deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs3' into jd3mr

Browse Source
This commit is contained in:
jdeckerMS 2017-10-05 06:06:25 -07:00
commit fe2a33bbf5
151 changed files with 12098 additions and 314 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
devices/surface-hub/install-apps-on-surface-hub.md
View File

@ -18,7 +18,7 @@ ms.localizationpriority: medium
You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario.
A few things to know about apps on Surface Hub:
- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps).
- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://support.microsoft.com/help/4040382/surface-Apps-that-work-with-Microsoft-Surface-Hub).
- Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631).
- By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub.
- You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps.

2
devices/surface/microsoft-surface-data-eraser.md
View File

@ -34,7 +34,7 @@ Compatible Surface devices include:
- Surface Pro 4
- Surface Pro3
- Surface Pro 3
- Surface 3

22
store-for-business/acquire-apps-windows-store-for-business.md
View File

@ -6,6 +6,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.date: 10/01/2017
ms.localizationpriority: high
---
@ -30,18 +31,17 @@ There are a couple of things we need to know when you pay for apps. You can add
- Legal business address
- Payment option (credit card)
## Acquire apps
**To acquire an app**
1. Log in to http://businessstore.microsoft.com
2. Click Shop, or use Search to find an app.
1. Sign in to http://businessstore.microsoft.com
2. Click **Shop**, or use Search to find an app.
3. Click the app you want to purchase.
4. On the product description page, choose your license type - either online or offline.
5. Free apps will be added to **Inventory** or **Apps & software**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**.
6. If you dont have a payment method saved in **Account Information** or **Payments & billing**, we will prompt you for one.
7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information** or **Payments & billing**.
5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**.
6. If you dont have a payment method saved in **Billing - Payment methods**, we will prompt you for one.
7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Billing - Payment methods**.
Youll also need to have your business address saved on **Account information** or **Payments & billing**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
Youll also need to have your business address saved on ****Billing - Account profile***. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information).
Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & software**, you can:
- Distribute the app: add to private store, or assign licenses
@ -51,3 +51,11 @@ Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & s
For info on distributing apps, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md).
## Request apps
People in your org can request additional licenses for apps that are in your organization's private store. When **Allow app requests** is turned on, people in your org can respond to a notification about app license availability. Admins for your tenant will receive an email with the request, and can decide about making the purchase.
**To manage Allow app requests**
1. Sign in to http://businessstore.microsoft.com
2. Click **Manage**, click **Settings**, and then click **Distribute**.
3. Under **Private store** turn on, or turn off **Allow app requests**.

2
store-for-business/app-inventory-management-windows-store-for-business.md
View File

@ -84,7 +84,7 @@ Once an app is in your private store, people in your org can install the app on
3. Use **Refine results** to search for online-licensed apps under **License type**.
4. From the list of online-licensed apps, click the ellipses for the app you want, and then choose **Add to private store**.
The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store.
Employees can claim apps that admins added to the private store by doing the following.
**To claim an app from the private store**

2
store-for-business/distribute-apps-from-your-private-store.md
View File

@ -44,7 +44,7 @@ Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps &
<!--- ![Image showing options from Action for each app in Inventory.](images/wsfb-inventoryaddprivatestore.png) -->
The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store.
The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store.
Employees can claim apps that admins added to the private store by doing the following.

BIN
store-for-business/images/msfb-wn-1709-app-request.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
store-for-business/images/msfb-wn-1709-edge-ext.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

BIN
store-for-business/images/msfb-wn-1709-my-org.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 25 KiB

BIN
store-for-business/images/msfb-wn-1709-o365-csp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
store-for-business/images/msfb-wn-1709-o365-prepaid.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
store-for-business/images/msfb-wn-1709-search-result-sub-cat.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 26 KiB

BIN
store-for-business/images/wsfb-wsappprivatestore.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 151 KiB

After

Width:  |  Height:  |  Size: 68 KiB

3
store-for-business/manage-settings-windows-store-for-business.md
View File

@ -12,7 +12,6 @@ ms.localizationpriority: high
# Manage settings for Microsoft Store for Business and Education
**Applies to**
- Windows 10
@ -24,7 +23,7 @@ You can add users and groups, as well as update some of the settings associated
| Topic | Description |
| ----- | ----------- |
| [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | The **Account information** page in Microsoft Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings. |
| [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | **Billing - Account profile** in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. |
| [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups. |

22
store-for-business/release-history-microsoft-store-business-education.md Normal file
View File

@ -0,0 +1,22 @@
---
title: Whats new in Microsoft Store for Business and Education
description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.date: 09/21/2017
---
# Microsoft Store for Business and Education release history
Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases.
Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md)
## August 2017
These items were released or updated in August, 2017.
- **Pellentesque habitant morbi tristique** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)
- **Aenean nec lorem** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md)

16
store-for-business/settings-reference-windows-store-for-business.md
View File

@ -22,13 +22,15 @@ The Microsoft Store for Business and Education has a group of settings that admi
| Setting | Description | Location under **Manage** |
| ------- | ----------- | ------------------------------ |
| Account information and payment options | Manage organization and payment option information. For more information, see [Manage settings for the Microsoft Store for Business and Education](manage-settings-windows-store-for-business.md).| **Payments & billing** |
| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Store settings** |
| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Store settings** (Private store tab) |
| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Store settings** |
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Store settings** |
| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions** |
| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions** |
| Account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md).| **Billing - Account profile** |
| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** |
| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** |
| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** |
| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-windows-store-for-business.md). | **Settings - Distribute** |
| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Settings - Distribute** |
| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** |
| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** |
| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |

18
store-for-business/update-windows-store-for-business-account-settings.md
View File

@ -32,7 +32,7 @@ We need an email address in case we need to contact you about your Microsoft Sto
**To update Organization information**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com)
2. Click **Manage**, click **Payments & billing**, and then click **Edit**.
2. Click **Manage**, click **Billing**, **Account profile**, and then click **Edit**.
## Organization tax information
Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
@ -87,7 +87,7 @@ If you qualify for tax-exempt status in your market, start a service request to
**To start a service request**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com).
2. Click **Support**, and then under **Store or account support** click **Start a service request**.
2. Click **Manage**, click **Support**, and then under **Store settings & configuration** click **Create technical support ticket**.
Youll need this documentation:
@ -124,8 +124,8 @@ You can purchase apps from Microsoft Store for Business using your credit card.
**To add a new payment option**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Payments & billing**.
3. Under **Payment options**, click**Show my payment options**, and then select the type of credit card that you want to add.
2. Click **Manage**, click **Billing**, and then click **Payments methods**.
3. Click**Add a payment options**, and then select the type of credit card that you want to add.
4. Add information to any required fields, and then click**Next**.
Once you clickNext, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
@ -136,10 +136,10 @@ Once you clickNext, the information you provided will be validated with a tes
**To update a payment option**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Payments & billng**.
3. Under **Payment options** > **Show my payment options**, select the payment option that you want to update, and then click**Update**.
2. Click **Manage**, click **Billing**, and then click **Payments methods**.
3. Select the payment option that you want to update, and then click**Update**.
4. Enter any updated information in the appropriate fields, and then click**Next**.
Once you click**Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise,you will be prompted for additional information or notified if there are any problems.
Once you click**Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
> [!NOTE]
> Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance.
@ -153,8 +153,8 @@ Admins can decide whether or not offline licenses are shown for apps in Microsof
**To set offline license visibility**
1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Payments & billing**.
3. Under **Offline licensing**, click **Show offline licensed apps to people shopping in the store** to show availability for both online and offline licenses.
2. Click **Manage**, and then click **Settings - Shop**.
3. Under **Shopping experience** turn on or turn off **Show offline apps**,to show availability for offline-licensed apps.
You have the following distribution options for offline-licensed apps:
- Include the app in a provisioning package, and then use it as part of imaging a device.

