version 22H2*
-**DeviceUnlock** (only for ./Device/Vendor/MSFT)
+**DeviceUnlock** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Interior node.
-**DeviceUnlock/GroupA** (only for ./Device/Vendor/MSFT)
+**DeviceUnlock/GroupA** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the first step of authentication.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-**DeviceUnlock/GroupB** (only for ./Device/Vendor/MSFT)
+**DeviceUnlock/GroupB** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Contains a list of credential providers by GUID (comma separated) that are the second step of authentication.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-**DeviceUnlock/Plugins** (only for ./Device/Vendor/MSFT)
+**DeviceUnlock/Plugins** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user presence.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-**DynamicLock** (only for ./Device/Vendor/MSFT)
+**DynamicLock** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Interior node.
-**DynamicLock/DynamicLock** (only for ./Device/Vendor/MSFT)
+**DynamicLock/DynamicLock** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Enables the dynamic lock.
Value type is bool. Supported operations are Add, Get, Replace, and Delete.
-**DynamicLock/Plugins** (only for ./Device/Vendor/MSFT)
+**DynamicLock/Plugins** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. List of plugins (comma separated) that the passive provider monitors to detect user absence.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
-**SecurityKey** (only for ./Device/Vendor/MSFT)
+**SecurityKey** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1903. Interior node.
Scope is permanent. Supported operation is Get.
-**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT)
+**SecurityKey/UseSecurityKeyForSignin** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1903. Enables users to sign in to their device with a [FIDO2 security key](/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-keys) that is compatible with Microsoft’s implementation.
Scope is dynamic. Supported operations are Add, Get, Replace, and Delete.
-Value type is integer.
+Value type is integer.
-Valid values:
+Valid values:
- 0 (default) - disabled.
- 1 - enabled.
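Review bot: Every bold node-name line in this hunk (`**DeviceUnlock**` through `**SecurityKey/UseSecurityKeyForSignin**`) changes only in trailing whitespace and is followed by its description text. If the removed lines ended in two spaces, that was a Markdown hard line break, and after this change the node name will render on the same line as "Added in Windows 10, version ...". Please check the rendered preview for this page, and if the names now run into the descriptions, separate them with a blank line instead of relying on trailing spaces. The same check applies to the other bold-heading hunks in this file.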
@@ -600,7 +600,7 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
0
-
+
```
diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md
index 5bdaf460f7..c6fde7fcc2 100644
--- a/windows/client-management/mdm/passportforwork-ddf.md
+++ b/windows/client-management/mdm/passportforwork-ddf.md
@@ -1,7 +1,7 @@
---
title: PassportForWork DDF
description: View the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -658,7 +658,7 @@ If you disable or do not configure this policy setting, the PIN recovery secret
False
- Windows Hello for Business can use certificates to authenticate to on-premise resources.
+ Windows Hello for Business can use certificates to authenticate to on-premise resources.
If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN.
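Review bot: The changed description line reads "authenticate to on-premise resources"; as the line is being rewritten, correct it to "on-premises". The edit also sits inside the DDF XML listing rather than in prose, so confirm that the leading indentation of the description text is unchanged and only the trailing whitespace was dropped.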
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index 5524dfcf1a..aa250f64aa 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 06/28/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -40,14 +40,14 @@ Personalization
----LockScreenImageUrl
----LockScreenImageStatus
```
-**./Vendor/MSFT/Personalization**
+**./Vendor/MSFT/Personalization**
Defines the root node for the Personalization configuration service provider.
-**DesktopImageUrl**
+**DesktopImageUrl**
Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
Value type is string. Supported operations are Add, Get, Delete, and Replace.
-**DesktopImageStatus**
+**DesktopImageStatus**
Represents the status of the desktop image. Valid values:
- 1 - Successfully downloaded or copied.
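Review bot: The context sentence under `**DesktopImageUrl**` ("can take an http or https Url to a remote image to be downloaded, a file Url to a local image") is missing the "or" before "a file Url" and writes URL as "Url". It is worth fixing while this block is open, and the identical sentence under `**LockScreenImageUrl**` in the next hunk needs the same correction. Because the setting makes the device fetch a remote file, the text should also state whether plain http is an intended option or kept only for compatibility.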
@@ -63,12 +63,12 @@ Personalization
> [!Note]
> This setting is only used to query status. To set the image, use the DesktopImageUrl setting.
-**LockScreenImageUrl**
+**LockScreenImageUrl**
Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take an http or https Url to a remote image to be downloaded, a file Url to a local image.
Value type is string. Supported operations are Add, Get, Delete, and Replace.
-**LockScreenImageStatus**
+**LockScreenImageStatus**
Represents the status of the lock screen image. Valid values:
- 1 - Successfully downloaded or copied.
@@ -120,7 +120,7 @@ Personalization
https://www.contoso.com/lockscreenimage.JPG
-
+
```
diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md
index 80cdb39b9b..192c4da6da 100644
--- a/windows/client-management/mdm/personalization-ddf.md
+++ b/windows/client-management/mdm/personalization-ddf.md
@@ -7,13 +7,13 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# Personalization DDF file
-This topic shows the OMA DM device description framework (DDF) for the **Personalization** configuration service provider.
+This topic shows the OMA DM device description framework (DDF) for the **Personalization** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
index aa15270570..0284863bcc 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
@@ -1,7 +1,7 @@
---
title: ADMX-backed policies in Policy CSP
description: Learn about the ADMX-backed policies in Policy CSP.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
index 55f6a99ca0..e3c8cbcc3f 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-group-policy.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by Group Policy
description: Learn about the policies in Policy CSP supported by Group Policy.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -15,7 +15,7 @@ ms.date: 07/18/2019
# Policies in Policy CSP supported by Group Policy
> [!div class="op_single_selector"]
->
+>
> - [Policies in Policy CSP supported by Group Policy]()
> - [ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
>
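Review bot: The first selector entry in this block, `[Policies in Policy CSP supported by Group Policy]()`, has an empty link target. The whitespace fix on the `>` line above it is fine, but the empty target should either point at this page or be confirmed as the intended form for the current item of an `op_single_selector` block.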
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
index f70f86e654..f3ec49a77c 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite
description: Learn the policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
index 102a2eb6bc..e9110b33ba 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition
description: Learn about the policies in Policy CSP supported by HoloLens (1st gen) Development Edition.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
index 8687773b6b..7758127373 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-hololens2.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by HoloLens 2
description: Learn about the policies in Policy CSP supported by HoloLens 2.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
index 710a6bea37..53c2197ecc 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-iot-core.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by Windows 10 IoT Core
description: Learn about the policies in Policy CSP supported by Windows 10 IoT Core.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
index 128bb7099b..ab174bf9a1 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP supported by Microsoft Surface Hub
description: Learn about the policies in Policy CSP supported by Microsoft Surface Hub.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
index 0529c08779..9cf93f4e1e 100644
--- a/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
+++ b/windows/client-management/mdm/policies-in-policy-csp-that-can-be-set-using-eas.md
@@ -1,7 +1,7 @@
---
title: Policies in Policy CSP that can be set using Exchange Active Sync (EAS)
description: Learn about the policies in Policy CSP that can be set using Exchange Active Sync (EAS).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -14,25 +14,25 @@ ms.date: 07/18/2019
# Policies in Policy CSP that can be set using Exchange Active Sync (EAS)
-- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
-- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
-- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
-- [Connectivity/AllowCellularDataRoaming](policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
-- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
-- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
-- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
-- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
-- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
-- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
-- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
-- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
-- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
-- [DeviceLock/PreventLockScreenSlideShow](policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
-- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
-- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
-- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
-- [System/TelemetryProxy](policy-csp-system.md#system-telemetryproxy)
-- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
+- [Camera/AllowCamera](policy-csp-camera.md#camera-allowcamera)
+- [Cellular/ShowAppCellularAccessUI](policy-csp-cellular.md#cellular-showappcellularaccessui)
+- [Connectivity/AllowBluetooth](policy-csp-connectivity.md#connectivity-allowbluetooth)
+- [Connectivity/AllowCellularDataRoaming](policy-csp-connectivity.md#connectivity-allowcellulardataroaming)
+- [DeviceLock/AllowSimpleDevicePassword](policy-csp-devicelock.md#devicelock-allowsimpledevicepassword)
+- [DeviceLock/AlphanumericDevicePasswordRequired](policy-csp-devicelock.md#devicelock-alphanumericdevicepasswordrequired)
+- [DeviceLock/DevicePasswordEnabled](policy-csp-devicelock.md#devicelock-devicepasswordenabled)
+- [DeviceLock/DevicePasswordExpiration](policy-csp-devicelock.md#devicelock-devicepasswordexpiration)
+- [DeviceLock/DevicePasswordHistory](policy-csp-devicelock.md#devicelock-devicepasswordhistory)
+- [DeviceLock/MaxDevicePasswordFailedAttempts](policy-csp-devicelock.md#devicelock-maxdevicepasswordfailedattempts)
+- [DeviceLock/MaxInactivityTimeDeviceLock](policy-csp-devicelock.md#devicelock-maxinactivitytimedevicelock)
+- [DeviceLock/MinDevicePasswordComplexCharacters](policy-csp-devicelock.md#devicelock-mindevicepasswordcomplexcharacters)
+- [DeviceLock/MinDevicePasswordLength](policy-csp-devicelock.md#devicelock-mindevicepasswordlength)
+- [DeviceLock/PreventLockScreenSlideShow](policy-csp-devicelock.md#devicelock-preventlockscreenslideshow)
+- [Search/AllowSearchToUseLocation](policy-csp-search.md#search-allowsearchtouselocation)
+- [Security/RequireDeviceEncryption](policy-csp-security.md#security-requiredeviceencryption)
+- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
+- [System/TelemetryProxy](policy-csp-system.md#system-telemetryproxy)
+- [Wifi/AllowInternetSharing](policy-csp-wifi.md#wifi-allowinternetsharing)
- [Wifi/AllowWiFi](policy-csp-wifi.md#wifi-allowwifi)
## Related topics
diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md
index da3b56f932..fb87086127 100644
--- a/windows/client-management/mdm/policy-csp-abovelock.md
+++ b/windows/client-management/mdm/policy-csp-abovelock.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## AboveLock policies
+## AboveLock policies
-
@@ -33,7 +33,7 @@ manager: aaroncz
-**AboveLock/AllowCortanaAboveLock**
+**AboveLock/AllowCortanaAboveLock**
@@ -62,7 +62,7 @@ Added in Windows 10, version 1607. Specifies whether or not the user can intera
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Cortana above lock screen*
- GP name: *AllowCortanaAboveLock*
- GP path: *Windows Components/Search*
@@ -81,7 +81,7 @@ The following list shows the supported values:
-**AboveLock/AllowToasts**
+**AboveLock/AllowToasts**
diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md
index 9320bce051..0d954b6ce2 100644
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -19,7 +19,7 @@ manager: aaroncz
-## Accounts policies
+## Accounts policies
-
@@ -43,7 +43,7 @@ manager: aaroncz
-**Accounts/AllowAddingNonMicrosoftAccountsManually**
+**Accounts/AllowAddingNonMicrosoftAccountsManually**
@@ -88,7 +88,7 @@ The following list shows the supported values:
-**Accounts/AllowMicrosoftAccountConnection**
+**Accounts/AllowMicrosoftAccountConnection**
@@ -131,7 +131,7 @@ The following list shows the supported values:
-**Accounts/AllowMicrosoftAccountSignInAssistant**
+**Accounts/AllowMicrosoftAccountSignInAssistant**
@@ -163,7 +163,7 @@ Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "
> If the Microsoft account service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
> [!NOTE]
-> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
+> If the Microsoft account service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the Microsoft account ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app.
@@ -178,7 +178,7 @@ The following list shows the supported values:
-**Accounts/DomainNamesForEmailSync**
+**Accounts/DomainNamesForEmailSync**
@@ -216,7 +216,7 @@ The following list shows the supported values:
-**Accounts/RestrictToEnterpriseDeviceAuthenticationOnly**
+**Accounts/RestrictToEnterpriseDeviceAuthenticationOnly**
diff --git a/windows/client-management/mdm/policy-csp-admx-servicing.md b/windows/client-management/mdm/policy-csp-admx-servicing.md
index 07ca3a013c..9f50b7554c 100644
--- a/windows/client-management/mdm/policy-csp-admx-servicing.md
+++ b/windows/client-management/mdm/policy-csp-admx-servicing.md
@@ -8,7 +8,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/18/2020
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -18,7 +18,7 @@ manager: aaroncz
-## ADMX_Servicing policies
+## ADMX_Servicing policies
-
@@ -30,7 +30,7 @@ manager: aaroncz
-**ADMX_Servicing/Servicing**
+**ADMX_Servicing/Servicing**
@@ -58,7 +58,7 @@ manager: aaroncz
This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed.
-If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the "Alternate source file path" text box. Multiple locations can be specified when each path is separated by a semicolon.
+If you enable this policy setting and specify the new location, the files in that location will be used to repair operating system corruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new location in the "Alternate source file path" text box. Multiple locations can be specified when each path is separated by a semicolon.
The network location can be either a folder, or a WIM file. If it's a WIM file, the location should be specified by prefixing the path with “wim:” and include the index of the image to use in the WIM file, for example, “wim:\\server\share\install.wim:3”.
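Review bot: The context line after the changed paragraph gives the WIM example as “wim:\\server\share\install.wim:3” in curly quotes. Anyone copying it into the "Alternate source file path" box picks up the typographic quotes, and the backslashes are at the mercy of Markdown escaping. Put the prefix and the example path in inline code formatting instead. This is outside the trailing-whitespace scope of the patch, so a follow-up change is fine.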
@@ -68,7 +68,7 @@ If you disable or don't configure this policy setting, or if the required files
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify settings for optional component installation and component repair*
- GP name: *Servicing*
- GP path: *System*
diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md
index db27b3a605..70e57eef1e 100644
--- a/windows/client-management/mdm/policy-csp-applicationdefaults.md
+++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -19,7 +19,7 @@ manager: aaroncz
-## ApplicationDefaults policies
+## ApplicationDefaults policies
-
@@ -34,7 +34,7 @@ manager: aaroncz
-**ApplicationDefaults/DefaultAssociationsConfiguration**
+**ApplicationDefaults/DefaultAssociationsConfiguration**
@@ -61,12 +61,12 @@ manager: aaroncz
This policy allows an administrator to set default file type and protocol associations. When set, default associations are applied on sign in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml). Then, it needs to be base64 encoded before being added to SyncML.
-
+
If policy is enabled and the client machine is having Azure Active Directory, the associations assigned in SyncML are processed and default associations are applied.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Set a default associations configuration file*
- GP name: *DefaultAssociationsConfiguration*
- GP element: *DefaultAssociationsConfiguration_TextBox*
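Review bot: Two wording issues in the context lines of this hunk should be addressed. The DISM command is embedded in the sentence as plain text in parentheses (dism /online /export-defaultappassociations:appassoc.xml) and should be inline code so the switches are not reflowed or auto-formatted. Also, "the client machine is having Azure Active Directory" does not say what state is required; reword it to name the actual join or registration condition.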
@@ -133,7 +133,7 @@ Here's the SyncMl example:
-**ApplicationDefaults/EnableAppUriHandlers**
+**ApplicationDefaults/EnableAppUriHandlers**
@@ -169,7 +169,7 @@ If you don't configure this policy setting, the default behavior depends on the
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure web-to-app linking with app URI handlers*
- GP name: *EnableAppUriHandlers*
- GP path: *System/Group Policy*
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md
index a9bd9d1f06..3c8b32b9eb 100644
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 02/11/2020
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## ApplicationManagement policies
+## ApplicationManagement policies
-
@@ -38,8 +38,8 @@ manager: aaroncz
-
ApplicationManagement/AllowSharedUserAppData
- -
- ApplicationManagement/BlockNonAdminUserInstall
+
-
+ ApplicationManagement/BlockNonAdminUserInstall
-
ApplicationManagement/DisableStoreOriginatedApps
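Review bot: Unlike the surrounding hunks, this one is not a pure trailing-whitespace edit: the `ApplicationManagement/BlockNonAdminUserInstall` entry is removed together with its list marker and re-added in a different position, with an extra blank line. Please confirm the rendered policy list still shows BlockNonAdminUserInstall as its own entry between AllowSharedUserAppData and DisableStoreOriginatedApps, and that the anchor link for it still resolves.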
@@ -71,7 +71,7 @@ manager: aaroncz
-**ApplicationManagement/AllowAutomaticAppArchiving**
+**ApplicationManagement/AllowAutomaticAppArchiving**
@@ -107,7 +107,7 @@ If you don't configure this policy setting (default), then the system will follo
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow all trusted apps to install*
- GP name: *AllowAutomaticAppArchiving*
- GP path: *Windows Components/App Package Deployment*
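Review bot: The ADMX Info block for `**ApplicationManagement/AllowAutomaticAppArchiving**` lists the GP Friendly name as *Allow all trusted apps to install*, which is the same friendly name shown for AllowAllTrustedApps (GP name *AppxDeploymentAllowAllTrustedApps*) in the next ADMX Info hunk. That looks like a copy-paste leftover. The whitespace change itself is fine, but the friendly name should be checked against the ADMX and corrected, since administrators use it to find the matching Group Policy setting.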
@@ -127,7 +127,7 @@ The following list shows the supported values:
-**ApplicationManagement/AllowAllTrustedApps**
+**ApplicationManagement/AllowAllTrustedApps**
@@ -159,7 +159,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow all trusted apps to install*
- GP name: *AppxDeploymentAllowAllTrustedApps*
- GP path: *Windows Components/App Package Deployment*
@@ -179,7 +179,7 @@ The following list shows the supported values:
-**ApplicationManagement/AllowAppStoreAutoUpdate**
+**ApplicationManagement/AllowAppStoreAutoUpdate**
@@ -212,7 +212,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off Automatic Download and Install of updates*
- GP name: *DisableAutoInstall*
- GP path: *Windows Components/Store*
@@ -231,7 +231,7 @@ The following list shows the supported values:
-**ApplicationManagement/AllowDeveloperUnlock**
+**ApplicationManagement/AllowDeveloperUnlock**
@@ -263,7 +263,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allows development of Windows Store apps and installing them from an integrated development environment (IDE)*
- GP name: *AllowDevelopmentWithoutDevLicense*
- GP path: *Windows Components/App Package Deployment*
@@ -283,7 +283,7 @@ The following list shows the supported values:
-**ApplicationManagement/AllowGameDVR**
+**ApplicationManagement/AllowGameDVR**
@@ -318,7 +318,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Enables or disables Windows Game Recording and Broadcasting*
- GP name: *AllowGameDVR*
- GP path: *Windows Components/Windows Game Recording and Broadcasting*
@@ -337,7 +337,7 @@ The following list shows the supported values:
-**ApplicationManagement/AllowSharedUserAppData**
+**ApplicationManagement/AllowSharedUserAppData**
@@ -368,7 +368,7 @@ The following list shows the supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow a Windows app to share application data between users*
- GP name: *AllowSharedLocalAppData*
- GP path: *Windows Components/App Package Deployment*
@@ -378,7 +378,7 @@ ADMX Info:
The following list shows the supported values:
-- 0 (default) – Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user.
+- 0 (default) – Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user.
- 1 – Allowed. Microsoft Edge downloads book files into a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.
Most restricted value: 0
@@ -388,7 +388,7 @@ Most restricted value: 0
-**ApplicationManagement/BlockNonAdminUserInstall**
+**ApplicationManagement/BlockNonAdminUserInstall**
@@ -424,7 +424,7 @@ If you disable or don't configure this policy, all users will be able to initiat
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent non-admin users from installing packaged Windows apps*
- GP name: *BlockNonAdminUserInstall*
- GP path: *Windows Components/App Package Deployment*
@@ -432,7 +432,7 @@ ADMX Info:
-The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) - Disabled. All users will be able to initiate installation of Windows app packages.
- 1 - Enabled. Non-administrator users won't be able to initiate installation of Windows app packages.
@@ -447,7 +447,7 @@ The following list shows the supported values:
-**ApplicationManagement/DisableStoreOriginatedApps**
+**ApplicationManagement/DisableStoreOriginatedApps**
@@ -477,7 +477,7 @@ Added in Windows 10, version 1607. Boolean value that disables the launch of al
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Disable all apps from Microsoft Store*
- GP name: *DisableStoreApps*
- GP path: *Windows Components/Store*
@@ -496,7 +496,7 @@ The following list shows the supported values:
-**ApplicationManagement/LaunchAppAfterLogOn**
+**ApplicationManagement/LaunchAppAfterLogOn**
@@ -524,11 +524,11 @@ The following list shows the supported values:
List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are launched after a sign in. This policy allows the IT admin to specify a list of applications that users can run after logging on to the device.
-For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. Example of the declaration here:
+For this policy to work, the Windows apps need to declare in their manifest that they'll use the startup task. Example of the declaration here:
```xml
-
-
+
+
```
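Review bot: the paragraph around the touched line mixes "launched after a sign in" with "after logging on to the device", and "Example of the declaration here:" is a sentence fragment. While editing this line, pick one term (the Audit entries in this same patch use "sign in") and reword the lead-in to something like "The following example shows the declaration:". "semi-colon delimited" should also be "semicolon-delimited".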
@@ -550,7 +550,7 @@ For this policy to work, the Windows apps need to declare in their manifest that
-**ApplicationManagement/MSIAllowUserControlOverInstall**
+**ApplicationManagement/MSIAllowUserControlOverInstall**
@@ -588,7 +588,7 @@ This policy setting is designed for less restrictive environments. It can be use
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow user control over installs*
- GP name: *EnableUserControl*
- GP path: *Windows Components/Windows Installer*
@@ -604,7 +604,7 @@ This setting supports a range of values between 0 and 1.
-**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges**
+**ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges**
@@ -645,7 +645,7 @@ If you disable or don't configure this policy setting, the system applies the cu
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Always install with elevated privileges*
- GP name: *AlwaysInstallElevated*
- GP path: *Windows Components/Windows Installer*
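Review bot: the entry for *Always install with elevated privileges* documents its values only as "This setting supports a range of values between 0 and 1" (visible in the next hunk header), which does not tell the reader which value turns elevation on. For a setting that controls whether installs run elevated, list the two values explicitly and add a "Most restricted value" line, as the RequirePrivateStoreOnly entry does with "Most restricted value is 1". The same applies to the *Allow user control over installs* entry just above.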
@@ -661,7 +661,7 @@ This setting supports a range of values between 0 and 1.
-**ApplicationManagement/RequirePrivateStoreOnly**
+**ApplicationManagement/RequirePrivateStoreOnly**
@@ -695,7 +695,7 @@ Most restricted value is 1.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Only display the private store within the Microsoft Store*
- GP name: *RequirePrivateStoreOnly*
- GP path: *Windows Components/Store*
@@ -714,7 +714,7 @@ The following list shows the supported values:
-**ApplicationManagement/RestrictAppDataToSystemVolume**
+**ApplicationManagement/RestrictAppDataToSystemVolume**
@@ -746,7 +746,7 @@ Most restricted value is 1.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent users' app data from being stored on non-system volumes*
- GP name: *RestrictAppDataToSystemVolume*
- GP path: *Windows Components/App Package Deployment*
@@ -765,7 +765,7 @@ The following list shows the supported values:
-**ApplicationManagement/RestrictAppToSystemVolume**
+**ApplicationManagement/RestrictAppToSystemVolume**
@@ -797,7 +797,7 @@ Most restricted value is 1.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Disable installing Windows apps on non-system volumes*
- GP name: *DisableDeploymentToNonSystemVolumes*
- GP path: *Windows Components/App Package Deployment*
@@ -816,7 +816,7 @@ The following list shows the supported values:
-**ApplicationManagement/ScheduleForceRestartForUpdateFailures**
+**ApplicationManagement/ScheduleForceRestartForUpdateFailures**
@@ -842,7 +842,7 @@ The following list shows the supported values:
-To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied.
+To ensure apps are up-to-date, this policy allows the admins to set a recurring or one time date to restart apps whose update failed due to the app being in use allowing the update to be applied.
Value type is string.
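Review bot: the touched sentence is a run-on: "to restart apps whose update failed due to the app being in use allowing the update to be applied" needs a break before "allowing", and "one time date" should be "one-time date". Suggested wording: "this policy allows admins to set a recurring or one-time date to restart apps whose update failed because the app was in use, so that the update can be applied."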
@@ -856,28 +856,28 @@ Value type is string.
Sample SyncML:
```xml
-
-
-
- 2
- -
-
- ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures
-
-
-
- xml
-
-
-
-
-
-
-
+
+
+
+ 2
+ -
+
+ ./Device/Vendor/MSFT/Policy/Config/ApplicationManagement/ScheduleForceRestartForUpdateFailures
+
+
+
+ xml
+
+
+
+
+
+
+
```
XSD:
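Review bot: this hunk rewrites all 18 lines of the SyncML sample for whitespace alone, so a change to the sample itself would be easy to miss in review. Please confirm with a whitespace-ignoring diff (`git diff -w`) that this hunk comes out empty. Trailing whitespace inside a fenced block has no rendering effect, so the cleanup itself is safe here.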
@@ -908,11 +908,11 @@ XSD:
-
-
-
-
-
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-csp-audit.md b/windows/client-management/mdm/policy-csp-audit.md
index f70ec5324f..f21586fb2d 100644
--- a/windows/client-management/mdm/policy-csp-audit.md
+++ b/windows/client-management/mdm/policy-csp-audit.md
@@ -15,7 +15,7 @@ ms.date: 09/27/2019
-## Audit policies
+## Audit policies
-
@@ -201,7 +201,7 @@ ms.date: 09/27/2019
-**Audit/AccountLogonLogoff_AuditAccountLockout**
+**Audit/AccountLogonLogoff_AuditAccountLockout**
@@ -238,15 +238,15 @@ Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Account Lockout*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
-- 1 (default)—Success
+- 1 (default)—Success
- 2—Failure
- 3—Success+Failure
@@ -262,7 +262,7 @@ The following are the supported values:
-**Audit/AccountLogonLogoff_AuditGroupMembership**
+**Audit/AccountLogonLogoff_AuditGroupMembership**
@@ -297,13 +297,13 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser
-GP Info:
+GP Info:
- GP Friendly name: *Audit Group Membership*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -321,7 +321,7 @@ The following are the supported values:
-**Audit/AccountLogonLogoff_AuditIPsecExtendedMode**
+**Audit/AccountLogonLogoff_AuditIPsecExtendedMode**
@@ -357,13 +357,13 @@ Volume: High.
-GP Info:
+GP Info:
- GP Friendly name: *Audit IPsec Extended Mode*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -381,7 +381,7 @@ The following are the supported values:
-**Audit/AccountLogonLogoff_AuditIPsecMainMode**
+**Audit/AccountLogonLogoff_AuditIPsecMainMode**
@@ -416,13 +416,13 @@ If you don't configure this policy setting, no audit event is generated during a
Volume: High.
-GP Info:
+GP Info:
- GP Friendly name: *Audit IPsec Main Mode*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -440,7 +440,7 @@ The following are the supported values:
-**Audit/AccountLogonLogoff_AuditIPsecQuickMode**
+**Audit/AccountLogonLogoff_AuditIPsecQuickMode**
@@ -474,13 +474,13 @@ If you configure this policy setting, an audit event is generated during an IPse
Volume: High.
-GP Info:
+GP Info:
- GP Friendly name: *Audit IPsec Quick Mode*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -498,7 +498,7 @@ The following are the supported values:
-**Audit/AccountLogonLogoff_AuditLogoff**
+**Audit/AccountLogonLogoff_AuditLogoff**
@@ -533,13 +533,13 @@ If you don't configure this policy setting, no audit event is generated when a s
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Logoff*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1 (default)—Success
- 2—Failure
@@ -557,7 +557,7 @@ The following are the supported values:
-**Audit/AccountLogonLogoff_AuditLogon**
+**Audit/AccountLogonLogoff_AuditLogon**
@@ -585,8 +585,8 @@ The following are the supported values:
This policy setting allows you to audit events generated by user account sign-in attempts on the computer.
-Events in this subcategory are related to the creation of sign in sessions and occur on the computer that was accessed. For an interactive sign in, the security audit event is generated on the computer that the user account signed in to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
-The following events are included:
+Events in this subcategory are related to the creation of sign in sessions and occur on the computer that was accessed. For an interactive sign in, the security audit event is generated on the computer that the user account signed in to. For a network sign in, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
+The following events are included:
- Successful sign in attempts.
- Failed sign in attempts.
- Sign-in attempts using explicit credentials. This event is generated when a process attempts to sign in an account by explicitly specifying that account’s credentials. This process most commonly occurs in batch sign-in configurations, such as scheduled tasks or when using the RUNAS command.
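Review bot: the two changed lines ("...on the computer hosting the resource." and "The following events are included:") are consecutive with no blank line between them. If the whitespace removed from the first was two or more spaces, it was a Markdown hard line break, and after this change the second sentence will be folded into the preceding paragraph. Check the rendered page, and if the break was intended, put a blank line before "The following events are included:" rather than relying on trailing spaces.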
@@ -596,13 +596,13 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser
-GP Info:
+GP Info:
- GP Friendly name: *Audit Logon*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1 (default)—Success
- 2—Failure
@@ -620,7 +620,7 @@ The following are the supported values:
-**Audit/AccountLogonLogoff_AuditNetworkPolicyServer**
+**Audit/AccountLogonLogoff_AuditNetworkPolicyServer**
@@ -655,13 +655,13 @@ Volume: Medium or High on NPS and IAS server. No volume on other computers.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Network Policy Server*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1—Success
- 2—Failure
@@ -679,7 +679,7 @@ The following are the supported values:
-**Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents**
+**Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents**
@@ -706,7 +706,7 @@ The following are the supported values:
-This policy setting allows you to audit other logon/logoff-related events that aren't covered in the “Logon/Logoff” policy setting, such as the following:
+This policy setting allows you to audit other logon/logoff-related events that aren't covered in the “Logon/Logoff” policy setting, such as the following:
- Terminal Services session disconnections.
- New Terminal Services sessions.
- Locking and unlocking a workstation.
@@ -719,13 +719,13 @@ This policy setting allows you to audit other logon/logoff-related events that a
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Other Logon Logoff Events*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following values are the supported values:
+The following values are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
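Review bot: "The following values are the supported values:" repeats "values" and differs from every other Audit entry in this file, which uses "The following are the supported values:". The line is already being modified, so align the wording in the same change.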
@@ -743,7 +743,7 @@ The following values are the supported values:
-**Audit/AccountLogonLogoff_AuditSpecialLogon**
+**Audit/AccountLogonLogoff_AuditSpecialLogon**
@@ -770,20 +770,20 @@ The following values are the supported values:
-This policy setting allows you to audit events generated by special sign ins, such as:
+This policy setting allows you to audit events generated by special sign ins, such as:
- The use of a special sign in, which is a sign in that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
- A sign in by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during sign in and the subcategory is enabled, an event is logged. For more information about this feature, see [Audit Special Logon](/windows/security/threat-protection/auditing/audit-special-logon).
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Special Logon*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1 (default)—Success
- 2—Failure
@@ -801,7 +801,7 @@ The following are the supported values:
-**Audit/AccountLogonLogoff_AuditUserDeviceClaims**
+**Audit/AccountLogonLogoff_AuditUserDeviceClaims**
@@ -838,13 +838,13 @@ Volume: Low on a client computer. Medium on a domain controller or a network ser
-GP Info:
+GP Info:
- GP Friendly name: *Audit User Device Claims*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Logon/Logoff*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -862,7 +862,7 @@ The following are the supported values:
-**Audit/AccountLogon_AuditCredentialValidation**
+**Audit/AccountLogon_AuditCredentialValidation**
@@ -897,13 +897,13 @@ Volume: High on domain controllers.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Credential Validation*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon*
]
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
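Review bot: there is a stray `]` on its own line between the GP path and "The following are the supported values:" in the Audit Credential Validation entry. It is left as context here, but it is exactly the sort of debris this cleanup pass should remove, so delete it in this hunk.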
@@ -921,7 +921,7 @@ The following are the supported values:
-**Audit/AccountLogon_AuditKerberosAuthenticationService**
+**Audit/AccountLogon_AuditKerberosAuthenticationService**
@@ -957,13 +957,13 @@ Volume: High on Kerberos Key Distribution Center servers.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Kerberos Authentication Service*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -981,7 +981,7 @@ The following are the supported values:
-**Audit/AccountLogon_AuditKerberosServiceTicketOperations**
+**Audit/AccountLogon_AuditKerberosServiceTicketOperations**
@@ -1016,13 +1016,13 @@ If you don't configure this policy setting, no audit event is generated after a
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Kerberos Service Ticket Operations*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1040,7 +1040,7 @@ The following are the supported values:
-**Audit/AccountLogon_AuditOtherAccountLogonEvents**
+**Audit/AccountLogon_AuditOtherAccountLogonEvents**
@@ -1073,13 +1073,13 @@ Currently, there are no events in this subcategory.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Other Account Logon Events*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Logon*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1097,7 +1097,7 @@ The following are the supported values:
-**Audit/AccountManagement_AuditApplicationGroupManagement**
+**Audit/AccountManagement_AuditApplicationGroupManagement**
@@ -1124,7 +1124,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated by changes to application groups as follows:
+This policy setting allows you to audit events generated by changes to application groups as follows:
- Application group is created, changed, or deleted.
- Member is added or removed from an application group.
@@ -1134,13 +1134,13 @@ If you don't configure this policy setting, no audit event is generated when an
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Application Group Management*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1158,7 +1158,7 @@ The following are the supported values:
-**Audit/AccountManagement_AuditComputerAccountManagement**
+**Audit/AccountManagement_AuditComputerAccountManagement**
@@ -1193,13 +1193,13 @@ If you don't configure this policy setting, no audit event is generated when a c
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Computer Account Management*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1217,7 +1217,7 @@ The following are the supported values:
-**Audit/AccountManagement_AuditDistributionGroupManagement**
+**Audit/AccountManagement_AuditDistributionGroupManagement**
@@ -1244,7 +1244,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated by changes to distribution groups as follows:
+This policy setting allows you to audit events generated by changes to distribution groups as follows:
- Distribution group is created, changed, or deleted.
- Member is added or removed from a distribution group.
- Distribution group type is changed.
@@ -1258,13 +1258,13 @@ If you don't configure this policy setting, no audit event is generated when a d
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Distribution Group Management*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1282,7 +1282,7 @@ The following are the supported values:
-**Audit/AccountManagement_AuditOtherAccountManagementEvents**
+**Audit/AccountManagement_AuditOtherAccountManagementEvents**
@@ -1309,7 +1309,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated by other user account changes that aren't covered in this category, such as:
+This policy setting allows you to audit events generated by other user account changes that aren't covered in this category, such as:
- The password hash of a user account was accessed. This change happens during an Active Directory Management Tool password migration.
- The Password Policy Checking API was called. Calls to this function can be part of an attack when a malicious application tests the policy to reduce the number of attempts during a password dictionary attack.
- Changes to the Default Domain Group Policy under the following Group Policy paths:
@@ -1322,13 +1322,13 @@ Computer Configuration\Windows Settings\Security Settings\Account Policies\Accou
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Other Account Management Events*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1346,7 +1346,7 @@ The following are the supported values:
-**Audit/AccountManagement_AuditSecurityGroupManagement**
+**Audit/AccountManagement_AuditSecurityGroupManagement**
@@ -1373,7 +1373,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated by changes to security groups, such as:
+This policy setting allows you to audit events generated by changes to security groups, such as:
- Security group is created, changed, or deleted.
- Member is added or removed from a security group.
- Group type is changed.
@@ -1384,13 +1384,13 @@ If you don't configure this policy setting, no audit event is generated when a s
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Security Group Management*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1 (default)—Success
- 2—Failure
@@ -1408,7 +1408,7 @@ The following are the supported values:
-**Audit/AccountManagement_AuditUserAccountManagement**
+**Audit/AccountManagement_AuditUserAccountManagement**
@@ -1435,8 +1435,8 @@ The following are the supported values:
-This policy setting allows you to audit changes to user accounts.
-The events included are as follows:
+This policy setting allows you to audit changes to user accounts.
+The events included are as follows:
- A user account is created, changed, deleted; renamed, disabled, enabled, locked out, or unlocked.
- A user account’s password is set or changed.
- A security identifier (SID) is added to the SID History of a user account.
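Review bot: in the first list item, "created, changed, deleted; renamed, disabled, ..." has a semicolon where a comma belongs; fix it while this block is open. Also, "This policy setting allows you to audit changes to user accounts." and "The events included are as follows:" are adjacent changed lines, so if the removed trailing spaces were a Markdown hard break, the two sentences will now render as one paragraph. Separate them with a blank line if the break was intended.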
@@ -1444,19 +1444,19 @@ The events included are as follows:
- Permissions on administrative user accounts are changed.
- Credential Manager credentials are backed up or restored.
-If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
+If you configure this policy setting, an audit event is generated when an attempt to change a user account is made. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you don't configure this policy setting, no audit event is generated when a user account changes.
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit User Account Management*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Account Management*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1 (default)—Success
- 2—Failure
@@ -1474,7 +1474,7 @@ The following are the supported values:
-**Audit/DSAccess_AuditDetailedDirectoryServiceReplication**
+**Audit/DSAccess_AuditDetailedDirectoryServiceReplication**
@@ -1507,13 +1507,13 @@ Volume: High.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Detailed Directory Service Replication*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1531,7 +1531,7 @@ The following are the supported values:
-**Audit/DSAccess_AuditDirectoryServiceAccess**
+**Audit/DSAccess_AuditDirectoryServiceAccess**
@@ -1558,7 +1558,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed.
+This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed.
Only AD DS objects with a matching system access control list (SACL) are logged.
@@ -1567,13 +1567,13 @@ Events in this subcategory are similar to the Directory Service Access events av
Volume: High on domain controllers. None on client computers.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Directory Service Access*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1591,7 +1591,7 @@ The following are the supported values:
-**Audit/DSAccess_AuditDirectoryServiceChanges**
+**Audit/DSAccess_AuditDirectoryServiceChanges**
@@ -1633,13 +1633,13 @@ If you don't configure this policy setting, no audit event is generated when an
Volume: High on domain controllers only.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Directory Service Changes*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1657,7 +1657,7 @@ The following are the supported values:
-**Audit/DSAccess_AuditDirectoryServiceReplication**
+**Audit/DSAccess_AuditDirectoryServiceReplication**
@@ -1695,13 +1695,13 @@ If you don't configure this policy setting, no audit event is generated during A
Volume: Medium on domain controllers. None on client computers.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Directory Service Replication*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/DS Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1719,7 +1719,7 @@ The following are the supported values:
-**Audit/DetailedTracking_AuditDPAPIActivity**
+**Audit/DetailedTracking_AuditDPAPIActivity**
@@ -1754,13 +1754,13 @@ If you don't configure this policy setting, no audit event is generated when an
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit DPAPI Activity*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1777,7 +1777,7 @@ The following are the supported values:
-**Audit/DetailedTracking_AuditPNPActivity**
+**Audit/DetailedTracking_AuditPNPActivity**
@@ -1812,13 +1812,13 @@ If you don't configure this policy setting, no audit event is generated when an
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit PNP Activity*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1835,7 +1835,7 @@ The following are the supported values:
-**Audit/DetailedTracking_AuditProcessCreation**
+**Audit/DetailedTracking_AuditProcessCreation**
@@ -1870,13 +1870,13 @@ If you don't configure this policy setting, no audit event is generated when a p
Volume: Depends on how the computer is used.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Process Creation*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -1893,7 +1893,7 @@ The following are the supported values:
-**Audit/DetailedTracking_AuditProcessTermination**
+**Audit/DetailedTracking_AuditProcessTermination**
@@ -1920,7 +1920,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated when a process ends.
+This policy setting allows you to audit events generated when a process ends.
If you configure this policy setting, an audit event is generated when a process ends. Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you don't configure this policy setting, no audit event is generated when a process ends.
@@ -1928,13 +1928,13 @@ If you don't configure this policy setting, no audit event is generated when a p
Volume: Depends on how the computer is used.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Process Termination*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1—Success
- 2—Failure
@@ -1951,7 +1951,7 @@ The following are the supported values:
-**Audit/DetailedTracking_AuditRPCEvents**
+**Audit/DetailedTracking_AuditRPCEvents**
@@ -1986,13 +1986,13 @@ If you don't configure this policy setting, no audit event is generated when a r
Volume: High on RPC servers.
-GP Info:
+GP Info:
- GP Friendly name: *Audit RPC Events*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2009,7 +2009,7 @@ The following are the supported values:
-**Audit/DetailedTracking_AuditTokenRightAdjusted**
+**Audit/DetailedTracking_AuditTokenRightAdjusted**
@@ -2041,13 +2041,13 @@ This policy setting allows you to audit events generated by adjusting the privil
Volume: High.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Token Right Adjusted*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Detailed Tracking*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2065,7 +2065,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditApplicationGenerated**
+**Audit/ObjectAccess_AuditApplicationGenerated**
@@ -2093,7 +2093,7 @@ The following are the supported values:
This policy setting allows you to audit applications that generate events using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function.
-Events in this subcategory include:
+Events in this subcategory include:
- Creation of an application client context.
- Deletion of an application client context.
- Initialization of an application client context.
@@ -2102,13 +2102,13 @@ Events in this subcategory include:
Volume: Depends on the applications that are generating them.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Application Generated*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2125,7 +2125,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditCentralAccessPolicyStaging**
+**Audit/ObjectAccess_AuditCentralAccessPolicyStaging**
@@ -2154,9 +2154,9 @@ The following are the supported values:
This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object.
-If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that of the permission granted by the proposed policy. The resulting audit event will be generated as follows:
+If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that of the permission granted by the proposed policy. The resulting audit event will be generated as follows:
1. Success audits, when configured, records access attempts when the current central access policy grants access but the proposed policy denies access.
-2. Failure audits when configured records access attempts when:
+2. Failure audits when configured records access attempts when:
- The current central access policy doesn't grant access but the proposed policy grants access.
- A principal requests the maximum access rights they're allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
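Review bot: Item 2 of the numbered list, "Failure audits when configured records access attempts when:", lacks the commas that item 1 puts around "when configured", and both items pair the plural "audits" with "records". Since this line is already being rewritten, change it to "Failure audits, when configured, record access attempts when:" and fix item 1 to match. The removed and added versions of each line show the same text, so the hunk as it stands changes whitespace only.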
@@ -2164,13 +2164,13 @@ Volume: Potentially high on a file server when the proposed policy differs signi
-GP Info:
+GP Info:
- GP Friendly name: *Audit Central Access Policy Staging*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2188,7 +2188,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditCertificationServices**
+**Audit/ObjectAccess_AuditCertificationServices**
@@ -2216,7 +2216,7 @@ The following are the supported values:
This policy setting allows you to audit Active Directory Certificate Services (AD CS) operations.
-AD CS operations include:
+AD CS operations include:
- AD CS startup/shutdown/backup/restore.
- Changes to the certificate revocation list (CRL).
@@ -2238,13 +2238,13 @@ AD CS operations include:
Volume: Medium or Low on computers running Active Directory Certificate Services.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Certification Services*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2261,7 +2261,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditDetailedFileShare**
+**Audit/ObjectAccess_AuditDetailedFileShare**
@@ -2298,13 +2298,13 @@ If you configure this policy setting, an audit event is generated when an attemp
Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Detailed File Share*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2321,7 +2321,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditFileShare**
+**Audit/ObjectAccess_AuditFileShare**
@@ -2358,13 +2358,13 @@ If you configure this policy setting, an audit event is generated when an attemp
Volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy.
-GP Info:
+GP Info:
- GP Friendly name: *Audit File Share*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2381,7 +2381,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditFileSystem**
+**Audit/ObjectAccess_AuditFileSystem**
@@ -2419,13 +2419,13 @@ If you don't configure this policy setting, no audit event is generated when an
Volume: Depends on how the file system SACLs are configured.
-GP Info:
+GP Info:
- GP Friendly name: *Audit File System*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2442,7 +2442,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditFilteringPlatformConnection**
+**Audit/ObjectAccess_AuditFilteringPlatformConnection**
@@ -2469,8 +2469,8 @@ The following are the supported values:
-This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP).
-The following events are included:
+This policy setting allows you to audit connections that are allowed or blocked by the Windows Filtering Platform (WFP).
+The following events are included:
- The Windows Firewall Service blocks an application from accepting incoming connections on the network.
- The WFP allows a connection.
- The WFP blocks a connection.
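Review bot: The two changed lines, "This policy setting allows you to audit connections ..." and "The following events are included:", sit on consecutive lines with no blank line between them, and their removed and added versions differ only in whitespace. If the whitespace stripped from the first line was a Markdown hard break (two trailing spaces), the rendered page will now join both sentences into one paragraph. Put a blank line between them so the list lead-in stays on its own line. The same pattern appears in the Audit/ObjectAccess_AuditOtherObjectAccessEvents and Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange hunks.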
@@ -2488,13 +2488,13 @@ If you don't configure this policy setting, no audit event is generated when con
Volume: High.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Filtering Platform Connection*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2511,7 +2511,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditFilteringPlatformPacketDrop**
+**Audit/ObjectAccess_AuditFilteringPlatformPacketDrop**
@@ -2544,13 +2544,13 @@ Volume: High.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Filtering Platform Packet Drop*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2567,7 +2567,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditHandleManipulation**
+**Audit/ObjectAccess_AuditHandleManipulation**
@@ -2605,13 +2605,13 @@ If you don't configure this policy setting, no audit event is generated when a h
Volume: Depends on how SACLs are configured.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Handle Manipulation*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2628,7 +2628,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditKernelObject**
+**Audit/ObjectAccess_AuditKernelObject**
@@ -2655,7 +2655,7 @@ The following are the supported values:
-This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores.
+This policy setting allows you to audit attempts to access the kernel, which includes mutexes and semaphores.
Only kernel objects with a matching System Access Control List (SACL) generate security audit events.
> [!Note]
@@ -2664,13 +2664,13 @@ Only kernel objects with a matching System Access Control List (SACL) generate s
Volume: High if auditing access of global system objects is enabled.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Kernel Object*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2687,7 +2687,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditOtherObjectAccessEvents**
+**Audit/ObjectAccess_AuditOtherObjectAccessEvents**
@@ -2714,15 +2714,15 @@ The following are the supported values:
-This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.
-For scheduler jobs, the following are audited:
+This policy setting allows you to audit events generated by the management of task scheduler jobs or COM+ objects.
+For scheduler jobs, the following are audited:
- Job created.
- Job deleted.
- Job enabled.
- Job disabled.
- Job updated.
-For COM+ objects, the following are audited:
+For COM+ objects, the following are audited:
- Catalog object added.
- Catalog object updated.
- Catalog object deleted.
@@ -2730,13 +2730,13 @@ For COM+ objects, the following are audited:
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Other Object Access Events*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2753,7 +2753,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditRegistry**
+**Audit/ObjectAccess_AuditRegistry**
@@ -2791,13 +2791,13 @@ If you don't configure this policy setting, no audit event is generated when an
Volume: Depends on how registry SACLs are configured.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Registry*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2814,7 +2814,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditRemovableStorage**
+**Audit/ObjectAccess_AuditRemovableStorage**
@@ -2849,13 +2849,13 @@ If you don't configure this policy setting, no audit event is generated when an
-GP Info:
+GP Info:
- GP Friendly name: *Audit Removable Storage*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2872,7 +2872,7 @@ The following are the supported values:
-**Audit/ObjectAccess_AuditSAM**
+**Audit/ObjectAccess_AuditSAM**
@@ -2900,7 +2900,7 @@ The following are the supported values:
This policy setting allows you to audit events generated by attempts to access to Security Accounts Manager (SAM) objects.
-SAM objects include:
+SAM objects include:
- SAM_ALIAS -- A local group.
- SAM_GROUP -- A group that isn't a local group.
- SAM_USER – A user account.
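Review bot: The context line above the changed "SAM objects include:" reads "attempts to access to Security Accounts Manager (SAM) objects", with a stray "to" after "access". The list below it also mixes separators: SAM_ALIAS and SAM_GROUP use "--" while SAM_USER uses an en dash. Both are worth fixing in the same pass: drop the extra "to" and use one separator for every entry.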
@@ -2917,13 +2917,13 @@ Volume: High on domain controllers. For more information about reducing the numb
-GP Info:
+GP Info:
- GP Friendly name: *Audit SAM*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Object Access*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -2940,7 +2940,7 @@ The following are the supported values:
-**Audit/PolicyChange_AuditAuthenticationPolicyChange**
+**Audit/PolicyChange_AuditAuthenticationPolicyChange**
@@ -2967,12 +2967,12 @@ The following are the supported values:
-This policy setting allows you to audit events generated by changes to the authentication policy, such as:
+This policy setting allows you to audit events generated by changes to the authentication policy, such as:
- Creation of forest and domain trusts.
- Modification of forest and domain trusts.
- Removal of forest and domain trusts.
- Changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy.
-- Granting of any of the following user rights to a user or group:
+- Granting of any of the following user rights to a user or group:
- Access This Computer From the Network.
- Allow Logon Locally.
- Allow Logon Through Terminal Services.
@@ -2989,13 +2989,13 @@ If you don't configure this policy setting, no audit event is generated when the
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Authentication Policy Change*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1 (default)—Success
- 2—Failure
@@ -3013,7 +3013,7 @@ The following are the supported values:
-**Audit/PolicyChange_AuditAuthorizationPolicyChange**
+**Audit/PolicyChange_AuditAuthorizationPolicyChange**
@@ -3040,7 +3040,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated by changes to the authorization policy, such as:
+This policy setting allows you to audit events generated by changes to the authorization policy, such as:
- Assignment of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the “Authentication Policy Change” subcategory.
- Removal of user rights (privileges), such as SeCreateTokenPrivilege, that aren't audited through the “Authentication Policy Change” subcategory.
- Changes in the Encrypted File System (EFS) policy.
@@ -3053,13 +3053,13 @@ If you don't configure this policy setting, no audit event is generated when the
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Authorization Policy Change*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -3077,7 +3077,7 @@ The following are the supported values:
-**Audit/PolicyChange_AuditFilteringPlatformPolicyChange**
+**Audit/PolicyChange_AuditFilteringPlatformPolicyChange**
@@ -3104,7 +3104,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as:
+This policy setting allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as:
- IPsec services status.
- Changes to IPsec policy settings.
- Changes to Windows Firewall policy settings.
@@ -3116,13 +3116,13 @@ If you don't configure this policy setting, no audit event is generated when a c
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Filtering Platform Policy Change*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -3140,7 +3140,7 @@ The following are the supported values:
-**Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange**
+**Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange**
@@ -3167,8 +3167,8 @@ The following are the supported values:
-This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall.
-Events include:
+This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall.
+Events include:
- Reporting of active policies when Windows Firewall service starts.
- Changes to Windows Firewall rules.
- Changes to Windows Firewall exception list.
@@ -3182,13 +3182,13 @@ If you don't configure this policy setting, no audit event is generated by chang
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit MPSSVC Rule Level Policy Change*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -3206,7 +3206,7 @@ The following are the supported values:
-**Audit/PolicyChange_AuditOtherPolicyChangeEvents**
+**Audit/PolicyChange_AuditOtherPolicyChangeEvents**
@@ -3233,7 +3233,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated by other security policy changes that aren't audited in the policy change category, such as:
+This policy setting allows you to audit events generated by other security policy changes that aren't audited in the policy change category, such as:
- Trusted Platform Module (TPM) configuration changes.
- Kernel-mode cryptographic self tests.
- Cryptographic provider operations.
@@ -3244,13 +3244,13 @@ This policy setting allows you to audit events generated by other security polic
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Other Policy Change Events*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -3268,7 +3268,7 @@ The following are the supported values:
-**Audit/PolicyChange_AuditPolicyChange**
+**Audit/PolicyChange_AuditPolicyChange**
@@ -3295,7 +3295,7 @@ The following are the supported values:
-This policy setting allows you to audit changes in the security audit policy settings, such as:
+This policy setting allows you to audit changes in the security audit policy settings, such as:
- Settings permissions and audit settings on the Audit Policy object.
- Changes to the system audit policy.
- Registration of security event sources.
@@ -3311,13 +3311,13 @@ This policy setting allows you to audit changes in the security audit policy set
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Policy Change*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Policy Change*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1 (default)—Success
- 2—Failure
@@ -3335,7 +3335,7 @@ The following are the supported values:
-**Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse**
+**Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse**
@@ -3363,7 +3363,7 @@ The following are the supported values:
This policy setting allows you to audit events generated by the use of non-sensitive privileges (user rights).
-The following privileges are non-sensitive:
+The following privileges are non-sensitive:
- Access Credential Manager as a trusted caller.
- Access this computer from the network.
- Add workstations to domain.
@@ -3401,13 +3401,13 @@ If you don't configure this policy setting, no audit event is generated when a n
Volume: Very High.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Non Sensitive Privilege Use*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Privilege Use*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -3424,7 +3424,7 @@ The following are the supported values:
-**Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents**
+**Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents**
@@ -3455,13 +3455,13 @@ Not used.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Other Privilege Use Events*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Privilege Use*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -3478,7 +3478,7 @@ The following are the supported values:
-**Audit/PrivilegeUse_AuditSensitivePrivilegeUse**
+**Audit/PrivilegeUse_AuditSensitivePrivilegeUse**
@@ -3505,9 +3505,9 @@ The following are the supported values:
-This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as:
+This policy setting allows you to audit events generated when sensitive privileges (user rights) are used, such as:
- A privileged service is called.
-- One of the following privileges is called:
+- One of the following privileges is called:
- Act as part of the operating system.
- Back up files and directories.
- Create a token object.
@@ -3528,13 +3528,13 @@ If you don't configure this policy setting, no audit event is generated when sen
Volume: High.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Sensitive Privilege Use*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/Privilege Use*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -3551,7 +3551,7 @@ The following are the supported values:
-**Audit/System_AuditIPsecDriver**
+**Audit/System_AuditIPsecDriver**
@@ -3578,7 +3578,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated by the IPsec filter driver, such as:
+This policy setting allows you to audit events generated by the IPsec filter driver, such as:
- Startup and shutdown of the IPsec services.
- Network packets dropped due to integrity check failure.
- Network packets dropped due to replay check failure.
@@ -3592,13 +3592,13 @@ If you don't configure this policy setting, no audit event is generated on an IP
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit IPsec Driver*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -3616,7 +3616,7 @@ The following are the supported values:
-**Audit/System_AuditOtherSystemEvents**
+**Audit/System_AuditOtherSystemEvents**
@@ -3643,7 +3643,7 @@ The following are the supported values:
-This policy setting allows you to audit any of the following events:
+This policy setting allows you to audit any of the following events:
- Startup and shutdown of the Windows Firewall service and driver.
- Security policy processing by the Windows Firewall Service.
- Cryptography key file and migration operations.
@@ -3651,13 +3651,13 @@ This policy setting allows you to audit any of the following events:
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Other System Events*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1—Success
- 2—Failure
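Review bot: The supported-values list at the end of this hunk marks no entry as "(default)", unlike the other Audit lists in this file, which tag either the 0 or the 1 entry. State the default for Audit/System_AuditOtherSystemEvents on the matching entry, or say explicitly that there is none. The Audit/System_AuditSystemIntegrity list further down has the same gap.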
@@ -3675,7 +3675,7 @@ The following are the supported values:
-**Audit/System_AuditSecurityStateChange**
+**Audit/System_AuditSecurityStateChange**
@@ -3702,7 +3702,7 @@ The following are the supported values:
-This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events:
+This policy setting allows you to audit events generated by changes in the security state of the computer, such as the following events:
- Startup and shutdown of the computer.
- Change of system time.
- Recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured.
@@ -3710,13 +3710,13 @@ This policy setting allows you to audit events generated by changes in the secur
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Security State Change*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1 (default)—Success
- 2—Failure
@@ -3734,7 +3734,7 @@ The following are the supported values:
-**Audit/System_AuditSecuritySystemExtension**
+**Audit/System_AuditSecuritySystemExtension**
@@ -3761,7 +3761,7 @@ The following are the supported values:
-This policy setting allows you to audit events related to security system extensions or services, such as the following:
+This policy setting allows you to audit events related to security system extensions or services, such as the following:
- A security system extension, such as an authentication, notification, or security package is loaded and is registered with the Local Security Authority (LSA). It's used to authenticate sign-in attempts, submit sign-in requests, and any account or password changes. Examples of security system extensions are Kerberos and NTLM.
- A service is installed and registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
@@ -3771,13 +3771,13 @@ If you don't configure this policy setting, no audit event is generated when an
Volume: Low. Security system extension events are generated more often on a domain controller than on client computers or member servers.
-GP Info:
+GP Info:
- GP Friendly name: *Audit Security System Extension*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System*
-The following are the supported values:
+The following are the supported values:
- 0 (default)—Off/None
- 1—Success
- 2—Failure
@@ -3795,7 +3795,7 @@ The following are the supported values:
-**Audit/System_AuditSystemIntegrity**
+**Audit/System_AuditSystemIntegrity**
@@ -3822,7 +3822,7 @@ The following are the supported values:
-This policy setting allows you to audit events that violate the integrity of the security subsystem, such as:
+This policy setting allows you to audit events that violate the integrity of the security subsystem, such as:
- Events that couldn't be written to the event log because of a problem with the auditing system.
- A process that uses a local procedure call (LPC) port that isn't valid in an attempt to impersonate a client by replying, reading, or writing to or from a client address space.
- The detection of a Remote Procedure Call (RPC) that compromises system integrity.
@@ -3832,13 +3832,13 @@ This policy setting allows you to audit events that violate the integrity of the
Volume: Low.
-GP Info:
+GP Info:
- GP Friendly name: *Audit System Integrity*
- GP path: *Windows Settings/Security Settings/Advanced Audit Policy Configuration/System Audit Policies/System*
-The following are the supported values:
+The following are the supported values:
- 0—Off/None
- 1—Success
- 2—Failure
diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md
index b7a3091207..e36a54a137 100644
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@@ -18,7 +18,7 @@ manager: aaroncz
-## Authentication policies
+## Authentication policies
-
@@ -57,7 +57,7 @@ manager: aaroncz
-**Authentication/AllowAadPasswordReset**
+**Authentication/AllowAadPasswordReset**
@@ -99,7 +99,7 @@ The following list shows the supported values:
-**Authentication/AllowEAPCertSSO**
+**Authentication/AllowEAPCertSSO**
@@ -141,7 +141,7 @@ The following list shows the supported values:
-**Authentication/AllowFastReconnect**
+**Authentication/AllowFastReconnect**
@@ -185,7 +185,7 @@ The following list shows the supported values:
-**Authentication/AllowFidoDeviceSignon**
+**Authentication/AllowFidoDeviceSignon**
@@ -231,7 +231,7 @@ The following list shows the supported values:
-**Authentication/AllowSecondaryAuthenticationDevice**
+**Authentication/AllowSecondaryAuthenticationDevice**
@@ -266,7 +266,7 @@ In the next major release of Windows 10, the default for this policy for consume
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow companion device for secondary authentication*
- GP name: *MSSecondaryAuthFactor_AllowSecondaryAuthenticationDevice*
- GP path: *Windows Components/Microsoft Secondary Authentication Factor*
@@ -285,7 +285,7 @@ The following list shows the supported values:
-**Authentication/ConfigureWebSignInAllowedUrls**
+**Authentication/ConfigureWebSignInAllowedUrls**
@@ -331,7 +331,7 @@ Specifies the list of domains that are allowed to be navigated to in Azure Activ
-**Authentication/ConfigureWebcamAccessDomainNames**
+**Authentication/ConfigureWebcamAccessDomainNames**
@@ -381,7 +381,7 @@ Web Sign-in is only supported on Azure AD Joined PCs.
-**Authentication/EnableFastFirstSignIn**
+**Authentication/EnableFastFirstSignIn**
@@ -409,7 +409,7 @@ Web Sign-in is only supported on Azure AD Joined PCs.
> [!Warning]
-> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time.
+> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time.
This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
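Review bot: In the rewritten warning line, "This setting is not currently supported at this time." says the same thing twice. Shorten it to "This setting is not currently supported." while the line is being touched. The identical sentence in the Authentication/EnableWebSignIn hunk needs the same edit.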
@@ -437,7 +437,7 @@ Value type is integer. Supported values:
-**Authentication/EnableWebSignIn**
+**Authentication/EnableWebSignIn**
@@ -465,7 +465,7 @@ Value type is integer. Supported values:
> [!Warning]
-> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time.
+> The Web Sign-in feature is in private preview mode only and not meant or recommended for production purposes. This setting is not currently supported at this time.
"Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for new Azure AD credentials, like Temporary Access Pass.
@@ -493,7 +493,7 @@ Value type is integer. Supported values:
-**Authentication/PreferredAadTenantDomainName**
+**Authentication/PreferredAadTenantDomainName**
diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md
index 7aa01b7d63..ce76b05817 100644
--- a/windows/client-management/mdm/policy-csp-bitlocker.md
+++ b/windows/client-management/mdm/policy-csp-bitlocker.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
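Review bot: `ms.reviewer:` is still an empty field after this change, with only the whitespace after the colon differing between the removed and added lines. Either name a reviewer or drop the key from the front matter, here and in policy-csp-bits.md, where the same line is touched.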
@@ -22,7 +22,7 @@ manager: aaroncz
-## BitLocker policies
+## BitLocker policies
-
@@ -34,7 +34,7 @@ manager: aaroncz
-**Bitlocker/EncryptionMethod**
+**Bitlocker/EncryptionMethod**
diff --git a/windows/client-management/mdm/policy-csp-bits.md b/windows/client-management/mdm/policy-csp-bits.md
index 639d2c8e86..9d95819603 100644
--- a/windows/client-management/mdm/policy-csp-bits.md
+++ b/windows/client-management/mdm/policy-csp-bits.md
@@ -8,16 +8,16 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# Policy CSP - BITS
-The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate.
+The following bandwidth policies are used together to define the bandwidth-throttling schedule and transfer rate.
-- BITS/BandwidthThrottlingEndTime
-- BITS/BandwidthThrottlingStartTime
+- BITS/BandwidthThrottlingEndTime
+- BITS/BandwidthThrottlingStartTime
- BITS/BandwidthThrottlingTransferRate
If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT defined, but BITS/BandwidthThrottlingTransferRate IS defined, then default values will be used for StartTime and EndTime (8 AM and 5 PM respectively). The time policies are based on the 24-hour clock.
@@ -25,7 +25,7 @@ If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT
-## BITS policies
+## BITS policies
-
@@ -52,7 +52,7 @@ If BITS/BandwidthThrottlingStartTime or BITS/BandwidthThrottlingEndTime are NOT
-**BITS/BandwidthThrottlingEndTime**
+**BITS/BandwidthThrottlingEndTime**
@@ -98,7 +98,7 @@ Consider using this setting to prevent BITS transfers from competing for network
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Limit the maximum network bandwidth for BITS background transfers*
- GP name: *BITS_MaxBandwidth*
- GP element: *BITS_BandwidthLimitSchedTo*
@@ -120,7 +120,7 @@ ADMX Info:
-**BITS/BandwidthThrottlingStartTime**
+**BITS/BandwidthThrottlingStartTime**
@@ -165,7 +165,7 @@ Consider using this setting to prevent BITS transfers from competing for network
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Limit the maximum network bandwidth for BITS background transfers*
- GP name: *BITS_MaxBandwidth*
- GP element: *BITS_BandwidthLimitSchedFrom*
@@ -187,7 +187,7 @@ ADMX Info:
-**BITS/BandwidthThrottlingTransferRate**
+**BITS/BandwidthThrottlingTransferRate**
@@ -233,7 +233,7 @@ Consider using this setting to prevent BITS transfers from competing for network
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Limit the maximum network bandwidth for BITS background transfers*
- GP name: *BITS_MaxBandwidth*
- GP element: *BITS_MaxTransferRateText*
@@ -255,7 +255,7 @@ ADMX Info:
-**BITS/CostedNetworkBehaviorBackgroundPriority**
+**BITS/CostedNetworkBehaviorBackgroundPriority**
@@ -294,7 +294,7 @@ For example, you can specify that background jobs are by default to transfer onl
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Set default download behavior for BITS jobs on costed networks*
- GP name: *BITS_SetTransferPolicyOnCostedNetwork*
- GP element: *BITS_TransferPolicyNormalPriorityValue*
@@ -316,7 +316,7 @@ ADMX Info:
-**BITS/CostedNetworkBehaviorForegroundPriority**
+**BITS/CostedNetworkBehaviorForegroundPriority**
@@ -355,7 +355,7 @@ For example, you can specify that foreground jobs are by default to transfer onl
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Set default download behavior for BITS jobs on costed networks*
- GP name: *BITS_SetTransferPolicyOnCostedNetwork*
- GP element: *BITS_TransferPolicyForegroundPriorityValue*
@@ -377,7 +377,7 @@ ADMX Info:
-**BITS/JobInactivityTimeout**
+**BITS/JobInactivityTimeout**
@@ -412,14 +412,14 @@ Value type is integer. Default is 90 days.
Supported values range: 0 - 999
-Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs.
+Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending jobs.
Consider decreasing this value if you're concerned about orphaned jobs occupying disk space.
If you disable or don't configure this policy setting, the default value of 90 (days) will be used for the inactive job timeout.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Timeout for inactive BITS jobs*
- GP name: *BITS_Job_Timeout*
- GP element: *BITS_Job_Timeout_Time*
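Review bot: The changed line "Consider increasing the timeout value ... still have pending jobs." is followed directly by "Consider decreasing this value ..." with no blank line between them in this hunk. If the whitespace removed from the first line was a two-space Markdown hard break, the two sentences will now render as one paragraph; separate them with a blank line or make them a two-item list. Separately, "Supported values range: 0 - 999" does not say what a value of 0 does, which is worth documenting next to the 90-day default.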
diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md
index 0a044cfc57..d4cf37c54e 100644
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 02/12/2020
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Bluetooth policies
+## Bluetooth policies
-
@@ -47,7 +47,7 @@ manager: aaroncz
-**Bluetooth/AllowAdvertising**
+**Bluetooth/AllowAdvertising**
@@ -93,7 +93,7 @@ The following list shows the supported values:
-**Bluetooth/AllowDiscoverableMode**
+**Bluetooth/AllowDiscoverableMode**
@@ -139,7 +139,7 @@ The following list shows the supported values:
-**Bluetooth/AllowPrepairing**
+**Bluetooth/AllowPrepairing**
@@ -181,7 +181,7 @@ The following list shows the supported values:
-**Bluetooth/AllowPromptedProximalConnections**
+**Bluetooth/AllowPromptedProximalConnections**
@@ -212,7 +212,7 @@ This policy allows the IT admin to block users on these managed devices from usi
-The following list shows the supported values:
+The following list shows the supported values:
- 0 - Disallow. Block users on these managed devices from using Swift Pair and other proximity based scenarios
- 1 - Allow (default). Allow users on these managed devices to use Swift Pair and other proximity based scenarios
@@ -223,7 +223,7 @@ The following list shows the supported values:
-**Bluetooth/LocalDeviceName**
+**Bluetooth/LocalDeviceName**
@@ -262,7 +262,7 @@ If this policy isn't set or is deleted, the default local radio name is used.
-**Bluetooth/ServicesAllowedList**
+**Bluetooth/ServicesAllowedList**
@@ -299,7 +299,7 @@ The default value is an empty string. For more information, see [ServicesAllowed
-**Bluetooth/SetMinimumEncryptionKeySize**
+**Bluetooth/SetMinimumEncryptionKeySize**
@@ -330,7 +330,7 @@ There are multiple levels of encryption strength when pairing Bluetooth devices.
-The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) - All Bluetooth traffic is allowed.
- N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N.
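Review bot: In the supported-values list under the changed line, value 0 is described as "All Bluetooth traffic is allowed" while N is described in bytes of key material, so the list never says whether 0 means that no minimum key size is enforced. Suggest wording 0 in the same terms as N. The last sentence recommends 1 for N "ignoring the precise encryption key strength"; since 1 is the smallest value in the 1 through 16 range, the text should say plainly that it enforces encryption without enforcing a meaningful key size. "Enforce Windows to always use" would also read better as "force Windows to always use".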
@@ -361,7 +361,7 @@ When the Bluetooth/ServicesAllowedList policy is provisioned, it will only allow
- Disabling a service shall log when a service is blocked for auditing purposes
- Disabling a service shall take effect upon reload of the stack or system reboot
-To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website.
+To define which profiles and services are allowed, enter the semicolon delimited profile or service Universally Unique Identifiers (UUID). To get a profile UUID, refer to the [Service Discovery](https://www.bluetooth.com/specifications/assigned-numbers/service-discovery) page on the Bluetooth SIG website.
These UUIDs all use the same base UUID with the profile identifiers added to the beginning of the base UUID.
@@ -414,7 +414,7 @@ This means that if you only want Bluetooth headsets, the UUIDs are:
|Profile |Reasoning |UUID |
|---------|---------|---------|
|HFP (Hands Free Profile) |For voice enabled headsets |0x111E |
-|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110B|
+|A2DP Source (Advance Audio Distribution)|For streaming to Bluetooth speakers |0x110B|
|Generic Audio Service|Generic service used by Bluetooth|0x1203|
|Headset Service Class|For older voice-enabled headsets|0x1108|
|AV Remote Control Target Service|For controlling audio remotely|0x110C|
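Review bot: The table row touched in this hunk reads "A2DP Source (Advance Audio Distribution)"; the profile name is Advanced Audio Distribution. Fix the spelling in the same edit, since the line is already being rewritten.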
@@ -422,7 +422,7 @@ This means that if you only want Bluetooth headsets, the UUIDs are:
|AV Remote Control Controller Service|For controlling audio remotely|0x110F|
|PnP Information|Used to identify devices occasionally|0x1200|
-{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
+{0000111E-0000-1000-8000-00805F9B34FB};{0000110B-0000-1000-8000-00805F9B34FB};{00001203-0000-1000-8000-00805F9B34FB};{00001108-0000-1000-8000-00805F9B34FB};{0000110C-0000-1000-8000-00805F9B34FB};{0000110E-0000-1000-8000-00805F9B34FB};{0000110F-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
**Classic Keyboards and Mice**
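Review bot: The changed UUID line ends with a trailing ";" after {00001200-0000-1000-8000-00805F9B34FB}, while the earlier text only says the value is a "semicolon delimited" list. State whether the trailing delimiter is required, optional or should be dropped, and put the value in code formatting so it can be copied exactly. The same applies to the Classic Keyboards and Mice value in the next hunk.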
@@ -434,7 +434,7 @@ This means that if you only want Bluetooth headsets, the UUIDs are:
{00001124-0000-1000-8000-00805F9B34FB};{00001200-0000-1000-8000-00805F9B34FB};
-**LE Keyboards and Mice**
+**LE Keyboards and Mice**
|Profile |Reasoning |UUID |
|---------|---------|---------|
diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md
index 6da1550f1d..e6f8aa0527 100644
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@@ -7,7 +7,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.localizationpriority: medium
---
@@ -19,7 +19,7 @@ ms.localizationpriority: medium
-## Browser policies
+## Browser policies
-
@@ -197,7 +197,7 @@ ms.localizationpriority: medium
-**Browser/AllowAddressBarDropdown**
+**Browser/AllowAddressBarDropdown**
@@ -225,14 +225,14 @@ ms.localizationpriority: medium
->*Supported versions: Microsoft Edge on Windows 10, version 1703*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703*
[!INCLUDE [allow-address-bar-drop-down-shortdesc](../includes/allow-address-bar-drop-down-shortdesc.md)]
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Address bar drop-down list suggestions*
- GP name: *AllowAddressBarDropdown*
- GP path: *Windows Components/Microsoft Edge*
@@ -252,7 +252,7 @@ Most restricted value: 0
-**Browser/AllowAutofill**
+**Browser/AllowAutofill**
@@ -285,7 +285,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Autofill*
- GP name: *AllowAutofill*
- GP path: *Windows Components/Microsoft Edge*
@@ -299,7 +299,7 @@ Supported values:
- 0 – Prevented/not allowed.
- 1 (default) – Allowed.
-Most restricted value: 0
+Most restricted value: 0
To verify AllowAutofill is set to 0 (not allowed):
@@ -315,7 +315,7 @@ To verify AllowAutofill is set to 0 (not allowed):
-**Browser/AllowConfigurationUpdateForBooksLibrary**
+**Browser/AllowConfigurationUpdateForBooksLibrary**
@@ -349,7 +349,7 @@ To verify AllowAutofill is set to 0 (not allowed):
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow configuration updates for the Books Library*
- GP name: *AllowConfigurationUpdateForBooksLibrary*
- GP path: *Windows Components/Microsoft Edge*
@@ -368,7 +368,7 @@ Supported values:
-**Browser/AllowCookies**
+**Browser/AllowCookies**
@@ -400,7 +400,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure cookies*
- GP name: *Cookies*
- GP element: *CookiesListBox*
@@ -431,7 +431,7 @@ To verify AllowCookies is set to 0 (not allowed):
-**Browser/AllowDeveloperTools**
+**Browser/AllowDeveloperTools**
@@ -464,7 +464,7 @@ To verify AllowCookies is set to 0 (not allowed):
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Developer Tools*
- GP name: *AllowDeveloperTools*
- GP path: *Windows Components/Microsoft Edge*
@@ -484,7 +484,7 @@ Most restricted value: 0
-**Browser/AllowDoNotTrack**
+**Browser/AllowDoNotTrack**
@@ -516,7 +516,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Do Not Track*
- GP name: *AllowDoNotTrack*
- GP path: *Windows Components/Microsoft Edge*
@@ -546,7 +546,7 @@ To verify AllowDoNotTrack is set to 0 (not allowed):
-**Browser/AllowExtensions**
+**Browser/AllowExtensions**
@@ -574,13 +574,13 @@ To verify AllowDoNotTrack is set to 0 (not allowed):
->*Supported versions: Microsoft Edge on Windows 10, version 1607*
+>*Supported versions: Microsoft Edge on Windows 10, version 1607*
[!INCLUDE [allow-extensions-shortdesc](../includes/allow-extensions-shortdesc.md)]
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Extensions*
- GP name: *AllowExtensions*
- GP path: *Windows Components/Microsoft Edge*
@@ -599,7 +599,7 @@ Supported values:
-**Browser/AllowFlash**
+**Browser/AllowFlash**
@@ -633,7 +633,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Adobe Flash*
- GP name: *AllowFlash*
- GP path: *Windows Components/Microsoft Edge*
@@ -652,7 +652,7 @@ Supported values:
-**Browser/AllowFlashClickToRun**
+**Browser/AllowFlashClickToRun**
@@ -680,14 +680,14 @@ Supported values:
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../includes/configure-adobe-flash-click-to-run-setting-shortdesc.md)]
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure the Adobe Flash Click-to-Run setting*
- GP name: *AllowFlashClickToRun*
- GP path: *Windows Components/Microsoft Edge*
@@ -708,7 +708,7 @@ Most restricted value: 1
-**Browser/AllowFullScreenMode**
+**Browser/AllowFullScreenMode**
@@ -742,7 +742,7 @@ Most restricted value: 1
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow FullScreen Mode*
- GP name: *AllowFullScreenMode*
- GP path: *Windows Components/Microsoft Edge*
@@ -769,7 +769,7 @@ Most restricted value: 0
-**Browser/AllowInPrivate**
+**Browser/AllowInPrivate**
@@ -801,7 +801,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow InPrivate browsing*
- GP name: *AllowInPrivate*
- GP path: *Windows Components/Microsoft Edge*
@@ -822,7 +822,7 @@ Most restricted value: 0
-**Browser/AllowMicrosoftCompatibilityList**
+**Browser/AllowMicrosoftCompatibilityList**
@@ -850,7 +850,7 @@ Most restricted value: 0
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-microsoft-compatibility-list-shortdesc](../includes/allow-microsoft-compatibility-list-shortdesc.md)]
@@ -858,7 +858,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Microsoft Compatibility List*
- GP name: *AllowCVList*
- GP path: *Windows Components/Microsoft Edge*
@@ -879,7 +879,7 @@ Most restricted value: 0
-**Browser/AllowPasswordManager**
+**Browser/AllowPasswordManager**
@@ -912,7 +912,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Password Manager*
- GP name: *AllowPasswordManager*
- GP path: *Windows Components/Microsoft Edge*
@@ -941,7 +941,7 @@ To verify AllowPasswordManager is set to 0 (not allowed):
-**Browser/AllowPopups**
+**Browser/AllowPopups**
@@ -974,7 +974,7 @@ To verify AllowPasswordManager is set to 0 (not allowed):
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Pop-up Blocker*
- GP name: *AllowPopups*
- GP path: *Windows Components/Microsoft Edge*
@@ -1003,7 +1003,7 @@ To verify AllowPopups is set to 0 (not allowed):
-**Browser/AllowPrelaunch**
+**Browser/AllowPrelaunch**
@@ -1038,7 +1038,7 @@ To verify AllowPopups is set to 0 (not allowed):
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed*
- GP name: *AllowPrelaunch*
- GP path: *Windows Components/Microsoft Edge*
@@ -1065,7 +1065,7 @@ Most restricted value: 0
-**Browser/AllowPrinting**
+**Browser/AllowPrinting**
@@ -1099,7 +1099,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow printing*
- GP name: *AllowPrinting*
- GP path: *Windows Components/Microsoft Edge*
@@ -1126,7 +1126,7 @@ Most restricted value: 0
-**Browser/AllowSavingHistory**
+**Browser/AllowSavingHistory**
@@ -1160,7 +1160,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Saving History*
- GP name: *AllowSavingHistory*
- GP path: *Windows Components/Microsoft Edge*
@@ -1187,7 +1187,7 @@ Most restricted value: 0
-**Browser/AllowSearchEngineCustomization**
+**Browser/AllowSearchEngineCustomization**
@@ -1216,7 +1216,7 @@ Most restricted value: 0
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-search-engine-customization-shortdesc](../includes/allow-search-engine-customization-shortdesc.md)]
@@ -1225,7 +1225,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow search engine customization*
- GP name: *AllowSearchEngineCustomization*
- GP path: *Windows Components/Microsoft Edge*
@@ -1246,7 +1246,7 @@ Most restricted value: 0
-**Browser/AllowSearchSuggestionsinAddressBar**
+**Browser/AllowSearchSuggestionsinAddressBar**
@@ -1278,7 +1278,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure search suggestions in Address bar*
- GP name: *AllowSearchSuggestionsinAddressBar*
- GP path: *Windows Components/Microsoft Edge*
@@ -1300,7 +1300,7 @@ Most restricted value: 0
-**Browser/AllowSideloadingOfExtensions**
+**Browser/AllowSideloadingOfExtensions**
@@ -1334,7 +1334,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow sideloading of Extensions*
- GP name: *AllowSideloadingOfExtensions*
- GP path: *Windows Components/Microsoft Edge*
@@ -1361,7 +1361,7 @@ Most restricted value: 0
-**Browser/AllowSmartScreen**
+**Browser/AllowSmartScreen**
@@ -1393,7 +1393,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Windows Defender SmartScreen*
- GP name: *AllowSmartScreen*
- GP path: *Windows Components/Microsoft Edge*
@@ -1422,7 +1422,7 @@ To verify AllowSmartScreen is set to 0 (not allowed):
-**Browser/AllowTabPreloading**
+**Browser/AllowTabPreloading**
@@ -1456,7 +1456,7 @@ To verify AllowSmartScreen is set to 0 (not allowed):
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Microsoft Edge to start and load the Start and New Tab pages in the background at Windows startup and each time Microsoft Edge is closed*
- GP name: *AllowTabPreloading*
- GP path: *Windows Components/Microsoft Edge*
@@ -1482,7 +1482,7 @@ Most restricted value: 1
-**Browser/AllowWebContentOnNewTabPage**
+**Browser/AllowWebContentOnNewTabPage**
@@ -1516,7 +1516,7 @@ Most restricted value: 1
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow web content on New Tab page*
- GP name: *AllowWebContentOnNewTabPage*
- GP path: *Windows Components/Microsoft Edge*
@@ -1542,7 +1542,7 @@ Supported values:
-**Browser/AlwaysEnableBooksLibrary**
+**Browser/AlwaysEnableBooksLibrary**
@@ -1577,7 +1577,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Always show the Books Library in Microsoft Edge*
- GP name: *AlwaysEnableBooksLibrary*
- GP path: *Windows Components/Microsoft Edge*
@@ -1598,7 +1598,7 @@ Most restricted value: 0
-**Browser/ClearBrowsingDataOnExit**
+**Browser/ClearBrowsingDataOnExit**
@@ -1626,13 +1626,13 @@ Most restricted value: 0
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../includes/allow-clearing-browsing-data-on-exit-shortdesc.md)]
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow clearing browsing data on exit*
- GP name: *AllowClearingBrowsingDataOnExit*
- GP path: *Windows Components/Microsoft Edge*
@@ -1649,11 +1649,11 @@ Most restricted value: 1
-To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
+To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):
1. Open Microsoft Edge and browse to websites.
2. Close the Microsoft Edge window.
-3. Open Microsoft Edge and start typing the same URL in address bar.
+3. Open Microsoft Edge and start typing the same URL in address bar.
4. Verify that it doesn't auto-complete from history.
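Review bot: Step 3 of the verification list, changed in this hunk, reads "start typing the same URL in address bar"; add the article ("in the address bar"). The changed lead-in "To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1):" would also be more consistent as "To verify ClearBrowsingDataOnExit is set to 1 (browsing data is cleared on exit):", matching the "To verify X is set to 0 (not allowed):" wording used for the other policies in this file.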
@@ -1662,7 +1662,7 @@ To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is s
-**Browser/ConfigureAdditionalSearchEngines**
+**Browser/ConfigureAdditionalSearchEngines**
@@ -1690,7 +1690,7 @@ To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is s
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [configure-additional-search-engines-shortdesc](../includes/configure-additional-search-engines-shortdesc.md)]
@@ -1700,7 +1700,7 @@ To verify whether browsing data is cleared on exit (ClearBrowsingDataOnExit is s
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure additional search engines*
- GP name: *ConfigureAdditionalSearchEngines*
- GP element: *ConfigureAdditionalSearchEngines_Prompt*
@@ -1721,7 +1721,7 @@ Most restricted value: 0
-**Browser/ConfigureFavoritesBar**
+**Browser/ConfigureFavoritesBar**
@@ -1755,7 +1755,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Favorites Bar*
- GP name: *ConfigureFavoritesBar*
- GP path: *Windows Components/Microsoft Edge*
@@ -1782,7 +1782,7 @@ Supported values:
-**Browser/ConfigureHomeButton**
+**Browser/ConfigureHomeButton**
@@ -1815,7 +1815,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Home Button*
- GP name: *ConfigureHomeButton*
- GP element: *ConfigureHomeButtonDropdown*
@@ -1847,7 +1847,7 @@ Supported values:
-**Browser/ConfigureKioskMode**
+**Browser/ConfigureKioskMode**
@@ -1884,7 +1884,7 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure kiosk mode*
- GP name: *ConfigureKioskMode*
- GP element: *ConfigureKioskMode_TextBox*
@@ -1895,11 +1895,11 @@ ADMX Info:
Supported values:
-**0 (Default or not configured)**:
+**0 (Default or not configured)**:
- If it’s a single app, it runs InPrivate full screen for digital signage or interactive displays.
- If it’s one of many apps, Microsoft Edge runs as normal.
-**1**:
+**1**:
- If it’s a single app, it runs a limited multi-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize, close, or open windows or customize Microsoft Edge, but can clear browsing data and downloads and restart by clicking “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. _**For single-app public browsing:**_ If you don't configure the Configure kiosk reset after idle timeout policy and you enable this policy, Microsoft Edge kiosk resets after 5 minutes of idle time.
- If it’s one of many apps, it runs in a limited multi-tab version of InPrivate for public browsing with other apps. Users can minimize, close, and open multiple InPrivate windows, but they can’t customize Microsoft Edge.
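Review bot: The bullets under the changed "**0 (Default or not configured)**:" and "**1**:" lines mix typographic quotes and apostrophes (“End session.”, it’s, can’t) with straight ones (don't) inside the same bullet. Normalize them to straight quotes while cleaning up this block. The first bullet under **1** also carries the 5-minute default idle reset in its last sentence, where it is easy to miss; consider giving it its own bullet or moving it to the ConfigureKioskResetAfterIdleTimeout section.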
@@ -1915,7 +1915,7 @@ Supported values:
-**Browser/ConfigureKioskResetAfterIdleTimeout**
+**Browser/ConfigureKioskResetAfterIdleTimeout**
@@ -1951,7 +1951,7 @@ You must set ConfigureKioskMode to enabled (1 - InPrivate public browsing) and c
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure kiosk reset after idle timeout*
- GP name: *ConfigureKioskResetAfterIdleTimeout*
- GP element: *ConfigureKioskResetAfterIdleTimeout_TextBox*
@@ -1978,7 +1978,7 @@ Supported values:
-**Browser/ConfigureOpenMicrosoftEdgeWith**
+**Browser/ConfigureOpenMicrosoftEdgeWith**
@@ -2018,7 +2018,7 @@ When you enable this policy and select an option, and also enter the URLs of the
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Open Microsoft Edge With*
- GP name: *ConfigureOpenEdgeWith*
- GP element: *ConfigureOpenEdgeWithListBox*
@@ -2051,7 +2051,7 @@ Supported values:
-**Browser/ConfigureTelemetryForMicrosoft365Analytics**
+**Browser/ConfigureTelemetryForMicrosoft365Analytics**
@@ -2084,7 +2084,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure collection of browsing data for Microsoft 365 Analytics*
- GP name: *ConfigureTelemetryForMicrosoft365Analytics*
- GP element: *ZonesListBox*
@@ -2113,7 +2113,7 @@ Most restricted value: 0
-**Browser/DisableLockdownOfStartPages**
+**Browser/DisableLockdownOfStartPages**
@@ -2141,19 +2141,19 @@ Most restricted value: 0
->*Supported versions: Microsoft Edge on Windows 10*
+>*Supported versions: Microsoft Edge on Windows 10*
[!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../includes/disable-lockdown-of-start-pages-shortdesc.md)]
> [!NOTE]
> This policy has no effect when the Browser/HomePages policy isn't configured.
-
+
> [!IMPORTANT]
> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the [Microsoft browser extension policy](/legal/microsoft-edge/microsoft-browser-extension-policy).
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Disable lockdown of Start pages*
- GP name: *DisableLockdownOfStartPages*
- GP path: *Windows Components/Microsoft Edge*
@@ -2173,7 +2173,7 @@ Most restricted value: 0
-**Browser/EnableExtendedBooksTelemetry**
+**Browser/EnableExtendedBooksTelemetry**
@@ -2206,7 +2206,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow extended telemetry for the Books tab*
- GP name: *EnableExtendedBooksTelemetry*
- GP path: *Windows Components/Microsoft Edge*
@@ -2226,7 +2226,7 @@ Most restricted value: 0
-**Browser/EnterpriseModeSiteList**
+**Browser/EnterpriseModeSiteList**
@@ -2259,7 +2259,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure the Enterprise Mode Site List*
- GP name: *EnterpriseModeSiteList*
- GP element: *EnterSiteListPrompt*
@@ -2280,7 +2280,7 @@ Supported values:
-**Browser/EnterpriseSiteListServiceUrl**
+**Browser/EnterpriseSiteListServiceUrl**
@@ -2317,7 +2317,7 @@ Supported values:
-**Browser/HomePages**
+**Browser/HomePages**
@@ -2352,10 +2352,10 @@ Supported values:
From this version, the HomePages policy enforces that users can't change the Start pages settings.
**Version 1703**
-If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.
+If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.
**Version 1809**
-When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages you want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy.
+When you enable the Configure Open Microsoft Edge With policy and select an option, and you enter the URLs of the pages you want to load as the Start pages in this policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the HomePages policy.
> [!NOTE]
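Review bot: The changed Version 1703 line reads "use the \ value", with only a backslash where the value itself should appear. Check how this renders on the published page and put the literal value in inline code so that any escaped characters are shown as typed. The changed Version 1809 sentence is also hard to follow; splitting it into the condition (both policies configured) and the result (Configure Open Microsoft Edge With takes precedence and HomePages is ignored) would help.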
@@ -2363,7 +2363,7 @@ When you enable the Configure Open Microsoft Edge With policy and select an opti
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Start pages*
- GP name: *HomePages*
- GP element: *HomePagesPrompt*
@@ -2383,7 +2383,7 @@ Supported values:
-**Browser/LockdownFavorites**
+**Browser/LockdownFavorites**
@@ -2411,14 +2411,14 @@ Supported values:
->*Supported versions: Microsoft Edge on Windows 10, version 1709*
+>*Supported versions: Microsoft Edge on Windows 10, version 1709*
[!INCLUDE [prevent-changes-to-favorites-shortdesc](../includes/prevent-changes-to-favorites-shortdesc.md)]
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent changes to Favorites on Microsoft Edge*
- GP name: *LockdownFavorites*
- GP path: *Windows Components/Microsoft Edge*
@@ -2438,7 +2438,7 @@ Most restricted value: 1
-**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**
+**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**
@@ -2471,7 +2471,7 @@ Most restricted value: 1
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent access to the about:flags page in Microsoft Edge*
- GP name: *PreventAccessToAboutFlagsInMicrosoftEdge*
- GP path: *Windows Components/Microsoft Edge*
@@ -2491,7 +2491,7 @@ Most restricted value: 1
-**Browser/PreventCertErrorOverrides**
+**Browser/PreventCertErrorOverrides**
@@ -2524,7 +2524,7 @@ Most restricted value: 1
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent certificate error overrides*
- GP name: *PreventCertErrorOverrides*
- GP path: *Windows Components/Microsoft Edge*
@@ -2550,7 +2550,7 @@ Most restricted value: 1
-**Browser/PreventFirstRunPage**
+**Browser/PreventFirstRunPage**
@@ -2578,13 +2578,13 @@ Most restricted value: 1
->*Supported versions: Microsoft Edge on Windows 10, version 1703*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703*
[!INCLUDE [prevent-first-run-webpage-from-opening-shortdesc](../includes/prevent-first-run-webpage-from-opening-shortdesc.md)]
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent the First Run webpage from opening on Microsoft Edge*
- GP name: *PreventFirstRunPage*
- GP path: *Windows Components/Microsoft Edge*
@@ -2594,7 +2594,7 @@ ADMX Info:
Supported values:
-- 0 (default) – Allowed. Load the First Run webpage.
+- 0 (default) – Allowed. Load the First Run webpage.
- 1 – Prevented/not allowed.
Most restricted value: 1
@@ -2604,7 +2604,7 @@ Most restricted value: 1
-**Browser/PreventLiveTileDataCollection**
+**Browser/PreventLiveTileDataCollection**
@@ -2632,13 +2632,13 @@ Most restricted value: 1
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
[!INCLUDE [prevent-edge-from-gathering-live-tile-info-shortdesc](../includes/prevent-edge-from-gathering-live-tile-info-shortdesc.md)]
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start*
- GP name: *PreventLiveTileDataCollection*
- GP path: *Windows Components/Microsoft Edge*
@@ -2658,7 +2658,7 @@ Most restricted value: 1
-**Browser/PreventSmartScreenPromptOverride**
+**Browser/PreventSmartScreenPromptOverride**
@@ -2690,7 +2690,7 @@ Most restricted value: 1
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent bypassing Windows Defender SmartScreen prompts for sites*
- GP name: *PreventSmartScreenPromptOverride*
- GP path: *Windows Components/Microsoft Edge*
@@ -2710,7 +2710,7 @@ Most restricted value: 1
-**Browser/PreventSmartScreenPromptOverrideForFiles**
+**Browser/PreventSmartScreenPromptOverrideForFiles**
@@ -2743,7 +2743,7 @@ Most restricted value: 1
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent bypassing Windows Defender SmartScreen prompts for files*
- GP name: *PreventSmartScreenPromptOverrideForFiles*
- GP path: *Windows Components/Microsoft Edge*
@@ -2763,7 +2763,7 @@ Most restricted value: 1
-**Browser/PreventTurningOffRequiredExtensions**
+**Browser/PreventTurningOffRequiredExtensions**
@@ -2795,7 +2795,7 @@ Most restricted value: 1
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent turning off required extensions*
- GP name: *PreventTurningOffRequiredExtensions*
- GP element: *PreventTurningOffRequiredExtensions_Prompt*
@@ -2804,7 +2804,7 @@ ADMX Info:
-Supported values:
+Supported values:
- Blank (default) - Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored.
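Review bot: In the bullet under the changed "Supported values:" line, "the list of extension PFNs defined in this policy get ignored" has a subject-verb mismatch (the list "is ignored"), and PFN is not expanded anywhere in this hunk. Fix the verb and spell out the abbreviation on first use.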
@@ -2822,7 +2822,7 @@ Supported values:
-**Browser/PreventUsingLocalHostIPAddressForWebRTC**
+**Browser/PreventUsingLocalHostIPAddressForWebRTC**
@@ -2855,7 +2855,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent using Localhost IP address for WebRTC*
- GP name: *HideLocalHostIPAddress*
- GP path: *Windows Components/Microsoft Edge*
@@ -2875,7 +2875,7 @@ Most restricted value: 1
-**Browser/ProvisionFavorites**
+**Browser/ProvisionFavorites**
@@ -2903,10 +2903,10 @@ Most restricted value: 1
->*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
[!INCLUDE [provision-favorites-shortdesc](../includes/provision-favorites-shortdesc.md)]
-
+
Define a default list of favorites in Microsoft Edge. In this case, the Save a Favorite, Import settings, and context menu options (such as Create a new folder) are turned off.
@@ -2924,7 +2924,7 @@ To define a default list of favorites:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Provision Favorites*
- GP name: *ConfiguredFavorites*
- GP element: *ConfiguredFavoritesPrompt*
@@ -2937,7 +2937,7 @@ ADMX Info:
-**Browser/SendIntranetTraffictoInternetExplorer**
+**Browser/SendIntranetTraffictoInternetExplorer**
@@ -2970,7 +2970,7 @@ ADMX Info:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Send all intranet sites to Internet Explorer 11*
- GP name: *SendIntranetTraffictoInternetExplorer*
- GP path: *Windows Components/Microsoft Edge*
@@ -2991,7 +2991,7 @@ Most restricted value: 0
-**Browser/SetDefaultSearchEngine**
+**Browser/SetDefaultSearchEngine**
@@ -3019,7 +3019,7 @@ Most restricted value: 0
->*Supported versions: Microsoft Edge on Windows 10, version 1703*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703*
[!INCLUDE [set-default-search-engine-shortdesc](../includes/set-default-search-engine-shortdesc.md)]
@@ -3031,7 +3031,7 @@ Most restricted value: 0
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Set default search engine*
- GP name: *SetDefaultSearchEngine*
- GP element: *SetDefaultSearchEngine_Prompt*
@@ -3053,7 +3053,7 @@ Most restricted value: 1
-**Browser/SetHomeButtonURL**
+**Browser/SetHomeButtonURL**
@@ -3086,7 +3086,7 @@ Most restricted value: 1
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Set Home Button URL*
- GP name: *SetHomeButtonURL*
- GP element: *SetHomeButtonURLPrompt*
@@ -3112,7 +3112,7 @@ Supported values:
-**Browser/SetNewTabPageURL**
+**Browser/SetNewTabPageURL**
@@ -3145,7 +3145,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Set New Tab page URL*
- GP name: *SetNewTabPageURL*
- GP element: *SetNewTabPageURLPrompt*
@@ -3170,7 +3170,7 @@ Supported values:
-**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**
+**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**
@@ -3202,7 +3202,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Show message when opening sites in Internet Explorer*
- GP name: *ShowMessageWhenOpeningSitesInInternetExplorer*
- GP path: *Windows Components/Microsoft Edge*
@@ -3223,7 +3223,7 @@ Most restricted value: 0
-**Browser/SuppressEdgeDeprecationNotification**
+**Browser/SuppressEdgeDeprecationNotification**
@@ -3251,13 +3251,13 @@ Most restricted value: 0
-This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after March 9, 2021, to avoid confusion for their enterprise users and reduce help desk calls.
+This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after March 9, 2021, to avoid confusion for their enterprise users and reduce help desk calls.
By default, a notification will be presented to the user informing them of this update upon application startup.
With this policy, you can either allow (default) or suppress this notification.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Suppress Edge Deprecation Notification*
- GP name: *SuppressEdgeDeprecationNotification*
- GP path: *Windows Components/Microsoft Edge*
@@ -3300,14 +3300,14 @@ Supported values:
->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
-
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+
[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Keep favorites in sync between Internet Explorer and Microsoft Edge*
- GP name: *SyncFavoritesBetweenIEAndMicrosoftEdge*
- GP path: *Windows Components/Microsoft Edge*
@@ -3336,7 +3336,7 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
-**Browser/UnlockHomeButton**
+**Browser/UnlockHomeButton**
@@ -3370,7 +3370,7 @@ To verify that favorites are in synchronized between Internet Explorer and Micro
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Unlock Home Button*
- GP name: *UnlockHomeButton*
- GP path: *Windows Components/Microsoft Edge*
@@ -3395,7 +3395,7 @@ Supported values:
-**Browser/UseSharedFolderForBooks**
+**Browser/UseSharedFolderForBooks**
@@ -3428,7 +3428,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow a shared Books folder*
- GP name: *UseSharedFolderForBooks*
- GP path: *Windows Components/Microsoft Edge*
@@ -3438,7 +3438,7 @@ ADMX Info:
Supported values:
-- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user.
+- 0 - Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user.
- 1 - Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.
Most restricted value: 0
diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md
index ed98c5d85b..50b9bb3e51 100644
--- a/windows/client-management/mdm/policy-csp-camera.md
+++ b/windows/client-management/mdm/policy-csp-camera.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -19,7 +19,7 @@ manager: aaroncz
-## Camera policies
+## Camera policies
-
@@ -31,7 +31,7 @@ manager: aaroncz
-**Camera/AllowCamera**
+**Camera/AllowCamera**
@@ -63,7 +63,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Use of Camera*
- GP name: *L_AllowCamera*
- GP path: *Windows Components/Camera*
diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
index da457db759..10eebb715f 100644
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
+++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -18,7 +18,7 @@ manager: aaroncz
-## ControlPolicyConflict policies
+## ControlPolicyConflict policies
-
@@ -30,7 +30,7 @@ manager: aaroncz
-**ControlPolicyConflict/MDMWinsOverGP**
+**ControlPolicyConflict/MDMWinsOverGP**
> [!NOTE]
> This setting doesn't apply to the following types of group policies:
@@ -70,7 +70,7 @@ This policy allows the IT admin to control which policy will be used whenever bo
> [!NOTE]
> MDMWinsOverGP only applies to policies in Policy CSP. MDM policies win over Group Policies where applicable; not all Group Policies are available via MDM or CSP. It does not apply to other MDM settings with equivalent GP settings that are defined in other CSPs.
-This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel.
+This policy is used to ensure that MDM policy wins over GP when policy is configured on MDM channel.
The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1.
> [!NOTE]
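Review bot: The unchanged context line after the edited sentence reads "if this policy value is set 1"; it is missing "to" and should read "is set to 1". The edited line itself drops its articles ("when policy is configured on MDM channel"); since the line is already being touched, consider "when the policy is configured on the MDM channel".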
@@ -81,19 +81,19 @@ The following list shows the supported values:
- 0 (default)
- 1 - The MDM policy is used and the GP policy is blocked.
-The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy.
+The policy should be set at every sync to ensure the device removes any settings that conflict with MDM just as it does on the very first set of the policy.
This ensures that:
-- GP settings that correspond to MDM applied settings aren't conflicting
-- The current Policy Manager policies are refreshed from what MDM has set
+- GP settings that correspond to MDM applied settings aren't conflicting
+- The current Policy Manager policies are refreshed from what MDM has set
- Any values set by scripts/user outside of GP that conflict with MDM are removed
-The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP:
+The [Policy DDF](policy-ddf-file.md) contains the following tags to identify the policies with equivalent GP:
-- \
+- \
- \
-- \
-- \
+- \
+- \
For the list MDM-GP mapping list, see [Policies in Policy CSP supported by Group Policy
](./policies-in-policy-csp-supported-by-group-policy.md).
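Review bot: The four list items under "contains the following tags" are each just `- \` on both the removed and added sides, so the tag names this sentence promises are not in the file text at all. The whitespace cleanup keeps that gap; the items need the actual DDF tag names, escaped or in backticks so they survive rendering. In the same hunk, "- 0 (default)" has no description while "1" does, "For the list MDM-GP mapping list" repeats "list", and the link text is split from its target by a line break.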
diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md
index 1eb727623a..7df10140df 100644
--- a/windows/client-management/mdm/policy-csp-cryptography.md
+++ b/windows/client-management/mdm/policy-csp-cryptography.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -19,7 +19,7 @@ manager: aaroncz
-## Cryptography policies
+## Cryptography policies
-
@@ -34,7 +34,7 @@ manager: aaroncz
-**Cryptography/AllowFipsAlgorithmPolicy**
+**Cryptography/AllowFipsAlgorithmPolicy**
@@ -65,7 +65,7 @@ This policy setting allows or disallows the Federal Information Processing Stand
-ADMX Info:
+ADMX Info:
- GP Friendly name: *System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -87,7 +87,7 @@ The following list shows the supported values:
-**Cryptography/TLSCipherSuites**
+**Cryptography/TLSCipherSuites**
diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md
index 9bb4559320..557d7e1a16 100644
--- a/windows/client-management/mdm/policy-csp-dataprotection.md
+++ b/windows/client-management/mdm/policy-csp-dataprotection.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -19,7 +19,7 @@ manager: aaroncz
-## DataProtection policies
+## DataProtection policies
-
@@ -34,7 +34,7 @@ manager: aaroncz
-**DataProtection/AllowDirectMemoryAccess**
+**DataProtection/AllowDirectMemoryAccess**
@@ -61,7 +61,7 @@ manager: aaroncz
-This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows.
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows.
Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled.
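Review bot: The context line after the edited sentence says "the host plug PCI ports", while the rest of the paragraph uses "hot pluggable" and "hot plug PCI ports"; "host" looks like a typo for "hot". Worth correcting in the same pass, since this paragraph is what admins read to understand when DMA is blocked.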
@@ -80,7 +80,7 @@ The following list shows the supported values:
-**DataProtection/LegacySelectiveWipeID**
+**DataProtection/LegacySelectiveWipeID**
@@ -110,7 +110,7 @@ The following list shows the supported values:
> [!IMPORTANT]
> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.
-
+
Setting used by Windows 8.1 Selective Wipe.
> [!NOTE]
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 172eeb0f4f..b3684deace 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 05/12/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.collection: highpri
---
@@ -20,7 +20,7 @@ ms.collection: highpri
-## Defender policies
+## Defender policies
-
@@ -152,7 +152,7 @@ ms.collection: highpri
-**Defender/AllowArchiveScanning**
+**Defender/AllowArchiveScanning**
@@ -187,7 +187,7 @@ Allows or disallows scanning of archives.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Scan archive files*
- GP name: *Scan_DisableArchiveScanning*
- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
@@ -206,7 +206,7 @@ The following list shows the supported values:
-**Defender/AllowBehaviorMonitoring**
+**Defender/AllowBehaviorMonitoring**
@@ -236,12 +236,12 @@ The following list shows the supported values:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
+
Allows or disallows Windows Defender Behavior Monitoring functionality.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn on behavior monitoring*
- GP name: *RealtimeProtection_DisableBehaviorMonitoring*
- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
@@ -260,7 +260,7 @@ The following list shows the supported values:
-**Defender/AllowCloudProtection**
+**Defender/AllowCloudProtection**
@@ -294,7 +294,7 @@ To best protect your PC, Windows Defender will send information to Microsoft abo
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Join Microsoft MAPS*
- GP name: *SpynetReporting*
- GP element: *SpynetReporting*
@@ -314,7 +314,7 @@ The following list shows the supported values:
-**Defender/AllowEmailScanning**
+**Defender/AllowEmailScanning**
@@ -348,7 +348,7 @@ Allows or disallows scanning of email.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn on e-mail scanning*
- GP name: *Scan_DisableEmailScanning*
- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
@@ -367,7 +367,7 @@ The following list shows the supported values:
-**Defender/AllowFullScanOnMappedNetworkDrives**
+**Defender/AllowFullScanOnMappedNetworkDrives**
@@ -401,7 +401,7 @@ Allows or disallows a full scan of mapped network drives.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Run full scan on mapped network drives*
- GP name: *Scan_DisableScanningMappedNetworkDrivesForFullScan*
- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
@@ -420,7 +420,7 @@ The following list shows the supported values:
-**Defender/AllowFullScanRemovableDriveScanning**
+**Defender/AllowFullScanRemovableDriveScanning**
@@ -454,7 +454,7 @@ Allows or disallows a full scan of removable drives. During a quick scan, remova
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Scan removable drives*
- GP name: *Scan_DisableRemovableDriveScanning*
- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
@@ -473,7 +473,7 @@ The following list shows the supported values:
-**Defender/AllowIOAVProtection**
+**Defender/AllowIOAVProtection**
@@ -502,12 +502,12 @@ The following list shows the supported values:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
+
Allows or disallows Windows Defender IOAVP Protection functionality.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Scan all downloaded files and attachments*
- GP name: *RealtimeProtection_DisableIOAVProtection*
- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
@@ -526,7 +526,7 @@ The following list shows the supported values:
-**Defender/AllowOnAccessProtection**
+**Defender/AllowOnAccessProtection**
@@ -560,7 +560,7 @@ Allows or disallows Windows Defender On Access Protection functionality.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Monitor file and program activity on your computer*
- GP name: *RealtimeProtection_DisableOnAccessProtection*
- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
@@ -582,7 +582,7 @@ The following list shows the supported values:
-**Defender/AllowRealtimeMonitoring**
+**Defender/AllowRealtimeMonitoring**
@@ -616,7 +616,7 @@ Allows or disallows Windows Defender real-time Monitoring functionality.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off real-time protection*
- GP name: *DisableRealtimeMonitoring*
- GP path: *Windows Components/Microsoft Defender Antivirus/Real-time Protection*
@@ -635,7 +635,7 @@ The following list shows the supported values:
-**Defender/AllowScanningNetworkFiles**
+**Defender/AllowScanningNetworkFiles**
@@ -669,7 +669,7 @@ Allows or disallows a scanning of network files.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Scan network files*
- GP name: *Scan_DisableScanningNetworkFiles*
- GP path: *Windows Components/Microsoft Defender Antivirus/Scan*
@@ -688,7 +688,7 @@ The following list shows the supported values:
-**Defender/AllowScriptScanning**
+**Defender/AllowScriptScanning**
@@ -733,7 +733,7 @@ The following list shows the supported values:
-**Defender/AllowUserUIAccess**
+**Defender/AllowUserUIAccess**
@@ -767,7 +767,7 @@ Allows or disallows user access to the Windows Defender UI. I disallowed, all Wi
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Enable headless UI mode*
- GP name: *UX_Configuration_UILockdown*
- GP path: *Windows Components/Microsoft Defender Antivirus/Client Interface*
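Review bot: The section text quoted in this hunk's header reads "I disallowed, all Wi…", which should be "If disallowed". It is outside the changed line, but it sits in the same AllowUserUIAccess description and is an easy fix to fold into this cleanup.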
@@ -786,7 +786,7 @@ The following list shows the supported values:
-**Defender/AttackSurfaceReductionOnlyExclusions**
+**Defender/AttackSurfaceReductionOnlyExclusions**
@@ -822,7 +822,7 @@ Value type is string.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Exclude files and paths from Attack Surface Reduction Rules*
- GP name: *ExploitGuard_ASR_ASROnlyExclusions*
- GP element: *ExploitGuard_ASR_ASROnlyExclusions*
@@ -835,7 +835,7 @@ ADMX Info:
-**Defender/AttackSurfaceReductionRules**
+**Defender/AttackSurfaceReductionRules**
@@ -873,7 +873,7 @@ Value type is string.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Attack Surface Reduction rules*
- GP name: *ExploitGuard_ASR_Rules*
- GP element: *ExploitGuard_ASR_Rules*
@@ -886,7 +886,7 @@ ADMX Info:
-**Defender/AvgCPULoadFactor**
+**Defender/AvgCPULoadFactor**
@@ -915,14 +915,14 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
+
Represents the average CPU load factor for the Windows Defender scan (in percent).
The default value is 50.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the maximum percentage of CPU utilization during a scan*
- GP name: *Scan_AvgCPULoadFactor*
- GP element: *Scan_AvgCPULoadFactor*
@@ -939,7 +939,7 @@ Valid values: 0–100
-**Defender/CheckForSignaturesBeforeRunningScan**
+**Defender/CheckForSignaturesBeforeRunningScan**
@@ -966,7 +966,7 @@ Valid values: 0–100
-This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan.
+This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan.
This setting applies to scheduled scans and the command line "mpcmdrun -SigUpdate", but it has no effect on scans initiated manually from the user interface.
@@ -976,14 +976,14 @@ If you disable this setting or don't configure this setting, the scan will start
Supported values:
-- 0 (default) - Disabled
+- 0 (default) - Disabled
- 1 - Enabled
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/CheckForSignaturesBeforeRunningScan
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Check for the latest virus and spyware definitions before running a scheduled scan*
- GP name: *CheckForSignaturesBeforeRunningScan*
- GP element: *CheckForSignaturesBeforeRunningScan*
@@ -1005,7 +1005,7 @@ ADMX Info:
-**Defender/CloudBlockLevel**
+**Defender/CloudBlockLevel**
@@ -1037,16 +1037,16 @@ ADMX Info:
This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. Value type is integer.
-If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
+If this setting is on, Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block and scan; otherwise, it will be less aggressive and therefore block and scan with less frequency.
For more information about specific values that are supported, see the Microsoft Defender Antivirus documentation site.
-
+
> [!NOTE]
> This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select cloud protection level*
- GP name: *MpEngine_MpCloudBlockLevel*
- GP element: *MpCloudBlockLevel*
@@ -1058,7 +1058,7 @@ ADMX Info:
The following list shows the supported values:
- 0x0 - Default windows defender blocking level
-- 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
+- 0x2 - High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives)
- 0x4 - High+ blocking level – aggressively block unknowns and apply more protection measures (may impact client performance)
- 0x6 - Zero tolerance blocking level – block all unknown executables
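Review bot: The value list mixes separators: the edited 0x2 line uses a hyphen ("High blocking level - aggressively block unknowns") while the 0x4 and 0x6 lines use an en dash. Pick one separator for all four entries, and capitalize the product name in "Default windows defender blocking level".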
@@ -1068,7 +1068,7 @@ The following list shows the supported values:
-**Defender/CloudExtendedTimeout**
+**Defender/CloudExtendedTimeout**
@@ -1100,16 +1100,16 @@ The following list shows the supported values:
This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds, and scan it in the cloud to make sure it's safe. Value type is integer, range is 0 - 50.
-The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an extra 50 seconds.
+The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature, specify the extended time in seconds, up to an extra 50 seconds.
-For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
+For example, if the desired timeout is 60 seconds, specify 50 seconds in this setting, which will enable the extended cloud check feature, and will raise the total time to 60 seconds.
> [!NOTE]
> This feature depends on three other MAPS settings the must all be enabled- "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required".
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure extended cloud check*
- GP name: *MpEngine_MpBafsExtendedTimeout*
- GP element: *MpBafsExtendedTimeout*
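Review bot: The NOTE in this hunk has unbalanced quotes and a typo: `"Configure the 'Block at First Sight' feature;` never closes its double quote, "the must all be enabled-" should be "that must all be enabled:". Because this note lists the prerequisites for the extended timeout to take effect, quote each of the three setting names consistently so they can be matched against the GP names. It would also help to state once that the configured value (0 to 50) is added to the 10-second base, which the "up to 60 seconds" sentence currently leaves the reader to infer.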
@@ -1122,7 +1122,7 @@ ADMX Info:
-**Defender/ControlledFolderAccessAllowedApplications**
+**Defender/ControlledFolderAccessAllowedApplications**
@@ -1156,7 +1156,7 @@ Added in Windows 10, version 1709. This policy setting allows user-specified app
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure allowed applications*
- GP name: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
- GP element: *ExploitGuard_ControlledFolderAccess_AllowedApplications*
@@ -1169,7 +1169,7 @@ ADMX Info:
-**Defender/ControlledFolderAccessProtectedFolders**
+**Defender/ControlledFolderAccessProtectedFolders**
@@ -1203,7 +1203,7 @@ This policy setting allows adding user-specified folder locations to the contro
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure protected folders*
- GP name: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
- GP element: *ExploitGuard_ControlledFolderAccess_ProtectedFolders*
@@ -1216,7 +1216,7 @@ ADMX Info:
-**Defender/DaysToRetainCleanedMalware**
+**Defender/DaysToRetainCleanedMalware**
@@ -1245,14 +1245,14 @@ ADMX Info:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
+
Time period (in days) that quarantine items will be stored on the system.
The default value is 0, which keeps items in quarantine, and doesn't automatically remove them.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure removal of items from Quarantine folder*
- GP name: *Quarantine_PurgeItemsAfterDelay*
- GP element: *Quarantine_PurgeItemsAfterDelay*
@@ -1269,7 +1269,7 @@ Valid values: 0–90
-**Defender/DisableCatchupFullScan**
+**Defender/DisableCatchupFullScan**
@@ -1296,22 +1296,22 @@ Valid values: 0–90
-This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
+This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
-If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
+If you enable this setting, catch-up scans for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
If you disable or don't configure this setting, catch-up scans for scheduled full scans will be turned off.
Supported values:
- 1 - Disabled (default)
-- 0 - Enabled
+- 0 - Enabled
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupFullScan
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn on catch-up full scan*
- GP name: *Scan_DisableCatchupFullScan*
- GP element: *Scan_DisableCatchupFullScan*
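Review bot: The supported values "1 - Disabled (default)" and "0 - Enabled" are ambiguous for a policy named DisableCatchupFullScan whose GP friendly name is "Turn on catch-up full scan": a reader cannot tell whether "Disabled" describes the policy or the scan. Phrase the values in terms of the resulting behavior, for example "1 - Catch-up full scans are turned off (default)" and "0 - Catch-up full scans are turned on". The DisableCatchupQuickScan section has the same wording.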
@@ -1333,7 +1333,7 @@ ADMX Info:
-**Defender/DisableCatchupQuickScan**
+**Defender/DisableCatchupQuickScan**
@@ -1360,7 +1360,7 @@ ADMX Info:
-This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
+This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled time.
If you enable this setting, catch-up scans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans, a catch-up scan is started the next time someone signs in to the computer. If there's no scheduled scan configured, there will be no catch-up scan run.
@@ -1369,13 +1369,13 @@ If you disable or don't configure this setting, catch-up scans for scheduled qui
Supported values:
- 1 - Disabled (default)
-- 0 - Enabled
+- 0 - Enabled
OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/DisableCatchupQuickScan
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn on catch-up quick scan*
- GP name: *Scan_DisableCatchupQuickScan*
- GP element: *Scan_DisableCatchupQuickScan*
@@ -1397,7 +1397,7 @@ ADMX Info:
-**Defender/EnableControlledFolderAccess**
+**Defender/EnableControlledFolderAccess**
@@ -1431,7 +1431,7 @@ This policy enables setting the state (On/Off/Audit) for the controlled folder a
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Controlled folder access*
- GP name: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
- GP element: *ExploitGuard_ControlledFolderAccess_EnableControlledFolderAccess*
@@ -1452,7 +1452,7 @@ The following list shows the supported values:
-**Defender/EnableLowCPUPriority**
+**Defender/EnableLowCPUPriority**
@@ -1488,11 +1488,11 @@ If you disable or don't configure this setting, no changes will be made to CPU p
Supported values:
- 0 - Disabled (default)
-- 1 - Enabled
+- 1 - Enabled
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure low CPU priority for scheduled scans*
- GP name: *Scan_LowCpuPriority*
- GP element: *Scan_LowCpuPriority*
@@ -1514,7 +1514,7 @@ ADMX Info:
-**Defender/EnableNetworkProtection**
+**Defender/EnableNetworkProtection**
@@ -1554,7 +1554,7 @@ If you don't configure this policy, network blocking will be disabled by default
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent users and apps from accessing dangerous websites*
- GP name: *ExploitGuard_EnableNetworkProtection*
- GP element: *ExploitGuard_EnableNetworkProtection*
@@ -1575,7 +1575,7 @@ The following list shows the supported values:
-**Defender/ExcludedExtensions**
+**Defender/ExcludedExtensions**
@@ -1604,12 +1604,12 @@ The following list shows the supported values:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
+
Allows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj".
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Path Exclusions*
- GP name: *Exclusions_Paths*
- GP element: *Exclusions_PathsList*
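Review bot: The ADMX Info in this hunk does not match the policy it documents. The description is about file type extensions ("lib|obj"), but the block lists GP Friendly name *Path Exclusions*, GP name *Exclusions_Paths* and GP element *Exclusions_PathsList*. Please confirm the mapping against the ADMX file before merging; a wrong GP name here sends admins to the wrong exclusion list when auditing what Defender skips.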
@@ -1622,7 +1622,7 @@ ADMX Info:
-**Defender/ExcludedPaths**
+**Defender/ExcludedPaths**
@@ -1656,7 +1656,7 @@ Allows an administrator to specify a list of directory paths to ignore during a
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Extension Exclusions*
- GP name: *Exclusions_Extensions*
- GP element: *Exclusions_ExtensionsList*
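Review bot: This ADMX Info block sits under Defender/ExcludedPaths, whose description covers directory paths, yet it names *Extension Exclusions*, *Exclusions_Extensions* and *Exclusions_ExtensionsList*. Verify the GP names for this policy rather than carrying the block forward unchanged.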
@@ -1669,7 +1669,7 @@ ADMX Info:
-**Defender/ExcludedProcesses**
+**Defender/ExcludedProcesses**
@@ -1708,7 +1708,7 @@ Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\E
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Process Exclusions*
- GP name: *Exclusions_Processes*
- GP element: *Exclusions_ProcessesList*
@@ -1721,7 +1721,7 @@ ADMX Info:
-**Defender/PUAProtection**
+**Defender/PUAProtection**
@@ -1759,7 +1759,7 @@ Specifies the level of detection for potentially unwanted applications (PUAs). W
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure detection for potentially unwanted applications*
- GP name: *Root_PUAProtection*
- GP element: *Root_PUAProtection*
@@ -1780,7 +1780,7 @@ The following list shows the supported values:
-**Defender/RealTimeScanDirection**
+**Defender/RealTimeScanDirection**
@@ -1817,7 +1817,7 @@ Controls which sets of files should be monitored.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure monitoring for incoming and outgoing file and program activity*
- GP name: *RealtimeProtection_RealtimeScanDirection*
- GP element: *RealtimeProtection_RealtimeScanDirection*
@@ -1838,7 +1838,7 @@ The following list shows the supported values:
-**Defender/ScanParameter**
+**Defender/ScanParameter**
@@ -1872,7 +1872,7 @@ Selects whether to perform a quick scan or full scan.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the scan type to use for a scheduled scan*
- GP name: *Scan_ScanParameters*
- GP element: *Scan_ScanParameters*
@@ -1892,7 +1892,7 @@ The following list shows the supported values:
-**Defender/ScheduleQuickScanTime**
+**Defender/ScheduleQuickScanTime**
@@ -1921,10 +1921,10 @@ The following list shows the supported values:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
-
+
Selects the time of day that the Windows Defender quick scan should run. The Windows Defender quick scan runs daily if a time is specified.
-
+
For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM.
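Review bot: The example line is inconsistent: "0=12:00AM", "60=1:00AM" and "1380=11:00PM" carry AM/PM, but "120=2:00" does not. Since 120 is also the documented default, write it as "120=2:00AM" and state explicitly that the value is minutes after midnight.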
@@ -1932,7 +1932,7 @@ The default value is 120
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the time for a daily quick scan*
- GP name: *Scan_ScheduleQuickScantime*
- GP element: *Scan_ScheduleQuickScantime*
@@ -1949,7 +1949,7 @@ Valid values: 0–1380
-**Defender/ScheduleScanDay**
+**Defender/ScheduleScanDay**
@@ -1986,7 +1986,7 @@ Selects the day that the Windows Defender scan should run.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the day of the week to run a scheduled scan*
- GP name: *Scan_ScheduleDay*
- GP element: *Scan_ScheduleDay*
@@ -1995,16 +1995,16 @@ ADMX Info:
-The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) – Every day
-- 1 – Sunday
-- 2 – Monday
-- 3 – Tuesday
+- 1 – Sunday
+- 2 – Monday
+- 3 – Tuesday
- 4 – Wednesday
-- 5 – Thursday
-- 6 – Friday
-- 7 – Saturday
+- 5 – Thursday
+- 6 – Friday
+- 7 – Saturday
- 8 – No scheduled scan
@@ -2013,7 +2013,7 @@ The following list shows the supported values:
-**Defender/ScheduleScanTime**
+**Defender/ScheduleScanTime**
@@ -2054,7 +2054,7 @@ The default value is 120.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the time of day to run a scheduled scan*
- GP name: *Scan_ScheduleTime*
- GP element: *Scan_ScheduleTime*
@@ -2071,7 +2071,7 @@ Valid values: 0–1380.
-**Defender/SecurityIntelligenceLocation**
+**Defender/SecurityIntelligenceLocation**
@@ -2098,13 +2098,13 @@ Valid values: 0–1380.
-This policy setting allows you to define the security intelligence location for VDI-configured computers.
+This policy setting allows you to define the security intelligence location for VDI-configured computers.
If you disable or don't configure this setting, security intelligence will be referred from the default local source.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the signature (Security intelligence) delivery optimization for Defender in Virtual Environments*
- GP name: *SecurityIntelligenceLocation*
- GP element: *SecurityIntelligenceLocation*
@@ -2123,7 +2123,7 @@ ADMX Info:
-**Defender/SignatureUpdateFallbackOrder**
+**Defender/SignatureUpdateFallbackOrder**
@@ -2150,16 +2150,16 @@ ADMX Info:
-This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order.
+This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in order.
-Possible values are:
+Possible values are:
- InternalDefinitionUpdateServer
- MicrosoftUpdateServer
- MMPC
- FileShares
-For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC
+For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC
If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted.
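Review bot: The example line "InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC" puts spaces around each pipe, while the description only says the value is a "pipe-separated string". Either state that whitespace around the separator is accepted or drop the spaces from the example, because an admin copying it into an OMA-URI payload can't tell which form is valid. Wrapping the example in a code span would also make the literal value clear.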
@@ -2169,7 +2169,7 @@ OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFallbackOrder
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Define the order of sources for downloading definition updates*
- GP name: *SignatureUpdate_FallbackOrder*
- GP element: *SignatureUpdate_FallbackOrder*
@@ -2191,7 +2191,7 @@ ADMX Info:
-**Defender/SignatureUpdateFileSharesSources**
+**Defender/SignatureUpdateFileSharesSources**
@@ -2218,9 +2218,9 @@ ADMX Info:
-This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources.
+This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources.
-For example: \\unc1\Signatures | \\unc2\Signatures
+For example: \\unc1\Signatures | \\unc2\Signatures
The list is empty by default.
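Review bot: The UNC example "\\unc1\Signatures | \\unc2\Signatures" is plain Markdown text, and a double backslash outside a code span is an escape sequence that renders as a single backslash, so readers will see "\unc1\Signatures". Put the example in a code span so both leading backslashes survive rendering. The same question about spaces around the pipe applies here as in SignatureUpdateFallbackOrder.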
@@ -2232,7 +2232,7 @@ OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateFileSharesSour
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Define file shares for downloading definition updates*
- GP name: *SignatureUpdate_DefinitionUpdateFileSharesSources*
- GP element: *SignatureUpdate_DefinitionUpdateFileSharesSources*
@@ -2254,7 +2254,7 @@ ADMX Info:
-**Defender/SignatureUpdateInterval**
+**Defender/SignatureUpdateInterval**
@@ -2294,7 +2294,7 @@ OMA-URI Path: ./Vendor/MSFT/Policy/Config/Defender/SignatureUpdateInterval
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the interval to check for definition updates*
- GP name: *SignatureUpdate_SignatureUpdateInterval*
- GP element: *SignatureUpdate_SignatureUpdateInterval*
@@ -2311,7 +2311,7 @@ Valid values: 0–24.
-**Defender/SubmitSamplesConsent**
+**Defender/SubmitSamplesConsent**
@@ -2345,7 +2345,7 @@ Checks for the user consent level in Windows Defender to send data. If the requi
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Send file samples when further analysis is required*
- GP name: *SubmitSamplesConsent*
- GP element: *SubmitSamplesConsent*
@@ -2367,7 +2367,7 @@ The following list shows the supported values:
-**Defender/ThreatSeverityDefaultAction**
+**Defender/ThreatSeverityDefaultAction**
@@ -2419,7 +2419,7 @@ The following list shows the supported values for possible actions:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify threat alert levels at which default action should not be taken when detected*
- GP name: *Threats_ThreatSeverityDefaultAction*
- GP element: *Threats_ThreatSeverityDefaultActionList*
diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md
index d34fce4b14..af7a4fe34d 100644
--- a/windows/client-management/mdm/policy-csp-deviceguard.md
+++ b/windows/client-management/mdm/policy-csp-deviceguard.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -18,7 +18,7 @@ manager: aaroncz
-## DeviceGuard policies
+## DeviceGuard policies
-
@@ -39,7 +39,7 @@ manager: aaroncz
-**DeviceGuard/ConfigureSystemGuardLaunch**
+**DeviceGuard/ConfigureSystemGuardLaunch**
@@ -78,7 +78,7 @@ For more information about System Guard, see [Introducing Windows Defender Syste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP element: *SystemGuardDrop*
@@ -100,7 +100,7 @@ ADMX Info:
-**DeviceGuard/EnableVirtualizationBasedSecurity**
+**DeviceGuard/EnableVirtualizationBasedSecurity**
@@ -131,7 +131,7 @@ Turns on virtualization based security(VBS) at the next reboot. Virtualization b
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP path: *System/Device Guard*
@@ -150,7 +150,7 @@ The following list shows the supported values:
-**DeviceGuard/LsaCfgFlags**
+**DeviceGuard/LsaCfgFlags**
@@ -181,7 +181,7 @@ This setting lets users turn on Credential Guard with virtualization-based secur
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP element: *CredentialIsolationDrop*
@@ -202,7 +202,7 @@ The following list shows the supported values:
-**DeviceGuard/RequirePlatformSecurityFeatures**
+**DeviceGuard/RequirePlatformSecurityFeatures**
@@ -232,7 +232,7 @@ This setting specifies the platform security level at the next reboot. Value typ
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP element: *RequirePlatformSecurityFeaturesDrop*
diff --git a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
index b412a147d6..5b5ba2a9dd 100644
--- a/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
+++ b/windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -19,7 +19,7 @@ manager: aaroncz
-## DeviceHealthMonitoring policies
+## DeviceHealthMonitoring policies
-
@@ -37,7 +37,7 @@ manager: aaroncz
-**DeviceHealthMonitoring/AllowDeviceHealthMonitoring**
+**DeviceHealthMonitoring/AllowDeviceHealthMonitoring**
@@ -68,7 +68,7 @@ DeviceHealthMonitoring is an opt-in health monitoring connection between the dev
-The following list shows the supported values:
+The following list shows the supported values:
- 1 -The DeviceHealthMonitoring connection is enabled.
- 0 - (default)—The DeviceHealthMonitoring connection is disabled.
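Review bot: The two supported-value items in this hunk's context use different separators: "- 1 -The DeviceHealthMonitoring connection is enabled." has no space after the hyphen, and "- 0 - (default)—The DeviceHealthMonitoring connection is disabled." mixes a hyphen with a dash and no spaces. A whitespace cleanup pass is a good place to normalise both to the "- 0 (default) – ..." form used by the other value lists in this change.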
@@ -85,7 +85,7 @@ The following list shows the supported values:
-**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope**
+**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope**
@@ -112,7 +112,7 @@ The following list shows the supported values:
-This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
+This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection.
IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
@@ -132,7 +132,7 @@ IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to
-**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination**
+**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination**
@@ -162,7 +162,7 @@ IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios.
-In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked.
+In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked.
Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service.
diff --git a/windows/client-management/mdm/policy-csp-display.md b/windows/client-management/mdm/policy-csp-display.md
index 601c24c077..e8d522f6ec 100644
--- a/windows/client-management/mdm/policy-csp-display.md
+++ b/windows/client-management/mdm/policy-csp-display.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Display policies
+## Display policies
-
@@ -41,7 +41,7 @@ manager: aaroncz
-**Display/DisablePerProcessDpiForApps**
+**Display/DisablePerProcessDpiForApps**
@@ -72,7 +72,7 @@ This policy allows you to disable Per-Process System DPI for a semicolon-separat
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Per-Process System DPI settings*
- GP name: *DisplayPerProcessSystemDpiSettings*
- GP element: *DisplayDisablePerProcessSystemDpiSettings*
@@ -85,7 +85,7 @@ ADMX Info:
-**Display/EnablePerProcessDpi**
+**Display/EnablePerProcessDpi**
@@ -113,15 +113,15 @@ ADMX Info:
-Per Process System DPI is an application compatibility feature for desktop applications that don't render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that haven't been updated to display properly in this scenario will be blurry until you sign out and back in to Windows.
+Per Process System DPI is an application compatibility feature for desktop applications that don't render properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI), connect remotely from a device with a different display scale factor, or manually change the display scale factor), many desktop applications can display blurry. Desktop applications that haven't been updated to display properly in this scenario will be blurry until you sign out and back in to Windows.
-When you enable this policy some blurry applications will be crisp after they're restarted, without requiring the user to sign out and back in to Windows.
+When you enable this policy some blurry applications will be crisp after they're restarted, without requiring the user to sign out and back in to Windows.
Be aware of the following points:
-Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display having the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors.
+Per Process System DPI will only improve the rendering of desktop applications that are positioned on the primary display (or any other display having the same scale factor as that of the primary display). Some desktop applications can still be blurry on secondary displays that have different display scale factors.
-Per Process System DPI won't work for all applications as some older desktop applications will always be blurry on high DPI displays.
+Per Process System DPI won't work for all applications as some older desktop applications will always be blurry on high DPI displays.
In some cases, you may see some unexpected behavior in some desktop applications that have Per-Process System DPI applied. If that happens, Per Process System DPI should be disabled.
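Review bot: "Be aware of the following points:" is followed by two plain paragraphs rather than list items, so after this change they still render as ordinary body text with no visual link to the lead-in. Make the two "Per Process System DPI ..." paragraphs bullet items. The last context line also uses both "Per-Process System DPI" and "Per Process System DPI" in one sentence; pick one spelling, preferably the hyphenated form that the GP Friendly name uses.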
@@ -129,7 +129,7 @@ Enabling this setting lets you specify the system-wide default for desktop appli
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Per-Process System DPI settings*
- GP name: *DisplayPerProcessSystemDpiSettings*
- GP element: *DisplayGlobalPerProcessSystemDpiSettings*
@@ -149,7 +149,7 @@ The following list shows the supported values:
-**Display/EnablePerProcessDpiForApps**
+**Display/EnablePerProcessDpiForApps**
@@ -180,7 +180,7 @@ This policy allows you to enable Per-Process System DPI for a semicolon-separate
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Per-Process System DPI settings*
- GP name: *DisplayPerProcessSystemDpiSettings*
- GP element: *DisplayEnablePerProcessSystemDpiSettings*
@@ -193,7 +193,7 @@ ADMX Info:
-**Display/TurnOffGdiDPIScalingForApps**
+**Display/TurnOffGdiDPIScalingForApps**
@@ -232,7 +232,7 @@ If GDI DPI Scaling is configured to both turn-off and turn-on an application, th
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off GdiDPIScaling for applications*
- GP name: *DisplayTurnOffGdiDPIScaling*
- GP element: *DisplayTurnOffGdiDPIScalingPrompt*
@@ -252,7 +252,7 @@ To validate on Desktop, do the following tasks:
-**Display/TurnOnGdiDPIScalingForApps**
+**Display/TurnOnGdiDPIScalingForApps**
@@ -291,7 +291,7 @@ If GDI DPI Scaling is configured to both turn-off and turn-on an application, th
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn on GdiDPIScaling for applications*
- GP name: *DisplayTurnOnGdiDPIScaling*
- GP element: *DisplayTurnOnGdiDPIScalingPrompt*
diff --git a/windows/client-management/mdm/policy-csp-dmaguard.md b/windows/client-management/mdm/policy-csp-dmaguard.md
index 1188039966..e9343f71e2 100644
--- a/windows/client-management/mdm/policy-csp-dmaguard.md
+++ b/windows/client-management/mdm/policy-csp-dmaguard.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## DmaGuard policies
+## DmaGuard policies
-
@@ -29,7 +29,7 @@ manager: aaroncz
-**DmaGuard/DeviceEnumerationPolicy**
+**DmaGuard/DeviceEnumerationPolicy**
@@ -56,7 +56,7 @@ manager: aaroncz
-This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers), device memory isolation and sandboxing.
+This policy is intended to provide more security against external DMA capable devices. It allows for more control over the enumeration of external DMA capable devices that are incompatible with [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers), device memory isolation and sandboxing.
Device memory sandboxing allows the OS to use the I/O Memory Management Unit (IOMMU) of a device to block unallowed I/O, or memory access by the peripheral. In other words, the OS assigns a certain memory range to the peripheral. If the peripheral attempts to read/write to memory outside of the assigned range, the OS blocks it.
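Review bot: The changed line says "external DMA capable devices" twice without the hyphen in the compound modifier, and the context line below has a stray comma in "block unallowed I/O, or memory access by the peripheral". Suggest "DMA-capable" and "block unallowed I/O or memory access by the peripheral", since this paragraph is the only description of what the policy protects against.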
@@ -75,7 +75,7 @@ The following are the supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Enumeration policy for external devices incompatible with Kernel DMA Protection*
- GP name: *DmaGuardEnumerationPolicy*
- GP path: *System/Kernel DMA Protection*
diff --git a/windows/client-management/mdm/policy-csp-eap.md b/windows/client-management/mdm/policy-csp-eap.md
index 9b16db9fd4..e90f5b26f7 100644
--- a/windows/client-management/mdm/policy-csp-eap.md
+++ b/windows/client-management/mdm/policy-csp-eap.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## EAP policies
+## EAP policies
-
@@ -29,7 +29,7 @@ manager: aaroncz
-**EAP/AllowTLS1_3**
+**EAP/AllowTLS1_3**
@@ -60,7 +60,7 @@ Added in Windows 10, version 21H1. This policy setting allows or disallows use o
-ADMX Info:
+ADMX Info:
- GP Friendly name: *AllowTLS1_3*
- GP name: *AllowTLS1_3*
- GP path: *Windows Components/EAP*
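Review bot: In the ADMX Info block, "GP Friendly name: *AllowTLS1_3*" is identical to the GP name, unlike every other policy in this change, where the friendly name is the display string from the Group Policy editor. Confirm that this matches the ADMX display text, or replace it with the actual string so admins can locate the setting under Windows Components/EAP.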
@@ -68,7 +68,7 @@ ADMX Info:
-The following list shows the supported values:
+The following list shows the supported values:
- 0 – Use of TLS version 1.3 is not allowed for authentication.
- 1 (default) – Use of TLS version 1.3 is allowed for authentication.
diff --git a/windows/client-management/mdm/policy-csp-education.md b/windows/client-management/mdm/policy-csp-education.md
index 1fd25bb275..f24efbe205 100644
--- a/windows/client-management/mdm/policy-csp-education.md
+++ b/windows/client-management/mdm/policy-csp-education.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Education policies
+## Education policies
-
@@ -37,7 +37,7 @@ manager: aaroncz
-**Education/AllowGraphingCalculator**
+**Education/AllowGraphingCalculator**
@@ -66,7 +66,7 @@ manager: aaroncz
This policy setting allows you to control, whether graphing functionality is available in the Windows Calculator app. If you disable this policy setting, graphing functionality won't be accessible in the Windows Calculator app. If you enable or don't configure this policy setting, you'll be able to access graphing functionality.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Graphing Calculator*
- GP name: *AllowGraphingCalculator*
- GP path: *Windows Components/Calculator*
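Review bot: The first context line of this hunk has a stray comma in "allows you to control, whether graphing functionality is available". Drop the comma while the file is being touched: "allows you to control whether graphing functionality is available in the Windows Calculator app."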
@@ -74,7 +74,7 @@ ADMX Info:
-The following list shows the supported values:
+The following list shows the supported values:
- 0 - Disabled
- 1 (default) - Enabled
@@ -83,7 +83,7 @@ The following list shows the supported values:
-**Education/DefaultPrinterName**
+**Education/DefaultPrinterName**
@@ -109,7 +109,7 @@ The following list shows the supported values:
-This policy allows IT Admins to set the user's default printer.
+This policy allows IT Admins to set the user's default printer.
The policy value is expected to be the name (network host name) of an installed printer.
@@ -119,7 +119,7 @@ The policy value is expected to be the name (network host name) of an installed
-**Education/PreventAddingNewPrinters**
+**Education/PreventAddingNewPrinters**
@@ -150,7 +150,7 @@ Allows IT Admins to prevent user installation of more printers from the printers
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent addition of printers*
- GP name: *NoAddPrinter*
- GP path: *Control Panel/Printers*
@@ -169,7 +169,7 @@ The following list shows the supported values:
-**Education/PrinterNames**
+**Education/PrinterNames**
diff --git a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
index 2c125b1d1f..53254a0dbb 100644
--- a/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
+++ b/windows/client-management/mdm/policy-csp-enterprisecloudprint.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## EnterpriseCloudPrint policies
+## EnterpriseCloudPrint policies
-
@@ -43,7 +43,7 @@ manager: aaroncz
-**EnterpriseCloudPrint/CloudPrintOAuthAuthority**
+**EnterpriseCloudPrint/CloudPrintOAuthAuthority**
@@ -81,7 +81,7 @@ The default value is an empty string. Otherwise, the value should contain the UR
-**EnterpriseCloudPrint/CloudPrintOAuthClientId**
+**EnterpriseCloudPrint/CloudPrintOAuthClientId**
@@ -119,7 +119,7 @@ The default value is an empty string. Otherwise, the value should contain a GUID
-**EnterpriseCloudPrint/CloudPrintResourceId**
+**EnterpriseCloudPrint/CloudPrintResourceId**
@@ -147,7 +147,7 @@ The default value is an empty string. Otherwise, the value should contain a GUID
Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
-Supported datatype is string.
+Supported datatype is string.
The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint".
@@ -157,7 +157,7 @@ The default value is an empty string. Otherwise, the value should contain a URL.
-**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**
+**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**
@@ -195,7 +195,7 @@ The default value is an empty string. Otherwise, the value should contain the UR
-**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**
+**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**
@@ -223,7 +223,7 @@ The default value is an empty string. Otherwise, the value should contain the UR
Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
-Supported datatype is integer.
+Supported datatype is integer.
@@ -231,7 +231,7 @@ Supported datatype is integer.
-**EnterpriseCloudPrint/MopriaDiscoveryResourceId**
+**EnterpriseCloudPrint/MopriaDiscoveryResourceId**
diff --git a/windows/client-management/mdm/policy-csp-eventlogservice.md b/windows/client-management/mdm/policy-csp-eventlogservice.md
index 3212b6504e..44732f7313 100644
--- a/windows/client-management/mdm/policy-csp-eventlogservice.md
+++ b/windows/client-management/mdm/policy-csp-eventlogservice.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## EventLogService policies
+## EventLogService policies
-
@@ -37,7 +37,7 @@ manager: aaroncz
-**EventLogService/ControlEventLogBehavior**
+**EventLogService/ControlEventLogBehavior**
@@ -75,7 +75,7 @@ If you disable or don't configure this policy setting and a log file reaches its
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Control Event Log behavior when the log file reaches its maximum size*
- GP name: *Channel_Log_Retention_1*
- GP path: *Windows Components/Event Log Service/Application*
@@ -87,7 +87,7 @@ ADMX Info:
-**EventLogService/SpecifyMaximumFileSizeApplicationLog**
+**EventLogService/SpecifyMaximumFileSizeApplicationLog**
@@ -122,7 +122,7 @@ If you disable or don't configure this policy setting, the maximum size of the l
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_1*
- GP path: *Windows Components/Event Log Service/Application*
@@ -134,7 +134,7 @@ ADMX Info:
-**EventLogService/SpecifyMaximumFileSizeSecurityLog**
+**EventLogService/SpecifyMaximumFileSizeSecurityLog**
@@ -169,7 +169,7 @@ If you disable or don't configure this policy setting, the maximum size of the l
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_2*
- GP path: *Windows Components/Event Log Service/Security*
@@ -181,7 +181,7 @@ ADMX Info:
-**EventLogService/SpecifyMaximumFileSizeSystemLog**
+**EventLogService/SpecifyMaximumFileSizeSystemLog**
@@ -216,7 +216,7 @@ If you disable or don't configure this policy setting, the maximum size of the l
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify the maximum log file size (KB)*
- GP name: *Channel_LogMaxSize_4*
- GP path: *Windows Components/Event Log Service/System*
diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md
index baeea5bf25..b49e98aa9f 100644
--- a/windows/client-management/mdm/policy-csp-experience.md
+++ b/windows/client-management/mdm/policy-csp-experience.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 11/02/2020
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Experience policies
+## Experience policies
-
@@ -103,7 +103,7 @@ manager: aaroncz
-**Experience/AllowClipboardHistory**
+**Experience/AllowClipboardHistory**
@@ -137,7 +137,7 @@ Supported value type is integer. Supported values are:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Clipboard History*
- GP name: *AllowClipboardHistory*
- GP path: *System/OS Policies*
@@ -165,7 +165,7 @@ ADMX Info:
-**Experience/AllowCortana**
+**Experience/AllowCortana**
@@ -197,7 +197,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Cortana*
- GP name: *AllowCortana*
- GP path: *Windows Components/Search*
@@ -216,7 +216,7 @@ The following list shows the supported values:
-**Experience/AllowDeviceDiscovery**
+**Experience/AllowDeviceDiscovery**
@@ -261,7 +261,7 @@ The following list shows the supported values:
-**Experience/AllowFindMyDevice**
+**Experience/AllowFindMyDevice**
@@ -295,7 +295,7 @@ When Find My Device is off, the device and its location aren't registered, and t
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn On/Off Find My Device*
- GP name: *FindMy_AllowFindMyDeviceConfig*
- GP path: *Windows Components/Find My Device*
@@ -314,7 +314,7 @@ The following list shows the supported values:
-**Experience/AllowManualMDMUnenrollment**
+**Experience/AllowManualMDMUnenrollment**
@@ -373,7 +373,7 @@ This policy is deprecated.
-**Experience/AllowScreenCapture**
+**Experience/AllowScreenCapture**
@@ -411,7 +411,7 @@ Describe what values are supported in by this policy and meaning of each value i
-**Experience/AllowSharingOfOfficeFiles**
+**Experience/AllowSharingOfOfficeFiles**
This policy is deprecated.
@@ -420,7 +420,7 @@ This policy is deprecated.
-**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
+**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
@@ -457,7 +457,7 @@ Describes what values are supported in by this policy and meaning of each value
-**Experience/AllowSyncMySettings**
+**Experience/AllowSyncMySettings**
@@ -498,7 +498,7 @@ The following list shows the supported values:
-**Experience/AllowSpotlightCollection**
+**Experience/AllowSpotlightCollection**
@@ -542,7 +542,7 @@ The following list shows the supported values:
-**Experience/AllowTailoredExperiencesWithDiagnosticData**
+**Experience/AllowTailoredExperiencesWithDiagnosticData**
@@ -580,7 +580,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Do not use diagnostic data for tailored experiences*
- GP name: *DisableTailoredExperiencesWithDiagnosticData*
- GP path: *Windows Components/Cloud Content*
@@ -599,7 +599,7 @@ The following list shows the supported values:
-**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
+**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
@@ -632,7 +632,7 @@ Specifies whether to allow app and content suggestions from third-party software
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Do not suggest third-party content in Windows spotlight*
- GP name: *DisableThirdPartySuggestions*
- GP path: *Windows Components/Cloud Content*
@@ -651,7 +651,7 @@ The following list shows the supported values:
-**Experience/AllowWindowsConsumerFeatures**
+**Experience/AllowWindowsConsumerFeatures**
@@ -686,7 +686,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off Microsoft consumer experiences*
- GP name: *DisableWindowsConsumerFeatures*
- GP path: *Windows Components/Cloud Content*
@@ -705,7 +705,7 @@ The following list shows the supported values:
-**Experience/AllowWindowsSpotlight**
+**Experience/AllowWindowsSpotlight**
@@ -740,7 +740,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off all Windows spotlight features*
- GP name: *DisableWindowsSpotlightFeatures*
- GP path: *Windows Components/Cloud Content*
@@ -759,7 +759,7 @@ The following list shows the supported values:
-**Experience/AllowWindowsSpotlightOnActionCenter**
+**Experience/AllowWindowsSpotlightOnActionCenter**
@@ -792,7 +792,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off Windows Spotlight on Action Center*
- GP name: *DisableWindowsSpotlightOnActionCenter*
- GP path: *Windows Components/Cloud Content*
@@ -811,7 +811,7 @@ The following list shows the supported values:
-**Experience/AllowWindowsSpotlightOnSettings**
+**Experience/AllowWindowsSpotlightOnSettings**
@@ -845,7 +845,7 @@ This policy allows IT admins to turn off Suggestions in Settings app. These sugg
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off Windows Spotlight on Settings*
- GP name: *DisableWindowsSpotlightOnSettings*
- GP path: *Windows Components/Cloud Content*
@@ -864,7 +864,7 @@ The following list shows the supported values:
-**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
+**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
@@ -898,7 +898,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off the Windows Welcome Experience*
- GP name: *DisableWindowsSpotlightWindowsWelcomeExperience*
- GP path: *Windows Components/Cloud Content*
@@ -917,7 +917,7 @@ The following list shows the supported values:
-**Experience/AllowWindowsTips**
+**Experience/AllowWindowsTips**
@@ -947,7 +947,7 @@ Enables or disables Windows Tips / soft landing.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Do not show Windows tips*
- GP name: *DisableSoftLanding*
- GP path: *Windows Components/Cloud Content*
@@ -966,7 +966,7 @@ The following list shows the supported values:
-**Experience/ConfigureChatIcon**
+**Experience/ConfigureChatIcon**
@@ -1010,7 +1010,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0, if not
-**Experience/ConfigureWindowsSpotlightOnLockScreen**
+**Experience/ConfigureWindowsSpotlightOnLockScreen**
@@ -1043,7 +1043,7 @@ Allows IT admins to specify, whether spotlight should be used on the user's lock
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Windows spotlight on lock screen*
- GP name: *ConfigureWindowsSpotlight*
- GP path: *Windows Components/Cloud Content*
@@ -1061,7 +1061,7 @@ The following list shows the supported values:
-**Experience/DisableCloudOptimizedContent**
+**Experience/DisableCloudOptimizedContent**
@@ -1095,7 +1095,7 @@ If you disable or don't configure this policy setting, Windows experiences will
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off cloud optimized content*
- GP name: *DisableCloudOptimizedContent*
- GP path: *Windows Components/Cloud Content*
@@ -1114,7 +1114,7 @@ The following list shows the supported values:
-**Experience/DoNotShowFeedbackNotifications**
+**Experience/DoNotShowFeedbackNotifications**
@@ -1148,7 +1148,7 @@ If you disable or don't configure this policy setting, users can control how oft
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Do not show feedback notifications*
- GP name: *DoNotShowFeedbackNotifications*
- GP path: *Data Collection and Preview Builds*
@@ -1167,7 +1167,7 @@ The following list shows the supported values:
-**Experience/DoNotSyncBrowserSettings**
+**Experience/DoNotSyncBrowserSettings**
@@ -1200,7 +1200,7 @@ Related policy:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Do not sync browser settings*
- GP name: *DisableWebBrowserSettingSync*
- GP path: *Windows Components/Sync your settings*
@@ -1241,7 +1241,7 @@ _**Turn syncing off by default but don’t disable**_
-**Experience/PreventUsersFromTurningOnBrowserSyncing**
+**Experience/PreventUsersFromTurningOnBrowserSyncing**
@@ -1275,7 +1275,7 @@ Related policy:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent users from turning on browser syncing*
- GP name: *PreventUsersFromTurningOnBrowserSyncing*
- GP path: *Windows Components/Sync your settings*
@@ -1319,7 +1319,7 @@ Validation procedure:
-**Experience/ShowLockOnUserTile**
+**Experience/ShowLockOnUserTile**
@@ -1356,7 +1356,7 @@ If you don't configure this policy setting, the lock option is shown in the User
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Show lock in the user tile menu*
- GP name: *ShowLockOption*
- GP path: *File Explorer*
@@ -1364,7 +1364,7 @@ ADMX Info:
-Supported values:
+Supported values:
- false - The lock option isn't displayed in the User Tile menu.
- true (default) - The lock option is displayed in the User Tile menu.
diff --git a/windows/client-management/mdm/policy-csp-exploitguard.md b/windows/client-management/mdm/policy-csp-exploitguard.md
index c187c4bbef..6153aac0a4 100644
--- a/windows/client-management/mdm/policy-csp-exploitguard.md
+++ b/windows/client-management/mdm/policy-csp-exploitguard.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## ExploitGuard policies
+## ExploitGuard policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**ExploitGuard/ExploitProtectionSettings**
+**ExploitGuard/ExploitProtectionSettings**
@@ -60,7 +60,7 @@ The system settings require a reboot; the application settings do not require a
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Use a common set of exploit protection settings*
- GP name: *ExploitProtection_Name*
- GP element: *ExploitProtection_Name*
diff --git a/windows/client-management/mdm/policy-csp-feeds.md b/windows/client-management/mdm/policy-csp-feeds.md
index 281f12f579..202470f2e2 100644
--- a/windows/client-management/mdm/policy-csp-feeds.md
+++ b/windows/client-management/mdm/policy-csp-feeds.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/17/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Feeds policies
+## Feeds policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**Feeds/FeedsEnabled**
+**Feeds/FeedsEnabled**
@@ -65,7 +65,7 @@ The values for this policy are 1 and 0. This policy defaults to 1.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Enable news and interests on the taskbar*
- GP name: *FeedsEnabled*
- GP path: *Windows Components\News and interests*
diff --git a/windows/client-management/mdm/policy-csp-games.md b/windows/client-management/mdm/policy-csp-games.md
index 16a07d2e71..05806d474a 100644
--- a/windows/client-management/mdm/policy-csp-games.md
+++ b/windows/client-management/mdm/policy-csp-games.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Games policies
+## Games policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**Games/AllowAdvancedGamingServices**
+**Games/AllowAdvancedGamingServices**
@@ -54,7 +54,7 @@ manager: aaroncz
-Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services.
+Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services.
Supported value type is integer.
diff --git a/windows/client-management/mdm/policy-csp-handwriting.md b/windows/client-management/mdm/policy-csp-handwriting.md
index 3146be4db8..c696d4a83f 100644
--- a/windows/client-management/mdm/policy-csp-handwriting.md
+++ b/windows/client-management/mdm/policy-csp-handwriting.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Handwriting policies
+## Handwriting policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**Handwriting/PanelDefaultModeDocked**
+**Handwriting/PanelDefaultModeDocked**
@@ -64,7 +64,7 @@ The docked mode is especially useful in Kiosk mode, where you don't expect the e
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Handwriting Panel Default Mode Docked*
- GP name: *PanelDefaultModeDocked*
- GP path: *Windows Components/Handwriting*
diff --git a/windows/client-management/mdm/policy-csp-humanpresence.md b/windows/client-management/mdm/policy-csp-humanpresence.md
index d1a49971c5..3edb7515e1 100644
--- a/windows/client-management/mdm/policy-csp-humanpresence.md
+++ b/windows/client-management/mdm/policy-csp-humanpresence.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## HumanPresence policies
+## HumanPresence policies
-
@@ -37,7 +37,7 @@ manager: aaroncz
-**HumanPresence/ForceInstantDim**
+**HumanPresence/ForceInstantDim**
@@ -66,7 +66,7 @@ This feature dims the screen based on user attention. This is a power saving fea
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Force Instant Dim*
- GP name: *ForceInstantDim*
- GP path: *Windows Components/Human Presence*
@@ -87,7 +87,7 @@ The following list shows the supported values:
-**HumanPresence/ForceInstantLock**
+**HumanPresence/ForceInstantLock**
@@ -117,7 +117,7 @@ This policy specifies, whether the device can lock when a human presence sensor
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceInstantLock*
- GP path: *Windows Components/HumanPresence*
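Review bot: The GP path on the last line of this hunk, *Windows Components/HumanPresence*, does not match the *Windows Components/Human Presence* path given for ForceInstantDim earlier in this file; pick the spelling the ADMX actually uses and apply it to every HumanPresence entry. The friendly name on the line above it, *Implements wake on approach and lock on leave that can be managed from MDM*, reads as a feature description rather than a setting name, so an admin cannot tell from it which policy this is.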
@@ -137,7 +137,7 @@ The following list shows the supported values:
-**HumanPresence/ForceInstantWake**
+**HumanPresence/ForceInstantWake**
@@ -167,7 +167,7 @@ This policy specifies, whether the device can lock when a human presence sensor
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceInstantWake*
- GP path: *Windows Components/HumanPresence*
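Review bot: The hunk header shows the ForceInstantWake description as "This policy specifies, whether the device can lock when a human presence sensor", which is the same text used for ForceInstantLock and describes locking, not waking. Since the file is being touched anyway, correct the description for the wake policy and drop the comma after "specifies".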
@@ -187,7 +187,7 @@ The following list shows the supported values:
-**HumanPresence/ForceLockTimeout**
+**HumanPresence/ForceLockTimeout**
@@ -217,7 +217,7 @@ This policy specifies, at what distance the sensor wakes up when it sees a human
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Implements wake on approach and lock on leave that can be managed from MDM*
- GP name: *ForceLockTimeout*
- GP path: *Windows Components/HumanPresence*
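Review bot: ForceLockTimeout is introduced in the hunk header with "This policy specifies, at what distance the sensor wakes up when it sees a human", which describes a wake distance rather than a lock timeout, and its GP Friendly name is the same string used for ForceInstantLock and ForceInstantWake. Someone mapping the MDM policy to Group Policy cannot tell the three apart; give each its own friendly name and a description that matches the setting.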
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index e1456fa569..e205b4485b 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -8,19 +8,19 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# Policy CSP - KioskBrowser
-These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).
+These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Microsoft Store app, added in Windows 10 version 1803, that provides IT a way to customize the end user's browsing experience to fulfill kiosk, signage, and shared device scenarios. Application developers can also create their own kiosk browser and read these policies using [NamedPolicy.GetPolicyFromPath(String, String) Method](/uwp/api/windows.management.policies.namedpolicy.getpolicyfrompath#Windows_Management_Policies_NamedPolicy_GetPolicyFromPath_System_String_System_String_).
-## KioskBrowser policies
+## KioskBrowser policies
-
@@ -50,7 +50,7 @@ These policies currently only apply to Kiosk Browser app. Kiosk Browser is a Mic
-**KioskBrowser/BlockedUrlExceptions**
+**KioskBrowser/BlockedUrlExceptions**
@@ -87,7 +87,7 @@ List of exceptions to the blocked website URLs (with wildcard support). This pol
-**KioskBrowser/BlockedUrls**
+**KioskBrowser/BlockedUrls**
@@ -124,7 +124,7 @@ List of blocked website URLs (with wildcard support). This policy is used to con
-**KioskBrowser/DefaultURL**
+**KioskBrowser/DefaultURL**
@@ -161,7 +161,7 @@ Configures the default URL kiosk browsers to navigate on launch and restart.
-**KioskBrowser/EnableEndSessionButton**
+**KioskBrowser/EnableEndSessionButton**
@@ -195,7 +195,7 @@ Shows the Kiosk Browser's end session button. When the policy is enabled, the Ki
-**KioskBrowser/EnableHomeButton**
+**KioskBrowser/EnableHomeButton**
@@ -232,7 +232,7 @@ Enable/disable kiosk browser's home button.
-**KioskBrowser/EnableNavigationButtons**
+**KioskBrowser/EnableNavigationButtons**
@@ -269,7 +269,7 @@ Enable/disable kiosk browser's navigation buttons (forward/back).
-**KioskBrowser/RestartOnIdleTime**
+**KioskBrowser/RestartOnIdleTime**
@@ -295,7 +295,7 @@ Enable/disable kiosk browser's navigation buttons (forward/back).
-Amount of time in minutes, the session is idle until the kiosk browser restarts in a fresh state.
+Amount of time in minutes, the session is idle until the kiosk browser restarts in a fresh state.
The value is an int 1-1440 that specifies the number of minutes the session is idle until the kiosk browser restarts in a fresh state. The default value is empty, which means there's no idle timeout within the kiosk browser.
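Review bot: The removed and added "Amount of time in minutes, ..." lines differ only in whitespace, so if the old line ended in two spaces it was a Markdown hard break, and the following "The value is an int 1-1440 ..." line now folds into the same paragraph; add a blank line between them or merge them deliberately. The two sentences also say the same thing twice, so the first could be dropped while keeping the range and the statement that an empty default means no idle timeout.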
diff --git a/windows/client-management/mdm/policy-csp-lanmanworkstation.md b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
index 15b727545c..bbe9307e31 100644
--- a/windows/client-management/mdm/policy-csp-lanmanworkstation.md
+++ b/windows/client-management/mdm/policy-csp-lanmanworkstation.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## LanmanWorkstation policies
+## LanmanWorkstation policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**LanmanWorkstation/EnableInsecureGuestLogons**
+**LanmanWorkstation/EnableInsecureGuestLogons**
@@ -64,7 +64,7 @@ Insecure guest sign in are used by file servers to allow unauthenticated access
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Enable insecure guest logons*
- GP name: *Pol_EnableInsecureGuestLogons*
- GP path: *Network/Lanman Workstation*
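Review bot: The description in the hunk header, "Insecure guest sign in are used by file servers to allow unauthenticated access", has a subject-verb mismatch and says "sign in" where the policy name and GP Friendly name say "logons". For a setting that governs unauthenticated access to file servers, keep one term throughout (for example "Insecure guest logons are used ...") so the text can be found by searching for the policy name.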
diff --git a/windows/client-management/mdm/policy-csp-licensing.md b/windows/client-management/mdm/policy-csp-licensing.md
index af74d4384d..effa809a71 100644
--- a/windows/client-management/mdm/policy-csp-licensing.md
+++ b/windows/client-management/mdm/policy-csp-licensing.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Licensing policies
+## Licensing policies
-
@@ -31,7 +31,7 @@ manager: aaroncz
-**Licensing/AllowWindowsEntitlementReactivation**
+**Licensing/AllowWindowsEntitlementReactivation**
@@ -61,7 +61,7 @@ Enables or Disable Windows license reactivation on managed devices.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Control Device Reactivation for Retail devices*
- GP name: *AllowWindowsEntitlementReactivation*
- GP path: *Windows Components/Software Protection Platform*
@@ -80,7 +80,7 @@ The following list shows the supported values:
-**Licensing/DisallowKMSClientOnlineAVSValidation**
+**Licensing/DisallowKMSClientOnlineAVSValidation**
@@ -110,7 +110,7 @@ Enabling this setting prevents this computer from sending data to Microsoft rega
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off KMS Client Online AVS Validation*
- GP name: *NoAcquireGT*
- GP path: *Windows Components/Software Protection Platform*
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 21dfa77d35..cda8035487 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 12/16/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## LocalPoliciesSecurityOptions policies
+## LocalPoliciesSecurityOptions policies
-
@@ -174,7 +174,7 @@ manager: aaroncz
> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md).
-**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
+**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
@@ -209,12 +209,12 @@ If you select the "Users cannot add or log on with Microsoft accounts" option, e
If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Accounts: Block Microsoft accounts*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -231,7 +231,7 @@ The following list shows the supported values:
-**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
+**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
@@ -260,12 +260,12 @@ The following list shows the supported values:
This setting allows the administrator to enable the local Administrator account.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Accounts: Enable Administrator Account Status*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -281,7 +281,7 @@ The following list shows the supported values:
-**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
+**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
@@ -310,12 +310,12 @@ The following list shows the supported values:
This setting allows the administrator to enable the guest Administrator account.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Accounts: Enable Guest Account Status*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
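Review bot: The context line "This setting allows the administrator to enable the guest Administrator account." looks like a copy of the Accounts_EnableAdministratorAccountStatus text with one word added; for Accounts_EnableGuestAccountStatus it should presumably read "the Guest account". Worth fixing in the same pass, since the two settings control different built-in accounts.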
@@ -332,7 +332,7 @@ The following list shows the supported values:
-**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
+**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
@@ -373,18 +373,18 @@ This setting doesn't affect sign in that use domain accounts.
It's possible for applications that use remote interactive sign in to bypass this setting.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Accounts: Limit local account use of blank passwords to console logon only*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-Valid values:
+Valid values:
- 0 - disabled - local accounts that aren't password protected can be used to sign in from locations other than the physical computer console.
- 1 - enabled - local accounts that aren't password protected will only be able to sign in at the computer's keyboard.
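Review bot: Two context lines in this hunk need wording fixes: "This setting doesn't affect sign in that use domain accounts." should read "sign-ins that use", and "It's possible for applications that use remote interactive sign in to bypass this setting." states a bypass without saying which sign-in paths are meant. Suggest naming the affected scenario or linking to where it is documented, so readers do not take value 1 as a complete control over blank-password accounts.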
@@ -394,7 +394,7 @@ Valid values:
-**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
+**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
@@ -427,12 +427,12 @@ This security setting determines whether a different account name is associated
Default: Administrator
This policy supports the following:
-- Supported value type is string.
+- Supported value type is string.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Accounts: Rename administrator account*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -442,7 +442,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
+**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
@@ -475,12 +475,12 @@ This security setting determines whether a different account name is associated
Default: Guest
This policy supports the following:
-- Supported value type is string.
+- Supported value type is string.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Accounts: Rename guest account*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -490,7 +490,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon**
+**LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon**
@@ -527,7 +527,7 @@ Default: Enabled
-GP Info:
+GP Info:
- GP Friendly name: *Devices: Allow undock without having to log on*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -537,7 +537,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia**
+**LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia**
@@ -574,7 +574,7 @@ Default: This policy isn't defined, and only Administrators have this ability.
-GP Info:
+GP Info:
- GP Friendly name: *Devices: Allowed to format and eject removable media*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -584,7 +584,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters**
+**LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters**
@@ -622,7 +622,7 @@ Default on workstations: Disabled
-GP Info:
+GP Info:
- GP Friendly name: *Devices: Prevent users from installing printer drivers*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -632,7 +632,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly**
+**LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly**
@@ -668,7 +668,7 @@ Default: This policy isn't defined and CD-ROM access isn't restricted to the loc
-GP Info:
+GP Info:
- GP Friendly name: *Devices: Restrict CD-ROM access to locally logged-on user only*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -678,7 +678,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
+**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
@@ -707,12 +707,12 @@ GP Info:
Interactive Logon: Display user information when the session is locked
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Interactive logon: Display user information when the session is locked*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -729,7 +729,7 @@ Valid values:
-**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
@@ -766,18 +766,18 @@ If this policy is disabled, the username will be shown.
Default: Disabled
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Interactive logon: Don't display last signed-in*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-Valid values:
+Valid values:
- 0 - disabled (username will be shown).
- 1 - enabled (username won't be shown).
@@ -787,7 +787,7 @@ Valid values:
-**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
@@ -824,18 +824,18 @@ If this policy is disabled, the username will be shown.
Default: Disabled
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Interactive logon: Don't display username at sign-in*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-Valid values:
+Valid values:
- 0 - disabled (username will be shown).
- 1 - enabled (username won't be shown).
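Review bot: The value descriptions here, "0 - disabled (username will be shown)" and "1 - enabled (username won't be shown)", are word for word the same as those for InteractiveLogon_DoNotDisplayLastSignedIn in the preceding hunks, and both policies share the header text "If this policy is disabled, the username will be shown." If the two policies behave differently, each list should say which name is hidden and on which screen; if they do not, say that they are equivalent.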
@@ -845,7 +845,7 @@ Valid values:
-**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
+**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
@@ -883,18 +883,18 @@ Default on domain-computers: Enabled: At least Windows 8 / Disabled: Windows 7 o
Default on stand-alone computers: Enabled
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Interactive logon: Do not require CTRL+ALT+DEL*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-Valid values:
+Valid values:
- 0 - disabled.
- 1 - enabled (a user isn't required to press CTRL+ALT+DEL to sign in).
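Review bot: In the Valid values list, "0 - disabled." carries no explanation while 1 does, and the policy name is itself a negative, so 0 is easy to read the wrong way round. Spell it out in the same form as the other entry, for example "0 - disabled (a user is required to press CTRL+ALT+DEL to sign in)."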
@@ -904,7 +904,7 @@ Valid values:
-**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
+**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
@@ -937,12 +937,12 @@ Windows notices inactivity of a sign-in session, and if the amount of inactive t
Default: Not enforced
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Interactive logon: Machine inactivity limit*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -956,7 +956,7 @@ Valid values: From 0 to 599940, where the value is the amount of inactivity time
-**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
@@ -991,12 +991,12 @@ This text is often used for legal reasons. For example, to warn users about the
Default: No message
This policy supports the following:
-- Supported value type is string.
+- Supported value type is string.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Interactive logon: Message text for users attempting to log on*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1006,7 +1006,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
+**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
@@ -1039,12 +1039,12 @@ This security setting allows the specification of a title to appear in the title
Default: No message
This policy supports the following:
-- Supported value type is string.
+- Supported value type is string.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Interactive logon: Message title for users attempting to log on*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1054,7 +1054,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior**
+**LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior**
@@ -1089,7 +1089,7 @@ The options are:
- No Action
- Lock Workstation
- Force Logoff
-- Disconnect if a Remote Desktop Services session
+- Disconnect if a Remote Desktop Services session
If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
@@ -1106,7 +1106,7 @@ On Windows Vista and above: For this setting to work, the Smart Card Removal Pol
-GP Info:
+GP Info:
- GP Friendly name: *Interactive logon: Smart card removal behavior*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1115,7 +1115,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**
+**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways**
@@ -1143,24 +1143,24 @@ GP Info:
Microsoft network client: Digitally sign communications (always)
-This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file, print sharing, and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted.
+
+If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
-If this setting is enabled, the Microsoft network client won't communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server.
-
Default: Disabled
-> [!Note]
+> [!Note]
> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings:
-> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
+> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing.
> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled.
-> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
-> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
+> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing.
+> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled.
>
> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing).
-GP Info:
+GP Info:
- GP Friendly name: *Microsoft network client: Digitally sign communications (always)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
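Review bot: The blank line that used to sit between "If this setting is enabled ..." and "Default: Disabled" is removed and a new one is added above that paragraph, so as the hunk reads, "Default: Disabled" now follows the paragraph directly and will render as part of it; keep a blank line on both sides. Separately, the link text "Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs" still carries the page-title suffix and could be trimmed to the article title.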
@@ -1170,7 +1170,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**
+**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees**
@@ -1219,7 +1219,7 @@ Default: Enabled
-GP Info:
+GP Info:
- GP Friendly name: *Microsoft network client: Digitally sign communications (if server agrees)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1229,7 +1229,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers**
+**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers**
@@ -1265,7 +1265,7 @@ Default: Disabled
-GP Info:
+GP Info:
- GP Friendly name: *Microsoft network client: Send unencrypted password to third-party SMB servers*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1275,7 +1275,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**
+**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**
@@ -1317,7 +1317,7 @@ Default: This policy isn't defined, which means that the system treats it as 15
-GP Info:
+GP Info:
- GP Friendly name: *Microsoft network server: Amount of idle time required before suspending session*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1336,7 +1336,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**
+**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**
@@ -1385,7 +1385,7 @@ Default: Disabled for member servers. Enabled for domain controllers.
-GP Info:
+GP Info:
- GP Friendly name: *Microsoft network server: Digitally sign communications (always)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1395,7 +1395,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees**
+**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees**
@@ -1444,7 +1444,7 @@ For more information, reference: [Reduced performance after SMB Encryption or SM
-GP Info:
+GP Info:
- GP Friendly name: *Microsoft network server: Digitally sign communications (if client agrees)*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1454,7 +1454,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts**
+**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts**
@@ -1499,7 +1499,7 @@ Default on server: Enabled
-GP Info:
+GP Info:
- GP Friendly name: *Network access: Do not allow anonymous enumeration of SAM accounts*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1509,7 +1509,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares**
+**LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares**
@@ -1545,7 +1545,7 @@ Default: Disabled
-GP Info:
+GP Info:
- GP Friendly name: *Network access: Do not allow anonymous enumeration of SAM accounts and shares*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1555,7 +1555,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares**
+**LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares**
@@ -1591,7 +1591,7 @@ When enabled, this security setting restricts anonymous access to shares and pip
-GP Info:
+GP Info:
- GP Friendly name: *Network access: Restrict anonymous access to Named Pipes and Shares*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1601,7 +1601,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM**
+**LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM**
@@ -1637,7 +1637,7 @@ This policy is supported on at least Windows Server 2016.
-GP Info:
+GP Info:
- GP Friendly name: *Network access: Restrict clients allowed to make remote calls to SAM*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1647,7 +1647,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**
+**LocalPoliciesSecurityOptions/NetworkSecurity_AllowLocalSystemToUseComputerIdentityForNTLM**
@@ -1681,13 +1681,13 @@ When a service connects with the device identity, signing and encryption are sup
-GP Info:
+GP Info:
- GP Friendly name: *Network security: Allow Local System to use computer identity for NTLM*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-Valid values:
+Valid values:
- 0 - Disabled.
- 1 - Enabled (Allow Local System to use computer identity for NTLM).
@@ -1697,7 +1697,7 @@ Valid values:
-**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
+**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
@@ -1728,18 +1728,18 @@ Network security: Allow PKU2U authentication requests to this computer to use on
This policy will be turned off by default on domain joined machines. This disablement would prevent online identities from authenticating to the domain joined machine.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Network security: Allow PKU2U authentication requests to this computer to use online identities.*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-Valid values:
+Valid values:
- 0 - disabled.
- 1 - enabled (allow PKU2U authentication requests to this computer to use online identities).
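Review bot: The two context sentences at the top of this hunk are hard to parse for a setting that decides whether online identities can authenticate to the device: "This disablement would prevent online identities from authenticating to the domain joined machine." Since the hunk already touches this block, suggest hyphenating "domain-joined" and rewording to something like "When the policy is off, online identities cannot authenticate to the domain-joined machine", which also lines up with the "0 - disabled" value listed below.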
@@ -1749,7 +1749,7 @@ Valid values:
-**LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange**
+**LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange**
@@ -1784,7 +1784,7 @@ This security setting determines if, at the next password change, the LAN Manage
-GP Info:
+GP Info:
- GP Friendly name: *Network security: Do not store LAN Manager hash value on next password change*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1794,7 +1794,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel**
+**LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel**
@@ -1846,7 +1846,7 @@ Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2: Send
-GP Info:
+GP Info:
- GP Friendly name: *Network security: LAN Manager authentication level*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1856,7 +1856,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
+**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients**
@@ -1897,7 +1897,7 @@ This security setting allows a client device to require the negotiation of 128-b
-GP Info:
+GP Info:
- GP Friendly name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) clients*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1907,7 +1907,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
+**LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers**
@@ -1949,7 +1949,7 @@ This security setting allows a server to require the negotiation of 128-bit encr
-GP Info:
+GP Info:
- GP Friendly name: *Network security: Minimum session security for NTLM SSP based (including secure RPC) servers*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -1959,7 +1959,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication**
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication**
@@ -1997,7 +1997,7 @@ The naming format for servers on this exception list is the fully qualified doma
-GP Info:
+GP Info:
- GP Friendly name: *Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2016,7 +2016,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic**
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic**
@@ -2059,7 +2059,7 @@ This policy is supported on at least Windows 7 or Windows Server 2008 R2.
-GP Info:
+GP Info:
- GP Friendly name: *Network security: Restrict NTLM: Audit Incoming NTLM Traffic*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2078,7 +2078,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic**
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic**
@@ -2121,7 +2121,7 @@ This policy is supported on at least Windows 7 or Windows Server 2008 R2.
-GP Info:
+GP Info:
- GP Friendly name: *Network security: Restrict NTLM: Incoming NTLM traffic*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2140,7 +2140,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers**
+**LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers**
@@ -2183,7 +2183,7 @@ This policy is supported on at least Windows 7 or Windows Server 2008 R2.
-GP Info:
+GP Info:
- GP Friendly name: *Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2202,7 +2202,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
+**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
@@ -2240,18 +2240,18 @@ When this policy is disabled, the option to shut down the computer doesn't appea
- Default on servers: Disabled.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *Shutdown: Allow system to be shut down without having to log on*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-Valid values:
+Valid values:
- 0 - disabled.
- 1 - enabled (allow system to be shut down without having to sign in).
@@ -2261,7 +2261,7 @@ Valid values:
-**LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile**
+**LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile**
@@ -2299,7 +2299,7 @@ Default: Disabled
-GP Info:
+GP Info:
- GP Friendly name: *Shutdown: Clear virtual memory pagefile*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2309,7 +2309,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
+**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
@@ -2341,23 +2341,23 @@ This policy setting controls whether User Interface Accessibility (UIAccess or U
Enabled: UIA programs, including Windows Remote Assistance, automatically disable the secure desktop for elevation prompts. If you don't disable the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting, the prompts appear on the interactive user's desktop instead of the secure desktop.
-Disabled: (Default)
+Disabled: (Default)
The secure desktop can be disabled only by the user of the interactive desktop or by disabling the "User Account Control: Switch to the secure desktop when prompting for elevation" policy setting.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-Valid values:
+Valid values:
- 0 - disabled.
- 1 - enabled (allow UIAccess applications to prompt for elevation without using the secure desktop).
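Review bot: The removed and added "Disabled: (Default)" lines are textually identical, so the change is whitespace only. If the old line ended in two trailing spaces, that was a Markdown hard line break, and removing it changes how this line and the following "The secure desktop can be disabled only by..." sentence render. Please check the rendered output. If the break was intentional, keep it explicitly. If not, consider joining the two lines so the entry matches the "Enabled: UIA programs..." form just above it.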
@@ -2367,7 +2367,7 @@ Valid values:
-**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
@@ -2416,12 +2416,12 @@ The options are:
- 5 - Prompt for consent for non-Windows binaries: (Default) When an operation for a non-Microsoft application requires elevation of privilege, the user is prompted on the secure desktop to select either Permit or Deny. If the user selects Permit, the operation continues with the user's highest available privilege.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2431,7 +2431,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
+**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
@@ -2462,12 +2462,12 @@ User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Behavior of the elevation prompt for standard users*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2485,7 +2485,7 @@ The following list shows the supported values:
-**LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation**
+**LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation**
@@ -2523,7 +2523,7 @@ The options are:
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Detect application installations and prompt for elevation*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2533,7 +2533,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
@@ -2568,12 +2568,12 @@ The options are:
- 1 - Enabled: Enforces the PKI certification path validation for a given executable file before it's permitted to run.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Only elevate executables that are signed and validated*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2583,7 +2583,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
+**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
@@ -2620,17 +2620,17 @@ This policy setting controls, whether applications that request to run with a Us
> [!NOTE]
> Windows enforces a public key infrastructure (PKI) signature check on any interactive application that requests to run with a UIAccess integrity level regardless of the state of this security setting.
-The options are:
+The options are:
- 0 - Disabled: An application runs with UIAccess integrity even if it doesn't reside in a secure location in the file system.
- 1 - Enabled: (Default) If an application resides in a secure location in the file system, it runs only with UIAccess integrity.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Only elevate UIAccess applications that are installed in secure locations*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
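Review bot: In the options list, the context line for value 1 puts "only" in the wrong place: "If an application resides in a secure location in the file system, it runs only with UIAccess integrity." Read against value 0 ("runs with UIAccess integrity even if it doesn't reside in a secure location"), the intended restriction is that an application runs with UIAccess integrity only if it resides in a secure location. Since this hunk already edits "The options are:", suggest fixing the wording here so the enforced behaviour of the default setting is unambiguous.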
@@ -2640,7 +2640,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**
+**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**
@@ -2676,15 +2676,15 @@ The options are:
> [!NOTE]
> If this policy setting is disabled, Windows Security notifies you that the overall security of the operating system has been reduced.
-- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately, to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
+- 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately, to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Run all administrators in Admin Approval Mode*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2694,7 +2694,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
+**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
@@ -2729,12 +2729,12 @@ The options are:
- 1 - Enabled: (Default) All elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Switch to the secure desktop when prompting for elevation*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2744,7 +2744,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode**
+**LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode**
@@ -2782,7 +2782,7 @@ The options are:
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Admin Approval Mode for the Built-in Administrator account*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
@@ -2792,7 +2792,7 @@ GP Info:
-**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
+**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
@@ -2823,12 +2823,12 @@ User Account Control: Virtualize file and registry write failures to per-user lo
This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
This policy supports the following:
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-GP Info:
+GP Info:
- GP Friendly name: *User Account Control: Virtualize file and registry write failures to per-user locations*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md
index c2c636a46f..8f9a5ef4cd 100644
--- a/windows/client-management/mdm/policy-csp-localusersandgroups.md
+++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 10/14/2020
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## LocalUsersAndGroups policies
+## LocalUsersAndGroups policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**LocalUsersAndGroups/Configure**
+**LocalUsersAndGroups/Configure**
@@ -59,14 +59,14 @@ This policy setting allows IT admins to add, remove, or replace members of local
> [!NOTE]
> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or Azure Active Directory groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove.
>
-> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
+> Starting from Windows 10, version 20H2, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results.
Here is an example of the policy definition XML for group configuration:
```xml
-
+
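Review bot: The changed NOTE line keeps the spelling "LocalUsersandGroups policy", while the section heading and the policy node in this file are "LocalUsersAndGroups". As the line is being rewritten anyway, correct the casing so that searches for the policy name find this recommendation, which is the one telling admins not to combine it with RestrictedGroups.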
@@ -75,22 +75,22 @@ Here is an example of the policy definition XML for group configuration:
where:
-- ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing.
-- ``: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R:
+- ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing.
+- ``: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R:
- Update. This action must be used to keep the current group membership intact and add or remove members of the specific group.
- Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting.
- ``: Specifies the SID or name of the member to configure.
- ``: Specifies the SID or name of the member to remove from the specified group.
> [!NOTE]
- > When specifying member names of the user accounts, you must use following format – AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk".
+ > When specifying member names of the user accounts, you must use following format – AzureAD\userUPN. For example, "AzureAD\user1@contoso.com" or "AzureAD\user2@contoso.co.uk".
For adding Azure AD groups, you need to specify the Azure AD Group SID. Azure AD group names are not supported with this policy.
-For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea).
+For more information, see [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea).
See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles.
> [!IMPORTANT]
-> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
+> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](/graph/api/resources/group?view=graph-rest-1.0&preserve-view=true#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute.
> - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct.
> - `` is not valid for the R (Restrict) action and will be ignored if present.
> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that, if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present.
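Review bot: The second bullet of the IMPORTANT block says member SIDs "are added without attempting to resolve them" and then only advises being "very careful". For a policy that can change the membership of local groups, the text should say how to confirm the value, for example by copying the group SID from the `securityIdentifier` attribute named in the bullet above rather than typing it by hand. Separately, the changed NOTE line reads "you must use following format"; insert "the" while the line is being touched.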
@@ -104,7 +104,7 @@ See [Use custom settings for Windows 10 devices in Intune](/mem/intune/configura
Example 1: Azure Active Directory focused.
-The following example updates the built-in administrators group with Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
+The following example updates the built-in administrators group with Azure AD account "bob@contoso.com" and an Azure AD group with the SID **S-1-12-1-111111111-22222222222-3333333333-4444444444** on an AAD-joined machine.
```xml
@@ -137,13 +137,13 @@ Example 3: Update action for adding and removing group members on a hybrid joine
The following example shows how you can update a local group (**Administrators**)—add an AD domain group as a member using its name (**Contoso\ITAdmins**), add a Azure Active Directory group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**) if it exists.
```xml
-
-
-
+
+
+
-
-
+
+
```
@@ -155,9 +155,9 @@ The following example shows how you can update a local group (**Administrators**
> [!NOTE]
->
+>
> When Azure Active Directory group SID’s are added to local groups, Azure AD account logon privileges are evaluated only for the following well-known groups on a Windows 10 device:
->
+>
> - Administrators
> - Users
> - Guests
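Review bot: The NOTE sentence between the two changed lines reads "When Azure Active Directory group SID’s are added to local groups"; the plural should be "SIDs", with no apostrophe. It would also help to state what happens for local groups outside this list, since the sentence says logon privileges are evaluated "only for the following well-known groups" and an admin adding an Azure AD group SID to any other group gets no hint that it will have no logon effect.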
@@ -167,12 +167,12 @@ The following example shows how you can update a local group (**Administrators**
## FAQs
-This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP.
+This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP.
### What happens if I accidentally remove the built-in Administrator SID from the Administrators group?
-Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error:
-
+Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error:
+
| Error Code | Symbolic Name | Error Description | Header |
|----------|----------|----------|----------|
| 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
@@ -189,7 +189,7 @@ Yes, you can remove a member even if it isn't a member of the group. This will r
### How can I add a domain group as a member to a local group?
-To add a domain group as a member to a local group, specify the domain group in `` of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information.
+To add a domain group as a member to a local group, specify the domain group in `` of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See [LookupAccountNameA function](/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information.
### Can I apply more than one LocalUserAndGroups policy/XML to the same device?
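Review bot: The trailing context heading spells the policy "LocalUserAndGroups" (missing "s"), while the FAQ introduction changed in the previous hunk calls it "LocalUsersAndGroups policy CSP". Suggest correcting the heading in this pass so that the anchor and on-page search match the real policy name.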
@@ -197,7 +197,7 @@ No, this is not allowed. Attempting to do so will result in a conflict in Intune
### What happens if I specify a group name that doesn't exist?
-Invalid group names or SIDs will be skipped. Valid parts of the policy will apply, and error will be returned at the end of the processing. This behavior aligns with the on-prem AD GPP (Group Policy Preferences) LocalUsersAndGroups policy. Similarly, invalid member names will be skipped, and error will be returned at the end to notify that not all settings were applied successfully.
+Invalid group names or SIDs will be skipped. Valid parts of the policy will apply, and error will be returned at the end of the processing. This behavior aligns with the on-prem AD GPP (Group Policy Preferences) LocalUsersAndGroups policy. Similarly, invalid member names will be skipped, and error will be returned at the end to notify that not all settings were applied successfully.
### What happens if I specify R and U in the same XML?
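Review bot: The changed answer says "error will be returned at the end of the processing" twice, without an article and without saying which error. The group element description earlier in this file states that when there are multiple errors, the last error is returned. Suggest "an error is returned" and a short reminder that only the last error is reported, so admins know that a single returned error does not mean only one group or member was skipped.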
@@ -205,7 +205,7 @@ If you specify both R and U in the same XML, the R (Restrict) action takes prece
### How do I check the result of a policy that is applied on the client device?
-After a policy is applied on the client device, you can investigate the event log to review the result:
+After a policy is applied on the client device, you can investigate the event log to review the result:
1. Open Event Viewer (**eventvwr.exe**).
2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise-
@@ -230,7 +230,7 @@ To troubleshoot Name/SID lookup APIs:
```powershell
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force
-
+
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x0 -Type dword -Force
```
diff --git a/windows/client-management/mdm/policy-csp-lockdown.md b/windows/client-management/mdm/policy-csp-lockdown.md
index 7b338795e8..e81ef5bdbd 100644
--- a/windows/client-management/mdm/policy-csp-lockdown.md
+++ b/windows/client-management/mdm/policy-csp-lockdown.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## LockDown policies
+## LockDown policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**LockDown/AllowEdgeSwipe**
+**LockDown/AllowEdgeSwipe**
@@ -60,7 +60,7 @@ The easiest way to verify the policy is to restart the explorer process or to re
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow edge swipe*
- GP name: *AllowEdgeSwipe*
- GP path: *Windows Components/Edge UI*
diff --git a/windows/client-management/mdm/policy-csp-maps.md b/windows/client-management/mdm/policy-csp-maps.md
index d62a84d748..81e6388586 100644
--- a/windows/client-management/mdm/policy-csp-maps.md
+++ b/windows/client-management/mdm/policy-csp-maps.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Maps policies
+## Maps policies
-
@@ -31,7 +31,7 @@ manager: aaroncz
-**Maps/AllowOfflineMapsDownloadOverMeteredConnection**
+**Maps/AllowOfflineMapsDownloadOverMeteredConnection**
@@ -75,7 +75,7 @@ The following list shows the supported values:
-**Maps/EnableOfflineMapsAutoUpdate**
+**Maps/EnableOfflineMapsAutoUpdate**
@@ -107,7 +107,7 @@ After the policy is applied, you can verify the settings in the user interface i
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off Automatic Download and Update of Map Data*
- GP name: *TurnOffAutoUpdate*
- GP path: *Windows Components/Maps*
diff --git a/windows/client-management/mdm/policy-csp-memorydump.md b/windows/client-management/mdm/policy-csp-memorydump.md
index 37bcafe0e4..55f2821dc5 100644
--- a/windows/client-management/mdm/policy-csp-memorydump.md
+++ b/windows/client-management/mdm/policy-csp-memorydump.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## MemoryDump policies
+## MemoryDump policies
-
@@ -31,7 +31,7 @@ manager: aaroncz
-**MemoryDump/AllowCrashDump**
+**MemoryDump/AllowCrashDump**
@@ -72,7 +72,7 @@ The following list shows the supported values:
-**MemoryDump/AllowLiveDump**
+**MemoryDump/AllowLiveDump**
diff --git a/windows/client-management/mdm/policy-csp-messaging.md b/windows/client-management/mdm/policy-csp-messaging.md
index ea92d4a966..af0864c827 100644
--- a/windows/client-management/mdm/policy-csp-messaging.md
+++ b/windows/client-management/mdm/policy-csp-messaging.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Messaging policies
+## Messaging policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**Messaging/AllowMessageSync**
+**Messaging/AllowMessageSync**
@@ -58,7 +58,7 @@ Enables text message backup and restore and Messaging Everywhere. This policy al
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Message Service Cloud Sync*
- GP name: *AllowMessageSync*
- GP path: *Windows Components/Messaging*
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index e49f9c7be8..800812d6e2 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -16,7 +16,7 @@ manager: aaroncz
-## MixedReality policies
+## MixedReality policies
-
@@ -51,7 +51,7 @@ manager: aaroncz
-
MixedReality/ManualDownDirectionDisabled
-
+
-
MixedReality/MicrophoneDisabled
@@ -75,7 +75,7 @@ manager: aaroncz
-**MixedReality/AADGroupMembershipCacheValidityInDays**
+**MixedReality/AADGroupMembershipCacheValidityInDays**
@@ -103,7 +103,7 @@ Steps to use this policy correctly:
-**MixedReality/AllowCaptivePortalBeforeSignIn**
+**MixedReality/AllowCaptivePortalBeforeSignIn**
@@ -229,7 +229,7 @@ Supported values are 0-60. The default value is 0 (day) and maximum value is 60
-**MixedReality/BrightnessButtonDisabled**
+**MixedReality/BrightnessButtonDisabled**
@@ -272,7 +272,7 @@ The following list shows the supported values:
-**MixedReality/ConfigureMovingPlatform**
+**MixedReality/ConfigureMovingPlatform**
@@ -314,7 +314,7 @@ Supported value is Integer.
-**MixedReality/ConfigureNtpClient**
+**MixedReality/ConfigureNtpClient**
@@ -379,7 +379,7 @@ value="0"/>
-**MixedReality/DisallowNetworkConnectivityPassivePolling**
+**MixedReality/DisallowNetworkConnectivityPassivePolling**
@@ -415,7 +415,7 @@ The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/Disa
-**MixedReality/FallbackDiagnostics**
+**MixedReality/FallbackDiagnostics**
@@ -459,7 +459,7 @@ The following list shows the supported values:
-**MixedReality/HeadTrackingMode**
+**MixedReality/HeadTrackingMode**
@@ -502,7 +502,7 @@ The following list shows the supported values:
-**MixedReality/ManualDownDirectionDisabled**
+**MixedReality/ManualDownDirectionDisabled**
@@ -542,7 +542,7 @@ Supported values:
-**MixedReality/MicrophoneDisabled**
+**MixedReality/MicrophoneDisabled**
@@ -583,7 +583,7 @@ The following list shows the supported values:
-**MixedReality/NtpClientEnabled**
+**MixedReality/NtpClientEnabled**
@@ -627,7 +627,7 @@ This policy setting specifies whether the Windows NTP Client is enabled.
-**MixedReality/SkipCalibrationDuringSetup**
+**MixedReality/SkipCalibrationDuringSetup**
@@ -663,7 +663,7 @@ The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/Skip
-**MixedReality/SkipTrainingDuringSetup**
+**MixedReality/SkipTrainingDuringSetup**
@@ -699,7 +699,7 @@ The OMA-URI of new policy: `./Device/Vendor/MSFT/Policy/Config/MixedReality/Skip
-**MixedReality/VolumeButtonDisabled**
+**MixedReality/VolumeButtonDisabled**
@@ -742,7 +742,7 @@ The following list shows the supported values:
-**MixedReality/VisitorAutoLogon**
+**MixedReality/VisitorAutoLogon**
diff --git a/windows/client-management/mdm/policy-csp-networkisolation.md b/windows/client-management/mdm/policy-csp-networkisolation.md
index d2d4a901b0..53c14116f6 100644
--- a/windows/client-management/mdm/policy-csp-networkisolation.md
+++ b/windows/client-management/mdm/policy-csp-networkisolation.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## NetworkIsolation policies
+## NetworkIsolation policies
-
@@ -49,7 +49,7 @@ manager: aaroncz
-**NetworkIsolation/EnterpriseCloudResources**
+**NetworkIsolation/EnterpriseCloudResources**
@@ -79,7 +79,7 @@ Contains a list of Enterprise resource domains hosted in the cloud that need to
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Enterprise resource domains hosted in the cloud*
- GP name: *WF_NetIsolation_EnterpriseCloudResources*
- GP element: *WF_NetIsolation_EnterpriseCloudResourcesBox*
@@ -92,7 +92,7 @@ ADMX Info:
-**NetworkIsolation/EnterpriseIPRange**
+**NetworkIsolation/EnterpriseIPRange**
@@ -122,7 +122,7 @@ Sets the enterprise IP ranges that define the computers in the enterprise networ
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Private network ranges for apps*
- GP name: *WF_NetIsolation_PrivateSubnet*
- GP element: *WF_NetIsolation_PrivateSubnetBox*
@@ -139,7 +139,7 @@ For example:
2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,
2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-
+
```
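Review bot: The `+` line still leaves an empty line between the last range (`fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`) and the closing fence of the example. Since this block is the copy-and-paste template for a comma-separated policy value, consider deleting the blank line outright instead of only stripping its whitespace, so the example ends on the final range.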
@@ -148,7 +148,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
-**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**
+**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**
@@ -178,7 +178,7 @@ Integer value that tells the client to accept the configured list and not to use
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Subnet definitions are authoritative*
- GP name: *WF_NetIsolation_Authoritative_Subnet*
- GP path: *Network/Network Isolation*
@@ -190,7 +190,7 @@ ADMX Info:
-**NetworkIsolation/EnterpriseInternalProxyServers**
+**NetworkIsolation/EnterpriseInternalProxyServers**
@@ -220,7 +220,7 @@ This list is the comma-separated list of internal proxy servers. For example "15
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Intranet proxy servers for apps*
- GP name: *WF_NetIsolation_Intranet_Proxies*
- GP element: *WF_NetIsolation_Intranet_ProxiesBox*
@@ -233,7 +233,7 @@ ADMX Info:
-**NetworkIsolation/EnterpriseNetworkDomainNames**
+**NetworkIsolation/EnterpriseNetworkDomainNames**
@@ -276,7 +276,7 @@ Here are the steps to create canonical domain names:
-**NetworkIsolation/EnterpriseProxyServers**
+**NetworkIsolation/EnterpriseProxyServers**
@@ -306,7 +306,7 @@ This list is a comma-separated list of proxy servers. Any server on this list is
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Internet proxy servers for apps*
- GP name: *WF_NetIsolation_Domain_Proxies*
- GP element: *WF_NetIsolation_Domain_ProxiesBox*
@@ -319,7 +319,7 @@ ADMX Info:
-**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**
+**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**
@@ -349,7 +349,7 @@ Integer value that tells the client to accept the configured list of proxies and
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Proxy definitions are authoritative*
- GP name: *WF_NetIsolation_Authoritative_Proxies*
- GP path: *Network/Network Isolation*
@@ -361,7 +361,7 @@ ADMX Info:
-**NetworkIsolation/NeutralResources**
+**NetworkIsolation/NeutralResources**
@@ -391,7 +391,7 @@ List of domain names that can be used for work or personal resource.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Domains categorized as both work and personal*
- GP name: *WF_NetIsolation_NeutralResources*
- GP element: *WF_NetIsolation_NeutralResourcesBox*
diff --git a/windows/client-management/mdm/policy-csp-networklistmanager.md b/windows/client-management/mdm/policy-csp-networklistmanager.md
index bd33a1ddfa..60a664f65e 100644
--- a/windows/client-management/mdm/policy-csp-networklistmanager.md
+++ b/windows/client-management/mdm/policy-csp-networklistmanager.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 12/16/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## NetworkListManager policies
+## NetworkListManager policies
-
@@ -31,7 +31,7 @@ manager: aaroncz
-**NetworkListManager/AllowedTlsAuthenticationEndpoints**
+**NetworkListManager/AllowedTlsAuthenticationEndpoints**
@@ -57,9 +57,9 @@ manager: aaroncz
-This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
+This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
-When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI:
+When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI:
``
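Review bot: The description says the network is considered authenticated if any URL "can be resolved over HTTPS", which does not say what the client actually checks. Because this setting decides whether a network is treated as authenticated, the text should state explicitly what counts as success, for example whether the server certificate has to validate. Also, the line after "you must follow this format, even in the UI:" is an empty code span here, so the format being referred to is not visible; put the example in a fenced block so its markup survives rendering.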
@@ -75,7 +75,7 @@ When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must fo
-**NetworkListManager/ConfiguredTLSAuthenticationNetworkName**
+**NetworkListManager/ConfiguredTLSAuthenticationNetworkName**
diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md
index 59566c1026..4f5672eead 100644
--- a/windows/client-management/mdm/policy-csp-newsandinterests.md
+++ b/windows/client-management/mdm/policy-csp-newsandinterests.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## NewsAndInterests policies
+## NewsAndInterests policies
-
@@ -27,7 +27,7 @@ manager: aaroncz
-**NewsAndInterests/AllowNewsAndInterests**
+**NewsAndInterests/AllowNewsAndInterests**
@@ -55,7 +55,7 @@ manager: aaroncz
This policy specifies whether to allow the entire widgets experience, including the content on taskbar.
-
+
@@ -68,7 +68,7 @@ The following are the supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specifies whether to allow the entire widgets experience, including the content on taskbar*.
- GP name: *AllowNewsAndInterests*
- GP path: *Network/NewsandInterests*
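Review bot: In the ADMX Info list, the GP friendly name is followed by a stray period outside the closing asterisk (`...content on taskbar*.`), unlike every other friendly name in this patch. The GP path is also spelled `Network/NewsandInterests` while the policy area is `NewsAndInterests`. Please confirm both strings against the ADMX file and fix them here, since these lines are already being touched.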
diff --git a/windows/client-management/mdm/policy-csp-notifications.md b/windows/client-management/mdm/policy-csp-notifications.md
index 32ddde9d1a..f8ed9bde43 100644
--- a/windows/client-management/mdm/policy-csp-notifications.md
+++ b/windows/client-management/mdm/policy-csp-notifications.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Notifications policies
+## Notifications policies
-
@@ -38,7 +38,7 @@ manager: aaroncz
-**Notifications/DisallowCloudNotification**
+**Notifications/DisallowCloudNotification**
@@ -79,7 +79,7 @@ No reboots or service restarts are required for this policy setting to take effe
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off notifications network usage*
- GP name: *NoCloudNotification*
- GP path: *Start Menu and Taskbar/Notifications*
@@ -91,7 +91,7 @@ This setting supports a range of values between 0 and 1.
-Validation:
+Validation:
1. Enable policy.
2. Reboot machine.
3. Ensure that you can't receive a notification from Facebook app while FB app isn't running.
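Review bot: Step 3 of the validation list names the same app two ways in one sentence ("Facebook app" and "FB app"). Use one name throughout, or make the step vendor-neutral by referring to any installed app that receives cloud push notifications, so the check does not depend on a specific third-party app being present on the test machine.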
@@ -102,7 +102,7 @@ Validation:
-**Notifications/DisallowNotificationMirroring**
+**Notifications/DisallowNotificationMirroring**
@@ -136,7 +136,7 @@ No reboot or service restart is required for this policy to take effect.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off notification mirroring*
- GP name: *NoNotificationMirroring*
- GP path: *Start Menu and Taskbar/Notifications*
@@ -155,7 +155,7 @@ The following list shows the supported values:
-**Notifications/DisallowTileNotification**
+**Notifications/DisallowTileNotification**
@@ -191,7 +191,7 @@ No reboots or service restarts are required for this policy setting to take effe
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off tile notifications*
- GP name: *NoTileNotification*
- GP path: *Start Menu and Taskbar/Notifications*
@@ -203,7 +203,7 @@ This setting supports a range of values between 0 and 1.
-Validation:
+Validation:
1. Enable policy.
2. Reboot machine.
3. Ensure that all tiles are default (no live tile content showing, like no weather forecast on the Weather tile).
@@ -213,7 +213,7 @@ Validation:
-**Notifications/WnsEndpoint**
+**Notifications/WnsEndpoint**
@@ -262,7 +262,7 @@ Validation:
-This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications.
+This policy setting determines which Windows Notification Service endpoint will be used to connect for Windows Push Notifications.
If you disable or don't configure this setting, the push notifications will connect to the default endpoint of client.wns.windows.com.
@@ -271,7 +271,7 @@ If you disable or don't configure this setting, the push notifications will conn
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Required for Airgap servers that may have a unique FQDN that is different from the public endpoint*
- GP name: *WnsEndpoint*
- GP path: *Start Menu and Taskbar/Notifications*
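Review bot: The GP friendly name given for WnsEndpoint ("Required for Airgap servers that may have a unique FQDN that is different from the public endpoint") reads like a rationale for the setting rather than its display name. Please verify it against the ADMX file. If that sentence is explanatory text, move it into the description next to the note about the default `client.wns.windows.com` endpoint, and say there what value the policy expects, since this setting redirects where push notification traffic goes.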
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index eef582a24e..de522351e1 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -18,7 +18,7 @@ manager: aaroncz
-## Privacy policies
+## Privacy policies
-
@@ -297,7 +297,7 @@ manager: aaroncz
-**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts**
+**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts**
@@ -343,7 +343,7 @@ The following list shows the supported values:
-**Privacy/AllowCrossDeviceClipboard**
+**Privacy/AllowCrossDeviceClipboard**
@@ -375,7 +375,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Clipboard synchronization across devices*
- GP name: *AllowCrossDeviceClipboard*
- GP path: *System/OS Policies*
@@ -383,7 +383,7 @@ ADMX Info:
-The following list shows the supported values:
+The following list shows the supported values:
0 – Not allowed.
1 (default) – Allowed.
@@ -394,7 +394,7 @@ The following list shows the supported values:
-**Privacy/AllowInputPersonalization**
+**Privacy/AllowInputPersonalization**
@@ -426,7 +426,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow input personalization*
- GP name: *AllowInputPersonalization*
- GP path: *Control Panel/Regional and Language Options*
@@ -445,7 +445,7 @@ The following list shows the supported values:
-**Privacy/DisableAdvertisingId**
+**Privacy/DisableAdvertisingId**
@@ -477,7 +477,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off the advertising ID*
- GP name: *DisableAdvertisingId*
- GP path: *System/User Profiles*
@@ -497,7 +497,7 @@ The following list shows the supported values:
-**Privacy/DisablePrivacyExperience**
+**Privacy/DisablePrivacyExperience**
@@ -526,16 +526,16 @@ The following list shows the supported values:
Enabling this policy prevents the privacy experience from launching during user logon for new and upgraded users.
-Supported value type is integer.
+Supported value type is integer.
- 0 (default) - Allow the "choose privacy settings for your device" screen for a new user during their first logon or when an existing user logs in for the first time after an upgrade.
- 1 - Do not allow the "choose privacy settings for your device" screen when a new user logs in or an existing user logs in for the first time after an upgrade.
-In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings.
+In some enterprise managed environments, the privacy settings may be set by policies. In these cases, you can use this policy if you do not want to show a screen that would prompt your users to change these privacy settings.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Don't launch privacy settings experience on user logon*
- GP name: *DisablePrivacyExperience*
- GP path: *Windows Components/OOBE*
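Review bot: The value 1 entry ("Do not allow the ...") and the sentence "if you do not want to show a screen" use the uncontracted form, while the GP friendly name in the same hunk and the other files in this patch use contractions ("Don't launch", "can't", "don't configure"). As these lines are already modified, align them with the contraction style used elsewhere.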
@@ -556,7 +556,7 @@ ADMX Info:
-**Privacy/EnableActivityFeed**
+**Privacy/EnableActivityFeed**
@@ -586,7 +586,7 @@ Allows IT Admins to allow Apps/OS to publish to the activity feed.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Enables Activity Feed*
- GP name: *EnableActivityFeed*
- GP path: *System/OS Policies*
@@ -605,7 +605,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessAccountInfo**
+**Privacy/LetAppsAccessAccountInfo**
@@ -637,7 +637,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access account information*
- GP name: *LetAppsAccessAccountInfo*
- GP element: *LetAppsAccessAccountInfo_Enum*
@@ -658,7 +658,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps**
+**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps**
@@ -688,7 +688,7 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access account information*
- GP name: *LetAppsAccessAccountInfo*
- GP element: *LetAppsAccessAccountInfo_ForceAllowTheseApps_List*
@@ -701,7 +701,7 @@ ADMX Info:
-**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps**
+**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps**
@@ -731,7 +731,7 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access account information*
- GP name: *LetAppsAccessAccountInfo*
- GP element: *LetAppsAccessAccountInfo_ForceDenyTheseApps_List*
@@ -744,7 +744,7 @@ ADMX Info:
-**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps**
@@ -774,7 +774,7 @@ List of semi-colon delimited Package Family Names of Windows apps. The user is a
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access account information*
- GP name: *LetAppsAccessAccountInfo*
- GP element: *LetAppsAccessAccountInfo_UserInControlOfTheseApps_List*
@@ -787,7 +787,7 @@ ADMX Info:
-**Privacy/LetAppsAccessBackgroundSpatialPerception**
+**Privacy/LetAppsAccessBackgroundSpatialPerception**
@@ -812,7 +812,7 @@ ADMX Info:
-
+
> [!NOTE]
> Currently, this policy is supported only in HoloLens 2.
@@ -822,7 +822,7 @@ Supported value type is integer.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access background spatial perception*
- GP name: *LetAppsAccessBackgroundSpatialPerception*
- GP element: *LetAppsAccessBackgroundSpatialPerception_Enum*
@@ -843,7 +843,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps**
+**Privacy/LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps**
@@ -878,7 +878,7 @@ Supported value type is chr.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access background spatial perception*
- GP name: *LetAppsAccessBackgroundSpatialPerception*
- GP element: *LetAppsAccessBackgroundSpatialPerception_ForceAllowTheseApps_List*
@@ -894,7 +894,7 @@ ADMX Info:
-**Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps**
+**Privacy/LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps**
@@ -929,7 +929,7 @@ Supported value type is chr.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access background spatial perception*
- GP name: *LetAppsAccessBackgroundSpatialPerception*
- GP element: *LetAppsAccessBackgroundSpatialPerception_ForceDenyTheseApps_List*
@@ -945,7 +945,7 @@ ADMX Info:
-**Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps**
@@ -970,18 +970,18 @@ ADMX Info:
-
+
> [!NOTE]
> Currently, this policy is supported only in HoloLens 2.
-List of semi-colon delimited Package Family Names of Windows Store Apps.
+List of semi-colon delimited Package Family Names of Windows Store Apps.
The user is able to control the user movements privacy setting for the listed apps. This setting overrides the default LetAppsAccessBackgroundSpatialPerception policy setting for the specified apps.
Supported value type is chr.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access background spatial perception*
- GP name: *LetAppsAccessBackgroundSpatialPerception*
- GP element: *LetAppsAccessBackgroundSpatialPerception_UserInControlOfTheseApps_List*
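Review bot: The description says the user controls "the user movements privacy setting", which matches neither the policy name nor the GP friendly name in the same hunk ("background spatial perception"). Use one term so an admin can map the text to the setting. The first changed line also says "Windows Store Apps" where other Privacy entries in this patch say "Microsoft Store Apps" or "Windows apps"; pick one while touching the line.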
@@ -997,7 +997,7 @@ ADMX Info:
-**Privacy/LetAppsAccessCalendar**
+**Privacy/LetAppsAccessCalendar**
@@ -1029,7 +1029,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the calendar*
- GP name: *LetAppsAccessCalendar*
- GP element: *LetAppsAccessCalendar_Enum*
@@ -1050,7 +1050,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps**
+**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps**
@@ -1080,7 +1080,7 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the calendar*
- GP name: *LetAppsAccessCalendar*
- GP element: *LetAppsAccessCalendar_ForceAllowTheseApps_List*
@@ -1093,7 +1093,7 @@ ADMX Info:
-**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps**
+**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps**
@@ -1123,7 +1123,7 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the calendar*
- GP name: *LetAppsAccessCalendar*
- GP element: *LetAppsAccessCalendar_ForceDenyTheseApps_List*
@@ -1136,7 +1136,7 @@ ADMX Info:
-**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps**
@@ -1166,7 +1166,7 @@ List of semi-colon delimited Package Family Names of Windows apps. The user is a
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the calendar*
- GP name: *LetAppsAccessCalendar*
- GP element: *LetAppsAccessCalendar_UserInControlOfTheseApps_List*
@@ -1179,7 +1179,7 @@ ADMX Info:
-**Privacy/LetAppsAccessCallHistory**
+**Privacy/LetAppsAccessCallHistory**
@@ -1211,7 +1211,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access call history*
- GP name: *LetAppsAccessCallHistory*
- GP element: *LetAppsAccessCallHistory_Enum*
@@ -1232,7 +1232,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps**
+**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps**
@@ -1262,7 +1262,7 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access call history*
- GP name: *LetAppsAccessCallHistory*
- GP element: *LetAppsAccessCallHistory_ForceAllowTheseApps_List*
@@ -1275,7 +1275,7 @@ ADMX Info:
-**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps**
+**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps**
@@ -1305,7 +1305,7 @@ List of semi-colon delimited Package Family Names of Windows apps. Listed Window
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access call history*
- GP name: *LetAppsAccessCallHistory*
- GP element: *LetAppsAccessCallHistory_ForceDenyTheseApps_List*
@@ -1318,7 +1318,7 @@ ADMX Info:
-**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps**
@@ -1348,7 +1348,7 @@ List of semi-colon delimited Package Family Names of Windows apps. The user is a
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access call history*
- GP name: *LetAppsAccessCallHistory*
- GP element: *LetAppsAccessCallHistory_UserInControlOfTheseApps_List*
@@ -1361,7 +1361,7 @@ ADMX Info:
-**Privacy/LetAppsAccessCamera**
+**Privacy/LetAppsAccessCamera**
@@ -1393,7 +1393,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the camera*
- GP name: *LetAppsAccessCamera*
- GP element: *LetAppsAccessCamera_Enum*
@@ -1414,7 +1414,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessCamera_ForceAllowTheseApps**
+**Privacy/LetAppsAccessCamera_ForceAllowTheseApps**
@@ -1444,7 +1444,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the camera*
- GP name: *LetAppsAccessCamera*
- GP element: *LetAppsAccessCamera_ForceAllowTheseApps_List*
@@ -1457,7 +1457,7 @@ ADMX Info:
-**Privacy/LetAppsAccessCamera_ForceDenyTheseApps**
+**Privacy/LetAppsAccessCamera_ForceDenyTheseApps**
@@ -1487,7 +1487,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the camera*
- GP name: *LetAppsAccessCamera*
- GP element: *LetAppsAccessCamera_ForceDenyTheseApps_List*
@@ -1500,7 +1500,7 @@ ADMX Info:
-**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps**
@@ -1530,7 +1530,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the camera*
- GP name: *LetAppsAccessCamera*
- GP element: *LetAppsAccessCamera_UserInControlOfTheseApps_List*
@@ -1543,7 +1543,7 @@ ADMX Info:
-**Privacy/LetAppsAccessContacts**
+**Privacy/LetAppsAccessContacts**
@@ -1575,7 +1575,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access contacts*
- GP name: *LetAppsAccessContacts*
- GP element: *LetAppsAccessContacts_Enum*
@@ -1596,7 +1596,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessContacts_ForceAllowTheseApps**
+**Privacy/LetAppsAccessContacts_ForceAllowTheseApps**
@@ -1626,7 +1626,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access contacts*
- GP name: *LetAppsAccessContacts*
- GP element: *LetAppsAccessContacts_ForceAllowTheseApps_List*
@@ -1639,7 +1639,7 @@ ADMX Info:
-**Privacy/LetAppsAccessContacts_ForceDenyTheseApps**
+**Privacy/LetAppsAccessContacts_ForceDenyTheseApps**
@@ -1669,7 +1669,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access contacts*
- GP name: *LetAppsAccessContacts*
- GP element: *LetAppsAccessContacts_ForceDenyTheseApps_List*
@@ -1682,7 +1682,7 @@ ADMX Info:
-**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps**
@@ -1712,7 +1712,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access contacts*
- GP name: *LetAppsAccessContacts*
- GP element: *LetAppsAccessContacts_UserInControlOfTheseApps_List*
@@ -1725,7 +1725,7 @@ ADMX Info:
-**Privacy/LetAppsAccessEmail**
+**Privacy/LetAppsAccessEmail**
@@ -1757,7 +1757,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access email*
- GP name: *LetAppsAccessEmail*
- GP element: *LetAppsAccessEmail_Enum*
@@ -1778,7 +1778,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessEmail_ForceAllowTheseApps**
+**Privacy/LetAppsAccessEmail_ForceAllowTheseApps**
@@ -1808,7 +1808,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access email*
- GP name: *LetAppsAccessEmail*
- GP element: *LetAppsAccessEmail_ForceAllowTheseApps_List*
@@ -1821,7 +1821,7 @@ ADMX Info:
-**Privacy/LetAppsAccessEmail_ForceDenyTheseApps**
+**Privacy/LetAppsAccessEmail_ForceDenyTheseApps**
@@ -1851,7 +1851,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access email*
- GP name: *LetAppsAccessEmail*
- GP element: *LetAppsAccessEmail_ForceDenyTheseApps_List*
@@ -1864,7 +1864,7 @@ ADMX Info:
-**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps**
@@ -1894,7 +1894,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access email*
- GP name: *LetAppsAccessEmail*
- GP element: *LetAppsAccessEmail_UserInControlOfTheseApps_List*
@@ -1907,7 +1907,7 @@ ADMX Info:
-**Privacy/LetAppsAccessGazeInput**
+**Privacy/LetAppsAccessGazeInput**
@@ -1941,7 +1941,7 @@ This policy setting specifies whether Windows apps can access the eye tracker.
-**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps**
+**Privacy/LetAppsAccessGazeInput_ForceAllowTheseApps**
@@ -1975,7 +1975,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed
-**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps**
+**Privacy/LetAppsAccessGazeInput_ForceDenyTheseApps**
@@ -2009,7 +2009,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. Listed
-**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessGazeInput_UserInControlOfTheseApps**
@@ -2043,7 +2043,7 @@ List of semi-colon delimited Package Family Names of Windows Store Apps. The use
-**Privacy/LetAppsAccessLocation**
+**Privacy/LetAppsAccessLocation**
@@ -2075,7 +2075,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access location*
- GP name: *LetAppsAccessLocation*
- GP element: *LetAppsAccessLocation_Enum*
@@ -2096,7 +2096,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**
+**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**
@@ -2126,7 +2126,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access location*
- GP name: *LetAppsAccessLocation*
- GP element: *LetAppsAccessLocation_ForceAllowTheseApps_List*
@@ -2139,7 +2139,7 @@ ADMX Info:
-**Privacy/LetAppsAccessLocation_ForceDenyTheseApps**
+**Privacy/LetAppsAccessLocation_ForceDenyTheseApps**
@@ -2169,7 +2169,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access location*
- GP name: *LetAppsAccessLocation*
- GP element: *LetAppsAccessLocation_ForceDenyTheseApps_List*
@@ -2182,7 +2182,7 @@ ADMX Info:
-**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps**
@@ -2212,7 +2212,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access location*
- GP name: *LetAppsAccessLocation*
- GP element: *LetAppsAccessLocation_UserInControlOfTheseApps_List*
@@ -2225,7 +2225,7 @@ ADMX Info:
-**Privacy/LetAppsAccessMessaging**
+**Privacy/LetAppsAccessMessaging**
@@ -2257,7 +2257,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access messaging*
- GP name: *LetAppsAccessMessaging*
- GP element: *LetAppsAccessMessaging_Enum*
@@ -2278,7 +2278,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps**
+**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps**
@@ -2308,7 +2308,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access messaging*
- GP name: *LetAppsAccessMessaging*
- GP element: *LetAppsAccessMessaging_ForceAllowTheseApps_List*
@@ -2321,7 +2321,7 @@ ADMX Info:
-**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps**
+**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps**
@@ -2351,7 +2351,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access messaging*
- GP name: *LetAppsAccessMessaging*
- GP element: *LetAppsAccessMessaging_ForceDenyTheseApps_List*
@@ -2364,7 +2364,7 @@ ADMX Info:
-**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps**
@@ -2394,7 +2394,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access messaging*
- GP name: *LetAppsAccessMessaging*
- GP element: *LetAppsAccessMessaging_UserInControlOfTheseApps_List*
@@ -2407,7 +2407,7 @@ ADMX Info:
-**Privacy/LetAppsAccessMicrophone**
+**Privacy/LetAppsAccessMicrophone**
@@ -2439,7 +2439,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the microphone*
- GP name: *LetAppsAccessMicrophone*
- GP element: *LetAppsAccessMicrophone_Enum*
@@ -2460,7 +2460,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps**
+**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps**
@@ -2490,7 +2490,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the microphone*
- GP name: *LetAppsAccessMicrophone*
- GP element: *LetAppsAccessMicrophone_ForceAllowTheseApps_List*
@@ -2503,7 +2503,7 @@ ADMX Info:
-**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps**
+**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps**
@@ -2533,7 +2533,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the microphone*
- GP name: *LetAppsAccessMicrophone*
- GP element: *LetAppsAccessMicrophone_ForceDenyTheseApps_List*
@@ -2546,7 +2546,7 @@ ADMX Info:
-**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps**
@@ -2576,7 +2576,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access the microphone*
- GP name: *LetAppsAccessMicrophone*
- GP element: *LetAppsAccessMicrophone_UserInControlOfTheseApps_List*
@@ -2589,7 +2589,7 @@ ADMX Info:
-**Privacy/LetAppsAccessMotion**
+**Privacy/LetAppsAccessMotion**
@@ -2621,7 +2621,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access motion*
- GP name: *LetAppsAccessMotion*
- GP element: *LetAppsAccessMotion_Enum*
@@ -2642,7 +2642,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessMotion_ForceAllowTheseApps**
+**Privacy/LetAppsAccessMotion_ForceAllowTheseApps**
@@ -2672,7 +2672,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access motion*
- GP name: *LetAppsAccessMotion*
- GP element: *LetAppsAccessMotion_ForceAllowTheseApps_List*
@@ -2685,7 +2685,7 @@ ADMX Info:
-**Privacy/LetAppsAccessMotion_ForceDenyTheseApps**
+**Privacy/LetAppsAccessMotion_ForceDenyTheseApps**
@@ -2715,7 +2715,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access motion*
- GP name: *LetAppsAccessMotion*
- GP element: *LetAppsAccessMotion_ForceDenyTheseApps_List*
@@ -2728,7 +2728,7 @@ ADMX Info:
-**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps**
@@ -2758,7 +2758,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access motion*
- GP name: *LetAppsAccessMotion*
- GP element: *LetAppsAccessMotion_UserInControlOfTheseApps_List*
@@ -2771,7 +2771,7 @@ ADMX Info:
-**Privacy/LetAppsAccessNotifications**
+**Privacy/LetAppsAccessNotifications**
@@ -2803,7 +2803,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access notifications*
- GP name: *LetAppsAccessNotifications*
- GP element: *LetAppsAccessNotifications_Enum*
@@ -2824,7 +2824,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps**
+**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps**
@@ -2854,7 +2854,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access notifications*
- GP name: *LetAppsAccessNotifications*
- GP element: *LetAppsAccessNotifications_ForceAllowTheseApps_List*
@@ -2867,7 +2867,7 @@ ADMX Info:
-**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps**
+**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps**
@@ -2897,7 +2897,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access notifications*
- GP name: *LetAppsAccessNotifications*
- GP element: *LetAppsAccessNotifications_ForceDenyTheseApps_List*
@@ -2910,7 +2910,7 @@ ADMX Info:
-**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps**
@@ -2940,7 +2940,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access notifications*
- GP name: *LetAppsAccessNotifications*
- GP element: *LetAppsAccessNotifications_UserInControlOfTheseApps_List*
@@ -2953,7 +2953,7 @@ ADMX Info:
-**Privacy/LetAppsAccessPhone**
+**Privacy/LetAppsAccessPhone**
@@ -2985,7 +2985,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps make phone calls*
- GP name: *LetAppsAccessPhone*
- GP element: *LetAppsAccessPhone_Enum*
@@ -3006,7 +3006,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessPhone_ForceAllowTheseApps**
+**Privacy/LetAppsAccessPhone_ForceAllowTheseApps**
@@ -3036,7 +3036,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps make phone calls*
- GP name: *LetAppsAccessPhone*
- GP element: *LetAppsAccessPhone_ForceAllowTheseApps_List*
@@ -3049,7 +3049,7 @@ ADMX Info:
-**Privacy/LetAppsAccessPhone_ForceDenyTheseApps**
+**Privacy/LetAppsAccessPhone_ForceDenyTheseApps**
@@ -3079,7 +3079,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps make phone calls*
- GP name: *LetAppsAccessPhone*
- GP element: *LetAppsAccessPhone_ForceDenyTheseApps_List*
@@ -3092,7 +3092,7 @@ ADMX Info:
-**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps**
@@ -3122,7 +3122,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps make phone calls*
- GP name: *LetAppsAccessPhone*
- GP element: *LetAppsAccessPhone_UserInControlOfTheseApps_List*
@@ -3135,7 +3135,7 @@ ADMX Info:
-**Privacy/LetAppsAccessRadios**
+**Privacy/LetAppsAccessRadios**
@@ -3167,7 +3167,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps control radios*
- GP name: *LetAppsAccessRadios*
- GP element: *LetAppsAccessRadios_Enum*
@@ -3188,7 +3188,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessRadios_ForceAllowTheseApps**
+**Privacy/LetAppsAccessRadios_ForceAllowTheseApps**
@@ -3218,7 +3218,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps control radios*
- GP name: *LetAppsAccessRadios*
- GP element: *LetAppsAccessRadios_ForceAllowTheseApps_List*
@@ -3231,7 +3231,7 @@ ADMX Info:
-**Privacy/LetAppsAccessRadios_ForceDenyTheseApps**
+**Privacy/LetAppsAccessRadios_ForceDenyTheseApps**
@@ -3261,7 +3261,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps control radios*
- GP name: *LetAppsAccessRadios*
- GP element: *LetAppsAccessRadios_ForceDenyTheseApps_List*
@@ -3274,7 +3274,7 @@ ADMX Info:
-**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps**
@@ -3304,7 +3304,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps control radios*
- GP name: *LetAppsAccessRadios*
- GP element: *LetAppsAccessRadios_UserInControlOfTheseApps_List*
@@ -3317,7 +3317,7 @@ ADMX Info:
-**Privacy/LetAppsAccessTasks**
+**Privacy/LetAppsAccessTasks**
@@ -3347,7 +3347,7 @@ Specifies whether Windows apps can access tasks.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access Tasks*
- GP name: *LetAppsAccessTasks*
- GP element: *LetAppsAccessTasks_Enum*
@@ -3360,7 +3360,7 @@ ADMX Info:
-**Privacy/LetAppsAccessTasks_ForceAllowTheseApps**
+**Privacy/LetAppsAccessTasks_ForceAllowTheseApps**
@@ -3390,7 +3390,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access Tasks*
- GP name: *LetAppsAccessTasks*
- GP element: *LetAppsAccessTasks_ForceAllowTheseApps_List*
@@ -3403,7 +3403,7 @@ ADMX Info:
-**Privacy/LetAppsAccessTasks_ForceDenyTheseApps**
+**Privacy/LetAppsAccessTasks_ForceDenyTheseApps**
@@ -3433,7 +3433,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access Tasks*
- GP name: *LetAppsAccessTasks*
- GP element: *LetAppsAccessTasks_ForceDenyTheseApps_List*
@@ -3446,7 +3446,7 @@ ADMX Info:
-**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps**
@@ -3476,7 +3476,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access Tasks*
- GP name: *LetAppsAccessTasks*
- GP element: *LetAppsAccessTasks_UserInControlOfTheseApps_List*
@@ -3489,7 +3489,7 @@ ADMX Info:
-**Privacy/LetAppsAccessTrustedDevices**
+**Privacy/LetAppsAccessTrustedDevices**
@@ -3521,7 +3521,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access trusted devices*
- GP name: *LetAppsAccessTrustedDevices*
- GP element: *LetAppsAccessTrustedDevices_Enum*
@@ -3542,7 +3542,7 @@ The following list shows the supported values:
-**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps**
+**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps**
@@ -3572,7 +3572,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access trusted devices*
- GP name: *LetAppsAccessTrustedDevices*
- GP element: *LetAppsAccessTrustedDevices_ForceAllowTheseApps_List*
@@ -3585,7 +3585,7 @@ ADMX Info:
-**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps**
+**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps**
@@ -3615,7 +3615,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access trusted devices*
- GP name: *LetAppsAccessTrustedDevices*
- GP element: *LetAppsAccessTrustedDevices_ForceDenyTheseApps_List*
@@ -3628,7 +3628,7 @@ ADMX Info:
-**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps**
+**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps**
@@ -3658,7 +3658,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access trusted devices*
- GP name: *LetAppsAccessTrustedDevices*
- GP element: *LetAppsAccessTrustedDevices_UserInControlOfTheseApps_List*
@@ -3671,7 +3671,7 @@ ADMX Info:
-**Privacy/LetAppsActivateWithVoice**
+**Privacy/LetAppsActivateWithVoice**
@@ -3701,7 +3701,7 @@ Specifies if Windows apps can be activated by voice.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow voice activation*
- GP name: *LetAppsActivateWithVoice*
- GP element: *LetAppsActivateWithVoice_Enum*
@@ -3722,7 +3722,7 @@ The following list shows the supported values:
-**Privacy/LetAppsActivateWithVoiceAboveLock**
+**Privacy/LetAppsActivateWithVoiceAboveLock**
@@ -3752,7 +3752,7 @@ Specifies if Windows apps can be activated by voice while the screen is locked.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow voice activation above locked screen*
- GP name: *LetAppsActivateWithVoiceAboveLock*
- GP element: *LetAppsActivateWithVoiceAboveLock_Enum*
@@ -3773,7 +3773,7 @@ The following list shows the supported values:
-**Privacy/LetAppsGetDiagnosticInfo**
+**Privacy/LetAppsGetDiagnosticInfo**
@@ -3805,7 +3805,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access diagnostic information about other apps*
- GP name: *LetAppsGetDiagnosticInfo*
- GP element: *LetAppsGetDiagnosticInfo_Enum*
@@ -3826,7 +3826,7 @@ The following list shows the supported values:
-**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps**
+**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps**
@@ -3856,7 +3856,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access diagnostic information about other apps*
- GP name: *LetAppsGetDiagnosticInfo*
- GP element: *LetAppsGetDiagnosticInfo_ForceAllowTheseApps_List*
@@ -3869,7 +3869,7 @@ ADMX Info:
-**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps**
+**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps**
@@ -3899,7 +3899,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access diagnostic information about other apps*
- GP name: *LetAppsGetDiagnosticInfo*
- GP element: *LetAppsGetDiagnosticInfo_ForceDenyTheseApps_List*
@@ -3912,7 +3912,7 @@ ADMX Info:
-**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps**
+**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps**
@@ -3942,7 +3942,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps access diagnostic information about other apps*
- GP name: *LetAppsGetDiagnosticInfo*
- GP element: *LetAppsGetDiagnosticInfo_UserInControlOfTheseApps_List*
@@ -3955,7 +3955,7 @@ ADMX Info:
-**Privacy/LetAppsRunInBackground**
+**Privacy/LetAppsRunInBackground**
@@ -3990,7 +3990,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps run in the background*
- GP name: *LetAppsRunInBackground*
- GP element: *LetAppsRunInBackground_Enum*
@@ -4011,7 +4011,7 @@ The following list shows the supported values:
-**Privacy/LetAppsRunInBackground_ForceAllowTheseApps**
+**Privacy/LetAppsRunInBackground_ForceAllowTheseApps**
@@ -4041,7 +4041,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps run in the background*
- GP name: *LetAppsRunInBackground*
- GP element: *LetAppsRunInBackground_ForceAllowTheseApps_List*
@@ -4054,7 +4054,7 @@ ADMX Info:
-**Privacy/LetAppsRunInBackground_ForceDenyTheseApps**
+**Privacy/LetAppsRunInBackground_ForceDenyTheseApps**
@@ -4084,7 +4084,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps run in the background*
- GP name: *LetAppsRunInBackground*
- GP element: *LetAppsRunInBackground_ForceDenyTheseApps_List*
@@ -4097,7 +4097,7 @@ ADMX Info:
-**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps**
+**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps**
@@ -4127,7 +4127,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps run in the background*
- GP name: *LetAppsRunInBackground*
- GP element: *LetAppsRunInBackground_UserInControlOfTheseApps_List*
@@ -4140,7 +4140,7 @@ ADMX Info:
-**Privacy/LetAppsSyncWithDevices**
+**Privacy/LetAppsSyncWithDevices**
@@ -4172,7 +4172,7 @@ Most restricted value is 2.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps communicate with unpaired devices*
- GP name: *LetAppsSyncWithDevices*
- GP element: *LetAppsSyncWithDevices_Enum*
@@ -4193,7 +4193,7 @@ The following list shows the supported values:
-**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps**
+**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps**
@@ -4223,7 +4223,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps communicate with unpaired devices*
- GP name: *LetAppsSyncWithDevices*
- GP element: *LetAppsSyncWithDevices_ForceAllowTheseApps_List*
@@ -4236,7 +4236,7 @@ ADMX Info:
-**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps**
+**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps**
@@ -4266,7 +4266,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. Liste
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps communicate with unpaired devices*
- GP name: *LetAppsSyncWithDevices*
- GP element: *LetAppsSyncWithDevices_ForceDenyTheseApps_List*
@@ -4279,7 +4279,7 @@ ADMX Info:
-**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps**
+**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps**
@@ -4309,7 +4309,7 @@ List of semi-colon delimited Package Family Names of Microsoft Store Apps. The u
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Let Windows apps communicate with unpaired devices*
- GP name: *LetAppsSyncWithDevices*
- GP element: *LetAppsSyncWithDevices_UserInControlOfTheseApps_List*
@@ -4322,7 +4322,7 @@ ADMX Info:
-**Privacy/PublishUserActivities**
+**Privacy/PublishUserActivities**
@@ -4352,7 +4352,7 @@ Allows IT Admins to enable publishing of user activities to the activity feed.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow publishing of User Activities*
- GP name: *PublishUserActivities*
- GP path: *System/OS Policies*
@@ -4371,7 +4371,7 @@ The following list shows the supported values:
-**Privacy/UploadUserActivities**
+**Privacy/UploadUserActivities**
@@ -4401,7 +4401,7 @@ Allows ActivityFeed to upload published 'User Activities'.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow upload of User Activities*
- GP name: *UploadUserActivities*
- GP path: *System/OS Policies*
diff --git a/windows/client-management/mdm/policy-csp-remotedesktop.md b/windows/client-management/mdm/policy-csp-remotedesktop.md
index 85588a127d..04d874a3fe 100644
--- a/windows/client-management/mdm/policy-csp-remotedesktop.md
+++ b/windows/client-management/mdm/policy-csp-remotedesktop.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## RemoteDesktop policies
+## RemoteDesktop policies
> [!Warning]
> Some information relates to prerelease products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
@@ -33,7 +33,7 @@ manager: aaroncz
-**RemoteDesktop/AutoSubscription**
+**RemoteDesktop/AutoSubscription**
@@ -69,7 +69,7 @@ This policy allows administrators to enable automatic subscription for the Micro
-**RemoteDesktop/LoadAadCredKeyFromProfile**
+**RemoteDesktop/LoadAadCredKeyFromProfile**
@@ -102,8 +102,8 @@ This policy allows the user to load the DPAPI cred key from their user profile,
The following list shows the supported values:
-- 0 (default) - Disabled.
-- 1 - Enabled.
+- 0 (default) - Disabled.
+- 1 - Enabled.
diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md
index 4e4e6b8876..2e2a8c86b5 100644
--- a/windows/client-management/mdm/policy-csp-restrictedgroups.md
+++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 04/07/2020
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -21,7 +21,7 @@ manager: aaroncz
-## RestrictedGroups policies
+## RestrictedGroups policies
-
@@ -33,7 +33,7 @@ manager: aaroncz
-**RestrictedGroups/ConfigureGroupMembership**
+**RestrictedGroups/ConfigureGroupMembership**
@@ -61,10 +61,10 @@ manager: aaroncz
This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership.
-For example, you can create a Restricted Groups policy to allow only specified users. Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group, and all other members will be removed.
+For example, you can create a Restricted Groups policy to allow only specified users. Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group, and all other members will be removed.
> [!CAUTION]
-> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error:
+> Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error:
>
> | Error Code | Symbolic Name | Error Description | Header |
> |----------|----------|----------|----------|
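Review bot: The changed "For example" line still has a stray full stop that breaks the sentence: "allow only specified users. Alice and John, to be members" should read "allow only specified users, Alice and John, to be members". The line is being rewritten for whitespace anyway, so fix the punctuation in the same change. The context paragraph above it also has "SIDS", which should be "SIDs".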
@@ -73,7 +73,7 @@ For example, you can create a Restricted Groups policy to allow only specified u
Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of zero members when applying the policy implies clearing the access group, and should be used with caution.
```xml
-
+
@@ -145,7 +145,7 @@ where:
### Policy timeline
-The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in this topic.
+The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in this topic.
The following table describes how this policy setting behaves in different Windows 10 versions:
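Review bot: In the changed "Policy timeline" sentence, both inline code spans are empty as the line reads here ("you can use name in `` and SID in ``"), so the sentence does not say which element takes a name and which takes a SID. If the element names are written with angle brackets in the source, confirm they are kept inside the backticks or escaped so they render. The same empty spans appear in the version 1809 to 1909 table row of the next hunk.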
@@ -153,7 +153,7 @@ The following table describes how this policy setting behaves in different Windo
| ------------------ | --------------- |
|Windows 10, version 1803 | Added this policy setting.
XML accepts group and member only by name.
Supports configuring the administrators group using the group name.
Expects member name to be in the account name format. |
| Windows 10, version 1809
Windows 10, version 1903
Windows 10, version 1909 | Supports configuring any local group.
`` accepts only name.
`` accepts a name or an SID.
This is useful when you want to ensure a certain local group always has a well-known SID as member. |
-| Windows 10, version 2004 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate.|
+| Windows 10, version 2004 | Behaves as described in this topic.
Accepts name or SID for group and members and translates as appropriate.|
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index dced08216c..7dc26a67b2 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Security policies
+## Security policies
-
@@ -55,7 +55,7 @@ manager: aaroncz
-**Security/AllowAddProvisioningPackage**
+**Security/AllowAddProvisioningPackage**
@@ -96,11 +96,11 @@ The following list shows the supported values:
-**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
+**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
> [!NOTE]
->
+>
> - This policy is deprecated in Windows 10, version 1607.
Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
@@ -118,7 +118,7 @@ The following list shows the supported values:
-**Security/AllowRemoveProvisioningPackage**
+**Security/AllowRemoveProvisioningPackage**
@@ -159,7 +159,7 @@ The following list shows the supported values:
-**Security/ClearTPMIfNotReady**
+**Security/ClearTPMIfNotReady**
@@ -190,7 +190,7 @@ Admin access is required. The prompt will appear on first admin logon after a re
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure the system to clear the TPM if it is not in a ready state.*
- GP name: *ClearTPMIfNotReady_Name*
- GP path: *System/Trusted Platform Module Services*
@@ -209,7 +209,7 @@ The following list shows the supported values:
-**Security/ConfigureWindowsPasswords**
+**Security/ConfigureWindowsPasswords**
@@ -254,7 +254,7 @@ The following list shows the supported values:
-**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
+**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
@@ -298,7 +298,7 @@ The following list shows the supported values:
-**Security/RecoveryEnvironmentAuthentication**
+**Security/RecoveryEnvironmentAuthentication**
@@ -327,7 +327,7 @@ The following list shows the supported values:
This policy controls the Admin Authentication requirement in RecoveryEnvironment.
-Supported values:
+Supported values:
- 0 - Default: Keep using default(current) behavior.
- 1 - RequireAuthentication: Admin Authentication is always required for components in RecoveryEnvironment.
@@ -349,7 +349,7 @@ The process of starting Push Button Reset (PBR) in WinRE:
1. Open a cmd as Administrator, run command "reagentc /boottore" and restart the OS to boot to WinRE.
1. OS should boot to the blue screen of WinRE UI, go through TroubleShoot -> Reset this PC, it should show two options: "Keep my files" and "Remove everything".
-If the MDM policy is set to "Default" (0) or doesn't exist, the admin authentication flow should work as default behavior:
+If the MDM policy is set to "Default" (0) or doesn't exist, the admin authentication flow should work as default behavior:
1. Start PBR in WinRE, choose "Keep my files", it should pop up admin authentication.
1. Click "<-" (right arrow) button and choose "Remove everything", it shouldn't pop up admin authentication and just go to PBR options.
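Review bot: In the steps under the changed 'If the MDM policy is set to "Default" (0)' line, step 2 says 'Click "<-" (right arrow) button', but "<-" is a left (back) arrow, so the glyph and its label disagree. Correct one of them while this section is being touched. This procedure is how an admin verifies when the recovery environment prompts for admin authentication, so the navigation step needs to be unambiguous.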
@@ -371,7 +371,7 @@ If the MDM policy is set to "NoRequireAuthentication" (2)
-**Security/RequireDeviceEncryption**
+**Security/RequireDeviceEncryption**
@@ -417,7 +417,7 @@ The following list shows the supported values:
-**Security/RequireProvisioningPackageSignature**
+**Security/RequireProvisioningPackageSignature**
@@ -458,7 +458,7 @@ The following list shows the supported values:
-**Security/RequireRetrieveHealthCertificateOnBoot**
+**Security/RequireRetrieveHealthCertificateOnBoot**
@@ -493,7 +493,7 @@ Setting this policy to 1 (Required):
> [!NOTE]
> We recommend that this policy is set to Required after MDM enrollment.
-
+
Most restricted value is 1.
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 37e5e21450..0cc8ab89e0 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Settings policies
+## Settings policies
-
@@ -67,7 +67,7 @@ manager: aaroncz
-**Settings/AllowAutoPlay**
+**Settings/AllowAutoPlay**
@@ -112,7 +112,7 @@ The following list shows the supported values:
-**Settings/AllowDataSense**
+**Settings/AllowDataSense**
@@ -156,7 +156,7 @@ The following list shows the supported values:
-**Settings/AllowDateTime**
+**Settings/AllowDateTime**
@@ -197,7 +197,7 @@ The following list shows the supported values:
-**Settings/AllowEditDeviceName**
+**Settings/AllowEditDeviceName**
@@ -259,7 +259,7 @@ Describes what values are supported in/by this policy and meaning of each value,
-**Settings/AllowLanguage**
+**Settings/AllowLanguage**
@@ -301,7 +301,7 @@ The following list shows the supported values:
-**Settings/AllowOnlineTips**
+**Settings/AllowOnlineTips**
@@ -333,7 +333,7 @@ If disabled, Settings won't contact Microsoft content services to retrieve tips
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Online Tips*
- GP name: *AllowOnlineTips*
- GP element: *CheckBox_AllowOnlineTips*
@@ -346,7 +346,7 @@ ADMX Info:
-**Settings/AllowPowerSleep**
+**Settings/AllowPowerSleep**
@@ -388,7 +388,7 @@ The following list shows the supported values:
-**Settings/AllowRegion**
+**Settings/AllowRegion**
@@ -430,7 +430,7 @@ The following list shows the supported values:
-**Settings/AllowSignInOptions**
+**Settings/AllowSignInOptions**
@@ -472,7 +472,7 @@ The following list shows the supported values:
-**Settings/AllowVPN**
+**Settings/AllowVPN**
@@ -513,7 +513,7 @@ The following list shows the supported values:
-**Settings/AllowWorkplace**
+**Settings/AllowWorkplace**
@@ -555,7 +555,7 @@ The following list shows the supported values:
-**Settings/AllowYourAccount**
+**Settings/AllowYourAccount**
@@ -596,7 +596,7 @@ The following list shows the supported values:
-**Settings/ConfigureTaskbarCalendar**
+**Settings/ConfigureTaskbarCalendar**
@@ -626,7 +626,7 @@ Allows IT Admins to configure the default setting for showing more calendars (be
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Show additional calendar*
- GP name: *ConfigureTaskbarCalendar*
- GP path: *Start Menu and Taskbar*
@@ -647,7 +647,7 @@ The following list shows the supported values:
-**Settings/PageVisibilityList**
+**Settings/PageVisibilityList**
@@ -712,7 +712,7 @@ The default value for this setting is an empty string, which is interpreted as s
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Settings Page Visibility*
- GP name: *SettingsPageVisibility*
- GP element: *SettingsPageVisibilityBox*
diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md
index 11d6e32c39..0f0f324cc7 100644
--- a/windows/client-management/mdm/policy-csp-smartscreen.md
+++ b/windows/client-management/mdm/policy-csp-smartscreen.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -18,7 +18,7 @@ manager: aaroncz
-## SmartScreen policies
+## SmartScreen policies
-
@@ -36,7 +36,7 @@ manager: aaroncz
-**SmartScreen/EnableAppInstallControl**
+**SmartScreen/EnableAppInstallControl**
@@ -69,7 +69,7 @@ Allows IT Admins to control whether users are allowed to install apps from place
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure App Install Control*
- GP name: *ConfigureAppInstallControl*
- GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
@@ -88,7 +88,7 @@ The following list shows the supported values:
-**SmartScreen/EnableSmartScreenInShell**
+**SmartScreen/EnableSmartScreenInShell**
@@ -118,7 +118,7 @@ Allows IT Admins to configure SmartScreen for Windows.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Windows Defender SmartScreen*
- GP name: *ShellConfigureSmartScreen*
- GP path: *Windows Components/Windows Defender SmartScreen/Explorer*
@@ -137,7 +137,7 @@ The following list shows the supported values:
-**SmartScreen/PreventOverrideForFilesInShell**
+**SmartScreen/PreventOverrideForFilesInShell**
@@ -167,7 +167,7 @@ Allows IT Admins to control whether users can ignore SmartScreen warnings and ru
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Windows Defender SmartScreen*
- GP name: *ShellConfigureSmartScreen*
- GP element: *ShellConfigureSmartScreen_Dropdown*
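Review bot: In the ADMX Info list of this hunk, PreventOverrideForFilesInShell carries the same GP Friendly name (*Configure Windows Defender SmartScreen*) and GP name (*ShellConfigureSmartScreen*) as the EnableSmartScreenInShell block earlier in this file's diff; only the GP element line (*ShellConfigureSmartScreen_Dropdown*) tells the two apart. Since the "ADMX Info:" line is being touched anyway, add one sentence saying that the override setting is an element of that same Group Policy, so an admin auditing SmartScreen enforcement does not read the two entries as a copy-paste error.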
diff --git a/windows/client-management/mdm/policy-csp-speech.md b/windows/client-management/mdm/policy-csp-speech.md
index b97360b3f1..ea98f581cb 100644
--- a/windows/client-management/mdm/policy-csp-speech.md
+++ b/windows/client-management/mdm/policy-csp-speech.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Speech policies
+## Speech policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**Speech/AllowSpeechModelUpdate**
+**Speech/AllowSpeechModelUpdate**
@@ -58,7 +58,7 @@ Specifies whether the device will receive updates to the speech recognition and
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Automatic Update of Speech Data*
- GP name: *AllowSpeechModelUpdate*
- GP path: *Windows Components/Speech*
diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md
index faf949f902..b0fbf583d5 100644
--- a/windows/client-management/mdm/policy-csp-start.md
+++ b/windows/client-management/mdm/policy-csp-start.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## Start policies
+## Start policies
-
@@ -136,7 +136,7 @@ manager: aaroncz
-**Start/AllowPinnedFolderDocuments**
+**Start/AllowPinnedFolderDocuments**
The table below shows the applicability of Windows:
@@ -179,7 +179,7 @@ The following list shows the supported values:
-**Start/AllowPinnedFolderDownloads**
+**Start/AllowPinnedFolderDownloads**
The table below shows the applicability of Windows:
@@ -222,7 +222,7 @@ The following list shows the supported values:
-**Start/AllowPinnedFolderFileExplorer**
+**Start/AllowPinnedFolderFileExplorer**
The table below shows the applicability of Windows:
@@ -265,7 +265,7 @@ The following list shows the supported values:
-**Start/AllowPinnedFolderHomeGroup**
+**Start/AllowPinnedFolderHomeGroup**
The table below shows the applicability of Windows:
@@ -308,7 +308,7 @@ The following list shows the supported values:
-**Start/AllowPinnedFolderMusic**
+**Start/AllowPinnedFolderMusic**
The table below shows the applicability of Windows:
@@ -351,7 +351,7 @@ The following list shows the supported values:
-**Start/AllowPinnedFolderNetwork**
+**Start/AllowPinnedFolderNetwork**
The table below shows the applicability of Windows:
@@ -394,7 +394,7 @@ The following list shows the supported values:
-**Start/AllowPinnedFolderPersonalFolder**
+**Start/AllowPinnedFolderPersonalFolder**
The table below shows the applicability of Windows:
@@ -437,7 +437,7 @@ The following list shows the supported values:
-**Start/AllowPinnedFolderPictures**
+**Start/AllowPinnedFolderPictures**
The table below shows the applicability of Windows:
@@ -480,7 +480,7 @@ The following list shows the supported values:
-**Start/AllowPinnedFolderSettings**
+**Start/AllowPinnedFolderSettings**
The table below shows the applicability of Windows:
@@ -523,7 +523,7 @@ The following list shows the supported values:
-**Start/AllowPinnedFolderVideos**
+**Start/AllowPinnedFolderVideos**
The table below shows the applicability of Windows:
@@ -566,7 +566,7 @@ The following list shows the supported values:
-**Start/ConfigureStartPins**
+**Start/ConfigureStartPins**
@@ -627,7 +627,7 @@ This string policy will take a JSON file (expected name LayoutModification.json)
-**Start/DisableContextMenus**
+**Start/DisableContextMenus**
The table below shows the applicability of Windows:
@@ -659,7 +659,7 @@ Enabling this policy prevents context menus from being invoked in the Start Menu
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Disable context menus in the Start Menu*
- GP name: *DisableContextMenusInStart*
- GP path: *Start Menu and Taskbar*
@@ -683,7 +683,7 @@ The following list shows the supported values:
-**Start/DisableControlCenter**
+**Start/DisableControlCenter**
@@ -709,9 +709,9 @@ The following list shows the supported values:
-This policy setting disables the Control Center button from the bottom right area on the taskbar. The Control Center area is located at the left of the clock in the taskbar and includes icons for current network and volume.
+This policy setting disables the Control Center button from the bottom right area on the taskbar. The Control Center area is located at the left of the clock in the taskbar and includes icons for current network and volume.
-If this setting is enabled, Control Center area is displayed but the button to open the Control Center will be disabled.
+If this setting is enabled, Control Center area is displayed but the button to open the Control Center will be disabled.
>[!Note]
> A reboot is required for this policy setting to take effect.
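Review bot: The context line `>[!Note]` below the second changed paragraph has no space after `>` and uses different casing from the `> [!NOTE]` alerts elsewhere in this patch; normalise it while this block is being cleaned up. The changed sentence "If this setting is enabled, Control Center area is displayed" is also missing "the" before "Control Center area".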
@@ -719,7 +719,7 @@ If this setting is enabled, Control Center area is displayed but the button to o
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Remove control center*
- GP name: *DisableControlCenter*
- GP path: *Start Menu and Taskbar*
@@ -737,7 +737,7 @@ The following are the supported values:
-**Start/DisableEditingQuickSettings**
+**Start/DisableEditingQuickSettings**
@@ -778,7 +778,7 @@ The following are the supported values:
-**Start/ForceStartSize**
+**Start/ForceStartSize**
The table below shows the applicability of Windows:
@@ -825,7 +825,7 @@ The following list shows the supported values:
-**Start/HideAppList**
+**Start/HideAppList**
The table below shows the applicability of Windows:
@@ -859,7 +859,7 @@ The table below shows the applicability of Windows:
Allows IT Admins to configure Start by collapsing or removing the all apps list.
> [!Note]
-> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
+> There were issues reported with the previous release of this policy and a fix was added in Windows 10, version 1709.
To validate on Desktop, do the following steps:
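Review bot: The changed note line refers to "the previous release of this policy" without naming that release, so a reader cannot tell which builds before Windows 10, version 1709 carry the reported issues. Name the affected release in that sentence, and align `> [!Note]` with the `> [!NOTE]` casing used in other hunks of this patch.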
@@ -883,7 +883,7 @@ The following list shows the supported values:
-**Start/HideChangeAccountSettings**
+**Start/HideChangeAccountSettings**
The table below shows the applicability of Windows:
@@ -932,7 +932,7 @@ To validate on Desktop, do the following steps:
-**Start/HideFrequentlyUsedApps**
+**Start/HideFrequentlyUsedApps**
The table below shows the applicability of Windows:
@@ -989,7 +989,7 @@ To validate on Desktop, do the following steps:
-**Start/HideHibernate**
+**Start/HideHibernate**
The table below shows the applicability of Windows:
@@ -1041,7 +1041,7 @@ To validate on Laptop, do the following steps:
-**Start/HideLock**
+**Start/HideLock**
The table below shows the applicability of Windows:
@@ -1090,7 +1090,7 @@ To validate on Desktop, do the following steps:
-**Start/HidePeopleBar**
+**Start/HidePeopleBar**
The table below shows the applicability of Windows:
@@ -1123,7 +1123,7 @@ Supported value type is integer.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Remove the People Bar from the taskbar*
- GP name: *HidePeopleBar*
- GP path: *Start Menu and Taskbar*
@@ -1142,7 +1142,7 @@ The following list shows the supported values:
-**Start/HidePowerButton**
+**Start/HidePowerButton**
The table below shows the applicability of Windows:
@@ -1194,7 +1194,7 @@ To validate on Desktop, do the following steps:
-**Start/HideRecentJumplists**
+**Start/HideRecentJumplists**
The table below shows the applicability of Windows:
@@ -1253,7 +1253,7 @@ To validate on Desktop, do the following steps:
-**Start/HideRecentlyAddedApps**
+**Start/HideRecentlyAddedApps**
The table below shows the applicability of Windows:
@@ -1288,7 +1288,7 @@ Allows IT Admins to configure Start by hiding recently added apps.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Remove "Recently added" list from Start Menu*
- GP name: *HideRecentlyAddedApps*
- GP path: *Start Menu and Taskbar*
@@ -1318,7 +1318,7 @@ To validate on Desktop, do the following steps:
-**Start/HideRecommendedSection**
+**Start/HideRecommendedSection**
@@ -1359,7 +1359,7 @@ The following are the supported values:
-**Start/HideRestart**
+**Start/HideRestart**
The table below shows the applicability of Windows:
@@ -1408,7 +1408,7 @@ To validate on Desktop, do the following steps:
-**Start/HideShutDown**
+**Start/HideShutDown**
The table below shows the applicability of Windows:
@@ -1457,7 +1457,7 @@ To validate on Desktop, do the following steps:
-**Start/HideSignOut**
+**Start/HideSignOut**
The table below shows the applicability of Windows:
@@ -1506,7 +1506,7 @@ To validate on Desktop, do the following steps:
-**Start/HideSleep**
+**Start/HideSleep**
The table below shows the applicability of Windows:
@@ -1555,7 +1555,7 @@ To validate on Desktop, do the following steps:
-**Start/HideSwitchAccount**
+**Start/HideSwitchAccount**
The table below shows the applicability of Windows:
@@ -1604,7 +1604,7 @@ To validate on Desktop, do the following steps:
-**Start/HideTaskViewButton**
+**Start/HideTaskViewButton**
@@ -1646,7 +1646,7 @@ The following are the supported values:
-**Start/HideUserTile**
+**Start/HideUserTile**
The table below shows the applicability of Windows:
@@ -1699,7 +1699,7 @@ To validate on Desktop, do the following steps:
-**Start/ImportEdgeAssets**
+**Start/ImportEdgeAssets**
The table below shows the applicability of Windows:
@@ -1759,7 +1759,7 @@ To validate on Desktop, do the following steps:
-**Start/NoPinningToTaskbar**
+**Start/NoPinningToTaskbar**
The table below shows the applicability of Windows:
@@ -1811,7 +1811,7 @@ To validate on Desktop, do the following steps:
-**Start/ShowOrHideMostUsedApps**
+**Start/ShowOrHideMostUsedApps**
@@ -1856,7 +1856,7 @@ On clean install, the user setting defaults to "hide".
-**Start/SimplifyQuickSettings**
+**Start/SimplifyQuickSettings**
@@ -1897,7 +1897,7 @@ The following are the supported values:
-**Start/StartLayout**
+**Start/StartLayout**
The table below shows the applicability of Windows:
@@ -1926,7 +1926,7 @@ The table below shows the applicability of Windows:
> [!IMPORTANT]
-> In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope)
+> In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis. For more information, see [Policy scope](./policy-configuration-service-provider.md#policy-scope)
Here's more SKU support information:
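Review bot: The changed IMPORTANT line has the hyphen in the wrong place in "per user-basis"; it should read "per-user basis", matching "per-device basis" later in the same sentence. The sentence ending in the Policy scope link also has no closing period. Both can be fixed in this line since it is already being rewritten.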
@@ -1942,7 +1942,7 @@ For more information on how to customize the Start layout, see [Customize and ex
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Start Layout*
- GP name: *LockedStartLayout*
- GP path: *Start Menu and Taskbar*
diff --git a/windows/client-management/mdm/policy-csp-systemservices.md b/windows/client-management/mdm/policy-csp-systemservices.md
index dda3779328..9138227f47 100644
--- a/windows/client-management/mdm/policy-csp-systemservices.md
+++ b/windows/client-management/mdm/policy-csp-systemservices.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## SystemServices policies
+## SystemServices policies
-
@@ -44,7 +44,7 @@ manager: aaroncz
-**SystemServices/ConfigureHomeGroupListenerServiceStartupMode**
+**SystemServices/ConfigureHomeGroupListenerServiceStartupMode**
The table below shows the applicability of Windows:
@@ -71,13 +71,13 @@ The table below shows the applicability of Windows:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
Default: Manual.
-GP Info:
+GP Info:
- GP Friendly name: *HomeGroup Listener*
- GP path: *Windows Settings/Security Settings/System Services*
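Review bot: The changed sentence lists the start types as "Automatic(2), Manual(3), Disabled(4)" with no "or" and no space before each value, and the context line "Default: Manual." omits the integer that an MDM payload would actually carry. Suggest "Automatic (2), Manual (3), or Disabled (4)" and "Default: Manual (3)". The same sentence recurs unchanged in the five SystemServices hunks that follow, so fix all six together.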
@@ -87,7 +87,7 @@ GP Info:
-**SystemServices/ConfigureHomeGroupProviderServiceStartupMode**
+**SystemServices/ConfigureHomeGroupProviderServiceStartupMode**
The table below shows the applicability of Windows:
@@ -114,13 +114,13 @@ The table below shows the applicability of Windows:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
Default: Manual.
-GP Info:
+GP Info:
- GP Friendly name: *HomeGroup Provider*
- GP path: *Windows Settings/Security Settings/System Services*
@@ -130,7 +130,7 @@ GP Info:
-**SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode**
+**SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode**
The table below shows the applicability of Windows:
@@ -157,13 +157,13 @@ The table below shows the applicability of Windows:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
Default: Manual.
-GP Info:
+GP Info:
- GP Friendly name: *Xbox Accessory Management Service*
- GP path: *Windows Settings/Security Settings/System Services*
@@ -173,7 +173,7 @@ GP Info:
-**SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode**
+**SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode**
The table below shows the applicability of Windows:
@@ -200,13 +200,13 @@ The table below shows the applicability of Windows:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
Default: Manual.
-GP Info:
+GP Info:
- GP Friendly name: *Xbox Live Auth Manager*
- GP path: *Windows Settings/Security Settings/System Services*
@@ -216,7 +216,7 @@ GP Info:
-**SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode**
+**SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode**
The table below shows the applicability of Windows:
@@ -243,13 +243,13 @@ The table below shows the applicability of Windows:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
Default: Manual.
-GP Info:
+GP Info:
- GP Friendly name: *Xbox Live Game Save*
- GP path: *Windows Settings/Security Settings/System Services*
@@ -259,7 +259,7 @@ GP Info:
-**SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode**
+**SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode**
The table below shows the applicability of Windows:
@@ -286,13 +286,13 @@ The table below shows the applicability of Windows:
-This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
+This setting determines whether the service's start type is Automatic(2), Manual(3), Disabled(4).
Default: Manual.
-GP Info:
+GP Info:
- GP Friendly name: *Xbox Live Networking Service*
- GP path: *Windows Settings/Security Settings/System Services*
diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md
index 359565b3aa..19193cea93 100644
--- a/windows/client-management/mdm/policy-csp-taskmanager.md
+++ b/windows/client-management/mdm/policy-csp-taskmanager.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## TaskManager policies
+## TaskManager policies
-
@@ -28,7 +28,7 @@ manager: aaroncz
-**TaskManager/AllowEndTask**
+**TaskManager/AllowEndTask**
The table below shows the applicability of Windows:
@@ -57,9 +57,9 @@ The table below shows the applicability of Windows:
This setting determines whether non-administrators can use Task Manager to end tasks.
-Supported value type is integer.
+Supported value type is integer.
-Supported values:
+Supported values:
- 0 - Disabled. EndTask functionality is blocked in TaskManager.
- 1 - Enabled (default). Users can perform EndTask in TaskManager.
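Review bot: The value list under the changed "Supported values:" line writes "TaskManager" as one word, while the description at the top of the hunk writes "Task Manager"; pick one form for the product name. Because the default (1) lets non-administrators end tasks, it would also help to state the most restricted value here the way other policies in this patch do ("Most restricted value is 0."), if the file does not already say so outside this hunk.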
@@ -71,8 +71,8 @@ Supported values:
-**Validation procedure:**
-- When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager.
+**Validation procedure:**
+- When this policy is set to 1 - users CAN execute 'End task' on processes in TaskManager.
- When the policy is set to 0 - users CANNOT execute 'End task' on processes in TaskManager.
diff --git a/windows/client-management/mdm/policy-csp-taskscheduler.md b/windows/client-management/mdm/policy-csp-taskscheduler.md
index f6493ca356..eb016f3e4f 100644
--- a/windows/client-management/mdm/policy-csp-taskscheduler.md
+++ b/windows/client-management/mdm/policy-csp-taskscheduler.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## TaskScheduler policies
+## TaskScheduler policies
-
@@ -29,7 +29,7 @@ manager: aaroncz
-**TaskScheduler/EnableXboxGameSaveTask**
+**TaskScheduler/EnableXboxGameSaveTask**
The table below shows the applicability of Windows:
diff --git a/windows/client-management/mdm/policy-csp-textinput.md b/windows/client-management/mdm/policy-csp-textinput.md
index f2976b8893..a643b71697 100644
--- a/windows/client-management/mdm/policy-csp-textinput.md
+++ b/windows/client-management/mdm/policy-csp-textinput.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 03/03/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## TextInput policies
+## TextInput policies
-
@@ -110,7 +110,7 @@ manager: aaroncz
-**TextInput/AllowHardwareKeyboardTextSuggestions**
+**TextInput/AllowHardwareKeyboardTextSuggestions**
@@ -132,7 +132,7 @@ Placeholder only. Do not use in production environment.
-**TextInput/AllowIMELogging**
+**TextInput/AllowIMELogging**
The table below shows the applicability of Windows:
@@ -179,7 +179,7 @@ The following list shows the supported values:
-**TextInput/AllowIMENetworkAccess**
+**TextInput/AllowIMENetworkAccess**
The table below shows the applicability of Windows:
@@ -225,7 +225,7 @@ The following list shows the supported values:
-**TextInput/AllowInputPanel**
+**TextInput/AllowInputPanel**
The table below shows the applicability of Windows:
@@ -272,7 +272,7 @@ The following list shows the supported values:
-**TextInput/AllowJapaneseIMESurrogatePairCharacters**
+**TextInput/AllowJapaneseIMESurrogatePairCharacters**
The table below shows the applicability of Windows:
@@ -319,7 +319,7 @@ The following list shows the supported values:
-**TextInput/AllowJapaneseIVSCharacters**
+**TextInput/AllowJapaneseIVSCharacters**
The table below shows the applicability of Windows:
@@ -366,7 +366,7 @@ The following list shows the supported values:
-**TextInput/AllowJapaneseNonPublishingStandardGlyph**
+**TextInput/AllowJapaneseNonPublishingStandardGlyph**
The table below shows the applicability of Windows:
@@ -413,7 +413,7 @@ The following list shows the supported values:
-**TextInput/AllowJapaneseUserDictionary**
+**TextInput/AllowJapaneseUserDictionary**
The table below shows the applicability of Windows:
@@ -460,7 +460,7 @@ The following list shows the supported values:
-**TextInput/AllowKeyboardTextSuggestions**
+**TextInput/AllowKeyboardTextSuggestions**
The table below shows the applicability of Windows:
@@ -490,7 +490,7 @@ The table below shows the applicability of Windows:
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
-Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
+Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled.
Most restricted value is 0.
@@ -515,7 +515,7 @@ To validate that text prediction is disabled on Windows 10 for desktop, do the f
-**TextInput/AllowKoreanExtendedHanja**
+**TextInput/AllowKoreanExtendedHanja**
@@ -528,7 +528,7 @@ This policy has been deprecated.
-**TextInput/AllowLanguageFeaturesUninstall**
+**TextInput/AllowLanguageFeaturesUninstall**
The table below shows the applicability of Windows:
@@ -564,7 +564,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Uninstallation of Language Features*
- GP name: *AllowLanguageFeaturesUninstall*
- GP path: *Windows Components/Text Input*
@@ -583,7 +583,7 @@ The following list shows the supported values:
-**TextInput/AllowLinguisticDataCollection**
+**TextInput/AllowLinguisticDataCollection**
The table below shows the applicability of Windows:
@@ -614,7 +614,7 @@ This policy setting controls the ability to send inking and typing data to Micro
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Improve inking and typing recognition*
- GP name: *AllowLinguisticDataCollection*
- GP path: *Windows Components/Text Input*
@@ -630,7 +630,7 @@ This setting supports a range of values between 0 and 1.
-**TextInput/AllowTextInputSuggestionUpdate**
+**TextInput/AllowTextInputSuggestionUpdate**
The table below shows the applicability of Windows:
@@ -677,7 +677,7 @@ The following list shows the supported values:
-**TextInput/ConfigureJapaneseIMEVersion**
+**TextInput/ConfigureJapaneseIMEVersion**
The table below shows the applicability of Windows:
@@ -705,7 +705,7 @@ The table below shows the applicability of Windows:
> [!NOTE]
-> - The policy is only enforced in Windows 10 for desktop.
+> - The policy is only enforced in Windows 10 for desktop.
> - This policy requires reboot to take effect.
Allows IT admins to configure Microsoft Japanese IME version in the desktop.
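Review bot: The changed note bullet reads "The policy is only enforced in Windows 10 for desktop", whereas the matching bullets in the Simplified Chinese and Traditional Chinese IME hunks below read "This policy is enforced only in Windows 10 for desktop". Use the same wording in all three so the notes are recognisably the same restriction.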
@@ -724,7 +724,7 @@ The following list shows the supported values:
-**TextInput/ConfigureSimplifiedChineseIMEVersion**
+**TextInput/ConfigureSimplifiedChineseIMEVersion**
The table below shows the applicability of Windows:
@@ -752,7 +752,7 @@ The table below shows the applicability of Windows:
> [!NOTE]
-> - This policy is enforced only in Windows 10 for desktop.
+> - This policy is enforced only in Windows 10 for desktop.
> - This policy requires reboot to take effect.
Allows IT admins to configure Microsoft Simplified Chinese IME version in the desktop.
@@ -771,7 +771,7 @@ The following list shows the supported values:
-**TextInput/ConfigureTraditionalChineseIMEVersion**
+**TextInput/ConfigureTraditionalChineseIMEVersion**
The table below shows the applicability of Windows:
@@ -799,7 +799,7 @@ The table below shows the applicability of Windows:
> [!NOTE]
-> - This policy is enforced only in Windows 10 for desktop.
+> - This policy is enforced only in Windows 10 for desktop.
> - This policy requires reboot to take effect.
Allows IT admins to configure Microsoft Traditional Chinese IME version in the desktop.
@@ -818,7 +818,7 @@ The following list shows the supported values:
-**TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode**
+**TextInput/EnableTouchKeyboardAutoInvokeInDesktopMode**
The table below shows the applicability of Windows:
@@ -845,10 +845,10 @@ The table below shows the applicability of Windows:
-This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode.
+This policy allows the IT admin to enable the touch keyboard to automatically show up when the device is in the desktop mode.
-The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up.
-But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard.
+The touch keyboard is enabled in both the tablet and desktop mode. In the tablet mode, when you touch a textbox, the touch keyboard automatically shows up.
+But in the desktop mode, by default, the touch keyboard does not automatically show up when you touch a textbox. The user must click the system tray to enable the touch keyboard.
When this policy is enabled, the touch keyboard automatically shows up when the device is in the desktop mode.
This policy corresponds to "Show the touch keyboard when not in tablet mode and there's no keyboard attached" in the Settings app.
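Review bot: The two adjacent changed lines ending "...the touch keyboard automatically shows up." and starting "But in the desktop mode..." differ from their removed versions only in trailing whitespace. If the removed lines ended in two spaces, Markdown rendered that as a hard line break, and stripping it merges these sentences and the following "When this policy is enabled..." line into one paragraph. Check the rendered page, and if the break was intended, separate the sentences with a blank line instead of relying on trailing spaces.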
@@ -866,7 +866,7 @@ The following list shows the supported values:
-**TextInput/ExcludeJapaneseIMEExceptJIS0208**
+**TextInput/ExcludeJapaneseIMEExceptJIS0208**
The table below shows the applicability of Windows:
@@ -911,7 +911,7 @@ The following list shows the supported values:
-**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**
+**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC**
The table below shows the applicability of Windows:
@@ -956,7 +956,7 @@ The following list shows the supported values:
-**TextInput/ExcludeJapaneseIMEExceptShiftJIS**
+**TextInput/ExcludeJapaneseIMEExceptShiftJIS**
The table below shows the applicability of Windows:
@@ -1001,7 +1001,7 @@ The following list shows the supported values:
-**TextInput/ForceTouchKeyboardDockedState**
+**TextInput/ForceTouchKeyboardDockedState**
The table below shows the applicability of Windows:
@@ -1034,7 +1034,7 @@ Specifies the touch keyboard is always docked. When this policy is set to enable
The following list shows the supported values:
-- 0 - (default) - The OS determines when it's most appropriate to be available.
+- 0 - (default) - The OS determines when it's most appropriate to be available.
- 1 - Touch keyboard is always docked.
- 2 - Touch keyboard docking can be changed.
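Review bot: The changed list item for value 0, "The OS determines when it's most appropriate to be available", does not describe a docked state; it reads like text carried over from an availability policy, while values 1 and 2 in the same list talk about docking. Reword value 0 in terms of docking so the three values describe the same thing.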
@@ -1044,7 +1044,7 @@ The following list shows the supported values:
-**TextInput/TouchKeyboardDictationButtonAvailability**
+**TextInput/TouchKeyboardDictationButtonAvailability**
The table below shows the applicability of Windows:
@@ -1087,7 +1087,7 @@ The following list shows the supported values:
-**TextInput/TouchKeyboardEmojiButtonAvailability**
+**TextInput/TouchKeyboardEmojiButtonAvailability**
The table below shows the applicability of Windows:
@@ -1130,7 +1130,7 @@ The following list shows the supported values:
-**TextInput/TouchKeyboardFullModeAvailability**
+**TextInput/TouchKeyboardFullModeAvailability**
The table below shows the applicability of Windows:
@@ -1173,7 +1173,7 @@ The following list shows the supported values:
-**TextInput/TouchKeyboardHandwritingModeAvailability**
+**TextInput/TouchKeyboardHandwritingModeAvailability**
The table below shows the applicability of Windows:
@@ -1216,7 +1216,7 @@ The following list shows the supported values:
-**TextInput/TouchKeyboardNarrowModeAvailability**
+**TextInput/TouchKeyboardNarrowModeAvailability**
The table below shows the applicability of Windows:
@@ -1259,7 +1259,7 @@ The following list shows the supported values:
-**TextInput/TouchKeyboardSplitModeAvailability**
+**TextInput/TouchKeyboardSplitModeAvailability**
The table below shows the applicability of Windows:
@@ -1302,7 +1302,7 @@ The following list shows the supported values:
-**TextInput/TouchKeyboardWideModeAvailability**
+**TextInput/TouchKeyboardWideModeAvailability**
The table below shows the applicability of Windows:
diff --git a/windows/client-management/mdm/policy-csp-timelanguagesettings.md b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
index 610c3a4580..7487a19698 100644
--- a/windows/client-management/mdm/policy-csp-timelanguagesettings.md
+++ b/windows/client-management/mdm/policy-csp-timelanguagesettings.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/28/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## TimeLanguageSettings policies
+## TimeLanguageSettings policies
-
@@ -38,7 +38,7 @@ manager: aaroncz
-**TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks**
+**TimeLanguageSettings/BlockCleanupOfUnusedPreinstalledLangPacks**
The table below shows the applicability of Windows:
@@ -76,7 +76,7 @@ If you disable (value 0) or don't configure this policy setting, language packs
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Block cleanup of unused language packs*
- GP name: *BlockCleanupOfUnusedPreinstalledLangPacks*
- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options*
@@ -94,7 +94,7 @@ ADMX Info:
-**TimeLanguageSettings/ConfigureTimeZone**
+**TimeLanguageSettings/ConfigureTimeZone**
The table below shows the applicability of Windows:
@@ -140,7 +140,7 @@ Specifies the time zone to be applied to the device. This policy name is the sta
-**TimeLanguageSettings/MachineUILanguageOverwrite**
+**TimeLanguageSettings/MachineUILanguageOverwrite**
The table below shows the applicability of Windows:
@@ -178,7 +178,7 @@ If you disable or don't configure this policy setting, there's no restriction of
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Force selected system UI language to overwrite the user UI language*
- GP name: *MachineUILanguageOverwrite*
- GP path: *Computer Configuration/Administrative Templates/Control Panel/Regional and Language Options*
@@ -196,7 +196,7 @@ ADMX Info:
-**TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall**
+**TimeLanguageSettings/RestrictLanguagePacksAndFeaturesInstall**
The table below shows the applicability of Windows:
@@ -223,9 +223,9 @@ The table below shows the applicability of Windows:
-This policy setting restricts standard users from installing language features on demand. This policy doesn't restrict the Windows language, if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.”
+This policy setting restricts standard users from installing language features on demand. This policy doesn't restrict the Windows language, if you want to restrict the Windows language use the following policy: “Restricts the UI languages Windows should use for the selected user.”
-If you enable this policy setting, the installation of language features is prevented for standard users.
+If you enable this policy setting, the installation of language features is prevented for standard users.
If you disable or don't configure this policy setting, there's no language feature installation restriction for the standard users.
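Review bot: The first touched line of this hunk still carries a comma splice ("This policy doesn't restrict the Windows language, if you want to restrict the Windows language use the following policy"). Since the line is being edited anyway, split it into two sentences, for example "This policy doesn't restrict the Windows language. To restrict the Windows language, use the following policy:". Also move the final period outside the quoted policy name so the name can be searched for verbatim.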
diff --git a/windows/client-management/mdm/policy-csp-troubleshooting.md b/windows/client-management/mdm/policy-csp-troubleshooting.md
index 44b6119a56..a57ac594c1 100644
--- a/windows/client-management/mdm/policy-csp-troubleshooting.md
+++ b/windows/client-management/mdm/policy-csp-troubleshooting.md
@@ -15,7 +15,7 @@ ms.date: 09/27/2019
-## Troubleshooting policies
+## Troubleshooting policies
-
@@ -27,7 +27,7 @@ ms.date: 09/27/2019
-**Troubleshooting/AllowRecommendations**
+**Troubleshooting/AllowRecommendations**
The table below shows the applicability of Windows:
@@ -58,7 +58,7 @@ This policy setting allows IT admins to configure, how to apply recommended trou
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Troubleshooting: Allow users to access recommended troubleshooting for known problems*
- GP name: *TroubleshootingAllowRecommendations*
- GP path: *Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool*
@@ -68,7 +68,7 @@ ADMX Info:
This setting is a numeric policy setting with merge algorithm (lowest value is the most secure) that uses the most restrictive settings for complex manageability scenarios.
-Supported values:
+Supported values:
- 0 (default) - Turn off this feature.
- 1 - Turn off this feature but still apply critical troubleshooting.
- 2 - Notify users when recommended troubleshooting is available, then allow the user to run or ignore it.
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index e056057f7a..37ef1ecd8d 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 06/15/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.collection: highpri
---
@@ -19,7 +19,7 @@ ms.collection: highpri
-## Update policies
+## Update policies
-
@@ -138,7 +138,7 @@ ms.collection: highpri
-
Update/ManagePreviewBuilds
-
+
-
Update/NoUpdateNotificationDuringActiveHours
@@ -220,11 +220,11 @@ ms.collection: highpri
-
Update/SetProxyBehaviorForUpdateDetection
- -
- Update/ProductVersion
+
-
+ Update/ProductVersion
- -
- Update/TargetReleaseVersion
+
-
+ Update/TargetReleaseVersion
-
Update/UpdateNotificationLevel
@@ -241,7 +241,7 @@ ms.collection: highpri
-**Update/ActiveHoursEnd**
+**Update/ActiveHoursEnd**
The table below shows the applicability of Windows:
@@ -279,7 +279,7 @@ The default is 17 (5 PM).
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off auto-restart for updates during active hours*
- GP name: *ActiveHours*
- GP element: *ActiveHoursEndTime*
@@ -292,7 +292,7 @@ ADMX Info:
-**Update/ActiveHoursMaxRange**
+**Update/ActiveHoursMaxRange**
The table below shows the applicability of Windows:
@@ -327,7 +327,7 @@ The default value is 18 (hours).
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify active hours range for auto-restarts*
- GP name: *ActiveHoursMaxRange*
- GP element: *ActiveHoursMaxRange*
@@ -340,7 +340,7 @@ ADMX Info:
-**Update/ActiveHoursStart**
+**Update/ActiveHoursStart**
The table below shows the applicability of Windows:
@@ -378,7 +378,7 @@ The default value is 8 (8 AM).
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off auto-restart for updates during active hours*
- GP name: *ActiveHours*
- GP element: *ActiveHoursStartTime*
@@ -391,7 +391,7 @@ ADMX Info:
-**Update/AllowAutoUpdate**
+**Update/AllowAutoUpdate**
The table below shows the applicability of Windows:
@@ -426,7 +426,7 @@ If the policy isn't configured, end-users get the default behavior (Auto downloa
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Automatic Updates*
- GP name: *AutoUpdateCfg*
- GP element: *AutoUpdateMode*
@@ -454,7 +454,7 @@ The following list shows the supported values:
-**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork**
+**Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork**
The table below shows the applicability of Windows:
@@ -489,7 +489,7 @@ This policy is accessible through the Update setting in the user interface or Gr
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow updates to be downloaded automatically over metered connections*
- GP name: *AllowAutoWindowsUpdateDownloadOverMeteredNetwork*
- GP path: *Windows Components/Windows Update*
@@ -508,7 +508,7 @@ The following list shows the supported values:
-**Update/AllowMUUpdateService**
+**Update/AllowMUUpdateService**
The table below shows the applicability of Windows:
@@ -539,7 +539,7 @@ Allows the IT admin to manage whether to scan for app updates from Microsoft Upd
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Automatic Updates*
- GP name: *AutoUpdateCfg*
- GP element: *AllowMUUpdateServiceId*
@@ -567,7 +567,7 @@ $MUSM.RemoveService("7971f918-a847-4430-9279-4a52d1efe18d")
-**Update/AllowNonMicrosoftSignedUpdate**
+**Update/AllowNonMicrosoftSignedUpdate**
The table below shows the applicability of Windows:
@@ -613,7 +613,7 @@ The following list shows the supported values:
-**Update/AllowUpdateService**
+**Update/AllowUpdateService**
The table below shows the applicability of Windows:
@@ -651,7 +651,7 @@ Enabling this policy will disable that functionality, and may cause connection t
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify intranet Microsoft update service location*
- GP name: *CorpWuURL*
- GP path: *Windows Components/Windows Update*
@@ -670,7 +670,7 @@ The following list shows the supported values:
-**Update/AutoRestartDeadlinePeriodInDays**
+**Update/AutoRestartDeadlinePeriodInDays**
The table below shows the applicability of Windows:
@@ -701,7 +701,7 @@ For Quality Updates, this policy specifies the deadline in days before automatic
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks.
-Supported value type is integer. Default is seven days.
+Supported value type is integer. Default is seven days.
Supported values range: 2-30.
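Review bot: The touched line says "Default is seven days." while the matching line for Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates, changed in the same patch, says "Default is 7 days." Use the numeral in both, which also matches "Supported values range: 2-30." The context line above has a stray comma in "any existing system, and user busy checks" that could be dropped in the same pass.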
@@ -718,7 +718,7 @@ If any of the following two policies are enabled, this policy has no effect:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify deadline before auto-restart for update installation*
- GP name: *AutoRestartDeadline*
- GP element: *AutoRestartDeadline*
@@ -731,7 +731,7 @@ ADMX Info:
-**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates**
+**Update/AutoRestartDeadlinePeriodInDaysForFeatureUpdates**
The table below shows the applicability of Windows:
@@ -762,7 +762,7 @@ For Feature Updates, this policy specifies the deadline in days before automatic
The system will reboot on or after the specified deadline. The reboot is prioritized over any configured Active Hours and any existing system, and user busy checks.
-Supported value type is integer. Default is 7 days.
+Supported value type is integer. Default is 7 days.
Supported values range: 2-30.
@@ -779,7 +779,7 @@ If any of the following two policies are enabled, this policy has no effect:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify deadline before auto-restart for update installation*
- GP name: *AutoRestartDeadline*
- GP element: *AutoRestartDeadlineForFeatureUpdates*
@@ -792,7 +792,7 @@ ADMX Info:
-**Update/AutoRestartNotificationSchedule**
+**Update/AutoRestartNotificationSchedule**
The table below shows the applicability of Windows:
@@ -825,7 +825,7 @@ The default value is 15 (minutes).
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure auto-restart reminder notifications for updates*
- GP name: *AutoRestartNotificationConfig*
- GP element: *AutoRestartNotificationSchd*
@@ -842,7 +842,7 @@ Supported values are 15, 30, 60, 120, and 240 (minutes).
-**Update/AutoRestartRequiredNotificationDismissal**
+**Update/AutoRestartRequiredNotificationDismissal**
The table below shows the applicability of Windows:
@@ -873,7 +873,7 @@ Allows the IT Admin to specify the method by which the autorestart required noti
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure auto-restart required notification for updates*
- GP name: *AutoRestartRequiredNotificationDismissal*
- GP element: *AutoRestartRequiredNotificationDismissal*
@@ -893,7 +893,7 @@ The following list shows the supported values:
-**Update/AutomaticMaintenanceWakeUp**
+**Update/AutomaticMaintenanceWakeUp**
The table below shows the applicability of Windows:
@@ -931,7 +931,7 @@ If you disable or don't configure this policy setting, the wake setting as speci
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Automatic Maintenance WakeUp Policy*
- GP name: *WakeUpPolicy*
- GP path: *Windows Components/Maintenance Scheduler*
@@ -939,7 +939,7 @@ ADMX Info:
-Supported values:
+Supported values:
- 0 - Disable
- 1 - Enable (Default)
@@ -954,7 +954,7 @@ Supported values:
-**Update/BranchReadinessLevel**
+**Update/BranchReadinessLevel**
The table below shows the applicability of Windows:
@@ -985,7 +985,7 @@ Allows the IT admin to set which branch a device receives their updates from. As
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select when Preview Builds and Feature Updates are received*
- GP name: *DeferFeatureUpdates*
- GP element: *BranchReadinessLevelId*
@@ -1008,7 +1008,7 @@ The following list shows the supported values:
-**Update/ConfigureDeadlineForFeatureUpdates**
+**Update/ConfigureDeadlineForFeatureUpdates**
The table below shows the applicability of Windows:
@@ -1038,7 +1038,7 @@ The table below shows the applicability of Windows:
Allows admins to specify the number of days before feature updates are installed on the device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After the deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineForFeatureUpdates*
- GP element: *ConfigureDeadlineForFeatureUpdates*
@@ -1062,7 +1062,7 @@ Default value is 7.
-**Update/ConfigureDeadlineForQualityUpdates**
+**Update/ConfigureDeadlineForQualityUpdates**
The table below shows the applicability of Windows:
@@ -1092,7 +1092,7 @@ The table below shows the applicability of Windows:
Allows admins to specify the number of days before quality updates are installed on a device automatically. Before the deadline, restarts can be scheduled by users or automatically scheduled outside of active hours, according to [Update/ConfigureDeadlineNoAutoReboot](#update-configuredeadlinenoautoreboot). After deadline passes, restarts will occur regardless of active hours and users won't be able to reschedule.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineForQualityUpdates*
- GP element: *ConfigureDeadlineForQualityUpdates*
@@ -1116,7 +1116,7 @@ Default value is 7.
-**Update/ConfigureDeadlineGracePeriod**
+**Update/ConfigureDeadlineGracePeriod**
The table below shows the applicability of Windows:
@@ -1147,7 +1147,7 @@ When used with [Update/ConfigureDeadlineForQualityUpdates](#update-configuredead
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineGracePeriod*
- GP element: *ConfigureDeadlineGracePeriod*
@@ -1171,7 +1171,7 @@ Default value is 2.
-**Update/ConfigureDeadlineGracePeriodForFeatureUpdates**
+**Update/ConfigureDeadlineGracePeriodForFeatureUpdates**
The table below shows the applicability of Windows:
@@ -1203,7 +1203,7 @@ When used with [Update/ConfigureDeadlineForFeatureUpdates](#update-configuredead
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineGracePeriodForFeatureUpdates*
- GP element: *ConfigureDeadlineGracePeriodForFeatureUpdates*
@@ -1227,7 +1227,7 @@ Default value is 2.
-**Update/ConfigureDeadlineNoAutoReboot**
+**Update/ConfigureDeadlineNoAutoReboot**
The table below shows the applicability of Windows:
@@ -1261,7 +1261,7 @@ When disabled, if the device has installed updates and is outside of active hour
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify deadlines for automatic updates and restarts*
- GP name: *ConfigureDeadlineNoAutoReboot*
- GP element: *ConfigureDeadlineNoAutoReboot*
@@ -1270,7 +1270,7 @@ ADMX Info:
-Supported values:
+Supported values:
- 1 - Enabled
- 0 (default) - Disabled
@@ -1285,7 +1285,7 @@ Supported values:
-**Update/ConfigureFeatureUpdateUninstallPeriod**
+**Update/ConfigureFeatureUpdateUninstallPeriod**
The table below shows the applicability of Windows:
@@ -1312,9 +1312,9 @@ The table below shows the applicability of Windows:
-Enable IT admin to configure feature update uninstall period.
+Enable IT admin to configure feature update uninstall period.
-Values range 2 - 60 days.
+Values range 2 - 60 days.
Default is 10 days.
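Review bot: Both touched lines in this hunk read as fragments. "Enable IT admin to configure feature update uninstall period." looks like an instruction rather than a description; "Enables IT admins to configure the feature update uninstall period." would be clearer. "Values range 2 - 60 days." would be more consistent with the other Update policies as "Supported values range: 2-60 (days)."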
@@ -1324,7 +1324,7 @@ Default is 10 days.
-**Update/DeferFeatureUpdatesPeriodInDays**
+**Update/DeferFeatureUpdatesPeriodInDays**
The table below shows the applicability of Windows:
@@ -1361,7 +1361,7 @@ Supported values are 0-365 days.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select when Preview Builds and Feature Updates are received*
- GP name: *DeferFeatureUpdates*
- GP element: *DeferFeatureUpdatesPeriodId*
@@ -1374,7 +1374,7 @@ ADMX Info:
-**Update/DeferQualityUpdatesPeriodInDays**
+**Update/DeferQualityUpdatesPeriodInDays**
The table below shows the applicability of Windows:
@@ -1407,7 +1407,7 @@ Supported values are 0-30.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select when Quality Updates are received*
- GP name: *DeferQualityUpdates*
- GP element: *DeferQualityUpdatesPeriodId*
@@ -1420,7 +1420,7 @@ ADMX Info:
-**Update/DeferUpdatePeriod**
+**Update/DeferUpdatePeriod**
The table below shows the applicability of Windows:
@@ -1468,7 +1468,7 @@ Update:
- Maximum deferral: One month
- Deferral increment: One week
- Update type/notes: If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic:
-
+
- Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
- Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
- Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
@@ -1488,7 +1488,7 @@ Other/can't defer:
-ADMX Info:
+ADMX Info:
- GP name: *DeferUpgrade*
- GP element: *DeferUpdatePeriodId*
- GP ADMX file name: *WindowsUpdate.admx*
@@ -1499,7 +1499,7 @@ ADMX Info:
-**Update/DeferUpgradePeriod**
+**Update/DeferUpgradePeriod**
The table below shows the applicability of Windows:
@@ -1539,7 +1539,7 @@ If the "Allow Telemetry" policy is enabled and the Options value is set to 0, th
-ADMX Info:
+ADMX Info:
- GP name: *DeferUpgrade*
- GP element: *DeferUpgradePeriodId*
- GP ADMX file name: *WindowsUpdate.admx*
@@ -1550,7 +1550,7 @@ ADMX Info:
-**Update/DetectionFrequency**
+**Update/DetectionFrequency**
The table below shows the applicability of Windows:
@@ -1577,11 +1577,11 @@ The table below shows the applicability of Windows:
-Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should be enabled only when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update.
+Specifies the scan frequency from every 1 - 22 hours with a random variant of 0 - 4 hours. Default is 22 hours. This policy should be enabled only when Update/UpdateServiceUrl is configured to point the device at a WSUS server rather than Microsoft Update.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Automatic Updates detection frequency*
- GP name: *DetectionFrequency_Title*
- GP element: *DetectionFrequency_Hour2*
@@ -1594,7 +1594,7 @@ ADMX Info:
-**Update/DisableDualScan**
+**Update/DisableDualScan**
The table below shows the applicability of Windows:
@@ -1627,12 +1627,12 @@ For more information about dual scan, see [Demystifying "Dual Scan"](/archive/bl
This setting is the same as the Group Policy in **Windows Components** > **Windows Update**: "Do not allow update deferral policies to cause scans against Windows Update."
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Do not allow update deferral policies to cause scans against Windows Update*
- GP name: *DisableDualScan*
- GP path: *Windows Components/Windows Update*
@@ -1651,7 +1651,7 @@ The following list shows the supported values:
-**Update/DisableWUfBSafeguards**
+**Update/DisableWUfBSafeguards**
The table below shows the applicability of Windows:
@@ -1684,18 +1684,18 @@ Safeguard holds prevent a device with a known compatibility issue from being off
The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update.
-IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy.
+IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy.
> [!NOTE]
> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied.
>
-> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.
+> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.
>
> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade, as you're bypassing the protection given by Microsoft pertaining to known issues.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Disable safeguards for Feature Updates*
- GP name: *DisableWUfBSafeguards*
- GP path: *Windows Components/Windows Update/Windows Update for Business*
@@ -1714,7 +1714,7 @@ The following list shows the supported values:
-**Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection**
+**Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection**
The table below shows the applicability of Windows:
@@ -1741,13 +1741,13 @@ The table below shows the applicability of Windows:
-To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices.
+To ensure the highest levels of security, we recommended using WSUS TLS certificate pinning on all devices.
-By default, certificate pinning for Windows Update client isn't enforced.
+By default, certificate pinning for Windows Update client isn't enforced.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow user proxy to be used as a fallback if detection using system proxy fails*
- GP name: *Allow user proxy to be used as a fallback if detection using system proxy fails*
- GP path: *Windows Update\SpecifyintranetMicrosoftupdateserviceLocation*
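Review bot: The ADMX Info block under Update/DoNotEnforceEnterpriseTLSCertPinningForUpdateDetection does not match the policy it documents. Both "GP Friendly name" and "GP name" read "Allow user proxy to be used as a fallback if detection using system proxy fails", which describes proxy fallback rather than WSUS TLS certificate pinning, and the "GP name" value is a sentence where every other policy in this file gives an identifier. Please confirm the correct Group Policy mapping before merging, because an admin who follows this text would configure a different setting than the one that controls pinning. On the touched description line, "we recommended using" should be "we recommend using".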
@@ -1766,7 +1766,7 @@ The following list shows the supported values:
-**Update/EngagedRestartDeadline**
+**Update/EngagedRestartDeadline**
The table below shows the applicability of Windows:
@@ -1800,7 +1800,7 @@ The system will reboot on or after the specified deadline. The reboot is priorit
> [!NOTE]
> If Update/EngagedDeadline is the only policy set (Update/EngagedRestartTransitionSchedule and Update/EngagedRestartSnoozeSchedule aren't set), the behavior goes from reboot required -> engaged behavior -> forced reboot after deadline is reached with a 3-day snooze period.
-Supporting value type is integer.
+Supporting value type is integer.
Default is 14.
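Review bot: The touched line reads "Supporting value type is integer." where the neighbouring policies use "Supported value type is integer."; fix the wording while the line is being changed. The NOTE in the same hunk refers to "Update/EngagedDeadline", but the policy documented here is Update/EngagedRestartDeadline, so the name in the note should be corrected or the reference explained.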
@@ -1817,7 +1817,7 @@ If any of the following policies are configured, this policy has no effect:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates*
- GP name: *EngagedRestartTransitionSchedule*
- GP element: *EngagedRestartDeadline*
@@ -1830,7 +1830,7 @@ ADMX Info:
-**Update/EngagedRestartDeadlineForFeatureUpdates**
+**Update/EngagedRestartDeadlineForFeatureUpdates**
The table below shows the applicability of Windows:
@@ -1859,7 +1859,7 @@ The table below shows the applicability of Windows:
For Feature Updates, this policy specifies the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be executed automatically, within the specified period.
-Supported value type is integer.
+Supported value type is integer.
Default is 14.
@@ -1876,7 +1876,7 @@ If any of the following policies are configured, this policy has no effect:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates*
- GP name: *EngagedRestartTransitionSchedule*
- GP element: *EngagedRestartDeadlineForFeatureUpdates*
@@ -1889,7 +1889,7 @@ ADMX Info:
-**Update/EngagedRestartSnoozeSchedule**
+**Update/EngagedRestartSnoozeSchedule**
The table below shows the applicability of Windows:
@@ -1918,7 +1918,7 @@ The table below shows the applicability of Windows:
For Quality Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days.
-Supported value type is integer.
+Supported value type is integer.
Default is three days.
@@ -1933,7 +1933,7 @@ If any of the following policies are configured, this policy has no effect:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates*
- GP name: *EngagedRestartTransitionSchedule*
- GP element: *EngagedRestartSnoozeSchedule*
@@ -1946,7 +1946,7 @@ ADMX Info:
-**Update/EngagedRestartSnoozeScheduleForFeatureUpdates**
+**Update/EngagedRestartSnoozeScheduleForFeatureUpdates**
The table below shows the applicability of Windows:
@@ -1975,7 +1975,7 @@ The table below shows the applicability of Windows:
For Feature Updates, this policy specifies the number of days a user can snooze Engaged restart reminder notifications. The snooze period can be set between 1-3 days.
-Supported value type is integer.
+Supported value type is integer.
Default is three days.
@@ -1990,7 +1990,7 @@ If any of the following policies are configured, this policy has no effect:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates*
- GP name: *EngagedRestartTransitionSchedule*
- GP element: *EngagedRestartSnoozeScheduleForFeatureUpdates*
@@ -2003,7 +2003,7 @@ ADMX Info:
-**Update/EngagedRestartTransitionSchedule**
+**Update/EngagedRestartTransitionSchedule**
The table below shows the applicability of Windows:
@@ -2032,11 +2032,11 @@ The table below shows the applicability of Windows:
For Quality Updates, this policy specifies the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-Supported value type is integer.
+Supported value type is integer.
Default value is 7 days.
-Supported value range: 2 - 30.
+Supported value range: 2 - 30.
If you disable or don't configure this policy, the default behaviors will be used.
@@ -2047,7 +2047,7 @@ If any of the following policies are configured, this policy has no effect:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates*
- GP name: *EngagedRestartTransitionSchedule*
- GP element: *EngagedRestartTransitionSchedule*
@@ -2060,7 +2060,7 @@ ADMX Info:
-**Update/EngagedRestartTransitionScheduleForFeatureUpdates**
+**Update/EngagedRestartTransitionScheduleForFeatureUpdates**
The table below shows the applicability of Windows:
@@ -2089,7 +2089,7 @@ The table below shows the applicability of Windows:
For Feature Updates, this policy specifies the timing before transitioning from Auto restarts scheduled_outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
-Supported value type is integer.
+Supported value type is integer.
Default value is seven days.
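Review bot: The context line of this hunk contains "scheduled_outside of active hours" with a stray underscore; the quality-updates counterpart above reads "scheduled outside of active hours". The underscore should be removed in this cleanup. The default is also written "seven days" here and "7 days" in Update/EngagedRestartTransitionSchedule; pick one form.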
@@ -2104,7 +2104,7 @@ If any of the following policies are configured, this policy has no effect:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify Engaged restart transition and notification schedule for updates*
- GP name: *EngagedRestartTransitionSchedule*
- GP element: *EngagedRestartTransitionScheduleForFeatureUpdates*
@@ -2117,7 +2117,7 @@ ADMX Info:
-**Update/ExcludeWUDriversInQualityUpdate**
+**Update/ExcludeWUDriversInQualityUpdate**
The table below shows the applicability of Windows:
@@ -2149,7 +2149,7 @@ Allows IT Admins to exclude Windows Update (WU) drivers during updates.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Do not include drivers with Windows Updates*
- GP name: *ExcludeWUDriversInQualityUpdate*
- GP path: *Windows Components/Windows Update*
@@ -2168,7 +2168,7 @@ The following list shows the supported values:
-**Update/FillEmptyContentUrls**
+**Update/FillEmptyContentUrls**
The table below shows the applicability of Windows:
@@ -2202,7 +2202,7 @@ Allows Windows Update Agent to determine the download URL when it's missing from
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify intranet Microsoft update service location*
- GP name: *CorpWuURL*
- GP element: *CorpWUFillEmptyContentUrls*
@@ -2222,7 +2222,7 @@ The following list shows the supported values:
-**Update/IgnoreMOAppDownloadLimit**
+**Update/IgnoreMOAppDownloadLimit**
The table below shows the applicability of Windows:
@@ -2249,7 +2249,7 @@ The table below shows the applicability of Windows:
-Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
@@ -2266,7 +2266,7 @@ The following list shows the supported values:
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell:
+2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell:
```TShell
exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
```
@@ -2277,7 +2277,7 @@ To validate this policy:
-**Update/IgnoreMOUpdateDownloadLimit**
+**Update/IgnoreMOUpdateDownloadLimit**
The table below shows the applicability of Windows:
@@ -2304,7 +2304,7 @@ The table below shows the applicability of Windows:
-Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
@@ -2321,7 +2321,7 @@ The following list shows the supported values:
To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
-2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell:
+2. Run the scheduled task on your device to check for app updates in the background. For example, on a device, run the following commands in TShell:
```TShell
exec-device schtasks.exe -arguments '/run /tn "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /I'
```
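Review bot: Step 2 of the validation procedure for Update/IgnoreMOUpdateDownloadLimit says to "check for app updates in the background" and runs the "Automatic App Update" scheduled task, which is identical to the procedure under Update/IgnoreMOAppDownloadLimit. The policy description for this section says it applies to OS updates, so the step looks copied from the app policy. Please confirm whether this task actually exercises the OS update download path, and if not, replace the step with one that does. "run the following commands" should also be singular, since only one command follows.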
@@ -2332,7 +2332,7 @@ To validate this policy:
-**Update/ManagePreviewBuilds**
+**Update/ManagePreviewBuilds**
The table below shows the applicability of Windows:
@@ -2359,13 +2359,13 @@ The table below shows the applicability of Windows:
-Used to manage Windows 10 Insider Preview builds.
+Used to manage Windows 10 Insider Preview builds.
Supported value type is integer.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Manage preview builds*
- GP name: *ManagePreviewBuilds*
- GP element: *ManagePreviewBuildsId*
@@ -2386,7 +2386,7 @@ The following list shows the supported values:
-**Update/NoUpdateNotificationDuringActiveHours**
+**Update/NoUpdateNotificationDuringActiveHours**
The table below shows the applicability of Windows:
@@ -2417,12 +2417,12 @@ This policy can be used in conjunction with Update/ActiveHoursStart and Update/A
Supported value type is a boolean.
-0 (Default) This configuration will provide the default behavior (notifications may display during active hours)
+0 (Default) This configuration will provide the default behavior (notifications may display during active hours)
1: This setting will prevent notifications from displaying during active hours.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Display options for update notifications*
- GP name: *NoUpdateNotificationDuringActiveHours*
- GP element: *NoUpdateNotificationDuringActiveHours*
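Review bot: The two value descriptions in this hunk are formatted differently from each other and from the rest of the file. The touched line is "0 (Default) This configuration will provide the default behavior (...)" with no separator and no final period, while the next line is "1: This setting will prevent ...". Use the list form the other policies use, for example "- 0 (default) - Notifications may display during active hours." and "- 1 - Notifications are prevented from displaying during active hours." The context line also states the type as "a boolean" while the values are given as 0 and 1; say which representation the CSP expects.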
@@ -2435,7 +2435,7 @@ ADMX Info:
-**Update/PauseDeferrals**
+**Update/PauseDeferrals**
The table below shows the applicability of Windows:
@@ -2473,7 +2473,7 @@ If the "Allow Telemetry" policy is enabled and the Options value is set to 0, th
-ADMX Info:
+ADMX Info:
- GP name: *DeferUpgrade*
- GP element: *PauseDeferralsId*
- GP ADMX file name: *WindowsUpdate.admx*
@@ -2491,7 +2491,7 @@ The following list shows the supported values:
-**Update/PauseFeatureUpdates**
+**Update/PauseFeatureUpdates**
The table below shows the applicability of Windows:
@@ -2523,7 +2523,7 @@ Allows IT Admins to pause feature updates for up to 35 days. We recommend that y
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select when Preview Builds and Feature Updates are received*
- GP name: *DeferFeatureUpdates*
- GP element: *PauseFeatureUpdatesId*
@@ -2543,7 +2543,7 @@ The following list shows the supported values:
-**Update/PauseFeatureUpdatesStartTime**
+**Update/PauseFeatureUpdatesStartTime**
The table below shows the applicability of Windows:
@@ -2570,14 +2570,14 @@ The table below shows the applicability of Windows:
-Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date.
+Specifies the date and time when the IT admin wants to start pausing the Feature Updates. When this policy is configured, Feature Updates will be paused for 35 days from the specified start date.
-- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28).
+- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28).
- Supported operations are Add, Get, Delete, and Replace.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select when Preview Builds and Feature Updates are received*
- GP name: *DeferFeatureUpdates*
- GP element: *PauseFeatureUpdatesStartId*
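Review bot: The touched description says the policy "Specifies the date and time", but the only format given on the next touched line is a date, `yyyy-mm-dd, ex. 2018-10-28`. Either drop "and time" or document the time component. The Update/PauseQualityUpdatesStartTime hunk further down carries the same wording and needs the same fix.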
@@ -2590,7 +2590,7 @@ ADMX Info:
-**Update/PauseQualityUpdates**
+**Update/PauseQualityUpdates**
The table below shows the applicability of Windows:
@@ -2621,7 +2621,7 @@ Allows IT Admins to pause quality updates. For those running Windows 10, version
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select when Quality Updates are received*
- GP name: *DeferQualityUpdates*
- GP element: *PauseQualityUpdatesId*
@@ -2641,7 +2641,7 @@ The following list shows the supported values:
-**Update/PauseQualityUpdatesStartTime**
+**Update/PauseQualityUpdatesStartTime**
The table below shows the applicability of Windows:
@@ -2668,14 +2668,14 @@ The table below shows the applicability of Windows:
-Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date.
+Specifies the date and time when the IT admin wants to start pausing the Quality Updates. When this policy is configured, Quality Updates will be paused for 35 days from the specified start date.
-- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28).
+- Supported value type is string (yyyy-mm-dd, ex. 2018-10-28).
- Supported operations are Add, Get, Delete, and Replace.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select when Quality Updates are received*
- GP name: *DeferQualityUpdates*
- GP element: *PauseQualityUpdatesStartId*
@@ -2688,7 +2688,7 @@ ADMX Info:
-**Update/PhoneUpdateRestrictions**
+**Update/PhoneUpdateRestrictions**
This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupdateapproval) instead.
@@ -2699,7 +2699,7 @@ This policy is deprecated. Use [Update/RequireUpdateApproval](#update-requireupd
-**Update/ProductVersion**
+**Update/ProductVersion**
The table below shows the applicability of Windows:
@@ -2726,13 +2726,13 @@ The table below shows the applicability of Windows:
-Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product.
+Available in Windows 10, version 2004 and later. Enables IT administrators to specify which product they would like their device(s) to move to and/or stay on until they reach end of service or reconfigure the policy to target a new product.
If no product is specified, the device will continue receiving newer versions of the Windows product it's currently on. For details about different Windows 10 versions, see [release information](/windows/release-health/release-information).
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select the target Feature Update version*
- GP name: *TargetReleaseVersion*
- GP element: *ProductVersion*
@@ -2759,7 +2759,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro
-**Update/RequireDeferUpgrade**
+**Update/RequireDeferUpgrade**
The table below shows the applicability of Windows:
@@ -2793,7 +2793,7 @@ Allows the IT admin to set a device to General Availability Channel train.
-ADMX Info:
+ADMX Info:
- GP name: *DeferUpgrade*
- GP element: *DeferUpgradePeriodId*
- GP ADMX file name: *WindowsUpdate.admx*
@@ -2811,7 +2811,7 @@ The following list shows the supported values:
-**Update/RequireUpdateApproval**
+**Update/RequireUpdateApproval**
The table below shows the applicability of Windows:
@@ -2839,7 +2839,7 @@ The table below shows the applicability of Windows:
> [!NOTE]
-> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
+> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved.
@@ -2858,7 +2858,7 @@ The following list shows the supported values:
-**Update/ScheduleImminentRestartWarning**
+**Update/ScheduleImminentRestartWarning**
The table below shows the applicability of Windows:
@@ -2891,7 +2891,7 @@ The default value is 15 (minutes).
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure auto-restart warning notifications schedule for updates*
- GP name: *RestartWarnRemind*
- GP element: *RestartWarn*
@@ -2908,7 +2908,7 @@ Supported values are 15, 30, or 60 (minutes).
-**Update/ScheduleRestartWarning**
+**Update/ScheduleRestartWarning**
The table below shows the applicability of Windows:
@@ -2944,7 +2944,7 @@ The default value is 4 (hours).
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure auto-restart warning notifications schedule for updates*
- GP name: *RestartWarnRemind*
- GP element: *RestartWarnRemind*
@@ -2961,7 +2961,7 @@ Supported values are 2, 4, 8, 12, or 24 (hours).
-**Update/ScheduledInstallDay**
+**Update/ScheduledInstallDay**
The table below shows the applicability of Windows:
@@ -2996,7 +2996,7 @@ Supported operations are Add, Delete, Get, and Replace.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Automatic Updates*
- GP name: *AutoUpdateCfg*
- GP element: *AutoUpdateSchDay*
@@ -3022,7 +3022,7 @@ The following list shows the supported values:
-**Update/ScheduledInstallEveryWeek**
+**Update/ScheduledInstallEveryWeek**
The table below shows the applicability of Windows:
@@ -3049,9 +3049,9 @@ The table below shows the applicability of Windows:
-Enables the IT admin to schedule the update installation on every week.
+Enables the IT admin to schedule the update installation on every week.
-Supported Value type is integer.
+Supported Value type is integer.
Supported values:
- 0 - no update in the schedule.
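Review bot: On the touched line `Supported Value type is integer.` the capital "V" is inconsistent with the sibling ScheduledInstall*Week sections, which use "Supported value type". The line above it, "schedule the update installation on every week", should read "every week". Both lines are already being rewritten for whitespace, so fix the wording in the same change.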
@@ -3060,7 +3060,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Automatic Updates*
- GP name: *AutoUpdateCfg*
- GP element: *AutoUpdateSchEveryWeek*
@@ -3073,7 +3073,7 @@ ADMX Info:
-**Update/ScheduledInstallFirstWeek**
+**Update/ScheduledInstallFirstWeek**
The table below shows the applicability of Windows:
@@ -3100,9 +3100,9 @@ The table below shows the applicability of Windows:
-Enables the IT admin to schedule the update installation on the first week of the month.
+Enables the IT admin to schedule the update installation on the first week of the month.
-Supported value type is integer.
+Supported value type is integer.
Supported values:
- 0 - no update in the schedule.
@@ -3111,7 +3111,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Automatic Updates*
- GP name: *AutoUpdateCfg*
- GP element: *AutoUpdateSchFirstWeek*
@@ -3124,7 +3124,7 @@ ADMX Info:
-**Update/ScheduledInstallFourthWeek**
+**Update/ScheduledInstallFourthWeek**
The table below shows the applicability of Windows:
@@ -3151,9 +3151,9 @@ The table below shows the applicability of Windows:
-Enables the IT admin to schedule the update installation on the fourth week of the month.
+Enables the IT admin to schedule the update installation on the fourth week of the month.
-Supported value type is integer.
+Supported value type is integer.
Supported values:
- 0 - no update in the schedule.
@@ -3162,7 +3162,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Automatic Updates*
- GP name: *AutoUpdateCfg*
- GP element: *ScheduledInstallFourthWeek*
@@ -3175,7 +3175,7 @@ ADMX Info:
-**Update/ScheduledInstallSecondWeek**
+**Update/ScheduledInstallSecondWeek**
The table below shows the applicability of Windows:
@@ -3202,9 +3202,9 @@ The table below shows the applicability of Windows:
-Enables the IT admin to schedule the update installation on the second week of the month.
+Enables the IT admin to schedule the update installation on the second week of the month.
-Supported vlue type is integer.
+Supported vlue type is integer.
Supported values:
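Review bot: The `+` line still carries the typo "Supported vlue type is integer." The line is being rewritten for whitespace only, so correct it to "Supported value type is integer." here rather than in a follow-up.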
@@ -3214,7 +3214,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Automatic Updates*
- GP name: *AutoUpdateCfg*
- GP element: *ScheduledInstallSecondWeek*
@@ -3227,7 +3227,7 @@ ADMX Info:
-**Update/ScheduledInstallThirdWeek**
+**Update/ScheduledInstallThirdWeek**
The table below shows the applicability of Windows:
@@ -3254,9 +3254,9 @@ The table below shows the applicability of Windows:
-Enables the IT admin to schedule the update installation on the third week of the month.
+Enables the IT admin to schedule the update installation on the third week of the month.
-Supported value type is integer.
+Supported value type is integer.
Supported values:
- 0 - no update in the schedule.
@@ -3265,7 +3265,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Automatic Updates*
- GP name: *AutoUpdateCfg*
- GP element: *ScheduledInstallThirdWeek*
@@ -3278,7 +3278,7 @@ ADMX Info:
-**Update/ScheduledInstallTime**
+**Update/ScheduledInstallTime**
The table below shows the applicability of Windows:
@@ -3317,7 +3317,7 @@ The default value is 3.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure Automatic Updates*
- GP name: *AutoUpdateCfg*
- GP element: *AutoUpdateSchTime*
@@ -3330,7 +3330,7 @@ ADMX Info:
-**Update/SetAutoRestartNotificationDisable**
+**Update/SetAutoRestartNotificationDisable**
The table below shows the applicability of Windows:
@@ -3361,7 +3361,7 @@ Allows the IT Admin to disable autorestart notifications for update installation
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Turn off auto-restart notifications for update installations*
- GP name: *AutoRestartNotificationDisable*
- GP element: *AutoRestartNotificationSchd*
@@ -3381,7 +3381,7 @@ The following list shows the supported values:
-**Update/SetDisablePauseUXAccess**
+**Update/SetDisablePauseUXAccess**
The table below shows the applicability of Windows:
@@ -3410,15 +3410,15 @@ The table below shows the applicability of Windows:
This policy allows the IT admin to disable the "Pause Updates" feature. When this policy is enabled, the user can't access the "Pause updates" feature.
-Supported value type is integer.
+Supported value type is integer.
-Default is 0.
+Default is 0.
Supported values 0, 1.
-ADMX Info:
+ADMX Info:
- GP name: *SetDisablePauseUXAccess*
- GP ADMX file name: *WindowsUpdate.admx*
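Review bot: "Supported values 0, 1." in this hunk does not say which value disables the "Pause updates" feature, and only "Default is 0." hints at the mapping. Replace it with a two-item list that names the effect of 0 and of 1, in the style of the "The following list shows the supported values" lists used elsewhere in this file. Update/SetDisableUXWUAccess in the next hunk has the same gap.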
@@ -3428,7 +3428,7 @@ ADMX Info:
-**Update/SetDisableUXWUAccess**
+**Update/SetDisableUXWUAccess**
The table below shows the applicability of Windows:
@@ -3457,15 +3457,15 @@ The table below shows the applicability of Windows:
This policy allows the IT admin to remove access to scan Windows Update. When this policy is enabled, the user can't access the Windows Update scan, download, and install features.
-Supported value type is integer.
+Supported value type is integer.
-Default is 0.
+Default is 0.
Supported values 0, 1.
-ADMX Info:
+ADMX Info:
- GP name: *SetDisableUXWUAccess*
- GP ADMX file name: *WindowsUpdate.admx*
@@ -3475,7 +3475,7 @@ ADMX Info:
-**Update/SetEDURestart**
+**Update/SetEDURestart**
The table below shows the applicability of Windows:
@@ -3508,7 +3508,7 @@ When you set this policy along with Update/ActiveHoursStart, Update/ActiveHoursE
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Update Power Policy for Cart Restarts*
- GP name: *SetEDURestart*
- GP path: *Windows Components/Windows Update*
@@ -3527,7 +3527,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForDriverUpdates**
+**Update/SetPolicyDrivenUpdateSourceForDriverUpdates**
The table below shows the applicability of Windows:
@@ -3554,7 +3554,7 @@ The table below shows the applicability of Windows:
-Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
+Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
- SetPolicyDrivenUpdateSourceForFeatureUpdates
@@ -3562,11 +3562,11 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify source service for specific classes of Windows Updates*
- GP name: *SetPolicyDrivenUpdateSourceForDriver*
- GP path: *Windows Components/Windows Update*
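Review bot: The touched note line reads "If you have not properly configured Update/UpdateServiceUrl correctly", which says the same thing twice. Drop one of "properly" and "correctly", for example "If you haven't configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect." The identical sentence is touched in the Feature, Other and Quality scan-source sections below.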
@@ -3576,8 +3576,8 @@ ADMX Info:
The following list shows the supported values:
-- 0: (Default) Detect, download, and deploy Drivers from Windows Update.
-- 1: Enabled, Detect, download, and deploy Drivers from Windows Server Update Server (WSUS).
+- 0: (Default) Detect, download, and deploy Drivers from Windows Update.
+- 1: Enabled, Detect, download, and deploy Drivers from Windows Server Update Server (WSUS).
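Review bot: The touched value line names the product "Windows Server Update Server (WSUS)", while the policy description earlier in this section says "Windows Server Update Service (WSUS)". The product name is Windows Server Update Services; use it in both places. "1: Enabled, Detect, download, and deploy" also has a stray capital and comma; "1: Enabled. Detect, download, and deploy ..." reads cleanly.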
@@ -3585,7 +3585,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates**
+**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates**
The table below shows the applicability of Windows:
@@ -3612,7 +3612,7 @@ The table below shows the applicability of Windows:
-Configure this policy to specify whether to receive Windows Feature Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
+Configure this policy to specify whether to receive Windows Feature Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
- SetPolicyDrivenUpdateSourceForQualityUpdates
@@ -3620,11 +3620,11 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify source service for specific classes of Windows Updates*
- GP name: *SetPolicyDrivenUpdateSourceForFeature*
- GP path: *Windows Components/Windows Update*
@@ -3634,8 +3634,8 @@ ADMX Info:
The following list shows the supported values:
-- 0: (Default) Detect, download, and deploy Feature Updates from Windows Update.
-- 1: Enabled, Detect, download, and deploy Feature Updates from Windows Server Update Server (WSUS).
+- 0: (Default) Detect, download, and deploy Feature Updates from Windows Update.
+- 1: Enabled, Detect, download, and deploy Feature Updates from Windows Server Update Server (WSUS).
@@ -3643,7 +3643,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForOtherUpdates**
+**Update/SetPolicyDrivenUpdateSourceForOtherUpdates**
The table below shows the applicability of Windows:
@@ -3670,7 +3670,7 @@ The table below shows the applicability of Windows:
-Configure this policy to specify whether to receive Other Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
+Configure this policy to specify whether to receive Other Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
- SetPolicyDrivenUpdateSourceForFeatureUpdates
@@ -3678,11 +3678,11 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForDriverUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify source service for specific classes of Windows Updates*
- GP name: *SetPolicyDrivenUpdateSourceForOther*
- GP path: *Windows Components/Windows Update*
@@ -3693,7 +3693,7 @@ ADMX Info:
The following list shows the supported values:
- 0: (Default) Detect, download, and deploy Other updates from Windows Update.
-- 1: Enabled, Detect, download, and deploy Other updates from Windows Server Update Server (WSUS).
+- 1: Enabled, Detect, download, and deploy Other updates from Windows Server Update Server (WSUS).
@@ -3701,7 +3701,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForQualityUpdates**
+**Update/SetPolicyDrivenUpdateSourceForQualityUpdates**
The table below shows the applicability of Windows:
@@ -3728,7 +3728,7 @@ The table below shows the applicability of Windows:
-Configure this policy to specify whether to receive Windows Quality Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
+Configure this policy to specify whether to receive Windows Quality Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server.
If you configure this policy, also configure the scan source policies for other update types:
- SetPolicyDrivenUpdateSourceForFeatureUpdates
@@ -3736,11 +3736,11 @@ If you configure this policy, also configure the scan source policies for other
- SetPolicyDrivenUpdateSourceForOtherUpdates
>[!NOTE]
->If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
+>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify source service for specific classes of Windows Updates*
- GP name: *SetPolicyDrivenUpdateSourceForQuality*
- GP path: *Windows Components/Windows Update*
@@ -3750,8 +3750,8 @@ ADMX Info:
The following list shows the supported values:
-- 0: (Default) Detect, download, and deploy Quality Updates from Windows Update.
-- 1: Enabled, Detect, download, and deploy Quality Updates from Windows Server Update Server (WSUS).
+- 0: (Default) Detect, download, and deploy Quality Updates from Windows Update.
+- 1: Enabled, Detect, download, and deploy Quality Updates from Windows Server Update Server (WSUS).
@@ -3759,7 +3759,7 @@ The following list shows the supported values:
-**Update/SetProxyBehaviorForUpdateDetection**
+**Update/SetProxyBehaviorForUpdateDetection**
The table below shows the applicability of Windows:
@@ -3792,7 +3792,7 @@ This policy setting doesn't impact those customers who have, per Microsoft recom
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select the proxy behavior for Windows Update client for detecting updates with non-TLS (HTTP) based service*
- GP name: *Select the proxy behavior*
- GP element: *Select the proxy behavior*
@@ -3804,7 +3804,7 @@ ADMX Info:
The following list shows the supported values:
- 0 (default) - Allow system proxy only for HTTP scans.
-- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails.
+- 1 - Allow user proxy to be used as a fallback if detection using system proxy fails.
> [!NOTE]
> Configuring this policy setting to 1 exposes your environment to potential security risk and makes scans unsecure.
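Review bot: The callout under the touched value 1 line is the only security caveat for this setting, and it is filed as `[!NOTE]` with the wording "makes scans unsecure". Promote it to a warning-level callout (the user-rights page in this same change uses `[!CAUTION]`) and say "insecure" or "less secure". It would also help to name the risk: per the GP friendly name above, this governs detection against a non-TLS (HTTP) based service, and value 1 lets the user proxy be used for those scans.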
@@ -3815,7 +3815,7 @@ The following list shows the supported values:
-**Update/TargetReleaseVersion**
+**Update/TargetReleaseVersion**
The table below shows the applicability of Windows:
@@ -3846,7 +3846,7 @@ Available in Windows 10, version 1803 and later. Enables IT administrators to sp
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Select the target Feature Update version*
- GP name: *TargetReleaseVersion*
- GP element: *TargetReleaseVersionInfo*
@@ -3868,7 +3868,7 @@ Supported value type is a string containing Windows 10 version number. For examp
-**Update/UpdateNotificationLevel**
+**Update/UpdateNotificationLevel**
The table below shows the applicability of Windows:
@@ -3897,7 +3897,7 @@ The table below shows the applicability of Windows:
Display options for update notifications. This policy allows you to define what Windows Update notifications users see. This policy doesn't control how and when updates are downloaded and installed.
-Options:
+Options:
- 0 (default) - Use the default Windows Update notifications.
- 1 - Turn off all notifications, excluding restart warnings.
@@ -3908,7 +3908,7 @@ Options:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Display options for update notifications*
- GP name: *UpdateNotificationLevel*
- GP path: *Windows Components/Windows Update*
@@ -3929,7 +3929,7 @@ ADMX Info:
-**Update/UpdateServiceUrl**
+**Update/UpdateServiceUrl**
The table below shows the applicability of Windows:
@@ -3965,7 +3965,7 @@ Supported operations are Get and Replace.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify intranet Microsoft update service location*
- GP name: *CorpWuURL*
- GP element: *CorpWUURL_Name*
@@ -4005,7 +4005,7 @@ Example
-**Update/UpdateServiceUrlAlternate**
+**Update/UpdateServiceUrlAlternate**
The table below shows the applicability of Windows:
@@ -4041,13 +4041,13 @@ To use this setting, you must set two server name values: the server from which
Supported value type is string and the default value is an empty string, "". If the setting isn't configured, and if Automatic Updates isn't disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!NOTE]
-> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
-> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
+> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
+> If the "Alternate Download Server" Group Policy isn't set, it will use the WSUS server by default to download updates.
> This policy isn't supported on Windows RT. Setting this policy won't have any effect on Windows RT PCs.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify intranet Microsoft update service location*
- GP name: *CorpWuURL*
- GP element: *CorpWUContentHost_Name*
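Review bot: The two touched lines inside the `[!NOTE]` block differ from their `-` counterparts only in trailing whitespace. If the removed characters were Markdown's two-space hard break, the three sentences of the note will now render as a single paragraph. Check the rendered output, and if the breaks are wanted, separate the sentences with a bare `>` line or turn them into a `> -` list so the layout does not depend on invisible whitespace.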
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index 628076c675..a4779f0075 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 11/24/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -50,7 +50,7 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
```xml
*S-1-5-32-544
```
-
+
- Grant a user right to multiple groups (Administrators, Authenticated Users) via SID:
```xml
*S-1-5-32-544*S-1-5-11
@@ -60,7 +60,7 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
```xml
*S-1-5-32-544Authenticated Users
```
-
+
- Grant a user right to multiple groups (Authenticated Users, Administrators) via strings:
```xml
Authenticated UsersAdministrators
@@ -70,7 +70,7 @@ Here are examples of data fields. The encoded 0xF000 is the standard delimiter/s
```xml
```
-
+
If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.
> [!NOTE]
@@ -441,9 +441,9 @@ This user right determines which users and groups can change the time and date o
> [!CAUTION]
> Configuring user rights replaces existing users or groups previously assigned to those user rights. The system requires that Local Service account (SID S-1-5-19) always has the ChangeSystemTime right. Therefore, Local Service must always be specified in addition to any other accounts being configured in this policy.
->
+>
> Not including the Local Service account will result in failure with the following error:
->
+>
> | Error code | Symbolic name | Error description | Header |
> |----------|----------|----------|----------|
> | 0x80070032 (Hex)|ERROR_NOT_SUPPORTED|The request isn't supported.| winerror.h |
@@ -965,7 +965,7 @@ Assigning this user right to a user allows programs running on behalf of that us
> Assigning this user right can be a security risk. Assign this user right to trusted users only.
> [!NOTE]
-> By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+> By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
1. The access token that is being impersonated is for this user.
1. The user, in this sign-in session, created the access token by signing in to the network with explicit credentials.
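Review bot: The touched note line ends with "if any of the following conditions exist.", but the numbered conditions that follow are not prefixed with `>`, so they fall outside the `[!NOTE]` block and the note ends on a dangling reference. Either prefix the list items with `>` so they stay in the callout, or end the sentence with a colon and move it out of the note together with the list.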
diff --git a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
index 1647ce615c..11630b2ae4 100644
--- a/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
+++ b/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 11/25/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -31,7 +31,7 @@ manager: aaroncz
-**VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity**
+**VirtualizationBasedTechnology/HypervisorEnforcedCodeIntegrity**
The table below shows the applicability of Windows:
@@ -82,7 +82,7 @@ The following are the supported values:
-**VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable**
+**VirtualizationBasedTechnology/RequireUEFIMemoryAttributesTable**
The table below shows the applicability of Windows:
diff --git a/windows/client-management/mdm/policy-csp-wifi.md b/windows/client-management/mdm/policy-csp-wifi.md
index 8d71416429..6c4a95d9d8 100644
--- a/windows/client-management/mdm/policy-csp-wifi.md
+++ b/windows/client-management/mdm/policy-csp-wifi.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -18,7 +18,7 @@ manager: aaroncz
-## Wifi policies
+## Wifi policies
-
@@ -48,7 +48,7 @@ manager: aaroncz
-**WiFi/AllowWiFiHotSpotReporting**
+**WiFi/AllowWiFiHotSpotReporting**
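Review bot: This heading uses the area name `WiFi/`, while every other policy heading touched in this file (`Wifi/AllowAutoConnectToWiFiSenseHotspots`, `Wifi/AllowInternetSharing`, and so on) and the section title "Wifi policies" use `Wifi`. Since readers copy these paths from the headings, make the casing consistent across the file while the line is being touched.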
@@ -61,7 +61,7 @@ This policy has been deprecated.
-**Wifi/AllowAutoConnectToWiFiSenseHotspots**
+**Wifi/AllowAutoConnectToWiFiSenseHotspots**
@@ -93,7 +93,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services*
- GP name: *WiFiSense*
- GP path: *Network/WLAN Service/WLAN Settings*
@@ -112,7 +112,7 @@ The following list shows the supported values:
-**Wifi/AllowInternetSharing**
+**Wifi/AllowInternetSharing**
@@ -144,7 +144,7 @@ Most restricted value is 0.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prohibit use of Internet Connection Sharing on your DNS domain network*
- GP name: *NC_ShowSharedAccessUI*
- GP path: *Network/Network Connections*
@@ -163,7 +163,7 @@ The following list shows the supported values:
-**Wifi/AllowManualWiFiConfiguration**
+**Wifi/AllowManualWiFiConfiguration**
@@ -209,7 +209,7 @@ The following list shows the supported values:
-**Wifi/AllowWiFi**
+**Wifi/AllowWiFi**
@@ -252,7 +252,7 @@ The following list shows the supported values:
-**Wifi/AllowWiFiDirect**
+**Wifi/AllowWiFiDirect**
@@ -293,7 +293,7 @@ The following list shows the supported values:
-**Wifi/WLANScanMode**
+**Wifi/WLANScanMode**
diff --git a/windows/client-management/mdm/policy-csp-windowsautopilot.md b/windows/client-management/mdm/policy-csp-windowsautopilot.md
index 80be71fb1a..9ced4af382 100644
--- a/windows/client-management/mdm/policy-csp-windowsautopilot.md
+++ b/windows/client-management/mdm/policy-csp-windowsautopilot.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 11/25/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -19,7 +19,7 @@ manager: aaroncz
-## WindowsAutoPilot policies
+## WindowsAutoPilot policies
-
@@ -31,7 +31,7 @@ manager: aaroncz
-**WindowsAutoPilot/EnableAgilityPostEnrollment**
+**WindowsAutoPilot/EnableAgilityPostEnrollment**
diff --git a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
index 874ba7b1ce..cac7ae5d62 100644
--- a/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
+++ b/windows/client-management/mdm/policy-csp-windowsdefendersecuritycenter.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -18,7 +18,7 @@ manager: aaroncz
-## WindowsDefenderSecurityCenter policies
+## WindowsDefenderSecurityCenter policies
-
@@ -92,7 +92,7 @@ manager: aaroncz
-**WindowsDefenderSecurityCenter/CompanyName**
+**WindowsDefenderSecurityCenter/CompanyName**
The table below shows the applicability of Windows:
@@ -121,13 +121,13 @@ The table below shows the applicability of Windows:
The company name that is displayed to the users. CompanyName is required for both EnableCustomizedToasts and EnableInAppCustomization. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display the contact options.
-- Supported value type is string.
+- Supported value type is string.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify contact company name*
- GP name: *EnterpriseCustomization_CompanyName*
- GP element: *Presentation_EnterpriseCustomization_CompanyName*
@@ -140,7 +140,7 @@ ADMX Info:
-**WindowsDefenderSecurityCenter/DisableAccountProtectionUI**
+**WindowsDefenderSecurityCenter/DisableAccountProtectionUI**
The table below shows the applicability of Windows:
@@ -171,7 +171,7 @@ Use this policy setting to specify if to display the Account protection area in
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the Account protection area*
- GP name: *AccountProtection_UILockdown*
- GP path: *Windows Components/Windows Defender Security Center/Account protection*
@@ -190,7 +190,7 @@ Valid values:
-**WindowsDefenderSecurityCenter/DisableAppBrowserUI**
+**WindowsDefenderSecurityCenter/DisableAppBrowserUI**
The table below shows the applicability of Windows:
@@ -219,12 +219,12 @@ The table below shows the applicability of Windows:
Use this policy setting if you want to disable the display of the app and browser protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the App and browser protection area*
- GP name: *AppBrowserProtection_UILockdown*
- GP path: *Windows Components/Windows Defender Security Center/App and browser protection*
@@ -243,7 +243,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/DisableClearTpmButton**
+**WindowsDefenderSecurityCenter/DisableClearTpmButton**
The table below shows the applicability of Windows:
@@ -283,7 +283,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Disable the Clear TPM button*
- GP name: *DeviceSecurity_DisableClearTpmButton*
- GP path: *Windows Components/Windows Security/Device security*
@@ -304,7 +304,7 @@ ADMX Info:
-**WindowsDefenderSecurityCenter/DisableDeviceSecurityUI**
+**WindowsDefenderSecurityCenter/DisableDeviceSecurityUI**
The table below shows the applicability of Windows:
@@ -335,7 +335,7 @@ Use this policy setting if you want to disable the display of the Device securit
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the Device security area*
- GP name: *DeviceSecurity_UILockdown*
- GP path: *Windows Components/Windows Defender Security Center/Device security*
@@ -354,7 +354,7 @@ Valid values:
-**WindowsDefenderSecurityCenter/DisableEnhancedNotifications**
+**WindowsDefenderSecurityCenter/DisableEnhancedNotifications**
The table below shows the applicability of Windows:
@@ -386,12 +386,12 @@ Use this policy if you want Windows Defender Security Center to only display not
> [!NOTE]
> If Suppress notification is enabled then users won't see critical or non-critical messages.
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide non-critical notifications*
- GP name: *Notifications_DisableEnhancedNotifications*
- GP path: *Windows Components/Windows Defender Security Center/Notifications*
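Review bot: The note's "If Suppress notification is enabled" does not name any policy documented in this file, so a reader cannot tell which setting overrides DisableEnhancedNotifications. If it means WindowsDefenderSecurityCenter/DisableNotifications (GP friendly name "Hide all notifications"), refer to it by that name; the sentence also needs a comma before "then".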
@@ -410,7 +410,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/DisableFamilyUI**
+**WindowsDefenderSecurityCenter/DisableFamilyUI**
The table below shows the applicability of Windows:
@@ -439,12 +439,12 @@ The table below shows the applicability of Windows:
Use this policy setting if you want to disable the display of the family options area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the Family options area*
- GP name: *FamilyOptions_UILockdown*
- GP path: *Windows Components/Windows Defender Security Center/Family options*
@@ -463,7 +463,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/DisableHealthUI**
+**WindowsDefenderSecurityCenter/DisableHealthUI**
The table below shows the applicability of Windows:
@@ -492,12 +492,12 @@ The table below shows the applicability of Windows:
Use this policy setting if you want to disable the display of the device performance and health area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the Device performance and health area*
- GP name: *DevicePerformanceHealth_UILockdown*
- GP path: *Windows Components/Windows Defender Security Center/Device performance and health*
@@ -516,7 +516,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/DisableNetworkUI**
+**WindowsDefenderSecurityCenter/DisableNetworkUI**
The table below shows the applicability of Windows:
@@ -545,12 +545,12 @@ The table below shows the applicability of Windows:
Use this policy setting if you want to disable the display of the firewall and network protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the Firewall and network protection area*
- GP name: *FirewallNetworkProtection_UILockdown*
- GP path: *Windows Components/Windows Defender Security Center/Firewall and network protection*
@@ -569,7 +569,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/DisableNotifications**
+**WindowsDefenderSecurityCenter/DisableNotifications**
The table below shows the applicability of Windows:
@@ -598,12 +598,12 @@ The table below shows the applicability of Windows:
Use this policy setting if you want to disable the display of Windows Defender Security Center notifications. If you disable or don't configure this setting, Windows Defender Security Center notifications will display on devices.
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide all notifications*
- GP name: *Notifications_DisableNotifications*
- GP path: *Windows Components/Windows Defender Security Center/Notifications*
@@ -622,7 +622,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning**
+**WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning**
The table below shows the applicability of Windows:
@@ -662,7 +662,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the TPM Firmware Update recommendation.*
- GP name: *DeviceSecurity_DisableTpmFirmwareUpdateWarning*
- GP path: *Windows Components/Windows Security/Device security*
@@ -683,7 +683,7 @@ ADMX Info:
-**WindowsDefenderSecurityCenter/DisableVirusUI**
+**WindowsDefenderSecurityCenter/DisableVirusUI**
The table below shows the applicability of Windows:
@@ -712,12 +712,12 @@ The table below shows the applicability of Windows:
Use this policy setting if you want to disable the display of the virus and threat protection area in Windows Defender Security Center. If you disable or don't configure this setting, Windows Defender Security Center will display this area.
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the Virus and threat protection area*
- GP name: *VirusThreatProtection_UILockdown*
- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection*
@@ -736,7 +736,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride**
+**WindowsDefenderSecurityCenter/DisallowExploitProtectionOverride**
The table below shows the applicability of Windows:
@@ -765,12 +765,12 @@ The table below shows the applicability of Windows:
Prevent users from making changes to the exploit protection settings area in the Windows Defender Security Center. If you disable or don't configure this setting, local users can make changes in the exploit protection settings area.
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Prevent users from modifying settings*
- GP name: *AppBrowserProtection_DisallowExploitProtectionOverride*
- GP path: *Windows Components/Windows Defender Security Center/App and browser protection*
@@ -789,7 +789,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/Email**
+**WindowsDefenderSecurityCenter/Email**
The table below shows the applicability of Windows:
@@ -818,12 +818,12 @@ The table below shows the applicability of Windows:
The email address that is displayed to users. The default mail application is used to initiate email actions. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options.
-- Supported value type is string.
+- Supported value type is string.
- Supported operations are Add, Get, Replace and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify contact email address or Email ID*
- GP name: *EnterpriseCustomization_Email*
- GP element: *Presentation_EnterpriseCustomization_Email*
@@ -836,7 +836,7 @@ ADMX Info:
-**WindowsDefenderSecurityCenter/EnableCustomizedToasts**
+**WindowsDefenderSecurityCenter/EnableCustomizedToasts**
The table below shows the applicability of Windows:
@@ -865,12 +865,12 @@ The table below shows the applicability of Windows:
Enable this policy to display your company name and contact options in the notifications. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center will display a default notification text.
-- Supported value type is integer.
+- Supported value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure customized notifications*
- GP name: *EnterpriseCustomization_EnableCustomizedToasts*
- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
@@ -889,7 +889,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/EnableInAppCustomization**
+**WindowsDefenderSecurityCenter/EnableInAppCustomization**
The table below shows the applicability of Windows:
@@ -918,12 +918,12 @@ The table below shows the applicability of Windows:
Enable this policy to have your company name and contact options displayed in a contact card fly out in Windows Defender Security Center. If you disable or don't configure this setting, or don't provide CompanyName and a minimum of one contact method (Phone using Skype, Email, Help portal URL) Windows Defender Security Center won't display the contact card fly out notification.
-- Support value type is integer.
+- Support value type is integer.
- Supported operations are Add, Get, Replace, and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Configure customized contact information*
- GP name: *EnterpriseCustomization_EnableInAppCustomization*
- GP path: *Windows Components/Windows Defender Security Center/Enterprise Customization*
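Review bot: The bullet under the EnableInAppCustomization description reads "Support value type is integer." on both the removed and the added line, while every sibling policy in this file says "Supported value type". Fix the word while the line is being rewritten anyway.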
@@ -942,7 +942,7 @@ The following list shows the supported values:
-**WindowsDefenderSecurityCenter/HideRansomwareDataRecovery**
+**WindowsDefenderSecurityCenter/HideRansomwareDataRecovery**
The table below shows the applicability of Windows:
@@ -973,7 +973,7 @@ Use this policy setting to hide the Ransomware data recovery area in Windows Def
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the Ransomware data recovery area*
- GP name: *VirusThreatProtection_HideRansomwareRecovery*
- GP path: *Windows Components/Windows Defender Security Center/Virus and threat protection*
@@ -992,7 +992,7 @@ Valid values:
-**WindowsDefenderSecurityCenter/HideSecureBoot**
+**WindowsDefenderSecurityCenter/HideSecureBoot**
The table below shows the applicability of Windows:
@@ -1023,7 +1023,7 @@ Use this policy to hide the Secure boot area in the Windows Defender Security Ce
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the Secure boot area*
- GP name: *DeviceSecurity_HideSecureBoot*
- GP path: *Windows Components/Windows Defender Security Center/Device security*
@@ -1042,7 +1042,7 @@ Valid values:
-**WindowsDefenderSecurityCenter/HideTPMTroubleshooting**
+**WindowsDefenderSecurityCenter/HideTPMTroubleshooting**
The table below shows the applicability of Windows:
@@ -1073,7 +1073,7 @@ Use this policy to hide the Security processor (TPM) troubleshooting area in the
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide the Security processor (TPM) troubleshooter page*
- GP name: *DeviceSecurity_HideTPMTroubleshooting*
- GP path: *Windows Components/Windows Defender Security Center/Device security*
@@ -1092,7 +1092,7 @@ Valid values:
-**WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl**
+**WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl**
The table below shows the applicability of Windows:
@@ -1134,7 +1134,7 @@ Supported values:
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Hide Windows Security Systray*
- GP name: *Systray_HideSystray*
- GP path: *Windows Components/Windows Security/Systray*
@@ -1155,7 +1155,7 @@ ADMX Info:
-**WindowsDefenderSecurityCenter/Phone**
+**WindowsDefenderSecurityCenter/Phone**
The table below shows the applicability of Windows:
@@ -1184,12 +1184,12 @@ The table below shows the applicability of Windows:
The phone number or Skype ID that is displayed to users. Skype is used to initiate the call. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then devices won't display contact options.
-- Supported value type is string.
+- Supported value type is string.
- Supported operations are Add, Get, Replace, and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify contact phone number or Skype ID*
- GP name: *EnterpriseCustomization_Phone*
- GP element: *Presentation_EnterpriseCustomization_Phone*
@@ -1202,7 +1202,7 @@ ADMX Info:
-**WindowsDefenderSecurityCenter/URL**
+**WindowsDefenderSecurityCenter/URL**
The table below shows the applicability of Windows:
@@ -1231,12 +1231,12 @@ The table below shows the applicability of Windows:
The help portal URL that is displayed to users. The default browser is used to initiate this action. If you disable or don't configure this setting, or don't have EnableCustomizedToasts or EnableInAppCustomization enabled, then the device won't display contact options.
-- Supported value type is string.
+- Supported value type is string.
- Supported operations are Add, Get, Replace, and Delete.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Specify contact website*
- GP name: *EnterpriseCustomization_URL*
- GP element: *Presentation_EnterpriseCustomization_URL*
diff --git a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
index 6879085541..97e61809eb 100644
--- a/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
+++ b/windows/client-management/mdm/policy-csp-windowsinkworkspace.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## WindowsInkWorkspace policies
+## WindowsInkWorkspace policies
-
@@ -31,7 +31,7 @@ manager: aaroncz
-**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
+**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace**
The table below shows the applicability of Windows:
@@ -62,7 +62,7 @@ Show recommended app suggestions in the ink workspace.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow suggested apps in Windows Ink Workspace*
- GP name: *AllowSuggestedAppsInWindowsInkWorkspace*
- GP path: *Windows Components/Windows Ink Workspace*
@@ -81,7 +81,7 @@ The following list shows the supported values:
-**WindowsInkWorkspace/AllowWindowsInkWorkspace**
+**WindowsInkWorkspace/AllowWindowsInkWorkspace**
The table below shows the applicability of Windows:
@@ -112,7 +112,7 @@ Specifies whether to allow the user to access the ink workspace.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow Windows Ink Workspace*
- GP name: *AllowWindowsInkWorkspace*
- GP element: *AllowWindowsInkWorkspaceDropdown*
diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md
index b66b784a64..614d5d9496 100644
--- a/windows/client-management/mdm/policy-csp-windowssandbox.md
+++ b/windows/client-management/mdm/policy-csp-windowssandbox.md
@@ -16,7 +16,7 @@ ms.date: 10/14/2020
-## WindowsSandbox policies
+## WindowsSandbox policies
-
@@ -71,14 +71,14 @@ The table below shows the applicability of Windows:
-This policy setting allows the IT admin to enable or disable audio input to the Sandbox.
+This policy setting allows the IT admin to enable or disable audio input to the Sandbox.
> [!NOTE]
> There may be security implications of exposing host audio input to the container.
-If this policy isn't configured, end-users get the default behavior (audio input enabled).
+If this policy isn't configured, end-users get the default behavior (audio input enabled).
-If audio input is disabled, a user won't be able to enable audio input from their own configuration file.
+If audio input is disabled, a user won't be able to enable audio input from their own configuration file.
If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure.
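Review bot: The note in this hunk warns that exposing host audio input to the container may have security implications, yet the next paragraph says the unconfigured default is audio input enabled, and nothing here tells the admin which value is the restrictive one. The Wifi/ policies earlier in this patch carry a "Most restricted value is 0." line; an equivalent sentence here would make the hardening choice explicit.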
@@ -91,12 +91,12 @@ ADMX Info:
- GP Friendly name: *Allow audio input in Windows Sandbox*
- GP name: *AllowAudioInput*
-- GP path: *Windows Components/Windows Sandbox*
+- GP path: *Windows Components/Windows Sandbox*
- GP ADMX file name: *WindowsSandbox.admx*
-The following are the supported values:
+The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
@@ -114,7 +114,7 @@ The following are the supported values:
-**WindowsSandbox/AllowClipboardRedirection**
+**WindowsSandbox/AllowClipboardRedirection**
Available in the latest Windows 10 insider preview build.
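Review bot: The context line right after the `**WindowsSandbox/AllowClipboardRedirection**` label, "Available in the latest Windows 10 insider preview build.", is relative wording that stops being accurate once another build ships. The same sentence follows the AllowNetworking, AllowPrinterRedirection, AllowVGPU and AllowVideoInput labels in this file. Since these labels are being touched, replace it with the specific version or build in which each policy was introduced.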
@@ -145,9 +145,9 @@ The table below shows the applicability of Windows:
This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox.
-If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled).
+If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled).
-If clipboard sharing is disabled, a user won't be able to enable clipboard sharing from their own configuration file.
+If clipboard sharing is disabled, a user won't be able to enable clipboard sharing from their own configuration file.
If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure.
@@ -165,7 +165,7 @@ ADMX Info:
-The following are the supported values:
+The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
@@ -183,7 +183,7 @@ The following are the supported values:
-**WindowsSandbox/AllowNetworking**
+**WindowsSandbox/AllowNetworking**
Available in the latest Windows 10 insider preview build.
@@ -234,7 +234,7 @@ ADMX Info:
-The following are the supported values:
+The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
@@ -250,7 +250,7 @@ The following are the supported values:
-**WindowsSandbox/AllowPrinterRedirection**
+**WindowsSandbox/AllowPrinterRedirection**
Available in the latest Windows 10 insider preview build.
@@ -281,9 +281,9 @@ The table below shows the applicability of Windows:
This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox.
-If this policy isn't configured, end-users get the default behavior (printer sharing disabled).
+If this policy isn't configured, end-users get the default behavior (printer sharing disabled).
-If printer sharing is disabled, a user won't be able to enable printer sharing from their own configuration file.
+If printer sharing is disabled, a user won't be able to enable printer sharing from their own configuration file.
If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure.
@@ -296,7 +296,7 @@ ADMX Info:
- GP Friendly name: *Allow printer sharing with Windows Sandbox*
- GP name: *AllowPrinterRedirection*
-- GP path: *Windows Components/Windows Sandbox*
+- GP path: *Windows Components/Windows Sandbox*
- GP ADMX file name: *WindowsSandbox.admx*
@@ -318,7 +318,7 @@ The following are the supported values:
-**WindowsSandbox/AllowVGPU**
+**WindowsSandbox/AllowVGPU**
Available in the latest Windows 10 insider preview build.
@@ -350,11 +350,11 @@ The table below shows the applicability of Windows:
This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox.
> [!NOTE]
-> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox.
+> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox.
-If this policy isn't configured, end-users get the default behavior (vGPU is disabled).
+If this policy isn't configured, end-users get the default behavior (vGPU is disabled).
-If vGPU is disabled, a user won't be able to enable vGPU support from their own configuration file.
+If vGPU is disabled, a user won't be able to enable vGPU support from their own configuration file.
If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure.
@@ -389,7 +389,7 @@ The following are the supported values:
-**WindowsSandbox/AllowVideoInput**
+**WindowsSandbox/AllowVideoInput**
Available in the latest Windows 10 insider preview build.
@@ -418,14 +418,14 @@ The table below shows the applicability of Windows:
-This policy setting allows the IT admin to enable or disable video input to the Sandbox.
+This policy setting allows the IT admin to enable or disable video input to the Sandbox.
> [!NOTE]
> There may be security implications of exposing host video input to the container.
-If this policy isn't configured, users get the default behavior (video input disabled).
+If this policy isn't configured, users get the default behavior (video input disabled).
-If video input is disabled, users won't be able to enable video input from their own configuration file.
+If video input is disabled, users won't be able to enable video input from their own configuration file.
If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure.
@@ -434,7 +434,7 @@ If video input is enabled, users will be able to disable video input from their
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Allow video input in Windows Sandbox*
- GP name: *AllowVideoInput*
- GP path: *Windows Components/Windows Sandbox*
diff --git a/windows/client-management/mdm/policy-csp-wirelessdisplay.md b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
index 1c50ab927a..b290aca34c 100644
--- a/windows/client-management/mdm/policy-csp-wirelessdisplay.md
+++ b/windows/client-management/mdm/policy-csp-wirelessdisplay.md
@@ -8,7 +8,7 @@ ms.technology: windows
author: vinaypamnani-msft
ms.localizationpriority: medium
ms.date: 09/27/2019
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -17,7 +17,7 @@ manager: aaroncz
-## WirelessDisplay policies
+## WirelessDisplay policies
-
@@ -53,7 +53,7 @@ manager: aaroncz
-**WirelessDisplay/AllowMdnsAdvertisement**
+**WirelessDisplay/AllowMdnsAdvertisement**
The table below shows the applicability of Windows:
@@ -95,7 +95,7 @@ The following list shows the supported values:
-**WirelessDisplay/AllowMdnsDiscovery**
+**WirelessDisplay/AllowMdnsDiscovery**
The table below shows the applicability of Windows:
@@ -137,7 +137,7 @@ The following list shows the supported values:
-**WirelessDisplay/AllowMovementDetectionOnInfrastructure**
+**WirelessDisplay/AllowMovementDetectionOnInfrastructure**
The table below shows the applicability of Windows:
@@ -186,7 +186,7 @@ The following list shows the supported values:
-**WirelessDisplay/AllowProjectionFromPC**
+**WirelessDisplay/AllowProjectionFromPC**
The table below shows the applicability of Windows:
@@ -228,7 +228,7 @@ The following list shows the supported values:
-**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**
+**WirelessDisplay/AllowProjectionFromPCOverInfrastructure**
The table below shows the applicability of Windows:
@@ -270,7 +270,7 @@ The following list shows the supported values:
-**WirelessDisplay/AllowProjectionToPC**
+**WirelessDisplay/AllowProjectionToPC**
The table below shows the applicability of Windows:
@@ -305,7 +305,7 @@ Supported value type is integer.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Don't allow this PC to be projected to*
- GP name: *AllowProjectionToPC*
- GP path: *Windows Components/Connect*
@@ -324,7 +324,7 @@ The following list shows the supported values:
-**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
+**WirelessDisplay/AllowProjectionToPCOverInfrastructure**
The table below shows the applicability of Windows:
@@ -366,7 +366,7 @@ The following list shows the supported values:
-**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
+**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver**
The table below shows the applicability of Windows:
@@ -408,7 +408,7 @@ The following list shows the supported values:
-**WirelessDisplay/RequirePinForPairing**
+**WirelessDisplay/RequirePinForPairing**
The table below shows the applicability of Windows:
@@ -443,7 +443,7 @@ Supported value type is integer.
-ADMX Info:
+ADMX Info:
- GP Friendly name: *Require pin for pairing*
- GP name: *RequirePinForPairing*
- GP path: *Windows Components/Connect*
diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md
index 16bce236f5..02c1258009 100644
--- a/windows/client-management/mdm/policy-ddf-file.md
+++ b/windows/client-management/mdm/policy-ddf-file.md
@@ -1,7 +1,7 @@
---
title: Policy DDF file
description: Learn about the OMA DM device description framework (DDF) for the Policy configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md
index 5b0882d135..1b640b1ba3 100644
--- a/windows/client-management/mdm/provisioning-csp.md
+++ b/windows/client-management/mdm/provisioning-csp.md
@@ -1,7 +1,7 @@
---
title: Provisioning CSP
description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index 78bb60896b..4ea8a6d805 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -1,7 +1,7 @@
---
title: PXLOGICAL configuration service provider
description: The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -69,76 +69,76 @@ PXLOGICAL
```
-**PXPHYSICAL**
+**PXPHYSICAL**
Defines a group of logical proxy settings.
The element's mwid attribute is a Microsoft provisioning XML attribute, and is optional when adding a NAP or a proxy. It's required when updating and deleting existing NAPs and proxies and must have its value set to 1.
-**DOMAIN**
+**DOMAIN**
Specifies the domain associated with the proxy (for example, "\*.com").
A Windows device supports only one proxy that doesn't have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon-delimited string of all domains associated with the proxy.
-**NAME**
+**NAME**
Specifies the name of the logical proxy.
When a list of proxies is displayed to the user they're displayed together in a single line, so the length of this value should be short for readability.
-**PORT**
+**PORT**
Defines the bindings between a port number and one or more protocols or services.
This configuration service provider can accept a maximum of two ports per physical proxy. A query of this characteristic returns information relating only to the first port.
-**PORTNBR**
+**PORTNBR**
Specifies the port number associated with some services on this proxy.
If the PORTNBR is 80 or 443, or the PORT characteristic is missing, it's treated as an HTTP proxy.
-**SERVICE**
+**SERVICE**
Specifies the service associated with the port number.
Windows supports accepting WAP push connectionless sessions over a Short Message Service (SMS) bearer for WAP push messages. Internet Explore uses HTTP protocol, not WAP proxy. A query of this parameter returns a semicolon-delimited string of services for only the first port.
-**PUSHENABLED**
+**PUSHENABLED**
Specifies whether or not push operations are enabled.
If this element is used in PXLOGICAL, it applies to all of the PXPHYSICAL elements embedded in the PXLOGICAL element. A value of "0" indicates that the proxy doesn't support push operations. A value of "1" indicates that the proxy supports push operations.
-**PROXY-ID**
+**PROXY-ID**
Used during initial bootstrapping. Specifies the unique identifier of the logical proxy.
-***PROXY-ID***
+***PROXY-ID***
Used during bootstrapping updates. Specifies the unique identifier of the logical proxy.
The name of the **PROXY-ID** element is the same as the value passed during initial bootstrapping.
-**TRUST**
+**TRUST**
Specifies whether or not the physical proxies in this logical proxy are privileged. The SECPOLICY\_TRUSTED\_WAP\_PROXY security policy (4121) governs what roles can set this element.
-**PXPHYSICAL**
+**PXPHYSICAL**
Defines a group of physical proxy settings associated with the parent logical proxy.
The element's mwid attribute is a Microsoft provisioning XML attribute, and is optional when adding a NAP or a proxy. It's required when updating and deleting existing NAPs and proxies and must have its value set to 1.
-**PHYSICAL-PROXY-ID**
+**PHYSICAL-PROXY-ID**
Used during initial bootstrapping. Specifies the identifier of the physical proxy.
When a list of proxies is displayed to the user they're displayed together in a single line, so the length of this value should be short for readability.
-***PHYSICAL-PROXY-ID***
+***PHYSICAL-PROXY-ID***
Used during bootstrapping updates. Specifies the identifier of the physical proxy.
The name of the **PHYSICAL-PROXY-ID** element is the same as the value passed during initial bootstrapping.
-**PXADDR**
+**PXADDR**
Specifies the address of the physical proxy.
-**PXADDRTYPE**
+**PXADDRTYPE**
Specifies the format and protocol of the PXADDR element for a physical proxy.
The only values supported are "E164" and "IPv4".
-**TO-NAPID**
+**TO-NAPID**
Specifies the network access point associated with this physical proxy. Only one per proxy is supported.
If **TO-NAPID** is used, the NAP whose **NAPID** is referred to by **TO-NAPID** must also be added.
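Review bot: The SERVICE description in this hunk still reads "Internet Explore uses HTTP protocol, not WAP proxy"; since the change already touches this block, correct it to "Internet Explorer uses the HTTP protocol". Also check the PHYSICAL-PROXY-ID entry. It repeats the NAME entry's sentence about proxies being "displayed together in a single line", which reads like a paste from NAME rather than something that applies to an identifier. Every -/+ pair shown here is otherwise textually identical, so the commit message should state that the change is whitespace-only.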
diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md
index 50bb03819f..d14e5831c0 100644
--- a/windows/client-management/mdm/reboot-csp.md
+++ b/windows/client-management/mdm/reboot-csp.md
@@ -1,7 +1,7 @@
---
title: Reboot CSP
description: Learn how the Reboot configuration service provider (CSP) is used to configure reboot settings.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -37,13 +37,13 @@ Reboot
--------DailyRecurrent
```
-**./Vendor/MSFT/Reboot**
+**./Vendor/MSFT/Reboot**
The root node for the Reboot configuration service provider.
The supported operation is Get.
-**RebootNow**
+**RebootNow**
This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.
@@ -52,13 +52,13 @@ This node executes a reboot of the device. RebootNow triggers a reboot within 5
The supported operations are Execute and Get.
-**Schedule**
+**Schedule**
The supported operation is Get.
-**Schedule/Single**
+**Schedule/Single**
-This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required.
+This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required.
Example to configure: 2018-10-25T18:00:00
Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00.
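Review bot: The Schedule/Single text gives two different ways to clear a schedule and justifies the second incorrectly. It says "Setting a null (empty) date will delete the existing schedule" and then that the representation "needs to be 0000-00-00T00:00:00" in accordance with ISO 8601, but month 00 and day 00 are not valid ISO 8601 calendar values. Suggest stating the single value the node actually accepts to delete the schedule and describing it as a sentinel rather than as an ISO 8601 date.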
@@ -66,9 +66,9 @@ Setting a null (empty) date will delete the existing schedule. In accordance wit
- The supported operations are Get, Add, Replace, and Delete.
- The supported data type is "String".
-**Schedule/DailyRecurrent**
+**Schedule/DailyRecurrent**
-This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
+This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00.
Example to configure: 2018-10-25T18:00:00
- The supported operations are Get, Add, Replace, and Delete.
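Review bot: In Schedule/DailyRecurrent the configured example ("2018-10-25T18:00:00") has no UTC offset while the value the CSP returns ("2018-06-29T10:00:00+01:00") has one, and the text doesn't say whether an offset-less value is interpreted as device-local time or UTC. That ambiguity decides when managed devices reboot, so it should be stated. Minor: this entry writes "ISO8601" where Schedule/Single writes "**ISO 8601**"; use one form.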
diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md
index 3628eaf7e4..f0e0c0718f 100644
--- a/windows/client-management/mdm/reboot-ddf-file.md
+++ b/windows/client-management/mdm/reboot-ddf-file.md
@@ -1,7 +1,7 @@
---
title: Reboot DDF file
description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md
index 96140781af..18db6e62b6 100644
--- a/windows/client-management/mdm/remotefind-csp.md
+++ b/windows/client-management/mdm/remotefind-csp.md
@@ -1,7 +1,7 @@
---
title: RemoteFind CSP
description: The RemoteFind configuration service provider retrieves the location information for a particular device.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -41,34 +41,34 @@ RemoteFind
--------AltitudeAccuracy
--------Age
```
-**DesiredAccuracy**
+**DesiredAccuracy**
Optional. The node accepts the requested radius value in meters. Valid values for accuracy are any value between 1 and 1000 meters.
The default value is 50. Replacing this value only replaces it for the current session. The value isn't retained.
-- Supported operations are Replace and Get.
+- Supported operations are Replace and Get.
- The Add command isn't supported.
-**Timeout**
+**Timeout**
Optional. Value is DWORD in seconds.
The default value is 7, and the range is 0 to 1800 seconds. Replacing this value only replaces it for the current session. The value isn't retained.
-- Supported operations are Replace and Get.
+- Supported operations are Replace and Get.
- The Add command isn't supported.
-**MaximumAge**
+**MaximumAge**
Optional. The value represents the desired time window in minutes that the server will accept a successful location retrieval. The node enables the server to set the requested age value in 100 nanoseconds. Valid values for accuracy include any integer value between 0 and 1440 minutes.
The default value is 60. Replacing this value only replaces it for the current session. The value isn't retained.
-- Supported operations are Replace and Get.
+- Supported operations are Replace and Get.
- The Add command isn't supported.
-**Location**
+**Location**
Required. Nodes under this path must be queried atomically in order to succeed. This condition is to prevent servers from querying incomplete sets of data.
-**Latitude**
+**Latitude**
Required. Provides the latitude of the last successful remote find.
The value returned is double.
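Review bot: The MaximumAge description in this hunk contradicts itself on units. It says the window is "in minutes", then that the node sets the age value "in 100 nanoseconds", then gives the range as "between 0 and 1440 minutes", and that last sentence says "Valid values for accuracy", which looks copied from DesiredAccuracy. Suggest naming one unit for the value written to the node and changing "accuracy" to "age". Separately, Timeout states its type ("Value is DWORD in seconds") but DesiredAccuracy and MaximumAge don't state a value type at all.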
@@ -77,7 +77,7 @@ The default value is Null.
Supported operation is Get.
-**Longitude**
+**Longitude**
Required. Provides the longitude of the last successful remote find.
The value returned is double.
@@ -86,7 +86,7 @@ The default value is Null.
Supported operation is Get.
-**Altitude**
+**Altitude**
Required. Provides the altitude of the last successful remote find.
The value returned is double.
@@ -95,7 +95,7 @@ The default value is Null.
Supported operation is Get.
-**Accuracy**
+**Accuracy**
Required. Provides the accuracy in meters of the location fix of the last successful remote find. Values range from 0 – 1000 meters.
The value returned is an integer.
@@ -104,7 +104,7 @@ The default value is 0.
Supported operation is Get.
-**AltitudeAccuracy**
+**AltitudeAccuracy**
Required. Provides the altitude accuracy in meters of the location fix of the last successful remote find. Values range from 0 – 1000 meters.
The value returned is an integer.
@@ -113,7 +113,7 @@ The default value is 0.
Supported operation is Get.
-**Age**
+**Age**
Required. Provides the age in 100 nanoseconds for the current location data.
The value returned is an integer.
@@ -128,60 +128,60 @@ Supported operation is Get.
```xml
-
- 1
-
- 10
-
- 30
- -
-
- ./Vendor/MSFT/RemoteFind/Location/Latitude
-
-
-
-
- 40
- -
-
- ./Vendor/MSFT/RemoteFind/Location/Longitude
-
-
-
-
- 40
- -
-
- ./Vendor/MSFT/RemoteFind/Location/Altitude
-
-
-
-
- 45
- -
-
- ./Vendor/MSFT/RemoteFind/Location/Accuracy
-
-
-
-
- 50
- -
-
- ./Vendor/MSFT/RemoteFind/Location/AltitudeAccuracy
-
-
-
-
- 60
- -
-
- ./Vendor/MSFT/RemoteFind/Location/Age
-
-
-
-
-
+
+ 1
+
+ 10
+
+ 30
+ -
+
+ ./Vendor/MSFT/RemoteFind/Location/Latitude
+
+
+
+
+ 40
+ -
+
+ ./Vendor/MSFT/RemoteFind/Location/Longitude
+
+
+
+
+ 40
+ -
+
+ ./Vendor/MSFT/RemoteFind/Location/Altitude
+
+
+
+
+ 45
+ -
+
+ ./Vendor/MSFT/RemoteFind/Location/Accuracy
+
+
+
+
+ 50
+ -
+
+ ./Vendor/MSFT/RemoteFind/Location/AltitudeAccuracy
+
+
+
+
+ 60
+ -
+
+ ./Vendor/MSFT/RemoteFind/Location/Age
+
+
+
+
+
```
diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md
index e92498a5f3..039978ac39 100644
--- a/windows/client-management/mdm/remotefind-ddf-file.md
+++ b/windows/client-management/mdm/remotefind-ddf-file.md
@@ -1,7 +1,7 @@
---
title: RemoteFind DDF file
description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md
index 441f69fe60..fc8e8d1044 100644
--- a/windows/client-management/mdm/remotering-csp.md
+++ b/windows/client-management/mdm/remotering-csp.md
@@ -1,7 +1,7 @@
---
title: RemoteRing CSP
description: The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that's set on the device.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -32,7 +32,7 @@ Root
RemoteRing
----Ring
```
-**Ring**
+**Ring**
Required. The node accepts requests to ring the device.
The supported operation is Exec.
diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md
index 07413835c9..78a7b329a2 100644
--- a/windows/client-management/mdm/remotewipe-csp.md
+++ b/windows/client-management/mdm/remotewipe-csp.md
@@ -1,7 +1,7 @@
---
title: RemoteWipe CSP
description: Learn how the RemoteWipe configuration service provider (CSP) can be used by mobile operators DM server or enterprise management server to remotely wipe a device.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -41,15 +41,15 @@ RemoteWipe
--------Status
```
-**doWipe**
+**doWipe**
Exec on this node starts a remote reset of the device. A remote reset is equivalent to running "Reset this PC > Remove everything" from the Settings app, with **Clean Data** set to No and **Delete Files** set to Yes. The return status code indicates whether the device accepted the Exec command. If a doWipe reset is started and then interrupted, the PC will attempt to roll-back to the pre-reset state. If the PC can't be rolled-back, the recovery environment will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
Supported operation is Exec.
-**doWipePersistProvisionedData**
-Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset.
+**doWipePersistProvisionedData**
+Exec on this node specifies that provisioning packages in the `%SystemDrive%\ProgramData\Microsoft\Provisioning` folder will be retained and then applied to the OS after the reset.
When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
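Review bot: The last sentence of the doWipe description chains three outcomes with "and" ("will take no additional actions and the PC could be in an unusable state and Windows will have to be reinstalled") and is hard to parse; split it. The entry also says an interrupted doWipe rolls back to the pre-reset state without saying what that means for the data on the device. The only place the page spells that out is under doWipeProtected ("can be easily circumvented by simply power cycling the device"), so add a pointer from doWipe to doWipeProtected for lost or stolen devices.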
@@ -57,36 +57,36 @@ Supported operation is Exec.
The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command.
-**doWipeProtected**
+**doWipeProtected**
Added in Windows 10, version 1703. Exec on this node performs a remote reset on the device and also fully cleans the internal drive. Drives that are cleaned with doWipeProtected aren't expected to meet industry or government standards for data cleaning. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command, but not whether the reset was successful.
The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, if a reset that uses doWipeProtected is interrupted, upon restart it will clean the PC's disk partitions. Because doWipeProtected will clean the partitions in case of failure or interruption, use doWipeProtected in lost/stolen device scenarios.
Supported operation is Exec.
-**doWipePersistUserData**
+**doWipePersistUserData**
Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device, and persist user accounts and data. This setting is equivalent to selecting "Reset this PC > Keep my files" when manually starting a reset from the Settings app. The return status code shows whether the device accepted the Exec command.
-**AutomaticRedeployment**
+**AutomaticRedeployment**
Added in Windows 10, version 1809. Node for the Autopilot Reset operation.
-**AutomaticRedeployment/doAutomaticRedeployment**
+**AutomaticRedeployment/doAutomaticRedeployment**
Added in Windows 10, version 1809. Exec on this node triggers Autopilot Reset operation. This node works like PC Reset, similar to other existing nodes in this RemoteWipe CSP, except that it keeps the device enrolled in Azure AD and MDM, keeps Wi-Fi profiles, and a few other settings like region, language, keyboard.
-**AutomaticRedeployment/LastError**
+**AutomaticRedeployment/LastError**
Added in Windows 10, version 1809. Error value, if any, associated with Autopilot Reset operation (typically an HRESULT).
-**AutomaticRedeployment/Status**
-Added in Windows 10, version 1809. Status value indicating current state of an Autopilot Reset operation.
+**AutomaticRedeployment/Status**
+Added in Windows 10, version 1809. Status value indicating current state of an Autopilot Reset operation.
-Supported values:
+Supported values:
-- 0: Never run (not started). The default state.
+- 0: Never run (not started). The default state.
- 1: Complete.
-- 10: Reset has been scheduled.
-- 20: Reset is scheduled and waiting for a reboot.
-- 30: Failed during CSP Execute ("Exec" in SyncML).
-- 40: Failed: power requirements not met.
+- 10: Reset has been scheduled.
+- 20: Reset is scheduled and waiting for a reboot.
+- 30: Failed during CSP Execute ("Exec" in SyncML).
+- 40: Failed: power requirements not met.
- 50: Failed: reset internals failed during reset attempt.
## Related topics
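Review bot: doWipePersistUserData, AutomaticRedeployment/doAutomaticRedeployment, AutomaticRedeployment/LastError and AutomaticRedeployment/Status have no "Supported operation" line, while doWipe and doWipeProtected both end with "Supported operation is Exec." Add the supported operation for each, and for LastError and Status the value type as well. In the doWipeProtected text, "In some device configurations, this command may leave the device unable to boot" gives the reader nothing to act on; either name the configurations or link to where they are described.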
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
index 290767b7a1..1bcc4db61d 100644
--- a/windows/client-management/mdm/remotewipe-ddf-file.md
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -1,7 +1,7 @@
---
title: RemoteWipe DDF file
description: Learn about the OMA DM device description framework (DDF) for the RemoteWipe configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md
index 79814579cb..e869b30f35 100644
--- a/windows/client-management/mdm/reporting-csp.md
+++ b/windows/client-management/mdm/reporting-csp.md
@@ -1,7 +1,7 @@
---
title: Reporting CSP
description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -44,19 +44,19 @@ Reporting
------------Type
```
-**Reporting**
+**Reporting**
The root node for the reporting configuration service provider.
-**Reporting/EnterpriseDataProtection**
+**Reporting/EnterpriseDataProtection**
Interior node for retrieving the Windows Information Protection (formerly known as Enterprise Data Protection) logs.
-**RetrieveByTimeRange**
+**RetrieveByTimeRange**
Returns the logs that exist within the StartTime and StopTime. The StartTime and StopTime are expressed in ISO 8601 format. If the StartTime and StopTime aren't specified, then the values are interpreted as either first existing or last existing time.
Here are the other possible scenarios:
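Review bot: In RetrieveByTimeRange, "the values are interpreted as either first existing or last existing time" doesn't say which bound gets which default. Suggest: "If StartTime isn't specified, the time of the first existing log is used; if StopTime isn't specified, the time of the last existing log is used", which also matches the scenario list that follows.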
@@ -65,34 +65,34 @@ Here are the other possible scenarios:
- If the StopTime is specified, but the StartTime isn't specified, then all logs that exist before the StopTime are returned.
- If the StartTime is specified, but the StopTime isn't specified, then all that logs that exist from the StartTime are returned.
-**RetrieveByCount**
+**RetrieveByCount**
Interior node for retrieving a specified number of logs from the StartTime. The StartTime is expressed in ISO 8601 format. You can set the number of logs required by setting LogCount and StartTime. It returns the specified number of logs or less, if the total number of logs is less than LogCount.
-**Logs**
+**Logs**
Contains the reporting logs.
-- Value type is XML.
+- Value type is XML.
- Supported operation is Get.
-**StartTime**
+**StartTime**
Specifies the starting time for retrieving logs.
- Value type is string. Use ISO 8601 format.
- Supported operations are Get and Replace.
-**StopTime**
+**StopTime**
Specifies the ending time for retrieving logs.
- Value type is string. Use ISO 8601 format.
- Supported operations are Get and Replace.
-**Type**
+**Type**
Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this policy to retrieve the Windows Information Protection learning logs.
- Value type is integer.
- Supported operations are Get and Replace.
-**LogCount**
+**LogCount**
Specifies the number of logs to retrieve from the StartTime.
- Value type is int.
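Review bot: The Type node says it "Specifies the type of logs to retrieve" and that the value is an integer, but never lists which integers are valid or what each one selects, so a reader can't tell how to request the Windows Information Protection learning logs the sentence mentions. Add the value list. Two small fixes in the same hunk: "all that logs that exist from the StartTime" should be "all logs that exist from the StartTime", and Type uses "Value type is integer" where LogCount uses "Value type is int".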
@@ -170,7 +170,7 @@ Retrieve a specified number of security auditing logs starting from the specifie
-
+
```
diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md
index a18c3cb3b6..5869aa9472 100644
--- a/windows/client-management/mdm/reporting-ddf-file.md
+++ b/windows/client-management/mdm/reporting-ddf-file.md
@@ -1,7 +1,7 @@
---
title: Reporting DDF file
description: View the OMA DM device description framework (DDF) for the Reporting configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
index 0ff47616c0..1e6868087d 100644
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -1,7 +1,7 @@
---
title: RootCATrustedCertificates CSP
description: Learn how the RootCATrustedCertificates configuration service provider (CSP) enables the enterprise to set the Root Certificate Authority (CA) certificates.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -68,51 +68,51 @@ RootCATrustedCertificates
------------ValidTo
------------TemplateName
```
-**Device or User**
+**Device or User**
For device certificates, use **./Device/Vendor/MSFT** path, and for user certificates use **./User/Vendor/MSFT** path.
-**RootCATrustedCertificates**
+**RootCATrustedCertificates**
The root node for the RootCATrustedCertificates configuration service provider.
-**RootCATrustedCertificates/Root/**
+**RootCATrustedCertificates/Root/**
Defines the certificate store that contains root or self-signed certificates, in this case, the computer store.
> [!Note]
> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**.
-**RootCATrustedCertificates/CA**
+**RootCATrustedCertificates/CA**
Node for CA certificates.
-**RootCATrustedCertificates/TrustedPublisher**
+**RootCATrustedCertificates/TrustedPublisher**
Node for trusted publisher certificates.
-**RootCATrustedCertificates/TrustedPeople**
+**RootCATrustedCertificates/TrustedPeople**
Node for trusted people certificates.
-**RootCATrustedCertificates/UntrustedCertificates**
+**RootCATrustedCertificates/UntrustedCertificates**
Added in Windows 10, version 1803. Node for certificates that aren't trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable.
-**_CertHash_**
+**_CertHash_**
Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. This node is common for all the principal root nodes. The supported operations are Get and Delete.
The following nodes are all common to the **_CertHash_** node:
-- **/EncodedCertificate**
+- **/EncodedCertificate**
Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace.
-- **/IssuedBy**
+- **/IssuedBy**
Returns the name of the certificate issuer. This name is equivalent to the **Issuer** member in the CERT\_INFO data structure. The only supported operation is Get.
-- **/IssuedTo**
+- **/IssuedTo**
Returns the name of the certificate subject. This name is equivalent to the **Subject** member in the CERT\_INFO data structure. The only supported operation is Get.
-- **/ValidFrom**
+- **/ValidFrom**
Returns the starting date of the certificate's validity. This date is equivalent to the **NotBefore** member in the CERT\_INFO data structure. The only supported operation is Get.
-- **/ValidTo**
+- **/ValidTo**
Returns the expiration date of the certificate. This date is equivalent to the **NotAfter** member in the CERT\_INFO data structure. The only supported operation is Get.
-- **/TemplateName**
+- **/TemplateName**
Returns the certificate template name. The only supported operation is Get.
## Related topics
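Review bot: The UntrustedCertificates sentence "flag certificates that have been compromised and no longer usable" is missing a verb; suggest "that have been compromised and are no longer usable". It would also help to say what flagging does in practice, since this node is the page's revocation path. In EncodedCertificate, "Base64-encoded" and "Base-64 string" are spelled two ways in adjacent sentences, and "cannot include" is out of step with the contractions used elsewhere on the page ("aren't trusted"). The CertHash entry gives its supported operations in running text while the child nodes use "The only supported operation is Get."; pick one phrasing.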
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
index 67f5c3a6d7..426e778b1d 100644
--- a/windows/client-management/mdm/rootcacertificates-ddf-file.md
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -1,7 +1,7 @@
---
title: RootCATrustedCertificates DDF file
description: Learn about the OMA DM device description framework (DDF) for the RootCACertificates configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
index dcc9b9b0f9..08be1e7716 100644
--- a/windows/client-management/mdm/secureassessment-csp.md
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -1,7 +1,7 @@
---
title: SecureAssessment CSP
description: Learn how the SecureAssessment configuration service provider (CSP) is used to provide configuration information for the secure assessment browser.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -37,17 +37,17 @@ SecureAssessment
----AllowTextSuggestions
----Assessments
```
-**./Vendor/MSFT/SecureAssessment**
+**./Vendor/MSFT/SecureAssessment**
The root node for the SecureAssessment configuration service provider.
The supported operation is Get.
-**LaunchURI**
+**LaunchURI**
URI link to an assessment that's automatically loaded when the secure assessment browser is launched.
The supported operations are Add, Delete, Get, and Replace.
-**TesterAccount**
+**TesterAccount**
The user name of the test taking account.
- To specify a domain account, use domain\\user.
@@ -56,23 +56,23 @@ The user name of the test taking account.
The supported operations are Add, Delete, Get, and Replace.
-**AllowScreenMonitoring**
-Added in Windows 10, version 1703. Boolean value that indicates whether screen capture is allowed by the app.
+**AllowScreenMonitoring**
+Added in Windows 10, version 1703. Boolean value that indicates whether screen capture is allowed by the app.
Supported operations are Get and Replace.
-**RequirePrinting**
+**RequirePrinting**
Added in Windows 10, version 1703. Boolean value that indicates whether printing is allowed by the app.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
-**AllowTextSuggestions**
-Added in Windows 10, version 1703. Boolean value that indicates whether keyboard text suggestions are allowed by the app.
+**AllowTextSuggestions**
+Added in Windows 10, version 1703. Boolean value that indicates whether keyboard text suggestions are allowed by the app.
Supported operations are Get and Replace.
-**Assessments**
-Added in Windows 11, version 22H2. Enables support for multiple assessments. When configured, users can select from a list of assessments. The node accepts an XML string that represents the list of available assessments.
+**Assessments**
+Added in Windows 11, version 22H2. Enables support for multiple assessments. When configured, users can select from a list of assessments. The node accepts an XML string that represents the list of available assessments.
Supported operations are Add, Delete, Get and Replace.
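Review bot: The RequirePrinting description says the value "indicates whether printing is allowed by the app", which doesn't match a node named RequirePrinting; say explicitly what true and false do so a reader doesn't have to guess whether it permits or mandates printing. None of the three Boolean nodes in this hunk (AllowScreenMonitoring, RequirePrinting, AllowTextSuggestions) states a default, which matters for a locked-down assessment setup. The Assessments entry writes "Add, Delete, Get and Replace" without the serial comma used in the LaunchURI and TesterAccount entries.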
@@ -127,9 +127,9 @@ Example:
## Related topics
-[Set up Take a Test](/education/windows/take-a-test-multiple-pcs)
+[Set up Take a Test](/education/windows/take-a-test-multiple-pcs)
[Configuration service provider reference](configuration-service-provider-reference.md)
-
+
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
index 67118163ea..8e6a1721ab 100644
--- a/windows/client-management/mdm/secureassessment-ddf-file.md
+++ b/windows/client-management/mdm/secureassessment-ddf-file.md
@@ -1,7 +1,7 @@
---
title: SecureAssessment DDF file
description: View the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index a3f9722270..d6c3784263 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -1,7 +1,7 @@
---
title: SecurityPolicy CSP
description: The SecurityPolicy CSP is used to configure security policy settings for WAP push, OMA DM, Service Indication (SI), Service Loading (SL), and MMS.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -39,7 +39,7 @@ SecurityPolicy
----PolicyID
```
-***PolicyID***
+***PolicyID***
Defines the security policy identifier as a decimal value.
The following security policies are supported.
@@ -80,7 +80,7 @@ The following security policies are supported.
- **Policy name**: WSP Push Policy
- **Policy description**: This setting indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed.
- Default value: 1
- - Supported values:
+ - Supported values:
- 0: Routing of WSP notifications isn't allowed.
- 1: Routing of WSP notifications is allowed.
@@ -88,7 +88,7 @@ The following security policies are supported.
- **Policy name**: Network PIN signed OTA Provision Message User Prompt Policy
- **Policy description**: This policy specifies whether the device will prompt a UI to get the user confirmation before processing a pure network pin signed OTA Provisioning message. If prompt, the user has the ability to discard the OTA provisioning message.
- Default value: 0
- - Supported values:
+ - Supported values:
- 0: The device prompts a UI to get user confirmation when the OTA WAP provisioning message is signed purely with network pin.
- 1: There's no user prompt.
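Review bot: The policy description in this hunk has two grammar slips: "will prompt a UI to get the user confirmation" and "If prompt, the user has the ability to discard". Suggest "displays a prompt to get user confirmation" and "If prompted, the user can discard the OTA provisioning message". Since the description says the prompt is what lets the user discard a message signed only with the network PIN, the value "1: There's no user prompt." should say that such messages are then processed without confirmation.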
@@ -166,7 +166,7 @@ Setting a security policy:
-
./Vendor/MSFT/SecurityPolicy/4141
- int
+ int
0
@@ -187,7 +187,7 @@ Querying a security policy:
1
-
- ./Vendor/MSFT/SecurityPolicy/4141
+ ./Vendor/MSFT/SecurityPolicy/4141
diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md
index 03f3fe6afa..eb7166717f 100644
--- a/windows/client-management/mdm/storage-csp.md
+++ b/windows/client-management/mdm/storage-csp.md
@@ -1,7 +1,7 @@
---
title: Storage CSP
description: Learn how the Storage enterprise configuration service provider (CSP) is used to configure the storage card settings.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -29,7 +29,7 @@ The following shows the Storage configuration service provider in tree format.
Storage
----Disable
```
-**Disable**
+**Disable**
Required. A Boolean value that specifies whether to enable or disable a storage card. A value of **True** disables the storage card. A value of **False** enables the storage card. The default value is **False**. The value is case sensitive.
The supported operations are Get and Replace.
diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md
index 4d2a9283a7..5b0bb1c394 100644
--- a/windows/client-management/mdm/storage-ddf-file.md
+++ b/windows/client-management/mdm/storage-ddf-file.md
@@ -1,7 +1,7 @@
---
title: Storage DDF file
description: Learn about the OMA DM device description framework (DDF) for the Storage configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md
index 802b366a55..3d3a195578 100644
--- a/windows/client-management/mdm/supl-csp.md
+++ b/windows/client-management/mdm/supl-csp.md
@@ -1,7 +1,7 @@
---
title: SUPL CSP
description: Learn how the SUPL configuration service provider (CSP) is used to configure the location client.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -31,14 +31,14 @@ The SUPL configuration service provider is used to configure the location client
- **V2 UPL**: CDMA
- **Location Service**: Configuration
- - **SUPL**:
+ - **SUPL**:
- Settings that need to get pushed to the GNSS driver to configure the SUPL behavior:
- Address of the Home SUPL (H-SLP) server.
- H-SLP server certificate.
- Positioning method.
- Version of the protocol to use by default.
- MCC/MNC value pairs that are used to specify which networks' UUIC the SUPL account matches.
- - **V2 UPL**:
+ - **V2 UPL**:
- Address of the server—a mobile positioning center for non-trusted mode.
- The positioning method used by the MPC for non-trusted mode.
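Review bot: "which networks' UUIC the SUPL account matches" in the SUPL settings list looks like a typo for UICC, the spelling used in the Addr and MCCMNCPairs descriptions later in this file. Fix it while this list is being touched.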
@@ -61,7 +61,7 @@ SUPL
----------------MCCMNPairs
----------------HighAccPositioningMethod
----------------LocMasterSwitchDependencyNII
-----------------NIDefaultTimeout
+----------------NIDefaultTimeout
----------------ServerAccessInterval
----------------RootCertificate
--------------------Name
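Review bot: The tree in this hunk lists the node as "MCCMNPairs", but the node description further down the file is headed "**MCCMNCPairs**". One of the two is wrong, and a reader building an OMA-URI from the tree would get a path that doesn't match the documented node. Align the tree with the node name.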
@@ -72,43 +72,43 @@ SUPL
----------------RootCertificate3
--------------------Name
--------------------Data
-----V2UPL1
+----V2UPL1
--------MPC
--------PDE
--------PositioningMethod_MR
--------LocMasterSwitchDependencyNII
--------ApplicationTypeIndicator_MR
---------NIDefaultTimeout
+--------NIDefaultTimeout
--------ServerAccessInterval
```
-**SUPL1**
+**SUPL1**
Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time.
-**AppID**
+**AppID**
Required. The AppID for SUPL is automatically set to `"ap0004"`. This value is a read-only value.
-**Addr**
+**Addr**
Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format *server*: *port*.
If this value isn't specified, the device infers the H-SLP address from the IMSI as defined in the SUPL standard. To use automatic generation of the H-SLP address based on the IMSI, the MNC length must be set correctly on the UICC. Generally, this value is 2 or 3.
For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned. But the configuration service provider will continue processing the rest of the parameters.
-**Version**
+**Version**
Optional. Determines the major version of the SUPL protocol to use. For SUPL 1.0.0, set this value to 1. For SUPL 2.0.0, set this value to 2. The default is 1. Refer to FullVersion to define the minor version and the service indicator.
-**FullVersion**
+**FullVersion**
Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z where X, Y, and Z are the major version, the minor version, and the service indicator, respectively) of the SUPL protocol to use. The default is 1.0.0. If FullVersion is defined, Version field is ignored.
-**MCCMNCPairs**
+**MCCMNCPairs**
Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL.
This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC.
For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
-**HighAccPositioningMethod**
+**HighAccPositioningMethod**
Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers:
|Value|Description|
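Review bot: The removed and added lines for the bold node names (**SUPL1**, **AppID**, **Addr**, **Version** and the rest) are textually identical as shown, so the change is trailing whitespace only. If the stripped characters were two or more spaces and the description starts on the very next line, they were acting as Markdown hard line breaks, and removing them lets each node name and its description render as one run-on line. Check the rendered page, and where a break is needed separate the name from the description with a blank line rather than trailing spaces.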
@@ -127,7 +127,7 @@ The default is 0. The default method in Windows devices provides high-quality as
For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
-**LocMasterSwitchDependencyNII**
+**LocMasterSwitchDependencyNII**
Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1.
This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used.
@@ -155,78 +155,78 @@ When the location toggle is set to Off and this value is set to 0, the location
For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
-**NIDefaultTimeout**
+**NIDefaultTimeout**
Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended.
This value manages the settings for SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used.
-**ServerAccessInterval**
+**ServerAccessInterval**
Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60.
-**RootCertificate**
+**RootCertificate**
Required. Specifies the root certificate for the H-SLP server. Windows doesn't support a non-secure mode. If this node isn't included, the configuration service provider will fail but may not return a specific error.
-**RootCertificate/Name**
+**RootCertificate/Name**
Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
-**RootCertificate/Data**
+**RootCertificate/Data**
The base 64 encoded blob of the H-SLP root certificate.
-**RootCertificate2**
+**RootCertificate2**
Specifies the root certificate for the H-SLP server.
-**RootCertificate2/Name**
+**RootCertificate2/Name**
Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
-**RootCertificate2/Data**
+**RootCertificate2/Data**
The base 64 encoded blob of the H-SLP root certificate.
-**RootCertificate3**
+**RootCertificate3**
Specifies the root certificate for the H-SLP server.
-**RootCertificate3/Name**
+**RootCertificate3/Name**
Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
-**RootCertificate3/Data**
+**RootCertificate3/Data**
The base 64 encoded blob of the H-SLP root certificate.
-**RootCertificate4**
+**RootCertificate4**
Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server.
-**RootCertificate4/Name**
+**RootCertificate4/Name**
Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
-**RootCertificate4/Data**
+**RootCertificate4/Data**
Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate.
-**RootCertificate5**
+**RootCertificate5**
Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server.
-**RootCertificate5/Name**
+**RootCertificate5/Name**
Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
-**RootCertificate5/Data**
+**RootCertificate5/Data**
Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate.
-**RootCertificate6**
+**RootCertificate6**
Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server.
-**RootCertificate6/Name**
+**RootCertificate6/Name**
Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
-**RootCertificate6/Data**
+**RootCertificate6/Data**
Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate.
-**V2UPL1**
+**V2UPL1**
Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time.
-**MPC**
+**MPC**
Optional. Specifies the address of the mobile positioning center (MPC), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty.
-**PDE**
+**PDE**
Optional. Specifies the address of the Position Determination Entity (PDE), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter must be empty.
-**PositioningMethod\_MR**
+**PositioningMethod\_MR**
Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers:
|Value|Description|
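Review bot: Under **NIDefaultTimeout**, "If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used" asserts that the two values always differ, whereas the SUPL LocMasterSwitchDependencyNII description earlier in the file words the same rule as "and these values differ". Use the conditional wording here as well. The preceding sentence, "It defines that the network-initiated location request is displayed to the user", also never says what the time value measures and should be reworded.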
@@ -245,7 +245,7 @@ The default is 0. The default method provides high-quality assisted GNSS positio
For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
-**LocMasterSwitchDependencyNII**
+**LocMasterSwitchDependencyNII**
Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA devices, this value must be set to 1. The default value is 1.
This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used.
@@ -273,15 +273,15 @@ When the location toggle is set to Off and this value is set to 0, the location
For OMA DM, if the format for this node is incorrect then an entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters.
-**ApplicationTypeIndicator\_MR**
+**ApplicationTypeIndicator\_MR**
Required. This value must always be set to `00000011`.
-**NIDefaultTimeout**
+**NIDefaultTimeout**
Optional. Time in seconds. It defines that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended.
This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL, then these values will differ, and the SUPL setting will always be used.
-**ServerAccessInterval**
+**ServerAccessInterval**
Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60.
## Unsupported Nodes
diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index 62a7531702..5a15efc5d7 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -1,7 +1,7 @@
---
title: SUPL DDF file
description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md
index a7ea49f35d..31ac48aedd 100644
--- a/windows/client-management/mdm/surfacehub-csp.md
+++ b/windows/client-management/mdm/surfacehub-csp.md
@@ -1,7 +1,7 @@
---
title: SurfaceHub CSP
description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -73,7 +73,7 @@ SurfaceHub
--------WorkspaceKey
```
-**./Vendor/MSFT/SurfaceHub**
+**./Vendor/MSFT/SurfaceHub**
The root node for the Surface Hub configuration service provider.
**DeviceAccount**
@@ -158,35 +158,35 @@ Domain of the device account when you're using Active Directory. To use a device
Username of the device account when you're using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace.
**DeviceAccount/UserPrincipalName**
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace.
**DeviceAccount/SipAddress**
Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace.
**DeviceAccount/Password**
Password for the device account.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank.
**DeviceAccount/ValidateAndCommit**
This method validates the data provided and then commits the changes.
-- The data type is string.
+- The data type is string.
- Supported operation is Execute.
**DeviceAccount/Email**
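Review bot: **DeviceAccount/Password** says Get "will always return a blank", while **MOMAgent/WorkspaceKey** later in this file says Get "will always return an empty string". Both nodes hold secrets and both are typed as string, so use "empty string" in both places so that readers do not assume the behaviours differ. The bullets in this hunk also read "Supported operation is Get and Replace", which should be "Supported operations are Get and Replace".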
@@ -204,28 +204,28 @@ Valid values:
- 1 - disabled
It performs the following:
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**DeviceAccount/ExchangeServer**
Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace.
**DeviceAccount/ExchangeModernAuthEnabled**
Added in KB4598291 for Windows 10, version 20H2. Specifies, whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**DeviceAccount/CalendarSyncEnabled**
Specifies, whether calendar sync and other Exchange server services is enabled.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**DeviceAccount/ErrorContext**
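Review bot: "It performs the following:" above the data type bullet is not a usable lead-in, because the bullets that follow list the data type and the supported operations, not actions the node performs. The same sentence recurs in the MeetingInfoOption, ScreenTimeout, SessionTimeout, SleepTimeout and SleepMode hunks below; delete it in each place so these nodes match the ones that go straight to the bullets.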
@@ -252,14 +252,14 @@ Node for maintenance schedule.
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120.
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**MaintenanceHoursSimple/Hours/Duration**
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180.
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**InBoxApps**
@@ -274,7 +274,7 @@ Added in Windows 10, version 1703. Node for the Skype for Business settings.
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you're using Active Directory. For more information, see Set up Skype for Business Online.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace.
**InBoxApps/Welcome**
@@ -284,14 +284,14 @@ Node for the welcome screen.
Automatically turn on the screen using motion sensors.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**InBoxApps/Welcome/CurrentBackgroundPath**
Download location for image, to be used as the background during user sessions and on the welcome screen. To set this location, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they're valid and installed on the Hub. Otherwise, it may not be able to load the image.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace.
**InBoxApps/Welcome/MeetingInfoOption**
@@ -304,7 +304,7 @@ Valid values:
- 1 - Organizer, time, and subject. Subject is hidden in private meetings.
It performs the following:
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**InBoxApps/Whiteboard**
@@ -315,21 +315,21 @@ Node for the Whiteboard app settings.
Invitations to collaborate from the Whiteboard app aren't allowed.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**InBoxApps/Whiteboard/SigninDisabled**
Sign-ins from the Whiteboard app aren't allowed.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**InBoxApps/Whiteboard/TelemeteryDisabled**
Telemetry collection from the Whiteboard app isn't allowed.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**InBoxApps/WirelessProjection**
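Review bot: The three Whiteboard descriptions ("Invitations to collaborate from the Whiteboard app aren't allowed", and the sign-in and telemetry equivalents) state an effect without saying which boolean value produces it. Phrase each as "When true, ..." and give the default. Also confirm against the DDF that TelemeteryDisabled is the literal node name, so that nobody corrects the spelling in the heading in a later cleanup and breaks the path.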
@@ -340,14 +340,14 @@ Node for the wireless projector app settings.
Users must enter a PIN to wireless project to the device.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**InBoxApps/WirelessProjection/Enabled**
Enables wireless projection to the device.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**InBoxApps/WirelessProjection/Channel**
@@ -362,7 +362,7 @@ Wireless channel to use for Miracast operation. The supported channels are defin
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly, the driver will either not boot or will broadcast on the wrong channel (which senders won't be looking for).
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**InBoxApps/Connect**
@@ -375,7 +375,7 @@ Added in Windows 10, version 1703. Specifies, whether to automatically launch th
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**Properties**
@@ -386,21 +386,21 @@ Node for the device properties.
Friendly name of the device. Specifies the name that users see when they want wireless project to the device.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace.
**Properties/DefaultVolume**
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45.
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**Properties/DefaultAutomaticFraming**
Added in KB5010415 for Windows 10, version 20H2. Specifies whether the Surface Hub 2 Smart Camera feature to automatically zoom and keep users centered in the video is enabled. Default value is True.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**Properties/ScreenTimeout**
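Review bot: In the FriendlyName description, "the name that users see when they want wireless project to the device" is missing words. Suggest "when they want to project wirelessly to the device", and apply the same fix to "Users must enter a PIN to wireless project to the device" in the WirelessProjection hunk above.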
@@ -424,7 +424,7 @@ The following table shows the permitted values.
|240|4 hours|
It performs the following:
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**Properties/SessionTimeout**
@@ -448,7 +448,7 @@ The following table shows the permitted values.
|240|4 hours|
It performs the following:
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**Properties/SleepTimeout**
@@ -472,7 +472,7 @@ The following table shows the permitted values.
|240|4 hours|
It performs the following:
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**Properties/SleepMode**
@@ -485,7 +485,7 @@ Valid values:
- 1 - Hibernate
It performs the following:
-- The data type is integer.
+- The data type is integer.
- Supported operation is Get and Replace.
**Properties/AllowSessionResume**
@@ -494,7 +494,7 @@ Added in Windows 10, version 1703. Specifies whether to allow the ability to res
If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**Properties/AllowAutoProxyAuth**
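Review bot: The AllowSessionResume description opens the second feature name with a curly quote and closes it with a straight one (“End Session"), while "Resume Session" in the same sentence uses straight quotes on both sides. Normalize to straight quotes throughout, as this pass is already a character-level cleanup of the file.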
@@ -503,14 +503,14 @@ Added in Windows 10, version 1703. Specifies whether to use the device account f
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**Properties/ProxyServers**
Added in KB4499162 for Windows 10, version 1703. Specifies hostnames of proxy servers to automatically provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names (FQDN), without any extra prefixes (for example, https://).
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace.
**Properties/DisableSigninSuggestions**
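Review bot: In **Properties/ProxyServers**, "without any extra prefixes (for example, https://)" can be misread as an example of an accepted value. Every host in this list is automatically given the device account credentials before any user interaction, so the format should be unambiguous: say that each entry is a bare FQDN with no scheme, and that https:// is an example of what to leave out.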
@@ -519,7 +519,7 @@ Added in Windows 10, version 1703. Specifies whether to disable auto-populating
If this setting is true, the sign-in dialog won't be populated. If false, the dialog will auto-populate.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**Properties/DoNotShowMyMeetingsAndFiles**
@@ -528,7 +528,7 @@ Added in Windows 10, version 1703. Specifies whether to disable the "My mee
If this setting is true, the “My meetings and files” feature won't be shown. When false, the “My meetings and files” feature will be shown.
-- The data type is boolean.
+- The data type is boolean.
- Supported operation is Get and Replace.
**MOMAgent**
@@ -539,14 +539,14 @@ Node for the Microsoft Operations Management Suite.
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this GUID to an empty string to disable the MOM agent.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace.
-**MOMAgent/WorkspaceKey**
+**MOMAgent/WorkspaceKey**
Primary key for authenticating with the workspace.
-- The data type is string.
+- The data type is string.
- Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string.
## Related topics
diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md
index 3f66986007..afc0b837f3 100644
--- a/windows/client-management/mdm/surfacehub-ddf-file.md
+++ b/windows/client-management/mdm/surfacehub-ddf-file.md
@@ -1,7 +1,7 @@
---
title: SurfaceHub DDF file
description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index c271871ce1..625f171ce3 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 08/13/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -38,18 +38,18 @@ The following example shows the TenantLockdown configuration service provider in
TenantLockdown
----RequireNetworkInOOBE
```
-**./Vendor/MSFT/TenantLockdown**
+**./Vendor/MSFT/TenantLockdown**
The root node for the TenantLockdown configuration service provider.
-**RequireNetworkInOOBE**
+**RequireNetworkInOOBE**
Specifies whether a network connection is required during the out-of-box experience (OOBE) at first logon.
When RequireNetworkInOOBE is true, when the device goes through OOBE at first sign in or after a reset, the user is required to choose a network before proceeding. There's no "skip for now" option.
-- Value type is bool.
+- Value type is bool.
- Supported operations are Get and Replace.
- - True - Require network in OOBE.
+ - True - Require network in OOBE.
- False - No network connection requirement in OOBE.
Example scenario: Henry is the IT admin at Contoso. He deploys 1000 devices successfully with RequireNetworkInOOBE set to true. When users accidentally or intentionally reset their device, they are required to connect to a network before they can proceed. Upon successful connection, users see the Contoso branded sign-in experience where they must use their Azure AD credentials. There is no option to skip the network connection and create a local account.
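Review bot: The True and False bullets follow the "Supported operations are Get and Replace" bullet rather than "Value type is bool", so they read as values of the operations instead of values of the setting. Move them under the value type bullet or introduce them with a "Valid values" line, and state the default. The description also mixes "first logon" and "first sign in"; use one term.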
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index 12dc9f5348..e567d013bd 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -7,11 +7,11 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 08/13/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
-# TenantLockdown DDF file
+# TenantLockdown DDF file
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md
index 14bb56f7ca..7ed88086de 100644
--- a/windows/client-management/mdm/tpmpolicy-csp.md
+++ b/windows/client-management/mdm/tpmpolicy-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 11/01/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -34,10 +34,10 @@ The following example shows the TPMPolicy configuration service provider in tree
TPMPolicy
----IsActiveZeroExhaust
```
-**./Device/Vendor/MSFT/TPMPolicy**
+**./Device/Vendor/MSFT/TPMPolicy**
Defines the root node.
-**IsActiveZeroExhaust**
+**IsActiveZeroExhaust**
Boolean value that indicates that network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). The default value is false. Examples of zero-exhaust configuration and the conditions it requires are described below:
diff --git a/windows/client-management/mdm/tpmpolicy-ddf-file.md b/windows/client-management/mdm/tpmpolicy-ddf-file.md
index 42f7a373d5..00271f9ff4 100644
--- a/windows/client-management/mdm/tpmpolicy-ddf-file.md
+++ b/windows/client-management/mdm/tpmpolicy-ddf-file.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 12/05/2017
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -18,7 +18,7 @@ This topic shows the OMA DM device description framework (DDF) for the **TPMPoli
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the current version for this CSP.
+The XML below is the current version for this CSP.
```xml
@@ -71,4 +71,4 @@ The XML below is the current version for this CSP.
-```
+```
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index b1fd8cdde4..aa2b3b9ef4 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 10/02/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -62,105 +62,105 @@ Uefi
```
The following list describes the characteristics and parameters.
-**./Vendor/MSFT/UEFI**
+**./Vendor/MSFT/UEFI**
Root node.
-**DeviceIdentifier**
+**DeviceIdentifier**
Retrieves XML from UEFI that describes the device identifier.
Supported operation is Get.
-**Identity**
+**Identity**
Node for identity certificate operations.
Supported operation is Get.
-**Identity/Current**
+**Identity/Current**
Retrieves XML from UEFI that describes the current UEFI identity certificate information.
Supported operation is Get.
-**Identity/Apply**
+**Identity/Apply**
Applies an identity information package to UEFI. Input is the signed package in base64 encoded format.
Value type is Base64. Supported operation is Replace.
-**Identity/Result**
+**Identity/Result**
Retrieves the binary result package of the previous Identity/Apply operation.
Supported operation is Get.
-**Permissions**
+**Permissions**
Node for settings permission operations.
-**Permissions/Current**
+**Permissions/Current**
Retrieves XML from UEFI that describes the current UEFI settings permissions.
Supported operation is Get.
-**Permissions/Apply**
+**Permissions/Apply**
Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format.
Value type is Base64. Supported operation is Replace.
-**Permissions/Result**
+**Permissions/Result**
Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission.
Supported operation is Get.
-**Settings**
+**Settings**
Node for device settings operations.
-**Settings/Current**
+**Settings/Current**
Retrieves XML from UEFI that describes the current UEFI settings.
Supported operation is Get.
-**Settings/Apply**
+**Settings/Apply**
Apply a settings information package to UEFI. Input is the signed package in base64 encoded format.
Value type is Base64. Supported operation is Replace.
-**Settings/Result**
+**Settings/Result**
Retrieves the binary result package of the previous Settings/Apply operation. This binary package contains XML describing the action taken for each individual setting.
Supported operation is Get.
-**Identity2**
+**Identity2**
Node for identity certificate operations. Alternate endpoint for sending a second identity package without an OS restart.
-**Identity2/Apply**
+**Identity2/Apply**
Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two identity packages in the same session.
Value type is Base64. Supported operation is Replace.
-**Identity2/Result**
+**Identity2/Result**
Retrieves the binary result package of the previous Identity2/Apply operation.
Supported operation is Get.
-**Permissions2**
+**Permissions2**
Node for settings permission operations. Alternate endpoint for sending a second permission package without an OS restart.
-**Permissions2/Apply**
+**Permissions2/Apply**
Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session.
Value type is Base64. Supported operation is Replace.
-**Permissions2/Result**
+**Permissions2/Result**
Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission.
Supported operation is Get.
-**Settings2**
+**Settings2**
Node for device settings operations. Alternate endpoint for sending a second settings package without an OS restart.
-**Settings2/Apply**
+**Settings2/Apply**
Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session.
Value type is Base64. Supported operation is Replace.
-**Settings2/Result**
+**Settings2/Result**
Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting.
Supported operation is Get.
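Review bot: **Identity/Result** and **Identity2/Result** say only "Retrieves the binary result package", while the Permissions and Settings result nodes add that the package "contains XML describing the action taken for each individual" permission or setting. Document what the identity result package contains, so that a management server knows how to check whether a signed identity package was accepted. Identity/Apply also uses "Applies" where every other Apply node uses the imperative "Apply", and Settings2/Result is missing "the" before "previous".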
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
index 51dec0bdd7..9936bf5bc9 100644
--- a/windows/client-management/mdm/uefi-ddf.md
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -7,18 +7,18 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 10/02/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# UEFI DDF file
-This topic shows the OMA DM device description framework (DDF) for the **Uefi** configuration service provider.
+This topic shows the OMA DM device description framework (DDF) for the **Uefi** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, version 1809.
+The XML below is for Windows 10, version 1809.
```xml
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index 6e9a7e9322..a8826e0088 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -1,7 +1,7 @@
---
title: UnifiedWriteFilter CSP
description: The UnifiedWriteFilter (UWF) configuration service provider allows you to remotely manage the UWF. Understand how it helps protect physical storage media.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -37,7 +37,7 @@ UnifiedWriteFilter
┃ ┣━━━OverlayConsumption
┃ ┣━━━AvailableOverlaySpace
┃ ┣━━━CriticalOverlayThreshold
-┃ ┣━━━SWAPFileSize
+┃ ┣━━━SWAPFileSize
┃ ┣━━━WarningOverlayThreshold
┃ ┣━━━OverlayType
┃ ┣━━━OverlayFlags
@@ -84,25 +84,25 @@ UnifiedWriteFilter
┣━━━ShutdownSystem
┗━━━RestartSystem
```
-**CurrentSession**
+**CurrentSession**
Required. Represents the current UWF configuration in the current session (power cycle).
-**CurrentSession/FilterEnabled**
+**CurrentSession/FilterEnabled**
Required. Indicates if UWF is enabled for the current session.
The only supported operation is Get.
-**CurrentSession/OverlayConsumption**
+**CurrentSession/OverlayConsumption**
Required. The current size, in megabytes, of the UWF overlay.
The only supported operation is Get.
-**CurrentSession/AvailableOverlaySpace**
+**CurrentSession/AvailableOverlaySpace**
Required. The amount of free space, in megabytes, available for the UWF overlay.
The only supported operation is Get.
-**CurrentSession/CriticalOverlayThreshold**
+**CurrentSession/CriticalOverlayThreshold**
Required. The critical threshold size, in megabytes. UWF sends a critical threshold notification event when the UWF overlay size reaches or exceeds this value.
The only supported operation is Get.
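Review bot: CurrentSession/CriticalOverlayThreshold is documented here as Get only, while CurrentSession/WarningOverlayThreshold later in this file lists Get and Replace. If the asymmetry is intentional, a short sentence saying so would help; otherwise check both against the DDF and make them agree.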
@@ -123,7 +123,7 @@ Setting the value
To “move” swapfile to another volume, set the SwapfileSize property on that other volume's CSP note to non-zero.
-Currently SwapfileSize shouldn't be relied for determining or controlling the overlay size,
+Currently SwapfileSize shouldn't be relied for determining or controlling the overlay size,
**CurrentSession/MaximumOverlaySize** or **NextSession/MaximumOverlaySize**
should be used for that purpose.
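Review bot: The changed sentence still reads "shouldn't be relied for determining or controlling the overlay size," which is missing "on" and runs into the next sentence with a comma. Suggest "SwapfileSize shouldn't be relied on for determining or controlling the overlay size. Use **CurrentSession/MaximumOverlaySize** or **NextSession/MaximumOverlaySize** for that purpose." In the context line above it, "that other volume's CSP note" looks like a typo for "CSP node", and the property is written "SwapfileSize" here but "SWAPFileSize" in the node tree earlier in this file; pick the casing the DDF uses.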
@@ -134,190 +134,190 @@ should be used for that purpose.
> Only single swapfile is supported in current implementation and creating swapfile on specific volume will disable any other swapfile created on other volumes.
-**CurrentSession/WarningOverlayThreshold**
+**CurrentSession/WarningOverlayThreshold**
Required. The warning threshold size, in megabytes. UWF sends a warning threshold notification event when the UWF overlay size reaches or exceeds this value.
Supported operations are Get and Replace.
-**CurrentSession/OverlayType**
+**CurrentSession/OverlayType**
Required. Indicates the type of overlay in the current session.
The only supported operation is Get.
-**CurrentSession/MaximumOverlaySize**
+**CurrentSession/MaximumOverlaySize**
Required. Indicates the maximum cache size, in megabytes, of the overlay in the current session.
The only supported operation is Get.
-**CurrentSession/PersisitDomainSecretKey**
+**CurrentSession/PersisitDomainSecretKey**
Required. Indicates if the domain secret registry key is in the registry exclusion list. If the registry key isn't in the exclusion list, changes don't persist after a restart.
The only supported operation is Get.
-**CurrentSession/PersistTSCAL**
+**CurrentSession/PersistTSCAL**
Required. Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key isn't in the exclusion list, changes don't persist after a restart.
The only supported operation is Get.
-**CurrentSession/RegistryExclusions**
+**CurrentSession/RegistryExclusions**
Required. The root node that contains all registry exclusions.
-**CurrentSession/RegistryExclusions/***ExcludedRegistry*
+**CurrentSession/RegistryExclusions/***ExcludedRegistry*
Optional. A registry key in the registry exclusion list for UWF in the current session.
The only supported operation is Get.
-**CurrentSession/ServicingEnabled**
+**CurrentSession/ServicingEnabled**
Required. Indicates when servicing is enabled in the current session.
The only supported operation is Get.
-**CurrentSession/Volume**
+**CurrentSession/Volume**
Required. The root node to contain all volumes protected by UWF in the current session.
-**CurrentSession/Volume/***Volume*
+**CurrentSession/Volume/***Volume*
Optional. Represents a specific volume in the current session.
-**CurrentSession/Volume/*Volume*/Protected**
+**CurrentSession/Volume/*Volume*/Protected**
Required. Indicates if the volume is currently protected by UWF in the current session.
The only supported operation is Get.
-**CurrentSession/Volume/*Volume*/BindByDriveLetter**
+**CurrentSession/Volume/*Volume*/BindByDriveLetter**
Required. Indicates the type of binding that the volume uses in the current session.
The only supported operation is Get.
-**CurrentSession/Volume/*Volume*/DriveLetter**
+**CurrentSession/Volume/*Volume*/DriveLetter**
Required. The drive letter of the volume. If the volume doesn't have a drive letter, this value is NULL.
The only supported operation is Get.
-**CurrentSession/Volume/*Volume*/Exclusions**
+**CurrentSession/Volume/*Volume*/Exclusions**
Required. The root node that contains all file exclusions for the volume.
-**CurrentSession/Volume/*Volume*/Exclusions/***ExclusionPath*
+**CurrentSession/Volume/*Volume*/Exclusions/***ExclusionPath*
Optional. A string that contains the full path of the file or folder relative to the volume.
The only supported operation is Get.
-**CurrentSession/Volume/*Volume*/CommitFile**
+**CurrentSession/Volume/*Volume*/CommitFile**
Required. This method commits changes from the overlay to the physical volume for a specified file on a volume protected by Unified Write Filter (UWF).
Supported operations are Get and Execute.
-**CurrentSession/Volume/*Volume*/CommitFileDeletion**
+**CurrentSession/Volume/*Volume*/CommitFileDeletion**
Required. This method deletes the specified file and commits the deletion to the physical volume.
Supported operations are Get and Execute.
-**CurrentSession/ShutdownPending**
+**CurrentSession/ShutdownPending**
Required. This value is True if the system is pending on shutdown. Otherwise, it's False.
The only supported operation is Get.
-**CurrentSession/CommitRegistry**
+**CurrentSession/CommitRegistry**
Required. This method commits changes to the specified registry key and value.
Supported operations are Get and Execute.
-**CurrentSession/CommitRegistryDeletion**
+**CurrentSession/CommitRegistryDeletion**
Required. This method deletes the specified registry key or registry value and commits the deletion.
Supported operations are Get and Execute.
-**NextSession**
+**NextSession**
Required.
The root node that contains settings for the next UWF session (after a reboot).
-**NextSession/FilterEnabled**
+**NextSession/FilterEnabled**
Required. Boolean value that indicates if UWF is enabled for the next session.
Supported operations are Get and Replace.
-**NextSession/HORMEnabled**
+**NextSession/HORMEnabled**
Added in Windows 10, version 1607. Required. Boolean value that indicates if Hibernate Once/Resume Many (HORM) is enabled for the next session.
Supported operations are Get and Replace.
-**NextSession/OverlayType**
+**NextSession/OverlayType**
Required. Indicates the type of overlay for the next session.
Supported operations are Get and Replace.
-**NextSession/MaximumOverlaySize**
+**NextSession/MaximumOverlaySize**
Required. Indicates the maximum cache size, in megabytes, of the overlay for the next session.
Supported operations are Get and Replace.
-**NextSession/PersisitDomainSecretKey**
+**NextSession/PersisitDomainSecretKey**
Required. Indicates if the domain secret registry key is in the registry exclusion list. If the registry key isn't in the exclusion list, changes don't persist after a restart.
Supported operations are Get and Replace.
-**NextSession/PersistTSCAL**
+**NextSession/PersistTSCAL**
Required. Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key isn't in the exclusion list, changes don't persist after a restart.
Supported operations are Get and Replace.
-**NextSession/RegistryExclusions**
+**NextSession/RegistryExclusions**
Required. The root node that contains all registry exclusions for the next session.
Supported operations are Add, Delete, and Replace.
-**NextSession/RegistryExclusions/***ExcludedRegistry*
+**NextSession/RegistryExclusions/***ExcludedRegistry*
Optional. A registry key in the registry exclusion list for UWF.
Supported operations are Add, Delete, Get, and Replace.
-**NextSession/ServicingEnabled**
+**NextSession/ServicingEnabled**
Required. Indicates when to enable servicing.
Supported operations are Get and Replace.
-**NextSession/Volume**
+**NextSession/Volume**
Required. The root node that contains all volumes protected by UWF for the next session.
-**NextSession/Volume/***Volume*
+**NextSession/Volume/***Volume*
Optional. Represents a specific volume in the next session.
Supported operations are Add, Delete, and Replace.
-**NextSession/Volume/*Volume*/Protected**
+**NextSession/Volume/*Volume*/Protected**
Required. Indicates if the volume is currently protected by UWF in the next session.
Supported operations are Get and Replace.
-**NextSession/Volume/*Volume*/BindByDriveLetter**
+**NextSession/Volume/*Volume*/BindByDriveLetter**
Required. Indicates the type of binding that the volume uses in the next session.
Supported operations are Get and Replace.
-**NextSession/Volume/*Volume*/DriveLetter**
+**NextSession/Volume/*Volume*/DriveLetter**
The drive letter of the volume. If the volume doesn't have a drive letter, this value is NULL.
The only supported operation is Get.
-**NextSession/Volume/*Volume*/Exclusions**
+**NextSession/Volume/*Volume*/Exclusions**
Required. The root node that contains all file exclusions for this volume in the next session.
-**NextSession/Volume/*Volume*/Exclusions/***ExclusionPath*
+**NextSession/Volume/*Volume*/Exclusions/***ExclusionPath*
Optional. A string that contains the full path of the file or folder relative to the volume.
Supported operations are Add, Delete, Get, and Replace.
-**ResetSettings**
+**ResetSettings**
Required. Restores UWF settings to the original state that was captured at installation time.
Supported operations are Get and Execute.
-**ShutdownSystem**
+**ShutdownSystem**
Required. Safely shuts down a system protected by UWF, even if the overlay is full.
Supported operations are Get and Execute.
-**RestartSystem**
+**RestartSystem**
Required. Safely restarts a system protected by UWF, even if the overlay is full.
Supported operations are Get and Execute.
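Review bot: The node name "PersisitDomainSecretKey" (under both CurrentSession and NextSession) is spelled differently from its sibling "PersistTSCAL". Please confirm the spelling against the DDF; if the node really is named "Persisit...", add a short note saying so, so that readers do not "correct" it when writing SyncML. Two smaller points in the same hunk: NextSession/Volume/*Volume*/Protected says the volume is "currently protected by UWF in the next session", which mixes tenses, and NextSession/Volume/*Volume*/DriveLetter is the only entry here without a Required or Optional marker.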
@@ -326,9 +326,9 @@ Supported operations are Get and Execute.
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
-
+
+
+
diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md
index f6cfcd2307..d1da859d86 100644
--- a/windows/client-management/mdm/unifiedwritefilter-ddf.md
+++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md
@@ -1,7 +1,7 @@
---
title: UnifiedWriteFilter DDF File
description: UnifiedWriteFilter DDF File
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/universalprint-csp.md b/windows/client-management/mdm/universalprint-csp.md
index bb4cae4a7b..5feb529511 100644
--- a/windows/client-management/mdm/universalprint-csp.md
+++ b/windows/client-management/mdm/universalprint-csp.md
@@ -42,7 +42,7 @@ PrinterProvisioning
--------ErrorCode
```
-**./Vendor/MSFT/PrinterProvisioning**
+**./Vendor/MSFT/PrinterProvisioning**
The root node for the Universal Print PrinterProvisioning configuration service provider.
**UPPrinterInstalls**
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md
index e7c54fb69a..2cc06638ee 100644
--- a/windows/client-management/mdm/update-csp.md
+++ b/windows/client-management/mdm/update-csp.md
@@ -1,7 +1,7 @@
---
title: Update CSP
description: Learn how the Update configuration service provider (CSP) enables IT administrators to manage and control the rollout of new updates.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md
index 06da8be6f1..ce452100da 100644
--- a/windows/client-management/mdm/update-ddf-file.md
+++ b/windows/client-management/mdm/update-ddf-file.md
@@ -1,7 +1,7 @@
---
title: Update DDF file
description: Learn about the OMA DM device description framework (DDF) for the Update configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 6d484acd8d..8e2189681d 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -1,7 +1,7 @@
---
title: VPN CSP
description: Learn how the VPN configuration service provider (CSP) allows the mobile device management (MDM) server to configure the VPN profile of the device.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md
index 4cf629cb79..703e1a64d4 100644
--- a/windows/client-management/mdm/vpn-ddf-file.md
+++ b/windows/client-management/mdm/vpn-ddf-file.md
@@ -1,7 +1,7 @@
---
title: VPN DDF file
description: Learn about the OMA DM device description framework (DDF) for the VPN configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md
index fb60f1756f..43db459434 100644
--- a/windows/client-management/mdm/vpnv2-csp.md
+++ b/windows/client-management/mdm/vpnv2-csp.md
@@ -326,10 +326,10 @@ VPNv2
------------DisableClassBasedDefaultRoute
------------PlumbIKEv2TSAsRoutes
```
-**Device or User profile**
+**Device or User profile**
For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path.
-**VPNv2/**ProfileName
+**VPNv2/**ProfileName
Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/).
Supported operations include Get, Add, and Delete.
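Review bot: "Unique alpha numeric identifier" under VPNv2/ProfileName should be "alphanumeric", matching "non-alphanumeric" in the note that follows. The description also calls the identifier alphanumeric while the note allows spaces and other characters if URL-encoded; one sentence reconciling the two would avoid confusion about which profile names are accepted.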
@@ -337,20 +337,20 @@ Supported operations include Get, Add, and Delete.
> [!NOTE]
> If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
-**VPNv2/**ProfileName**/AppTriggerList**
+**VPNv2/**ProfileName**/AppTriggerList**
Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect.
-**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId
+**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId
A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers.
Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App**
+**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App**
App Node under the Row ID.
-**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Id**
+**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Id**
App identity, which is either an app’s package family name or file path. The type is inferred by the ID, and therefore can't be specified in the get only App/Type field
-**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type**
+**VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type**
Returns the type of **App/Id**. This value can be either of the following values:
- PackageFamilyName - When this value is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Microsoft Store application.
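Review bot: The App/Id description ends with "can't be specified in the get only App/Type field" with no closing period, and "get only" should be written "Get-only" to match how operations are named elsewhere in this file. Worth fixing while the neighbouring heading lines are being touched.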
@@ -358,35 +358,35 @@ Returns the type of **App/Id**. This value can be either of the following values
Value type is chr. Supported operation is Get.
-**VPNv2/**ProfileName**/RouteList/**
+**VPNv2/**ProfileName**/RouteList/**
Optional node. List of routes to be added to the routing table for the VPN interface. This information is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface.
Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length.
Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and don't need this information in the VPN Profile. Check with your VPN server administrator to determine whether you need this information in the VPN profile.
-**VPNv2/**ProfileName**/RouteList/**routeRowId
+**VPNv2/**ProfileName**/RouteList/**routeRowId
A sequential integer identifier for the RouteList. This value is required if you're adding routes. Sequencing must start at 0.
Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/RouteList/**routeRowId**/Address**
+**VPNv2/**ProfileName**/RouteList/**routeRowId**/Address**
Subnet address in IPv4/v6 address format which, along with the prefix, will be used to determine the destination prefix to send via the VPN Interface. This subnet address is the IP address part of the destination prefix.
Supported operations include Get, Add, Replace, and Delete. Value type is chr. Example, `192.168.0.0`
-**VPNv2/**ProfileName**/RouteList/**routeRowId**/PrefixSize**
+**VPNv2/**ProfileName**/RouteList/**routeRowId**/PrefixSize**
The subnet prefix size part of the destination prefix for the route entry. This subnet prefix, along with the address, will be used to determine the destination prefix to route through the VPN Interface.
Value type is int. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/RouteList/**routeRowId**/Metric**
+**VPNv2/**ProfileName**/RouteList/**routeRowId**/Metric**
Added in Windows 10, version 1607. The route's metric.
Value type is int. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/RouteList/**routeRowId**/ExclusionRoute**
+**VPNv2/**ProfileName**/RouteList/**routeRowId**/ExclusionRoute**
Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values:
- False (default) - This route will direct traffic over the VPN
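Review bot: In the RouteList description, "the VPN server site has more subnets that the default subnet" should read "than the default subnet", and "required for split tunneling case" needs an article ("for the split tunneling case"). Because this paragraph is what admins rely on to decide which prefixes go over the tunnel, it is worth correcting in this pass.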
@@ -394,20 +394,20 @@ Added in Windows 10, version 1607. A boolean value that specifies if the route
Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/DomainNameInformationList**
+**VPNv2/**ProfileName**/DomainNameInformationList**
Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile.
The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before name resolution queries are issued, the DNS client consults the NRPT to determine if any extra flags must be set in the query. After the response is received, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
-> [!NOTE]
+> [!NOTE]
> Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT.
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId
+**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId
A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainName**
+**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainName**
Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
- FQDN - Fully qualified domain name
@@ -415,7 +415,7 @@ Used to indicate the namespace to which the policy applies. When a Name query is
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType**
+**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType**
Returns the namespace type. This value can be one of the following values:
- FQDN - If the DomainName wasn't prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host.
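Review bot: In the FQDN bullet, "wasn't prepended with a**.** and applies only to" has no space before the bold marker, so the bold dot may not render as intended. Suggest "wasn't prepended with a **.** and applies only to".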
@@ -423,20 +423,20 @@ Returns the namespace type. This value can be one of the following values:
Value type is chr. Supported operation is Get.
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers**
+**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DnsServers**
List of comma-separated DNS Server IP addresses to use for the namespace.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers**
+**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers**
Optional. Web Proxy Server IP address if you're redirecting traffic through your intranet.
-> [!NOTE]
-> Currently only one web proxy server is supported.
+> [!NOTE]
+> Currently only one web proxy server is supported.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/AutoTrigger**
+**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/AutoTrigger**
Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN.
If set to False, this DomainName rule won't trigger the VPN.
@@ -447,7 +447,7 @@ By default, this value is false.
Value type is bool.
-**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/Persistent**
+**VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/Persistent**
Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN isn't connected. Value values:
- False (default) - This DomainName rule will only be applied when VPN is connected.
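Review bot: The Persistent description ends with "Value values:", which should be "Valid values:" as used for the other boolean nodes in this file.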
@@ -455,7 +455,7 @@ Added in Windows 10, version 1607. A boolean value that specifies if the rule b
Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/TrafficFilterList**
+**VPNv2/**ProfileName**/TrafficFilterList**
An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface.
> [!NOTE]
@@ -463,13 +463,13 @@ An optional node that specifies a list of rules. Only traffic that matches these
When multiple rules are being added, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId
A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App**
Per app VPN rule. This property will allow only the apps specified to be allowed over the VPN interface. Value type is chr.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Id**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Id**
App identity for the app-based traffic filter.
The value for this node can be one of the following values:
@@ -480,20 +480,20 @@ The value for this node can be one of the following values:
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Type**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/App/Type**
Returns the type of ID of the **App/Id**.
Value type is chr. Supported operation is Get.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Claims**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Claims**
Reserved for future use.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Protocol**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Protocol**
Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.
Value type is int. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalPortRanges**
A list of comma-separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`.
> [!NOTE]
@@ -501,7 +501,7 @@ A list of comma-separated values specifying local port ranges to allow. For exam
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemotePortRanges**
A list of comma-separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`.
> [!NOTE]
@@ -509,17 +509,17 @@ A list of comma-separated values specifying remote port ranges to allow. For exa
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/LocalAddressRanges**
A list of comma-separated values specifying local IP address ranges to allow.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RemoteAddressRanges**
A list of comma-separated values specifying remote IP address ranges to allow.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RoutingPolicyType**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/RoutingPolicyType**
Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following values:
- SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
@@ -529,7 +529,7 @@ This property is only applicable for App ID-based Traffic Filter rules.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Direction**
+**VPNv2/**ProfileName**/TrafficFilterList/**trafficFilterId**/Direction**
Added in Windows 10, version 2004. Specifies the traffic direction to apply this policy to. Default is Outbound. The value can be one of the following values:
- Outbound - The rule applies to all outbound traffic
@@ -539,19 +539,19 @@ If no inbound filter is provided, then by default all unsolicited inbound traffi
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/EdpModeId**
+**VPNv2/**ProfileName**/EdpModeId**
Enterprise ID, which is required for connecting this VPN profile with a Windows Information Protection policy. When this ID is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. We recommend having only one such profile per device.
Additionally when a connection is being established with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin doesn't have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the Windows Information Protection policies and App lists automatically takes effect.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/RememberCredentials**
+**VPNv2/**ProfileName**/RememberCredentials**
Boolean value (true or false) for caching credentials. Default is false, which means don't cache credentials. If set to true, credentials are cached whenever possible.
Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/AlwaysOn**
+**VPNv2/**ProfileName**/AlwaysOn**
An optional flag to enable Always On mode. This flag will automatically connect the VPN at sign in and will stay connected until the user manually disconnects.
> [!NOTE]
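Review bot: The second EdpModeId paragraph has two small errors: "Windows Information Protection (WIP)(formerly known as Enterprise Data Protection)" is missing a space between the parentheses, and "policies and App lists automatically takes effect" should be "take effect". A comma after "Additionally" would also help readability.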
@@ -559,7 +559,7 @@ An optional flag to enable Always On mode. This flag will automatically connect
Preserving user Always On preference
-Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
+Windows has a feature to preserve a user’s AlwaysOn preference. If a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows won't check the box if the profile name exists in the below registry value in order to preserve user preference.
Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`
Value: AutoTriggerDisabledProfilesList
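Review bot: The sentence starting "Should a management tool remove/add the same profile name back" buries the operational consequence: a profile re-pushed with AlwaysOn set to true will not auto-connect while its name is listed in AutoTriggerDisabledProfilesList. Suggest stating that directly, since admins who depend on Always On for policy enforcement need to know the setting alone does not guarantee it. "Preserving user Always On preference" also appears as a plain line; it should be formatted as a heading or bold label like the rest of the page.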
@@ -573,7 +573,7 @@ Valid values:
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/DeviceTunnel** (./Device only profile)
+**VPNv2/**ProfileName**/DeviceTunnel** (./Device only profile)
Device tunnel profile.
Valid values:
@@ -599,124 +599,124 @@ Valid values:
- False = Don't register the connection's address in DNS (default).
- True = Register the connection's addresses in DNS.
-**VPNv2/**ProfileName**/DnsSuffix**
+**VPNv2/**ProfileName**/DnsSuffix**
Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/ByPassForLocal**
+**VPNv2/**ProfileName**/ByPassForLocal**
Reserved for future use.
-**VPNv2/**ProfileName**/TrustedNetworkDetection**
+**VPNv2/**ProfileName**/TrustedNetworkDetection**
Optional. Comma-separated string to identify the trusted network. VPN won't connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/ProfileXML**
+**VPNv2/**ProfileName**/ProfileXML**
Added in Windows 10, version 1607. The XML schema for provisioning all the fields of a VPN. For the XSD, see [ProfileXML XSD](vpnv2-profile-xsd.md).
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/Proxy**
+**VPNv2/**ProfileName**/Proxy**
A collection of configuration objects to enable a post-connect proxy support for VPN Force Tunnel connections. The proxy defined for this profile is applied when this profile is active and connected.
> [!NOTE]
> VPN proxy settings are used only on Force Tunnel connections. On Split Tunnel connections, the general proxy settings are used.
-**VPNv2/**ProfileName**/Proxy/Manual**
+**VPNv2/**ProfileName**/Proxy/Manual**
Optional node containing the manual server settings.
-**VPNv2/**ProfileName**/Proxy/Manual/Server**
+**VPNv2/**ProfileName**/Proxy/Manual/Server**
Optional. Proxy server address as a fully qualified hostname or an IP address. You should set this element together with Port. Example, proxy.contoso.com.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/Proxy/AutoConfigUrl**
+**VPNv2/**ProfileName**/Proxy/AutoConfigUrl**
Optional. URL to automatically retrieve the proxy settings.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/APNBinding**
+**VPNv2/**ProfileName**/APNBinding**
Reserved for future use.
-**VPNv2/**ProfileName**/APNBinding/ProviderId**
+**VPNv2/**ProfileName**/APNBinding/ProviderId**
Reserved for future use. Optional node.
-**VPNv2/**ProfileName**/APNBinding/AccessPointName**
+**VPNv2/**ProfileName**/APNBinding/AccessPointName**
Reserved for future use.
-**VPNv2/**ProfileName**/APNBinding/UserName**
+**VPNv2/**ProfileName**/APNBinding/UserName**
Reserved for future use.
-**VPNv2/**ProfileName**/APNBinding/Password**
+**VPNv2/**ProfileName**/APNBinding/Password**
Reserved for future use.
-**VPNv2/**ProfileName**/APNBinding/IsCompressionEnabled**
+**VPNv2/**ProfileName**/APNBinding/IsCompressionEnabled**
Reserved for future use.
-**VPNv2/**ProfileName**/APNBinding/AuthenticationType**
+**VPNv2/**ProfileName**/APNBinding/AuthenticationType**
Reserved for future use.
-**VPNv2/**ProfileName**/DeviceCompliance**
+**VPNv2/**ProfileName**/DeviceCompliance**
Added in Windows 10, version 1607. Nodes under DeviceCompliance can be used to enable Azure Active Directory-based Conditional Access for VPN.
-**VPNv2/**ProfileName**/DeviceCompliance/Enabled**
+**VPNv2/**ProfileName**/DeviceCompliance/Enabled**
Added in Windows 10, version 1607. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with Azure Active Directory to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory (AAD).
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/DeviceCompliance/Sso**
+**VPNv2/**ProfileName**/DeviceCompliance/Sso**
Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication if there's Device Compliance.
-**VPNv2/**ProfileName**/DeviceCompliance/Sso/Enabled**
+**VPNv2/**ProfileName**/DeviceCompliance/Sso/Enabled**
Added in Windows 10, version 1607. If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication.
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/DeviceCompliance/Sso/IssuerHash**
+**VPNv2/**ProfileName**/DeviceCompliance/Sso/IssuerHash**
Added in Windows 10, version 1607. Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/DeviceCompliance/Sso/Eku**
+**VPNv2/**ProfileName**/DeviceCompliance/Sso/Eku**
Added in Windows 10, version 1607. Comma-Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/PluginProfile**
+**VPNv2/**ProfileName**/PluginProfile**
Nodes under the PluginProfile are required when using a Microsoft Store based VPN plugin.
-**VPNv2/**ProfileName**/PluginProfile/ServerUrlList**
+**VPNv2/**ProfileName**/PluginProfile/ServerUrlList**
Required for plug-in profiles. Semicolon-separated list of servers in URL, hostname, or IP format.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/PluginProfile/CustomConfiguration**
+**VPNv2/**ProfileName**/PluginProfile/CustomConfiguration**
Optional. This property is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations and defaults.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/PluginProfile/PluginPackageFamilyName**
+**VPNv2/**ProfileName**/PluginProfile/PluginPackageFamilyName**
Required for plug-in profiles. Package family name for the SSL-VPN plug-in.
Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/PluginProfile/CustomStoreUrl**
+**VPNv2/**ProfileName**/PluginProfile/CustomStoreUrl**
Reserved for future use.
-**VPNv2/**ProfileName**/NativeProfile**
+**VPNv2/**ProfileName**/NativeProfile**
Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP).
-**VPNv2/**ProfileName**/NativeProfile/Servers**
-Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.
+**VPNv2/**ProfileName**/NativeProfile/Servers**
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.
-The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name.
+The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name.
You can make a list of server by making a list of server names (with optional friendly names) separated by commas. For example, server1.example.com,server2.example.com.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/RoutingPolicyType**
+**VPNv2/**ProfileName**/NativeProfile/RoutingPolicyType**
Optional for native profiles. Type of routing policy. This value can be one of the following values:
- SplitTunnel - Traffic can go over any interface as determined by the networking stack.
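Review bot: The NativeProfile/Servers description touched by this hunk still gives 208.147.66.130 as a sample gateway, which is a publicly routable address. Since these lines are being rewritten anyway, replace it with an address from a documentation range (192.0.2.0/24, 198.51.100.0/24 or 203.0.113.0/24, per RFC 5737) so readers who copy the sample do not point a profile at a real host. Two wording fixes nearby: "Examples, 208.147.66.130 or vpn.contoso.com" reads better as "For example, ...", and the context line "You can make a list of server" should read "a list of servers".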
@@ -724,7 +724,7 @@ Optional for native profiles. Type of routing policy. This value can be one of t
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/NativeProtocolType**
+**VPNv2/**ProfileName**/NativeProfile/NativeProtocolType**
Required for native profiles. Type of tunneling protocol used. This value can be one of the following values:
- PPTP
@@ -735,12 +735,12 @@ Required for native profiles. Type of tunneling protocol used. This value can be
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
> [!NOTE]
-> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order isn't customizable.
+> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order isn't customizable.
-**VPNv2/**ProfileName**/NativeProfile/Authentication**
+**VPNv2/**ProfileName**/NativeProfile/Authentication**
Required node for native profile. It contains authentication information for the native VPN profile.
-**VPNv2/**ProfileName**/NativeProfile/Authentication/UserMethod**
+**VPNv2/**ProfileName**/NativeProfile/Authentication/UserMethod**
This value can be one of the following:
- EAP
@@ -748,7 +748,7 @@ This value can be one of the following:
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/Authentication/MachineMethod**
+**VPNv2/**ProfileName**/NativeProfile/Authentication/MachineMethod**
This is only supported in IKEv2.
This value can be one of the following values:
@@ -757,34 +757,34 @@ This value can be one of the following values:
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap**
+**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap**
Required when the native profile specifies EAP authentication. EAP configuration XML.
Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Configuration**
+**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Configuration**
HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see [EAP configuration](eap-configuration.md).
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Type**
+**VPNv2/**ProfileName**/NativeProfile/Authentication/Eap/Type**
Reserved for future use.
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate**
+**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate**
Reserved for future use.
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Issuer**
+**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Issuer**
Reserved for future use.
-**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Eku**
+**VPNv2/**ProfileName**/NativeProfile/Authentication/Certificate/Eku**
Reserved for future use.
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite**
-Added in Windows 10, version 1607. Properties of IPSec tunnels.
+**VPNv2/**ProfileName**/NativeProfile/CryptographySuite**
+Added in Windows 10, version 1607. Properties of IPSec tunnels.
[!NOTE] If you specify any of the properties under CryptographySuite, you must specify all of them. It's not valid to specify just some of the properties.
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/AuthenticationTransformConstants**
+**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/AuthenticationTransformConstants**
Added in Windows 10, version 1607.
The following list contains the valid values:
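Review bot: The CryptographySuite note in this hunk is written as a bare `[!NOTE]` on one line, without the `> ` blockquote prefix used for the Proxy note earlier in the file (`> [!NOTE]` followed by a `> ` line), so it will likely render as literal text rather than a callout. This is the only place that says all CryptographySuite properties must be specified together, so it should be visible: split it into `> [!NOTE]` and a following `> If you specify any of the properties ...` line.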
@@ -798,7 +798,7 @@ The following list contains the valid values:
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/CipherTransformConstants**
+**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/CipherTransformConstants**
Added in Windows 10, version 1607.
The following list contains the valid values:
@@ -814,7 +814,7 @@ The following list contains the valid values:
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/EncryptionMethod**
+**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/EncryptionMethod**
Added in Windows 10, version 1607.
The following list contains the valid values:
@@ -829,7 +829,7 @@ The following list contains the valid values:
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/IntegrityCheckMethod**
+**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/IntegrityCheckMethod**
Added in Windows 10, version 1607.
The following list contains the valid values:
@@ -841,7 +841,7 @@ The following list contains the valid values:
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/DHGroup**
+**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/DHGroup**
Added in Windows 10, version 1607.
The following list contains the valid values:
@@ -855,7 +855,7 @@ The following list contains the valid values:
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/PfsGroup**
+**VPNv2/**ProfileName**/NativeProfile/CryptographySuite/PfsGroup**
Added in Windows 10, version 1607.
The following list contains the valid values:
@@ -870,17 +870,17 @@ The following list contains the valid values:
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/L2tpPsk**
+**VPNv2/**ProfileName**/NativeProfile/L2tpPsk**
Added in Windows 10, version 1607. The preshared key used for an L2TP connection.
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/DisableClassBasedDefaultRoute**
+**VPNv2/**ProfileName**/NativeProfile/DisableClassBasedDefaultRoute**
Added in Windows 10, version 1607. Specifies the class-based default routes. For example, if the interface IP begins with 10, it assumes a class an IP and pushes the route to 10.0.0.0/8
Value type is bool. Supported operations include Get, Add, Replace, and Delete.
-**VPNv2/**ProfileName**/NativeProfile/PlumbIKEv2TSAsRoutes**
+**VPNv2/**ProfileName**/NativeProfile/PlumbIKEv2TSAsRoutes**
Determines whether plumbing IPSec traffic selectors as routes onto VPN interface is enabled.
If set to False, plumbing traffic selectors as routes is disabled.
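Review bot: The DisableClassBasedDefaultRoute context line reads "it assumes a class an IP and pushes the route to 10.0.0.0/8", which should be "a class A IP", and the sentence has no closing period. The description also never states what True and False do for this bool: "Specifies the class-based default routes" does not tell an admin whether setting it to True removes the 10.0.0.0/8 route in the example, which matters when deciding what traffic goes over the tunnel. Suggest fixing the typo and adding one sentence per value, as PlumbIKEv2TSAsRoutes does just below.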
@@ -928,11 +928,11 @@ Profile example
.contoso.com
10.5.5.5
-
- %ProgramFiles%\Internet Explorer\iexplore.exe
-
-
- Microsoft.MicrosoftEdge_8wekyb3d8bbwe
+
+ %ProgramFiles%\Internet Explorer\iexplore.exe
+
+
+ Microsoft.MicrosoftEdge_8wekyb3d8bbwe
10.0.0.0
@@ -1033,7 +1033,7 @@ DomainNameInformationList
10013
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName
.contoso.com
@@ -1042,7 +1042,7 @@ DomainNameInformationList
10014
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers
192.168.0.11,192.168.0.12
@@ -1053,7 +1053,7 @@ DomainNameInformationList
10013
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName
.contoso.com
@@ -1063,7 +1063,7 @@ DomainNameInformationList
10015
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers
192.168.0.100:8888
@@ -1075,7 +1075,7 @@ DomainNameInformationList
10016
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName
finance.contoso.com
@@ -1084,7 +1084,7 @@ DomainNameInformationList
10017
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers
192.168.0.11,192.168.0.12
@@ -1096,7 +1096,7 @@ DomainNameInformationList
10016
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName
finance.contoso.com
@@ -1105,7 +1105,7 @@ DomainNameInformationList
10017
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers
192.168.0.11:8080
@@ -1116,7 +1116,7 @@ DomainNameInformationList
10016
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName
.
@@ -1125,7 +1125,7 @@ DomainNameInformationList
10017
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers
192.168.0.11,192.168.0.12
@@ -1137,7 +1137,7 @@ DomainNameInformationList
10016
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName
.
@@ -1146,7 +1146,7 @@ DomainNameInformationList
10017
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers
+ ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers
192.168.0.11
@@ -1205,7 +1205,7 @@ TrafficFilterLIst App
10014
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/1/App/Id
+ ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/1/App/Id
Microsoft.MicrosoftEdge_8wekyb3d8bbwe
@@ -1215,7 +1215,7 @@ TrafficFilterLIst App
10015
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/App/Id
+ ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/App/Id
SYSTEM
@@ -1230,7 +1230,7 @@ Protocol
$CmdID$
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/Protocol
+ ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/Protocol
int
@@ -1243,45 +1243,45 @@ Protocol
$CmdID$
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalPortRanges
+ ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalPortRanges
10,20-50,100-200
-
+
RemotePortRanges
$CmdID$
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemotePortRanges
+ ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemotePortRanges
20-50,100-200,300
-
+
LocalAddressRanges
$CmdID$
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalAddressRanges/LocURI>
+ ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalAddressRanges/LocURI>
3.3.3.3/32,1.1.1.1-2.2.2.2
-
+
RemoteAddressRanges
$CmdID$
-
- ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemoteAddressRanges
+ ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemoteAddressRanges
30.30.0.0/16,10.10.10.10-20.20.20.20
-
+
RoutingPolicyType
$CmdID$
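Review bot: In the LocalAddressRanges item, the target path ends in `/LocURI>` on both the removed and the added line (`.../TrafficFilterList/3/LocalAddressRanges/LocURI>`), while the sibling LocalPortRanges, RemotePortRanges and RemoteAddressRanges paths end at the node name. This looks like a closing tag that lost its `<`, which leaves the sample SyncML not well-formed and puts the stray text into the target URI if copied. The whitespace cleanup carries the defect forward unchanged; fix the closing tag in this same change.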
@@ -1292,7 +1292,7 @@ Protocol
ForceTunnel
-
+
EDPModeId
$CmdID$
@@ -1303,7 +1303,7 @@ Protocol
corp.contoso.com
-
+
RememberCredentials
$CmdID$
@@ -1317,7 +1317,7 @@ Protocol
true
-
+
AlwaysOn
$CmdID$
@@ -1331,7 +1331,7 @@ Protocol
true
-
+
Lockdown
$CmdID$
@@ -1345,7 +1345,7 @@ Protocol
true
-
+
DnsSuffix
$CmdID$
@@ -1356,7 +1356,7 @@ Protocol
Adatum.com
-
+
TrustedNetworkDetection
@@ -1383,7 +1383,7 @@ Manual
192.168.0.100:8888
-
+
AutoConfigUrl
$CmdID$
@@ -1412,7 +1412,7 @@ Device Compliance - Sso
true
-
+
IssuerHash
10011
@@ -1423,7 +1423,7 @@ Device Compliance - Sso
ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee
-
+
Eku
10011
@@ -1450,7 +1450,7 @@ PluginPackageFamilyName
selfhost.corp.contoso.com
-
+
10002
@@ -1461,7 +1461,7 @@ PluginPackageFamilyName
TestVpnPluginApp-SL_8wekyb3d8bbwe
-
+
10003
@@ -1487,7 +1487,7 @@ Servers
Selfhost.corp.contoso.com
-
+
RoutingPolicyType
10007
@@ -1498,7 +1498,7 @@ Servers
ForceTunnel
-
+
NativeProtocolType
@@ -1510,7 +1510,7 @@ Servers
Automatic
-
+
Authentication
UserMethod
@@ -1523,7 +1523,7 @@ Servers
Eap
-
+
MachineMethod
@@ -1535,7 +1535,7 @@ Servers
Eap
-
+
CryptographySuite
10004
@@ -1591,8 +1591,8 @@ Servers
PFS2048
-
- DisableClassBasedDefaultRoute
+
+ DisableClassBasedDefaultRoute
10011
-
@@ -1610,7 +1610,7 @@ Servers
[Configuration service provider reference](configuration-service-provider-reference.md)
-
-
+
+
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md
index 6e67b7102c..9462a1cbbf 100644
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@@ -1,7 +1,7 @@
---
title: ProfileXML XSD
description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index 7bc64259b1..26f952284b 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -1,7 +1,7 @@
---
title: w4 APPLICATION CSP
description: Use an APPLICATION configuration service provider (CSP) that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index f5dc037820..62724dd673 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -1,7 +1,7 @@
---
title: w7 APPLICATION CSP
description: Learn that the APPLICATION configuration service provider (CSP) that has an APPID of w7 is used for bootstrapping a device with an OMA DM account.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -54,7 +54,7 @@ APPLICATION
---NAME
---PROTOVER
---PROVIDER-ID
----ROLE
+---ROLE
---TO-NAPID
---USEHWDEVID
---SSLCLIENTCERTSEARCHCRITERIA
@@ -64,30 +64,30 @@ APPLICATION
> All parameter names and characteristic types are case sensitive and must use all uppercase.
Both APPSRV and CLIENT credentials must be provided in provisioning XML.
-**APPADDR**
+**APPADDR**
This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address.
-**APPADDR/ADDR**
+**APPADDR/ADDR**
Optional. The ADDR parameter is used in the APPADDR characteristic to get or set the address of the OMA DM server. This parameter takes a string value.
-**APPADDR/ADDRTYPE**
+**APPADDR/ADDRTYPE**
Optional. The ADDRTYPE parameter is used in the APPADDR characteristic to get or set the format of the ADDR parameter. This parameter takes a string value.
In OMA DM XML, if there are multiple instances of this parameter, the first valid parameter value is used.
-**APPADDR/PORT**
+**APPADDR/PORT**
This characteristic is used in the APPADDR characteristic to specify port information.
-**APPADDR/PORT/PORTNBR**
+**APPADDR/PORT/PORTNBR**
Required. The PORTNBR parameter is used in the PORT characteristic to get or set the number of the port to connect to. This parameter takes a numeric value in string format.
-**APPAUTH**
+**APPAUTH**
This characteristic is used in the w7 APPLICATION characteristic to specify authentication information.
-**APPAUTH/AAUTHDATA**
+**APPAUTH/AAUTHDATA**
Optional. The AAUTHDATA parameter is used in the APPAUTH characteristic to get or set more data used in authentication. This parameter is used to convey the nonce for digest authentication type. This parameter takes a string value. The value of this parameter is a base64-encoded in the form of a series of bytes. If the AAUTHTYPE is DIGEST, this value is used as a nonce value in the MD5 hash calculation, and the octal form of the binary data should be used when calculating the hash at the server side and device side.
-**APPAUTH/AAUTHLEVEL**
+**APPAUTH/AAUTHLEVEL**
Required. The AAUTHLEVEL parameter is used in the APPAUTH characteristic to indicate whether credentials are for server authentication or client authentication. This parameter takes a string value. You can set this value.
Valid values:
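Review bot: The APPAUTH/AAUTHDATA context line in this hunk is hard to parse where it describes the nonce: "The value of this parameter is a base64-encoded in the form of a series of bytes" is missing a noun after "base64-encoded", and "the octal form of the binary data should be used when calculating the hash" does not say clearly which representation goes into the MD5 calculation. Server and device must agree on the exact bytes or digest authentication fails, so please confirm whether "octal form" is intended (as opposed to the decoded octets) and reword the sentence accordingly.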
@@ -96,13 +96,13 @@ Valid values:
- CLIENT - specifies that the server authenticates itself to the OMA DM Client at the DM protocol level.
-**APPAUTH/AAUTHNAME**
+**APPAUTH/AAUTHNAME**
Optional. The AAUTHNAME parameter is used in the APPAUTH characteristic to differentiate OMA DM client names. This parameter takes a string value. You can set this value.
-**APPAUTH/AAUTHSECRET**
+**APPAUTH/AAUTHSECRET**
Required. The AAUTHSECRET parameter is used in the APPAUTH characteristic to get or set the authentication secret used to authenticate the user. This parameter takes a string value.
-**APPAUTH/AAUTHTYPE**
+**APPAUTH/AAUTHTYPE**
Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to get or set the method of authentication. This parameter takes a string value.
Valid values:
@@ -111,20 +111,20 @@ Valid values:
- DIGEST - Specifies that the SyncML DM 'syncml:auth-md5' authentication type.
- When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST.
-**APPID**
+**APPID**
Required. The APPID parameter is used in the APPLICATION characteristic to differentiate the types of available application services and protocols. This parameter takes a string value. You can get or set this value. The only valid value to configure the OMA Client Provisioning bootstrap APPID is w7.
-**BACKCOMPATRETRYDISABLED**
+**BACKCOMPATRETRYDISABLED**
Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time).
> [!Note]
> This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled.
-**CONNRETRYFREQ**
+**CONNRETRYFREQ**
Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter.
-**DEFAULTENCODING**
+**DEFAULTENCODING**
Optional. The DEFAULTENCODING parameter is used in the APPLICATION characteristic to specify whether the DM client should use WBXML or XML for the DM package when communicating with the server. You can get or set this parameter.
The valid values are:
@@ -132,7 +132,7 @@ The valid values are:
- application/vnd.syncml.dm+xml (Default)
- application/vnd.syncml.dm+wbxml
-**INIT**
+**INIT**
Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present.
> [!Note]
@@ -140,18 +140,18 @@ Optional. The INIT parameter is used in the APPLICATION characteristic to indica
This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready.
-**INITIALBACKOFFTIME**
+**INITIALBACKOFFTIME**
Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter.
-**MAXBACKOFFTIME**
+**MAXBACKOFFTIME**
Optional. The MAXBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the maximum number of milliseconds to sleep after package-sending failure. This parameter takes numeric value in string format. The default value is “86400000”. You can set this parameter.
-**NAME**
+**NAME**
Optional. The NAME parameter is used in the APPLICATION characteristic to specify a user readable application identity. This parameter is used to define part of the registry path for the APPLICATION parameters. You can set this parameter.
The NAME parameter can be a string or null (no value). If no value is specified, the registry location will default to <unnamed>.
-**PROTOVER**
+**PROTOVER**
Optional. The PROTOVER parameter is used in the APPLICATION characteristic to specify the OMA DM Protocol version the server supports. No default value is assumed. The protocol version set by this node will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this node isn't specified when adding a DM server account, the latest DM protocol version that the client supports is used. In Windows Phone, this version is 1.2. This parameter is a Microsoft custom parameter. You can set this parameter.
Possible values:
@@ -159,22 +159,22 @@ Possible values:
- 1.1
- 1.2
-**PROVIDER-ID**
+**PROVIDER-ID**
Optional. The PROVIDER-ID parameter is used in the APPLICATION characteristic to differentiate OMA DM servers. It specifies the server identifier for a management server used in the current management session. This parameter takes a string value. You can set this parameter.
-**ROLE**
+**ROLE**
Optional. The ROLE parameter is used in the APPLICATION characteristic to specify the security application chamber that the DM session should run with when communicating with the DM server. The only supported roles are 8 (mobile operator) and 32 (enterprise). If this parameter isn't present, the mobile operator role is assumed. The enterprise role can only be set by the enterprise enrollment client. The enterprise client can't set the mobile operator role. This parameter is a Microsoft custom parameter. This parameter takes a numeric value in string format. You can get or set this parameter.
-**TO-NAPID**
+**TO-NAPID**
Optional. The TO-NAPID parameter is used in the APPLICATION characteristic to specify the Network Access Point the client will use to connect to the OMA DM server. If multiple TO-NAPID parameters are specified, only the first TO-NAPID value will be stored. This parameter takes a string value. You can set this parameter.
-**USEHWDEVID**
+**USEHWDEVID**
Optional. The USEHWDEVID parameter is used in the APPLICATION characteristic to specify use of device hardware identification. It doesn't have a value.
- If the parameter isn't present, the default behavior is to use an application-specific GUID used rather than the hardware device ID.
- If the parameter is present, the hardware device ID will be provided at the **./DevInfo/DevID** node and in the Source LocURI for the DM package sent to the server. International Mobile Subscriber Identity (IMEI) is returned for a GSM device.
-**SSLCLIENTCERTSEARCHCRITERIA**
+**SSLCLIENTCERTSEARCHCRITERIA**
Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used in the APPLICATION characteristic to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it's ignored.
The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC.
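Review bot: In the second USEHWDEVID bullet, the context line expands IMEI as "International Mobile Subscriber Identity", which is the expansion of IMSI. IMEI is International Mobile Equipment Identity. The two identify different things (the device versus the subscriber), so the sentence should say which identifier is actually placed in **./DevInfo/DevID** and the Source LocURI. The first bullet also has a stray word: "an application-specific GUID used rather than the hardware device ID" should drop the second "used". Neither line is changed by this hunk, but both sit inside it and could be fixed in the same pass.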
@@ -189,7 +189,7 @@ Subject specifies the certificate to search for. For example, to specify that yo
> `%EF%80%80` is the UTF8-encoded character U+F000.
```xml
-
```
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 60791f3a53..026e190026 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -1,7 +1,7 @@
---
title: WiFi CSP
description: The WiFi configuration service provider (CSP) provides the functionality to add or delete Wi-Fi networks on a Windows device.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -45,7 +45,7 @@ The following example shows the WiFi configuration service provider in tree form
or
./User/Vendor/MSFT
WiFi
----Profile
+---Profile
------SSID
---------WlanXML
---------WiFiCost
diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md
index 3f1d8d46e7..f2a53dc84b 100644
--- a/windows/client-management/mdm/wifi-ddf-file.md
+++ b/windows/client-management/mdm/wifi-ddf-file.md
@@ -1,7 +1,7 @@
---
title: WiFi DDF file
description: Learn about the OMA DM device description framework (DDF) for the WiFi configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md
index 82a4e341dd..3965a1f04b 100644
--- a/windows/client-management/mdm/win32appinventory-csp.md
+++ b/windows/client-management/mdm/win32appinventory-csp.md
@@ -1,7 +1,7 @@
---
title: Win32AppInventory CSP
description: Learn how the Win32AppInventory configuration service provider (CSP) is used to provide an inventory of installed applications on a device.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md
index 9cd08b73e2..8bef41b746 100644
--- a/windows/client-management/mdm/win32appinventory-ddf-file.md
+++ b/windows/client-management/mdm/win32appinventory-ddf-file.md
@@ -1,7 +1,7 @@
---
title: Win32AppInventory DDF file
description: Learn about the OMA DM device description framework (DDF) for the Win32AppInventory configuration service provider (CSP).
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
index 816e68336d..29e0c9d4c1 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 07/19/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -57,172 +57,172 @@ Win32CompatibilityAppraiser
--------WerConnectionReport
```
-**./Vendor/MSFT/Win32CompatibilityAppraiser**
+**./Vendor/MSFT/Win32CompatibilityAppraiser**
The root node for the Win32CompatibilityAppraiser configuration service provider.
-**CompatibilityAppraiser**
+**CompatibilityAppraiser**
This represents the state of the Compatibility Appraiser.
-**CompatibilityAppraiser/AppraiserConfigurationDiagnosis**
-This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data.
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis**
+This represents various settings that affect whether the Compatibility Appraiser can collect and upload compatibility data.
-**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId**
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialId**
The unique identifier specifying what organization owns this device. This helps correlate telemetry after it has been uploaded.
-Value type is string.
+Value type is string.
Supported operation is Get.
-**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid**
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/CommercialIdSetAndValid**
A boolean value representing whether the CommercialId is set to a valid value. Valid values are strings in the form of GUIDs, with no surrounding braces.
-Value type is bool.
+Value type is bool.
Supported operation is Get.
-**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested**
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AllTargetOsVersionsRequested**
A boolean value representing whether the flag to request that the Compatibility Appraiser check compatibility with all possible Windows 10 versions has been set. By default, versions 1507 and 1511, and any version equal to or less than the current version, are not checked.
-Value type is bool.
+Value type is bool.
Supported operation is Get.
-**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser**
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/OsSkuIsValidForAppraiser**
A boolean value indicating whether the current Windows SKU is able to run the Compatibility Appraiser.
Value type is bool.
Supported operation is Get.
-**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum**
-An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data.
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/AppraiserCodeAndDataVersionsAboveMinimum**
+An integer value representing whether the installed versions of the Compatibility Appraiser code and data meet the minimum requirement to provide useful data.
The values are:
-
-- 0 == Neither the code nor data is of a sufficient version.
+
+- 0 == Neither the code nor data is of a sufficient version.
- 1 == The code version is insufficient but the data version is sufficient.
- 2 == The code version is sufficient but the data version is insufficient.
- 3 == Both the code and data are of a sufficient version.
-Value type is integer.
+Value type is integer.
Supported operation is Get.
-**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending**
+**CompatibilityAppraiser/AppraiserConfigurationDiagnosis/RebootPending**
A boolean value representing whether a reboot is pending on this computer. A newly-installed version of the Compatibility Appraiser may require a reboot before useful data is able to be sent.
-Value type is bool.
+Value type is bool.
Supported operation is Get.
-**CompatibilityAppraiser/AppraiserRunResultReport**
+**CompatibilityAppraiser/AppraiserRunResultReport**
This provides an XML representation of the last run of Appraiser and the last runs of Appraiser of certain types or configurations.
For the report XML schema see [Appraiser run result report](#appraiser-run-result-report).
-**UniversalTelemetryClient**
+**UniversalTelemetryClient**
This represents the state of the Universal Telemetry Client, or DiagTrack service.
-**UniversalTelemetryClient/UtcConfigurationDiagnosis**
+**UniversalTelemetryClient/UtcConfigurationDiagnosis**
This represents various settings that affect whether the Universal Telemetry Client can upload data and how much data it can upload.
-**UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn**
-An integer value representing what level of telemetry will be uploaded.
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/TelemetryOptIn**
+An integer value representing what level of telemetry will be uploaded.
-Value type is integer.
+Value type is integer.
Supported operation is Get.
The values are:
-
+
- 0 == Security data will be sent.
- 1 == Basic telemetry will be sent.
- 2 == Enhanced telemetry will be sent.
- 3 == Full telemetry will be sent.
-**UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn**
-An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload.
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/CommercialDataOptIn**
+An integer value representing whether the CommercialDataOptIn setting is allowing any data to upload.
-Value type is integer.
+Value type is integer.
Supported operation is Get.
The values are:
-
+
- 0 == Setting is disabled.
- 1 == Setting is enabled.
- 2 == Setting is not applicable to this version of Windows.
-**UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning**
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/DiagTrackServiceRunning**
A boolean value representing whether the DiagTrack service is running. This service must be running in order to upload UTC data.
-Value type is bool.
+Value type is bool.
Supported operation is Get.
-**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/MsaServiceEnabled**
A boolean value representing whether the Microsoft account service is enabled. This service must be enabled for UTC data to be indexed with Global Device IDs.
-Value type is bool.
+Value type is bool.
Supported operation is Get.
-**UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn**
+**UniversalTelemetryClient/UtcConfigurationDiagnosis/InternetExplorerTelemetryOptIn**
An integer value representing what websites Internet Explorer will collect telemetry data for.
-Value type is integer.
+Value type is integer.
Supported operation is Get.
The values are:
-
+
- 0 == Telemetry collection is disabled.
- 1 == Telemetry collection is enabled for websites in the local intranet, trusted websites, and machine local zones.
- 2 == Telemetry collection is enabled for internet websites and restricted website zones.
- 3 == Telemetry collection is enabled for all websites.
- 0x7FFFFFFF == Telemetry collection is not configured.
-**UniversalTelemetryClient/UtcConnectionReport**
+**UniversalTelemetryClient/UtcConnectionReport**
This provides an XML representation of the UTC connections during the most recent summary period.
For the report XML schema, see [UTC connection report](#utc-connection-report).
-**WindowsErrorReporting**
+**WindowsErrorReporting**
This represents the state of the Windows Error Reporting service.
-**WindowsErrorReporting/WerConfigurationDiagnosis**
+**WindowsErrorReporting/WerConfigurationDiagnosis**
This represents various settings that affect whether the Windows Error Reporting service can upload data and how much data it can upload.
-**WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn**
-An integer value indicating the amount of WER data that will be uploaded.
+**WindowsErrorReporting/WerConfigurationDiagnosis/WerTelemetryOptIn**
+An integer value indicating the amount of WER data that will be uploaded.
-Value type is integer.
+Value type is integer.
Supported operation is Get.
The values are:
-
+
- 0 == Data will not send due to UTC opt-in.
- 1 == Data will not send due to WER opt-in.
- 2 == Basic WER data will send but not the complete set of data.
- 3 == The complete set of WER data will send.
-**WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting**
-An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted.
+**WindowsErrorReporting/WerConfigurationDiagnosis/MostRestrictiveSetting**
+An integer value representing which setting category (system telemetry, WER basic policies, WER advanced policies, and WER consent policies) is causing the overall WerTelemetryOptIn value to be restricted.
-Value type is integer.
+Value type is integer.
Supported operation is Get.
The values are:
-
+
- 0 == System telemetry settings are restricting upload.
- 1 == WER basic policies are restricting uploads.
- 2 == WER advanced policies are restricting uploads.
- 3 == WER consent policies are restricting uploads.
- 4 == There are no restrictive settings.
-**WindowsErrorReporting/WerConnectionReport**
+**WindowsErrorReporting/WerConnectionReport**
This provides an XML representation of the most recent WER connections of various types.
For the report XML schema, see [Windows Error Reporting connection report](#windows-error-reporting-connection-report).
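Review bot: The WerTelemetryOptIn value descriptions "0 == Data will not send due to UTC opt-in." and "1 == Data will not send due to WER opt-in." can be read as saying that opting in is what blocks the upload. Since these nodes are what an administrator reads to decide whether diagnostic data leaves the device, suggest wording such as "Data will not be sent because of the UTC opt-in setting." In the MostRestrictiveSetting list, value 0 says "restricting upload" while values 1 to 3 say "restricting uploads"; pick one form. The ordering is also inconsistent across nodes: AppraiserCodeAndDataVersionsAboveMinimum lists its values before "Value type is integer.", while TelemetryOptIn and the later nodes list them after "Supported operation is Get."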
diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
index 56b7cbd8ed..57c152215b 100644
--- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
+++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md
@@ -7,11 +7,11 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 07/19/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
-# Win32CompatibilityAppraiser DDF file
+# Win32CompatibilityAppraiser DDF file
> [!WARNING]
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index 48b0ea237e..5539ff58df 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -1,7 +1,7 @@
---
title: WindowsAdvancedThreatProtection CSP
description: The Windows Defender Advanced Threat Protection (WDATP) CSP allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -48,34 +48,34 @@ WindowsAdvancedThreatProtection
The following list describes the characteristics and parameters.
-**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection**
+**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection**
The root node for the Windows Defender Advanced Threat Protection configuration service provider.
Supported operation is Get.
-**Onboarding**
+**Onboarding**
Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection.
The data type is a string.
Supported operations are Get and Replace.
-**HealthState**
+**HealthState**
Node that represents the Windows Defender Advanced Threat Protection health state.
-**HealthState/LastConnected**
+**HealthState/LastConnected**
Contains the timestamp of the last successful connection.
Supported operation is Get.
-**HealthState/SenseIsRunning**
+**HealthState/SenseIsRunning**
Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state.
The default value is false.
Supported operation is Get.
-**HealthState/OnboardingState**
+**HealthState/OnboardingState**
Represents the onboarding state.
Supported operation is Get.
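Review bot: HealthState/LastConnected is documented only as "Contains the timestamp of the last successful connection." with no data type and no timestamp format or time zone, while Onboarding states "The data type is a string." and SenseIsRunning states that it is a Boolean. Anyone consuming this node for health monitoring has to guess how to parse it. Suggest adding the data type and format to the LastConnected entry, and a data type line to OnboardingState as well, so every leaf node in this list is described the same way.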
@@ -85,15 +85,15 @@ The following list shows the supported values:
- 0 (default) – Not onboarded
- 1 – Onboarded
-**HealthState/OrgId**
+**HealthState/OrgId**
String that represents the OrgID.
Supported operation is Get.
-**Configuration**
+**Configuration**
Represents Windows Defender Advanced Threat Protection configuration.
-**Configuration/SampleSharing**
+**Configuration/SampleSharing**
Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter.
The following list shows the supported values:
@@ -103,7 +103,7 @@ The following list shows the supported values:
Supported operations are Get and Replace.
-**Configuration/TelemetryReportingFrequency**
+**Configuration/TelemetryReportingFrequency**
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency.
The following list shows the supported values:
@@ -113,27 +113,27 @@ The following list shows the supported values:
Supported operations are Get and Replace.
-**Offboarding**
+**Offboarding**
Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection.
The data type is a string.
Supported operations are Get and Replace.
-**DeviceTagging**
+**DeviceTagging**
Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging.
Supported operation is Get.
-**DeviceTagging/Group**
+**DeviceTagging/Group**
Added in Windows 10, version 1709. Device group identifiers.
The data type is a string.
Supported operations are Get and Replace.
-**DeviceTagging/Criticality**
-Added in Windows 10, version 1709. Asset criticality value. Supported values:
+**DeviceTagging/Criticality**
+Added in Windows 10, version 1709. Asset criticality value. Supported values:
- 0 - Normal
- 1 - Critical
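Review bot: The Offboarding description reads "initiates offboarding to Windows Defender Advanced Threat Protection", which looks copied from the Onboarding entry. A device is offboarded from the service, so "initiates offboarding from" is the accurate wording. In the same hunk, DeviceTagging/Criticality lists its supported values without stating a data type, unlike DeviceTagging/Group directly above it ("The data type is a string."), and its list uses "0 - Normal" with a hyphen where the OnboardingState list earlier in the file uses "0 (default) – Not onboarded" with an en dash. Worth normalizing while these lines are being touched.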
@@ -247,7 +247,7 @@ Supported operations are Get and Replace.
-
+
```
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
index cddb4f73e0..d1fe4898a4 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md
@@ -2,7 +2,7 @@
title: WindowsAdvancedThreatProtection DDF file
description: Learn about the OMA DM device description framework (DDF) for the WindowsAdvancedThreatProtection configuration service provider (CSP).
ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md
index b50630eea2..8730fcec1a 100644
--- a/windows/client-management/mdm/windowsautopilot-csp.md
+++ b/windows/client-management/mdm/windowsautopilot-csp.md
@@ -1,7 +1,7 @@
---
title: WindowsAutopilot CSP
description: Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
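Review bot: The front-matter description in this hunk's context, "Learn how without the ability to mark a device as remediation required, the device will remain in a broken state, which results in security and privacy concerns in Autopilot.", is not a parseable sentence and does not say what the CSP does. Since the front matter is already being edited here, suggest replacing it with a plain statement based on the body text that the next hunk header quotes ("The WindowsAutopilot CSP exposes Windows Autopilot related device information."), and keeping the remediation point for the body.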
@@ -31,7 +31,7 @@ The WindowsAutopilot CSP exposes Windows Autopilot related device information. T
**./Vendor/MSFT/WindowsAutopilot**
-Root node for the WindowsAutopilot configuration service provider.
+Root node for the WindowsAutopilot configuration service provider.
Supported operation is Get.
**HardwareMismatchRemediationData**
diff --git a/windows/client-management/mdm/windowsautopilot-ddf-file.md b/windows/client-management/mdm/windowsautopilot-ddf-file.md
index dfc52ce96c..af36bcc811 100644
--- a/windows/client-management/mdm/windowsautopilot-ddf-file.md
+++ b/windows/client-management/mdm/windowsautopilot-ddf-file.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 02/07/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -16,7 +16,7 @@ manager: aaroncz
> [!WARNING]
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-This topic shows the device description framework (DDF) for the **WindowsAutopilot** configuration service provider.
+This topic shows the device description framework (DDF) for the **WindowsAutopilot** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
index 15cbeaed69..104efb2f70 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 11/02/2021
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -49,16 +49,16 @@ WindowsDefenderApplicationGuard
--------AuditApplicationGuard
```
-**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
+**./Device/Vendor/MSFT/WindowsDefenderApplicationGuard**
Root node. Supported operation is Get.
-**Settings**
+**Settings**
Interior node. Supported operation is Get.
-**Settings/AllowWindowsDefenderApplicationGuard**
+**Settings/AllowWindowsDefenderApplicationGuard**
Turn on Microsoft Defender Application Guard in Enterprise Mode.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
@@ -69,16 +69,16 @@ The following list shows the supported values:
- 2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY (added in Windows 10, version 2004).
- 3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments (added in Windows 10, version 2004).
-**Settings/ClipboardFileType**
+**Settings/ClipboardFileType**
Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
-The following list shows the supported values:
+The following list shows the supported values:
- 1 - Allow text copying.
- 2 - Allow image copying.
@@ -93,16 +93,16 @@ ADMX Info:
- GP ADMX file name: *AppHVSI.admx*
-**Settings/ClipboardSettings**
+**Settings/ClipboardSettings**
This policy setting allows you to decide how the clipboard behaves while in Application Guard.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
-The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
- 1 - Turns On clipboard operation from an isolated session to the host.
@@ -121,17 +121,17 @@ ADMX Info:
- GP ADMX file name: *AppHVSI.admx*
-**Settings/PrintingSettings**
+**Settings/PrintingSettings**
This policy setting allows you to decide how the print functionality behaves while in Application Guard.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
-
+
- 0 (default) - Disables all print functionality.
- 1 - Enables only XPS printing.
- 2 - Enables only PDF printing.
@@ -158,17 +158,17 @@ ADMX Info:
- GP ADMX file name: *AppHVSI.admx*
-**Settings/BlockNonEnterpriseContent**
-This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.
+**Settings/BlockNonEnterpriseContent**
+This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
-
+
- 0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
- 1 - Non-enterprise content embedded on enterprise sites is stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.
@@ -177,87 +177,87 @@ The following list shows the supported values:
ADMX Info:
-
+
- GP Friendly name: *Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer*
- GP name: *BlockNonEnterpriseContent*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
-**Settings/AllowPersistence**
-This policy setting allows you to decide whether data should persist across different sessions in Application Guard.
+**Settings/AllowPersistence**
+This policy setting allows you to decide whether data should persist across different sessions in Application Guard.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
-The following list shows the supported values:
+The following list shows the supported values:
- 0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user sign out.
- 1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.
ADMX Info:
-
+
- GP Friendly name: *Allow data persistence for Microsoft Defender Application Guard*
- GP name: *AllowPersistence*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
-**Settings/AllowVirtualGPU**
+**Settings/AllowVirtualGPU**
Added in Windows 10, version 1803. This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.
Value type is integer.
-Supported operations are Add, Get, Replace, and Delete.
+Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
-The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) - Can't access the vGPU and uses the CPU to support rendering graphics. When the policy isn't configured, it's the same as disabled (0).
-- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This functionality can create a faster experience when working with graphics intense websites or watching video within the container.
+- 1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This functionality can create a faster experience when working with graphics intense websites or watching video within the container.
> [!WARNING]
> Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
ADMX Info:
-
+
- GP Friendly name: *Allow hardware-accelerated rendering for Microsoft Defender Application Guard*
- GP name: *AllowVirtualGPU*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
-**Settings/SaveFilesToHost**
-Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container.
+**Settings/SaveFilesToHost**
+Added in Windows 10, version 1803. This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files from container to the host operating system. This policy setting also enables users to elect files on the host operating system and upload it through Edge in the container.
-Value type is integer.
+Value type is integer.
-Supported operations are Add, Get, Replace, and Delete.
+Supported operations are Add, Get, Replace, and Delete.
-The following list shows the supported values:
+The following list shows the supported values:
- 0 (default) - The user can't download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. When the policy isn't configured, it's the same as disabled (0).
-- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
+- 1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.
ADMX Info:
-
+
- GP Friendly name: *Allow files to download and save to the host operating system from Microsoft Defender Application Guard*
- GP name: *SaveFilesToHost*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
-**Settings/CertificateThumbprints**
-Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
+**Settings/CertificateThumbprints**
+Added in Windows 10, version 1809. This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
-Value type is string.
+Value type is string.
Supported operations are Add, Get, Replace, and Delete.
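Review bot: Settings/SaveFilesToHost is inconsistent about upload. The description says the policy "also enables users to elect files on the host operating system and upload it through Edge in the container", and value 0 says the user can't download "or upload files from host file system to Edge in the container", but value 1 only mentions download to the host. Because this setting controls file movement across the container boundary in both directions, value 1 should state explicitly whether host-to-container upload is enabled too. The description also has a wording slip: "elect files ... and upload it" should be "select files ... and upload them". Separately, Settings/AllowPersistence is the only value list in this hunk with no "(default)" marker on either 0 or 1; please mark which one applies when the policy is not configured.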
@@ -265,14 +265,14 @@ This policy setting is supported on Microsoft Edge on Windows 10/Windows 11 Ente
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer.
-Here's an example:
+Here's an example:
b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924
If you disable or don’t configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container.
ADMX Info:
-
+
- GP Friendly name: *Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device*
- GP name: *CertificateThumbprints*
- GP path: *Windows Components/Microsoft Defender Application Guard*
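Review bot: The sample value after "Here's an example:" is plain paragraph text with no code formatting, and the text never states the format the setting expects. Since this hunk already touches that line, wrap the two comma-separated thumbprints in a code span and say what is expected (both samples are 40 hexadecimal characters, with no space around the comma). That matters here because a thumbprint that doesn't match means the root certificate isn't transferred into the container.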
@@ -280,12 +280,12 @@ ADMX Info:
> [!NOTE]
-> To enforce this policy, device restart or user logon/logoff is required.
+> To enforce this policy, device restart or user logon/logoff is required.
-**Settings/AllowCameraMicrophoneRedirection**
+**Settings/AllowCameraMicrophoneRedirection**
Added in Windows 10, version 1809. This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.
-Value type is integer.
+Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
@@ -295,8 +295,8 @@ If you enable this policy setting, applications inside Microsoft Defender Applic
If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device.
-The following list shows the supported values:
-
+The following list shows the supported values:
+
- 0 (default) - Microsoft Defender Application Guard can't access the device’s camera and microphone. When the policy isn't configured, it's the same as disabled (0).
- 1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone.
@@ -305,17 +305,17 @@ The following list shows the supported values:
ADMX Info:
-
+
- GP Friendly name: *Allow camera and microphone access in Microsoft Defender Application Guard*
- GP name: *AllowCameraMicrophoneRedirection*
- GP path: *Windows Components/Microsoft Defender Application Guard*
- GP ADMX file name: *AppHVSI.admx*
-**Status**
+**Status**
Returns bitmask that indicates status of Application Guard installation for Microsoft Edge and prerequisites on the device.
-Value type is integer.
+Value type is integer.
Supported operation is Get.
@@ -327,10 +327,10 @@ Supported operation is Get.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required.
-**PlatformStatus**
-Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
+**PlatformStatus**
+Added in Windows 10, version 2004. Applies to Microsoft Office/Generic platform. Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.
-Value type is integer.
+Value type is integer.
Supported operation is Get.
@@ -341,8 +341,8 @@ Supported operation is Get.
- Bit 4 - Reserved for Microsoft.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
-**InstallWindowsDefenderApplicationGuard**
-Initiates remote installation of Application Guard feature.
+**InstallWindowsDefenderApplicationGuard**
+Initiates remote installation of Application Guard feature.
Supported operations are Get and Execute.
@@ -351,26 +351,26 @@ The following list shows the supported values:
- Install - Will initiate feature install.
- Uninstall - Will initiate feature uninstall.
-**Audit**
+**Audit**
Interior node. Supported operation is Get.
-**Audit/AuditApplicationGuard**
+**Audit/AuditApplicationGuard**
This policy setting allows you to decide whether auditing events can be collected from Application Guard.
-Value type in integer.
+Value type in integer.
Supported operations are Add, Get, Replace, and Delete.
This policy setting is supported on Windows 10/Windows 11 Enterprise or Windows 10/Windows 11 Education with Microsoft Defender Application Guard in Enterprise mode.
The following list shows the supported values:
-
+
- 0 (default) - Audit event logs aren't collected for Application Guard.
- 1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.
ADMX Info:
-
+
- GP Friendly name: *Allow auditing events in Microsoft Defender Application Guard*
- GP name: *AuditApplicationGuard*
- GP path: *Windows Components/Microsoft Defender Application Guard*
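Review bot: The added line `Value type in integer.` under **Audit/AuditApplicationGuard** carries over the typo from the removed line. It should read `Value type is integer.`, as the other nodes in this file do. The line is being rewritten anyway, so fix the wording in the same change.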
diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
index c49a7214d2..5bf8c86e79 100644
--- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
+++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 09/10/2018
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -16,7 +16,7 @@ manager: aaroncz
> [!WARNING]
> Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
+This topic shows the OMA DM device description framework (DDF) for the **WindowsDefenderApplicationGuard** configuration service provider.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md
index f120a8272e..a80b40e993 100644
--- a/windows/client-management/mdm/windowslicensing-csp.md
+++ b/windows/client-management/mdm/windowslicensing-csp.md
@@ -1,7 +1,7 @@
---
title: WindowsLicensing CSP
description: Learn how the WindowsLicensing configuration service provider (CSP) is designed for licensing related management scenarios.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -51,12 +51,12 @@ WindowsLicensing
--------Status (Added in Windows 10, version 1809)
```
-**./Device/Vendor/MSFT/WindowsLicensing**
+**./Device/Vendor/MSFT/WindowsLicensing**
This node is the root node for the WindowsLicensing configuration service provider.
The supported operation is Get.
-**UpgradeEditionWithProductKey**
+**UpgradeEditionWithProductKey**
Enters a product key for an edition upgrade of Windows 10 desktop devices.
> [!NOTE]
@@ -96,14 +96,14 @@ Activation or changing a product key can be carried out on the following edition
- Windows 10/Windows 11 Home
- Windows 10/Windows 11 Pro
-**Edition**
+**Edition**
Returns a value that maps to the Windows 10 or Windows 11 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
The data type is an Int.
The supported operation is Get.
-**Status**
+**Status**
Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values:
- 0 = Failed
@@ -116,13 +116,13 @@ The data type is an Int.
The supported operation is Get.
-
-**LicenseKeyType**
+**LicenseKeyType**
Returns the parameter type used by Windows 10 or Windows 11 devices for an edition upgrade, activation, or product key change.
- Windows 10 or Windows 11 client devices require a product key.
@@ -149,44 +149,44 @@ The data type is a chr.
The supported operation is Get.
-**CheckApplicability**
+**CheckApplicability**
Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 or Windows 11 for desktop devices.
The data type is a chr.
The supported operation is Exec.
-**ChangeProductKey**
+**ChangeProductKey**
Added in Windows 10, version 1703. Installs a product key for Windows desktop devices. Doesn't reboot.
The data type is a chr.
The supported operation is Execute.
-**Subscriptions**
+**Subscriptions**
Added in Windows 10, version 1607. Node for subscriptions.
-**Subscriptions/SubscriptionId**
+**Subscriptions/SubscriptionId**
Added in Windows 10, version 1607. Node for subscription IDs.
-**Subscriptions/SubscriptionId/Status**
+**Subscriptions/SubscriptionId/Status**
Added in Windows 10, version 1607. Returns the status of the subscription.
The data type is an Int.
The supported operation is Get.
-**Subscriptions/SubscriptionId/Name**
+**Subscriptions/SubscriptionId/Name**
Added in Windows 10, version 1607. Returns the name of the subscription.
The data type is a chr.
The supported operation is Get.
-**SMode**
+**SMode**
Interior node for managing S mode.
-**SMode/SwitchingPolicy**
+**SMode/SwitchingPolicy**
Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete)
Value type is integer.
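Review bot: The context lines in this hunk name the same operation two ways: **CheckApplicability** says "The supported operation is Exec." while **ChangeProductKey** says "The supported operation is Execute." Pick one term and use it for both nodes so readers don't take them for different operations. The **SMode/SwitchingPolicy** description also ends on its last link with no closing period.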
@@ -194,11 +194,11 @@ Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Supported values:
-
+
- 0 - No Restriction: The user is allowed to switch the device out of S mode.
- 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node.
-**SMode/SwitchFromSMode**
+**SMode/SwitchFromSMode**
Added in Windows 10, version 1809. Switches a device out of S mode if possible. Doesn't reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute)
Supported operation is Execute.
@@ -206,11 +206,11 @@ Supported operation is Execute.
**SMode/Status**
Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example)
-Value type is integer.
+Value type is integer.
Supported operation is Get.
-Values:
+Values:
- Request fails with error code 404 - no SwitchFromSMode request has been made.
- 0 - The device successfully switched out of S mode.
@@ -234,7 +234,7 @@ Values:
chr
- XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
+ XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
@@ -313,7 +313,7 @@ Values:
chr
- XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
+ XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
@@ -324,7 +324,7 @@ Values:
> [!NOTE]
> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key.
-