35
store-for-business/whats-new-microsoft-store-business-education.md Normal file
View File

@ -0,0 +1,35 @@
---
title: Whats new in Microsoft Store for Business and Education
description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: store
author: TrudyHa
ms.date: 09/30/2017
---
# What's new in Microsoft Store for Business and Education
Microsoft Store for Business and Education regularly releases new and improved feaures. Take a look below to see what's available to you today.
## Latest updates for Store for Business and Education
| | |
|-----------------------|---------------------------------|
| <iframe width="288" height="232" src="https://www.youtube.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows AutoPilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the AutoPilot deployment profile you applied to the device.<br /><br />[Get more info](distribute-apps-from-your-private-store.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-windows-store-for-business#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business My organization page, showing Agreements tab.](images/msfb-wn-1709-my-org.png) |**My organization**<br /><br> **My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Products and Services page, Subscription tab with prepaid Office 365 subscription.](images/msfb-wn-1709-o365-prepaid.png) |**Manage prepaid Office 365 subscriptions**<br /><br />Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business Products and Services page, Subscription tab with Office 365 subscription acquired by reseller.](images/msfb-wn-1709-o365-csp.png) |**Manage Office 365 subscriptions acquired by partners**<br /><br />Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Microsoft Store for Business shop page.](images/msfb-wn-1709-edge-ext.png) |**Edge extensions in Microsoft Store**<br /><br />Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
| ![Search results in Microsoft Store for Business showing sub categories.](images/msfb-wn-1709-search-result-sub-cat.png) |**Search results in Microsoft Store for Business**<br /><br />Search results now have sub categories to help you refine search results. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
<!---
## Previous releases and updates
[August 2017](release-history-microsoft-store-business-education.md#august-2017)
- Item 1
- Item 2
- Item 3
-->

2
windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
View File

@ -25,7 +25,7 @@ ms.date: 09/08/2017
>[!IMPORTANT]
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory.
In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory.
The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.

17
windows/access-protection/hello-for-business/hello-identity-verification.md
View File

@ -71,6 +71,23 @@ The table shows the minimum requirements for each deployment.
## Frequently Asked Questions
### What is the user experience for Windows Hello for Business?
The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM]
</br>
> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso]
### What happens when my user forgets their PIN?
If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI]
For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
### Do I need Windows Server 2016 domain controllers?
There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment

3
windows/application-management/enterprise-background-activity-controls.md
View File

@ -59,5 +59,6 @@ The Universal Windows Platform ensures that consumers will have great battery li
## See also
[Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
- [Run in the background indefinitely](https://docs.microsoft.com/windows/uwp/launch-resume/run-in-the-background-indefinetly)
- [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground)
[Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity)

2
windows/client-management/connect-to-remote-aadj-pc.md
View File

@ -25,7 +25,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
## Set up
- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported.
- Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC.
- On the PC that you want to connect to:
1. Open system properties for the remote PC.

1
windows/client-management/mdm/TOC.md
View File

@ -2,6 +2,7 @@
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)
### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)

121
windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Normal file
View File

@ -0,0 +1,121 @@
---
title: Enroll a Windows 10 device automatically using Group Policy
description: Enroll a Windows 10 device automatically using Group Policy
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 10/02/2017
---
# Enroll a Windows 10 device automatically using Group Policy
Starting in Windows 10, version 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices.
Requirements:
- AD-joined PC running Windows 10, version 1709
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
> [!Tip]
> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line.
Here is a partial screenshot of the result:
![device status result](images/autoenrollment-device-status.png)
The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1611, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered.
> [!Note]
> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation.
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence.
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
## Configure the auto-enrollment Group Policy for a single PC
This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
Requirements:
- AD-joined PC running Windows 10, version 1709
- Enterprise has MDM service already configured
- Enterprise AD must be registered with Azure AD
1. Run GPEdit.msc
Click Start, then in the text box type gpedit.
![GPEdit desktop app search result](images/autoenrollment-gpedit.png)
2. Under **Best match**, click **Edit group policy** to launch it.
3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
![MDM policies](images/autoenrollment-mdm-policies.png)
4. Double-click **Auto MDM Enrollment with AAD Token**.
![MDM autoenrollment policy](images/autoenrollment-policy.png)
5. Click **Enable**, then click **OK**.
A task is created and scheduled to run every 5 minutes for the duration of 1 day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD."
To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
7. Click **Info** to see the MDM enrollment information.
![Work School Settings](images/autoenrollment-settings-work-school.png)
If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
### Task Scheduler app
1. Click **Start**, then in the text box type **task scheduler**.
![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png)
2. Under **Best match**, click **Task Scheduler** to launch it.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png)
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies.
## Configure the auto-enrollment for a group of devices
Requirements:
- AD-joined PC running Windows 10, version 1709
- Enterprise has MDM service already configured (with Intune or a third party service provider)
- Enterprise AD must be integrated with Azure AD.
- Ensure that PCs belong to same computer group.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Auto MDM enrollment with AAD token**.
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
5. Enforce a GPO link
### Related topics
- [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)
- [Create and Edit a Group Policy Object](https://technet.microsoft.com/en-us/library/cc754740(v=ws.11).aspx)
- [Link a Group Policy Object](https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx)
- [Filter Using Security Groups](https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx)
- [Enforce a Group Policy Object Link](https://technet.microsoft.com/en-us/library/cc753909(v=ws.11).aspx)

BIN
windows/client-management/mdm/images/autoenrollment-2-factor-auth.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 183 KiB

BIN
windows/client-management/mdm/images/autoenrollment-device-status.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.0 KiB

BIN
windows/client-management/mdm/images/autoenrollment-gpedit.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 30 KiB

BIN
windows/client-management/mdm/images/autoenrollment-mdm-policies.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 65 KiB

BIN
windows/client-management/mdm/images/autoenrollment-policy.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/client-management/mdm/images/autoenrollment-scheduled-task.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/client-management/mdm/images/autoenrollment-settings-work-school.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

BIN
windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 40 KiB

BIN
windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 61 KiB

BIN
windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 91 KiB

BIN
windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 84 KiB

BIN
windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

62
windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 09/19/2017
---
# MDM enrollment of Windows-based devices
@ -178,35 +178,33 @@ All Windows 10-based devices can be connected to a work or school account. You
### Using the Settings app
1. Launch the Settings app.
1. Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts**
![windows settings page](images/unifiedenrollment-rs1-21.png)
![windows settings page](images/unifiedenrollment-rs1-21-b.png)
2. Next, navigate to **Accounts**.
2. Navigate to **Access work or school**.
![windows settings accounts select](images/unifiedenrollment-rs1-22.png)
![select access work or school](images/unifiedenrollment-rs1-23-b.png)
3. Navigate to **Access work or school**.
3. Click **Connect**.
![select access work or school](images/unifiedenrollment-rs1-23.png)
![connect to work or school](images/unifiedenrollment-rs1-24-b.png)
4. Click **Connect**.
4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
![connect to work or school](images/unifiedenrollment-rs1-24.png)
![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png)
5. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
![join work or school account to azure ad](images/unifiedenrollment-rs1-25.png)
6. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
5. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM.
Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up.
![corporate sign in](images/unifiedenrollment-rs1-26.png)
7. After you complete the flow, your Microsoft account will be connected to your work or school account.
6. After you complete the flow, your Microsoft account will be connected to your work or school account.
![account successfully added](images/unifiedenrollment-rs1-27.png)
@ -238,11 +236,12 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an
6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, youll be presented with a new window that will ask you for additional authentication information.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen.
![corporate sign in](images/unifiedenrollment-rs1-33-b.png)
After you complete the flow, your device will be connected to your organizations MDM.
![corporate sign in](images/unifiedenrollment-rs1-33.png)
### Connecting to MDM on a phone (Enrolling in device management)
@ -343,16 +342,7 @@ The following procedure describes how users can connect their devices to MDM usi
Your work or school connections can be managed on the **Settings** &gt; **Accounts** &gt; **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection.
![managing work or school account](images/unifiedenrollment-rs1-34.png)
### Manage
The **Manage** button can be found on work or school connections involving Azure AD. This includes the following scenarios:
- Connecting your device to an Azure AD domain
- Connecting to a work or school account.
Clicking on the manage button will open the Azure AD portal associated with that connection in your default browser.
![managing work or school account](images/unifiedenrollment-rs1-34-b.png)
### Info
@ -364,7 +354,12 @@ The **Info** button can be found on work or school connections involving MDM. Th
Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. Youll be able to view your organizations support information (if configured) on this page. Youll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed.
![work or school info](images/unifiedenrollment-rs1-35.png)
Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screehshot.
![work or school info](images/unifiedenrollment-rs1-35-b.png)
> [!Note]
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
### Disconnect
@ -375,16 +370,14 @@ The **Disconnect** button can be found on all work connections. Generally, click
> **Warning**  Disconnecting might result in the loss of data on the device.
 
![disconnect work or school account](images/unifiedenrollment-rs1-36.png)
## Collecting diagnostic logs
You can collect diagnostic logs around your work connections by going to **Settings** &gt; **Accounts** &gt; **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files.
![collecting enrollment management log files](images/unifiedenrollment-rs1-37.png)
Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** &gt; **Accounts** &gt; **Access work or school**, and clicking the **Info** button. At the bottom of the Settings page you will see the button to create a report. Here is an example screenshot.
![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png)
 
@ -392,4 +385,3 @@ You can collect diagnostic logs around your work connections by going to **Setti

38
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/19/2017
ms.date: 10/02/2017
---
# What's new in MDM enrollment and management
@ -1000,8 +1000,21 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Added new policies.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">Microsoft Store for Business</td>
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business.</p>
<td style="vertical-align:top">Microsoft Store for Business and Microsoft Store</td>
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.</p>
</td></tr>
<td style="vertical-align:top">[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)</td>
<td style="vertical-align:top"><p>New features in the Settings app:</p>
<ul>
<li>User sees installation progress of critical policies during MDM enrollment.</li>
<li>User knows what policies, profiles, apps MDM has configured</li>
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
</ul>
<p>For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)</td>
<td style="vertical-align:top"><p>Added new topic to introduce a new Group Policy for automatic MDM enrollment.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
@ -1384,8 +1397,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top"><p>Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">Microsoft Store for Business</td>
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business.</p>
<td style="vertical-align:top">Microsoft Store for Business and Microsoft Store</td>
<td style="vertical-align:top"><p>Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.</p>
</td></tr>
<tr class="even">
<td style="vertical-align:top">The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx)</td>
@ -1401,9 +1414,24 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[EntepriseAPN CSP](enterpriseapn-csp.md)</td>
<td style="vertical-align:top"><p>Added a SyncML example.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[VPNv2 CSP](vpnv2-csp.md)</td>
<td style="vertical-align:top"><p>Added RegisterDNS setting in Windows 10, version 1709.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md)</td>
<td style="vertical-align:top"><p>Added new topic to introduce a new Group Policy for automatic MDM enrollment.</p>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)</td>
<td style="vertical-align:top"><p>New features in the Settings app:</p>
<ul>
<li>User sees installation progress of critical policies during MDM enrollment.</li>
<li>User knows what policies, profiles, apps MDM has configured</li>
<li>IT helpdesk can get detailed MDM diagnostic information using client tools</li>
</ul>
<p>For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)</p>
</td></tr>
</tbody>
</table>

22
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/25/2017
ms.date: 09/29/2017
---
# Policy CSP
@ -22,6 +22,26 @@ The Policy configuration service provider has the following sub-categories:
- Policy/Config/*AreaName* Handles the policy configuration request from the server.
- Policy/Result/*AreaName* Provides a read-only path to policies enforced on the device.
<a href="" id="policy-scope"></a>
> [!Important]
> Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user.
>
> The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths:
>
> User scope:
> - **./User/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./User/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
>
> Device scope:
> - **./Device/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./Device/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
>
> For device wide configuration the **_Device/_** portion may be omitted from the path, deeming the following paths respectively equivalent:
>
> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy.
> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result.
The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
![policy csp diagram](images/provisioning-csp-policy.png)

46
windows/client-management/mdm/policy-csp-abovelock.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - AboveLock
@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## AboveLock policies
<dl>
<dd>
<a href="#abovelock-allowactioncenternotifications">AboveLock/AllowActionCenterNotifications</a>
</dd>
<dd>
<a href="#abovelock-allowcortanaabovelock">AboveLock/AllowCortanaAboveLock</a>
</dd>
<dd>
<a href="#abovelock-allowtoasts">AboveLock/AllowToasts</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="abovelock-allowactioncenternotifications"></a>**AboveLock/AllowActionCenterNotifications**
@ -45,6 +58,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -60,6 +82,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="abovelock-allowcortanaabovelock"></a>**AboveLock/AllowCortanaAboveLock**
@ -86,6 +109,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or dont configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech.
@ -96,6 +128,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="abovelock-allowtoasts"></a>**AboveLock/AllowToasts**
@ -122,6 +155,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow toast notifications above the device lock screen.

59
windows/client-management/mdm/policy-csp-accounts.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Accounts
@ -14,11 +14,27 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Accounts policies
<dl>
<dd>
<a href="#accounts-allowaddingnonmicrosoftaccountsmanually">Accounts/AllowAddingNonMicrosoftAccountsManually</a>
</dd>
<dd>
<a href="#accounts-allowmicrosoftaccountconnection">Accounts/AllowMicrosoftAccountConnection</a>
</dd>
<dd>
<a href="#accounts-allowmicrosoftaccountsigninassistant">Accounts/AllowMicrosoftAccountSignInAssistant</a>
</dd>
<dd>
<a href="#accounts-domainnamesforemailsync">Accounts/DomainNamesForEmailSync</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="accounts-allowaddingnonmicrosoftaccountsmanually"></a>**Accounts/AllowAddingNonMicrosoftAccountsManually**
@ -45,6 +61,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether user is allowed to add non-MSA email accounts.
@ -60,6 +85,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="accounts-allowmicrosoftaccountconnection"></a>**Accounts/AllowMicrosoftAccountConnection**
@ -86,6 +112,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services.
@ -98,6 +133,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="accounts-allowmicrosoftaccountsigninassistant"></a>**Accounts/AllowMicrosoftAccountSignInAssistant**
@ -124,6 +160,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service.
@ -134,6 +179,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="accounts-domainnamesforemailsync"></a>**Accounts/DomainNamesForEmailSync**
@ -160,6 +206,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies a list of the domains that are allowed to sync email on the device.

20
windows/client-management/mdm/policy-csp-activexcontrols.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - ActiveXControls
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## ActiveXControls policies
<dl>
<dd>
<a href="#activexcontrols-approvedinstallationsites">ActiveXControls/ApprovedInstallationSites</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="activexcontrols-approvedinstallationsites"></a>**ActiveXControls/ApprovedInstallationSites**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.

20
windows/client-management/mdm/policy-csp-applicationdefaults.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - ApplicationDefaults
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## ApplicationDefaults policies
<dl>
<dd>
<a href="#applicationdefaults-defaultassociationsconfiguration">ApplicationDefaults/DefaultAssociationsConfiguration</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="applicationdefaults-defaultassociationsconfiguration"></a>**ApplicationDefaults/DefaultAssociationsConfiguration**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML.

150
windows/client-management/mdm/policy-csp-applicationmanagement.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - ApplicationManagement
@ -14,11 +14,48 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## ApplicationManagement policies
<dl>
<dd>
<a href="#applicationmanagement-allowalltrustedapps">ApplicationManagement/AllowAllTrustedApps</a>
</dd>
<dd>
<a href="#applicationmanagement-allowappstoreautoupdate">ApplicationManagement/AllowAppStoreAutoUpdate</a>
</dd>
<dd>
<a href="#applicationmanagement-allowdeveloperunlock">ApplicationManagement/AllowDeveloperUnlock</a>
</dd>
<dd>
<a href="#applicationmanagement-allowgamedvr">ApplicationManagement/AllowGameDVR</a>
</dd>
<dd>
<a href="#applicationmanagement-allowshareduserappdata">ApplicationManagement/AllowSharedUserAppData</a>
</dd>
<dd>
<a href="#applicationmanagement-allowstore">ApplicationManagement/AllowStore</a>
</dd>
<dd>
<a href="#applicationmanagement-applicationrestrictions">ApplicationManagement/ApplicationRestrictions</a>
</dd>
<dd>
<a href="#applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
</dd>
<dd>
<a href="#applicationmanagement-requireprivatestoreonly">ApplicationManagement/RequirePrivateStoreOnly</a>
</dd>
<dd>
<a href="#applicationmanagement-restrictappdatatosystemvolume">ApplicationManagement/RestrictAppDataToSystemVolume</a>
</dd>
<dd>
<a href="#applicationmanagement-restrictapptosystemvolume">ApplicationManagement/RestrictAppToSystemVolume</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowalltrustedapps"></a>**ApplicationManagement/AllowAllTrustedApps**
@ -45,6 +82,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether non Microsoft Store apps are allowed.
@ -58,6 +104,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowappstoreautoupdate"></a>**ApplicationManagement/AllowAppStoreAutoUpdate**
@ -84,6 +131,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether automatic update of apps from Microsoft Store are allowed.
@ -96,6 +152,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowdeveloperunlock"></a>**ApplicationManagement/AllowDeveloperUnlock**
@ -122,6 +179,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether developer unlock is allowed.
@ -135,6 +201,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowgamedvr"></a>**ApplicationManagement/AllowGameDVR**
@ -161,6 +228,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> The policy is only enforced in Windows 10 for desktop.
@ -176,6 +252,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowshareduserappdata"></a>**ApplicationManagement/AllowSharedUserAppData**
@ -202,6 +279,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether multiple users of the same app can share data.
@ -214,6 +300,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-allowstore"></a>**ApplicationManagement/AllowStore**
@ -240,6 +327,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether app store is allowed at the device.
@ -252,6 +348,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-applicationrestrictions"></a>**ApplicationManagement/ApplicationRestrictions**
@ -278,6 +375,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
@ -305,6 +411,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-disablestoreoriginatedapps"></a>**ApplicationManagement/DisableStoreOriginatedApps**
@ -331,6 +438,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded.
@ -341,6 +457,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-requireprivatestoreonly"></a>**ApplicationManagement/RequirePrivateStoreOnly**
@ -367,6 +484,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows disabling of the retail catalog and only enables the Private store.
@ -388,6 +514,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-restrictappdatatosystemvolume"></a>**ApplicationManagement/RestrictAppDataToSystemVolume**
@ -414,6 +541,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether application data is restricted to the system drive.
@ -426,6 +562,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="applicationmanagement-restrictapptosystemvolume"></a>**ApplicationManagement/RestrictAppToSystemVolume**
@ -452,6 +589,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether the installation of applications is restricted to the system drive.

371
windows/client-management/mdm/policy-csp-appvirtualization.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - AppVirtualization
@ -14,11 +14,99 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## AppVirtualization policies
<dl>
<dd>
<a href="#appvirtualization-allowappvclient">AppVirtualization/AllowAppVClient</a>
</dd>
<dd>
<a href="#appvirtualization-allowdynamicvirtualization">AppVirtualization/AllowDynamicVirtualization</a>
</dd>
<dd>
<a href="#appvirtualization-allowpackagecleanup">AppVirtualization/AllowPackageCleanup</a>
</dd>
<dd>
<a href="#appvirtualization-allowpackagescripts">AppVirtualization/AllowPackageScripts</a>
</dd>
<dd>
<a href="#appvirtualization-allowpublishingrefreshux">AppVirtualization/AllowPublishingRefreshUX</a>
</dd>
<dd>
<a href="#appvirtualization-allowreportingserver">AppVirtualization/AllowReportingServer</a>
</dd>
<dd>
<a href="#appvirtualization-allowroamingfileexclusions">AppVirtualization/AllowRoamingFileExclusions</a>
</dd>
<dd>
<a href="#appvirtualization-allowroamingregistryexclusions">AppVirtualization/AllowRoamingRegistryExclusions</a>
</dd>
<dd>
<a href="#appvirtualization-allowstreamingautoload">AppVirtualization/AllowStreamingAutoload</a>
</dd>
<dd>
<a href="#appvirtualization-clientcoexistenceallowmigrationmode">AppVirtualization/ClientCoexistenceAllowMigrationmode</a>
</dd>
<dd>
<a href="#appvirtualization-integrationallowrootglobal">AppVirtualization/IntegrationAllowRootGlobal</a>
</dd>
<dd>
<a href="#appvirtualization-integrationallowrootuser">AppVirtualization/IntegrationAllowRootUser</a>
</dd>
<dd>
<a href="#appvirtualization-publishingallowserver1">AppVirtualization/PublishingAllowServer1</a>
</dd>
<dd>
<a href="#appvirtualization-publishingallowserver2">AppVirtualization/PublishingAllowServer2</a>
</dd>
<dd>
<a href="#appvirtualization-publishingallowserver3">AppVirtualization/PublishingAllowServer3</a>
</dd>
<dd>
<a href="#appvirtualization-publishingallowserver4">AppVirtualization/PublishingAllowServer4</a>
</dd>
<dd>
<a href="#appvirtualization-publishingallowserver5">AppVirtualization/PublishingAllowServer5</a>
</dd>
<dd>
<a href="#appvirtualization-streamingallowcertificatefilterforclient-ssl">AppVirtualization/StreamingAllowCertificateFilterForClient_SSL</a>
</dd>
<dd>
<a href="#appvirtualization-streamingallowhighcostlaunch">AppVirtualization/StreamingAllowHighCostLaunch</a>
</dd>
<dd>
<a href="#appvirtualization-streamingallowlocationprovider">AppVirtualization/StreamingAllowLocationProvider</a>
</dd>
<dd>
<a href="#appvirtualization-streamingallowpackageinstallationroot">AppVirtualization/StreamingAllowPackageInstallationRoot</a>
</dd>
<dd>
<a href="#appvirtualization-streamingallowpackagesourceroot">AppVirtualization/StreamingAllowPackageSourceRoot</a>
</dd>
<dd>
<a href="#appvirtualization-streamingallowreestablishmentinterval">AppVirtualization/StreamingAllowReestablishmentInterval</a>
</dd>
<dd>
<a href="#appvirtualization-streamingallowreestablishmentretries">AppVirtualization/StreamingAllowReestablishmentRetries</a>
</dd>
<dd>
<a href="#appvirtualization-streamingsharedcontentstoremode">AppVirtualization/StreamingSharedContentStoreMode</a>
</dd>
<dd>
<a href="#appvirtualization-streamingsupportbranchcache">AppVirtualization/StreamingSupportBranchCache</a>
</dd>
<dd>
<a href="#appvirtualization-streamingverifycertificaterevocationlist">AppVirtualization/StreamingVerifyCertificateRevocationList</a>
</dd>
<dd>
<a href="#appvirtualization-virtualcomponentsallowlist">AppVirtualization/VirtualComponentsAllowList</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-allowappvclient"></a>**AppVirtualization/AllowAppVClient**
@ -45,6 +133,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.
@ -65,6 +162,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-allowdynamicvirtualization"></a>**AppVirtualization/AllowDynamicVirtualization**
@ -91,6 +189,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.
@ -111,6 +218,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-allowpackagecleanup"></a>**AppVirtualization/AllowPackageCleanup**
@ -137,6 +245,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
@ -157,6 +274,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-allowpackagescripts"></a>**AppVirtualization/AllowPackageScripts**
@ -183,6 +301,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Enables scripts defined in the package manifest of configuration files that should run.
@ -203,6 +330,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-allowpublishingrefreshux"></a>**AppVirtualization/AllowPublishingRefreshUX**
@ -229,6 +357,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Enables a UX to display to the user when a publishing refresh is performed on the client.
@ -249,6 +386,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-allowreportingserver"></a>**AppVirtualization/AllowReportingServer**
@ -275,6 +413,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Reporting Server URL: Displays the URL of reporting server.
@ -305,6 +452,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-allowroamingfileexclusions"></a>**AppVirtualization/AllowRoamingFileExclusions**
@ -331,6 +479,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.
@ -351,6 +508,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-allowroamingregistryexclusions"></a>**AppVirtualization/AllowRoamingRegistryExclusions**
@ -377,6 +535,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.
@ -397,6 +564,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-allowstreamingautoload"></a>**AppVirtualization/AllowStreamingAutoload**
@ -423,6 +591,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies how new packages should be loaded automatically by App-V on a specific computer.
@ -443,6 +620,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-clientcoexistenceallowmigrationmode"></a>**AppVirtualization/ClientCoexistenceAllowMigrationmode**
@ -469,6 +647,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
@ -489,6 +676,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-integrationallowrootglobal"></a>**AppVirtualization/IntegrationAllowRootGlobal**
@ -515,6 +703,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
@ -535,6 +732,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-integrationallowrootuser"></a>**AppVirtualization/IntegrationAllowRootUser**
@ -561,6 +759,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.
@ -581,6 +788,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-publishingallowserver1"></a>**AppVirtualization/PublishingAllowServer1**
@ -607,6 +815,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Publishing Server Display Name: Displays the name of publishing server.
@ -645,6 +862,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-publishingallowserver2"></a>**AppVirtualization/PublishingAllowServer2**
@ -671,6 +889,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Publishing Server Display Name: Displays the name of publishing server.
@ -709,6 +936,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-publishingallowserver3"></a>**AppVirtualization/PublishingAllowServer3**
@ -735,6 +963,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Publishing Server Display Name: Displays the name of publishing server.
@ -773,6 +1010,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-publishingallowserver4"></a>**AppVirtualization/PublishingAllowServer4**
@ -799,6 +1037,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Publishing Server Display Name: Displays the name of publishing server.
@ -837,6 +1084,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-publishingallowserver5"></a>**AppVirtualization/PublishingAllowServer5**
@ -863,6 +1111,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Publishing Server Display Name: Displays the name of publishing server.
@ -901,6 +1158,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingallowcertificatefilterforclient-ssl"></a>**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL**
@ -927,6 +1185,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies the path to a valid certificate in the certificate store.
@ -947,6 +1214,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingallowhighcostlaunch"></a>**AppVirtualization/StreamingAllowHighCostLaunch**
@ -973,6 +1241,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).
@ -993,6 +1270,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingallowlocationprovider"></a>**AppVirtualization/StreamingAllowLocationProvider**
@ -1019,6 +1297,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
@ -1039,6 +1326,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingallowpackageinstallationroot"></a>**AppVirtualization/StreamingAllowPackageInstallationRoot**
@ -1065,6 +1353,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies directory where all new applications and updates will be installed.
@ -1085,6 +1382,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingallowpackagesourceroot"></a>**AppVirtualization/StreamingAllowPackageSourceRoot**
@ -1111,6 +1409,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Overrides source location for downloading package content.
@ -1131,6 +1438,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingallowreestablishmentinterval"></a>**AppVirtualization/StreamingAllowReestablishmentInterval**
@ -1157,6 +1465,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies the number of seconds between attempts to reestablish a dropped session.
@ -1177,6 +1494,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingallowreestablishmentretries"></a>**AppVirtualization/StreamingAllowReestablishmentRetries**
@ -1203,6 +1521,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies the number of times to retry a dropped session.
@ -1223,6 +1550,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingsharedcontentstoremode"></a>**AppVirtualization/StreamingSharedContentStoreMode**
@ -1249,6 +1577,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies that streamed package contents will be not be saved to the local hard disk.
@ -1269,6 +1606,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingsupportbranchcache"></a>**AppVirtualization/StreamingSupportBranchCache**
@ -1295,6 +1633,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
@ -1315,6 +1662,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-streamingverifycertificaterevocationlist"></a>**AppVirtualization/StreamingVerifyCertificateRevocationList**
@ -1341,6 +1689,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Verifies Server certificate revocation status before streaming using HTTPS.
@ -1361,6 +1718,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="appvirtualization-virtualcomponentsallowlist"></a>**AppVirtualization/VirtualComponentsAllowList**
@ -1387,6 +1745,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.

46
windows/client-management/mdm/policy-csp-attachmentmanager.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - AttachmentManager
@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## AttachmentManager policies
<dl>
<dd>
<a href="#attachmentmanager-donotpreservezoneinformation">AttachmentManager/DoNotPreserveZoneInformation</a>
</dd>
<dd>
<a href="#attachmentmanager-hidezoneinfomechanism">AttachmentManager/HideZoneInfoMechanism</a>
</dd>
<dd>
<a href="#attachmentmanager-notifyantivirusprograms">AttachmentManager/NotifyAntivirusPrograms</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="attachmentmanager-donotpreservezoneinformation"></a>**AttachmentManager/DoNotPreserveZoneInformation**
@ -45,6 +58,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.
@ -71,6 +93,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="attachmentmanager-hidezoneinfomechanism"></a>**AttachmentManager/HideZoneInfoMechanism**
@ -97,6 +120,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.
@ -123,6 +155,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="attachmentmanager-notifyantivirusprograms"></a>**AttachmentManager/NotifyAntivirusPrograms**
@ -149,6 +182,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.

59
windows/client-management/mdm/policy-csp-authentication.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/06/2017
ms.date: 09/29/2017
---
# Policy CSP - Authentication
@ -14,11 +14,27 @@ ms.date: 09/06/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Authentication policies
<dl>
<dd>
<a href="#authentication-allowaadpasswordreset">Authentication/AllowAadPasswordReset</a>
</dd>
<dd>
<a href="#authentication-alloweapcertsso">Authentication/AllowEAPCertSSO</a>
</dd>
<dd>
<a href="#authentication-allowfastreconnect">Authentication/AllowFastReconnect</a>
</dd>
<dd>
<a href="#authentication-allowsecondaryauthenticationdevice">Authentication/AllowSecondaryAuthenticationDevice</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="authentication-allowaadpasswordreset"></a>**Authentication/AllowAadPasswordReset**
@ -45,6 +61,15 @@ ms.date: 09/06/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen. 
@ -55,6 +80,7 @@ ms.date: 09/06/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="authentication-alloweapcertsso"></a>**Authentication/AllowEAPCertSSO**
@ -81,6 +107,15 @@ ms.date: 09/06/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources.
@ -98,6 +133,7 @@ ms.date: 09/06/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="authentication-allowfastreconnect"></a>**Authentication/AllowFastReconnect**
@ -124,6 +160,15 @@ ms.date: 09/06/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows EAP Fast Reconnect from being attempted for EAP Method TLS.
@ -136,6 +181,7 @@ ms.date: 09/06/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="authentication-allowsecondaryauthenticationdevice"></a>**Authentication/AllowSecondaryAuthenticationDevice**
@ -162,6 +208,15 @@ ms.date: 09/06/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows.

49
windows/client-management/mdm/policy-csp-autoplay.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Autoplay
@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Autoplay policies
<dl>
<dd>
<a href="#autoplay-disallowautoplayfornonvolumedevices">Autoplay/DisallowAutoplayForNonVolumeDevices</a>
</dd>
<dd>
<a href="#autoplay-setdefaultautorunbehavior">Autoplay/SetDefaultAutoRunBehavior</a>
</dd>
<dd>
<a href="#autoplay-turnoffautoplay">Autoplay/TurnOffAutoPlay</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="autoplay-disallowautoplayfornonvolumedevices"></a>**Autoplay/DisallowAutoplayForNonVolumeDevices**
@ -45,6 +58,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting disallows AutoPlay for MTP devices like cameras or phones.
@ -69,6 +92,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="autoplay-setdefaultautorunbehavior"></a>**Autoplay/SetDefaultAutoRunBehavior**
@ -95,6 +119,16 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting sets the default behavior for Autorun commands.
@ -128,6 +162,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="autoplay-turnoffautoplay"></a>**Autoplay/TurnOffAutoPlay**
@ -154,6 +189,16 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to turn off the Autoplay feature.

20
windows/client-management/mdm/policy-csp-bitlocker.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Bitlocker
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Bitlocker policies
<dl>
<dd>
<a href="#bitlocker-encryptionmethod">Bitlocker/EncryptionMethod</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="bitlocker-encryptionmethod"></a>**Bitlocker/EncryptionMethod**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies the BitLocker Drive Encryption method and cipher strength.

72
windows/client-management/mdm/policy-csp-bluetooth.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Bluetooth
@ -14,11 +14,30 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Bluetooth policies
<dl>
<dd>
<a href="#bluetooth-allowadvertising">Bluetooth/AllowAdvertising</a>
</dd>
<dd>
<a href="#bluetooth-allowdiscoverablemode">Bluetooth/AllowDiscoverableMode</a>
</dd>
<dd>
<a href="#bluetooth-allowprepairing">Bluetooth/AllowPrepairing</a>
</dd>
<dd>
<a href="#bluetooth-localdevicename">Bluetooth/LocalDeviceName</a>
</dd>
<dd>
<a href="#bluetooth-servicesallowedlist">Bluetooth/ServicesAllowedList</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="bluetooth-allowadvertising"></a>**Bluetooth/AllowAdvertising**
@ -45,6 +64,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether the device can send out Bluetooth advertisements.
@ -59,6 +87,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="bluetooth-allowdiscoverablemode"></a>**Bluetooth/AllowDiscoverableMode**
@ -85,6 +114,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether other Bluetooth-enabled devices can discover the device.
@ -99,6 +137,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="bluetooth-allowprepairing"></a>**Bluetooth/AllowPrepairing**
@ -125,6 +164,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device.
@ -135,6 +183,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="bluetooth-localdevicename"></a>**Bluetooth/LocalDeviceName**
@ -161,6 +210,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Sets the local Bluetooth device name.
@ -170,6 +228,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="bluetooth-servicesallowedlist"></a>**Bluetooth/ServicesAllowedList**
@ -196,6 +255,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}.

511
windows/client-management/mdm/policy-csp-browser.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Browser
@ -14,11 +14,123 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Browser policies
<dl>
<dd>
<a href="#browser-allowaddressbardropdown">Browser/AllowAddressBarDropdown</a>
</dd>
<dd>
<a href="#browser-allowautofill">Browser/AllowAutofill</a>
</dd>
<dd>
<a href="#browser-allowbrowser">Browser/AllowBrowser</a>
</dd>
<dd>
<a href="#browser-allowcookies">Browser/AllowCookies</a>
</dd>
<dd>
<a href="#browser-allowdevelopertools">Browser/AllowDeveloperTools</a>
</dd>
<dd>
<a href="#browser-allowdonottrack">Browser/AllowDoNotTrack</a>
</dd>
<dd>
<a href="#browser-allowextensions">Browser/AllowExtensions</a>
</dd>
<dd>
<a href="#browser-allowflash">Browser/AllowFlash</a>
</dd>
<dd>
<a href="#browser-allowflashclicktorun">Browser/AllowFlashClickToRun</a>
</dd>
<dd>
<a href="#browser-allowinprivate">Browser/AllowInPrivate</a>
</dd>
<dd>
<a href="#browser-allowmicrosoftcompatibilitylist">Browser/AllowMicrosoftCompatibilityList</a>
</dd>
<dd>
<a href="#browser-allowpasswordmanager">Browser/AllowPasswordManager</a>
</dd>
<dd>
<a href="#browser-allowpopups">Browser/AllowPopups</a>
</dd>
<dd>
<a href="#browser-allowsearchenginecustomization">Browser/AllowSearchEngineCustomization</a>
</dd>
<dd>
<a href="#browser-allowsearchsuggestionsinaddressbar">Browser/AllowSearchSuggestionsinAddressBar</a>
</dd>
<dd>
<a href="#browser-allowsmartscreen">Browser/AllowSmartScreen</a>
</dd>
<dd>
<a href="#browser-alwaysenablebookslibrary">Browser/AlwaysEnableBooksLibrary</a>
</dd>
<dd>
<a href="#browser-clearbrowsingdataonexit">Browser/ClearBrowsingDataOnExit</a>
</dd>
<dd>
<a href="#browser-configureadditionalsearchengines">Browser/ConfigureAdditionalSearchEngines</a>
</dd>
<dd>
<a href="#browser-disablelockdownofstartpages">Browser/DisableLockdownOfStartPages</a>
</dd>
<dd>
<a href="#browser-enterprisemodesitelist">Browser/EnterpriseModeSiteList</a>
</dd>
<dd>
<a href="#browser-enterprisesitelistserviceurl">Browser/EnterpriseSiteListServiceUrl</a>
</dd>
<dd>
<a href="#browser-firstrunurl">Browser/FirstRunURL</a>
</dd>
<dd>
<a href="#browser-homepages">Browser/HomePages</a>
</dd>
<dd>
<a href="#browser-lockdownfavorites">Browser/LockdownFavorites</a>
</dd>
<dd>
<a href="#browser-preventaccesstoaboutflagsinmicrosoftedge">Browser/PreventAccessToAboutFlagsInMicrosoftEdge</a>
</dd>
<dd>
<a href="#browser-preventfirstrunpage">Browser/PreventFirstRunPage</a>
</dd>
<dd>
<a href="#browser-preventlivetiledatacollection">Browser/PreventLiveTileDataCollection</a>
</dd>
<dd>
<a href="#browser-preventsmartscreenpromptoverride">Browser/PreventSmartScreenPromptOverride</a>
</dd>
<dd>
<a href="#browser-preventsmartscreenpromptoverrideforfiles">Browser/PreventSmartScreenPromptOverrideForFiles</a>
</dd>
<dd>
<a href="#browser-preventusinglocalhostipaddressforwebrtc">Browser/PreventUsingLocalHostIPAddressForWebRTC</a>
</dd>
<dd>
<a href="#browser-provisionfavorites">Browser/ProvisionFavorites</a>
</dd>
<dd>
<a href="#browser-sendintranettraffictointernetexplorer">Browser/SendIntranetTraffictoInternetExplorer</a>
</dd>
<dd>
<a href="#browser-setdefaultsearchengine">Browser/SetDefaultSearchEngine</a>
</dd>
<dd>
<a href="#browser-showmessagewhenopeningsitesininternetexplorer">Browser/ShowMessageWhenOpeningSitesInInternetExplorer</a>
</dd>
<dd>
<a href="#browser-syncfavoritesbetweenieandmicrosoftedge">Browser/SyncFavoritesBetweenIEAndMicrosoftEdge</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowaddressbardropdown"></a>**Browser/AllowAddressBarDropdown**
@ -45,6 +157,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. 
@ -60,6 +182,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowautofill"></a>**Browser/AllowAutofill**
@ -86,6 +209,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether autofill on websites is allowed.
@ -105,6 +238,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowbrowser"></a>**Browser/AllowBrowser**
@ -131,6 +265,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead.
@ -149,6 +293,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowcookies"></a>**Browser/AllowCookies**
@ -175,6 +320,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether cookies are allowed.
@ -194,6 +349,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowdevelopertools"></a>**Browser/AllowDeveloperTools**
@ -220,6 +376,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -236,6 +402,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowdonottrack"></a>**Browser/AllowDoNotTrack**
@ -262,6 +429,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether Do Not Track headers are allowed.
@ -281,6 +458,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowextensions"></a>**Browser/AllowExtensions**
@ -307,6 +485,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed.
@ -317,6 +505,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowflash"></a>**Browser/AllowFlash**
@ -343,6 +532,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge.
@ -353,6 +552,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowflashclicktorun"></a>**Browser/AllowFlashClickToRun**
@ -379,6 +579,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash.
@ -389,6 +599,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowinprivate"></a>**Browser/AllowInPrivate**
@ -415,6 +626,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether InPrivate browsing is allowed on corporate networks.
@ -427,6 +648,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowmicrosoftcompatibilitylist"></a>**Browser/AllowMicrosoftCompatibilityList**
@ -453,6 +675,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly.
By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat".
@ -468,6 +700,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowpasswordmanager"></a>**Browser/AllowPasswordManager**
@ -494,6 +727,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether saving and managing passwords locally on the device is allowed.
@ -513,6 +756,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowpopups"></a>**Browser/AllowPopups**
@ -539,6 +783,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether pop-up blocker is allowed or enabled.
@ -558,6 +812,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowsearchenginecustomization"></a>**Browser/AllowSearchEngineCustomization**
@ -584,6 +839,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine. 
 
@ -598,6 +863,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowsearchsuggestionsinaddressbar"></a>**Browser/AllowSearchSuggestionsinAddressBar**
@ -624,6 +890,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether search suggestions are allowed in the address bar.
@ -636,6 +912,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-allowsmartscreen"></a>**Browser/AllowSmartScreen**
@ -662,6 +939,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether Windows Defender SmartScreen is allowed.
@ -681,9 +968,20 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-alwaysenablebookslibrary"></a>**Browser/AlwaysEnableBooksLibrary**
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">
@ -691,6 +989,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-clearbrowsingdataonexit"></a>**Browser/ClearBrowsingDataOnExit**
@ -717,6 +1016,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge.
@ -735,6 +1044,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-configureadditionalsearchengines"></a>**Browser/ConfigureAdditionalSearchEngines**
@ -761,6 +1071,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices. 
 
@ -781,6 +1101,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-disablelockdownofstartpages"></a>**Browser/DisableLockdownOfStartPages**
@ -807,6 +1128,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect. 
 
@ -825,6 +1156,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-enterprisemodesitelist"></a>**Browser/EnterpriseModeSiteList**
@ -851,6 +1183,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -865,6 +1207,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-enterprisesitelistserviceurl"></a>**Browser/EnterpriseSiteListServiceUrl**
@ -891,12 +1234,23 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!IMPORTANT]
> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist).
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-firstrunurl"></a>**Browser/FirstRunURL**
@ -923,6 +1277,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -936,6 +1300,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-homepages"></a>**Browser/HomePages**
@ -962,6 +1327,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -977,6 +1352,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-lockdownfavorites"></a>**Browser/LockdownFavorites**
@ -1003,6 +1379,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge.
@ -1022,6 +1408,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-preventaccesstoaboutflagsinmicrosoftedge"></a>**Browser/PreventAccessToAboutFlagsInMicrosoftEdge**
@ -1048,6 +1435,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features.
@ -1058,6 +1455,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-preventfirstrunpage"></a>**Browser/PreventFirstRunPage**
@ -1084,6 +1482,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening.
@ -1096,6 +1504,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-preventlivetiledatacollection"></a>**Browser/PreventLiveTileDataCollection**
@ -1122,6 +1531,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge.
@ -1134,6 +1553,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-preventsmartscreenpromptoverride"></a>**Browser/PreventSmartScreenPromptOverride**
@ -1160,6 +1580,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites.
@ -1172,6 +1602,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-preventsmartscreenpromptoverrideforfiles"></a>**Browser/PreventSmartScreenPromptOverrideForFiles**
@ -1198,6 +1629,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process.
@ -1208,6 +1649,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-preventusinglocalhostipaddressforwebrtc"></a>**Browser/PreventUsingLocalHostIPAddressForWebRTC**
@ -1234,6 +1676,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -1248,6 +1700,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-provisionfavorites"></a>**Browser/ProvisionFavorites**
@ -1274,6 +1727,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.
 
@ -1292,6 +1755,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-sendintranettraffictointernetexplorer"></a>**Browser/SendIntranetTraffictoInternetExplorer**
@ -1318,6 +1782,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -1334,6 +1808,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-setdefaultsearchengine"></a>**Browser/SetDefaultSearchEngine**
@ -1360,6 +1835,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy.
@ -1379,6 +1864,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-showmessagewhenopeningsitesininternetexplorer"></a>**Browser/ShowMessageWhenOpeningSitesInInternetExplorer**
@ -1405,6 +1891,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -1421,6 +1917,7 @@ Employees cannot remove these search engines, but they can set any one as the de
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="browser-syncfavoritesbetweenieandmicrosoftedge"></a>**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**
@ -1447,6 +1944,16 @@ Employees cannot remove these search engines, but they can set any one as the de
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering.

20
windows/client-management/mdm/policy-csp-camera.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Camera
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Camera policies
<dl>
<dd>
<a href="#camera-allowcamera">Camera/AllowCamera</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="camera-allowcamera"></a>**Camera/AllowCamera**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Disables or enables the camera.

20
windows/client-management/mdm/policy-csp-cellular.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Cellular
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Cellular policies
<dl>
<dd>
<a href="#cellular-showappcellularaccessui">Cellular/ShowAppCellularAccessUI</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="cellular-showappcellularaccessui"></a>**Cellular/ShowAppCellularAccessUI**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]

176
windows/client-management/mdm/policy-csp-connectivity.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Connectivity
@ -14,11 +14,54 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Connectivity policies
<dl>
<dd>
<a href="#connectivity-allowbluetooth">Connectivity/AllowBluetooth</a>
</dd>
<dd>
<a href="#connectivity-allowcellulardata">Connectivity/AllowCellularData</a>
</dd>
<dd>
<a href="#connectivity-allowcellulardataroaming">Connectivity/AllowCellularDataRoaming</a>
</dd>
<dd>
<a href="#connectivity-allowconnecteddevices">Connectivity/AllowConnectedDevices</a>
</dd>
<dd>
<a href="#connectivity-allownfc">Connectivity/AllowNFC</a>
</dd>
<dd>
<a href="#connectivity-allowusbconnection">Connectivity/AllowUSBConnection</a>
</dd>
<dd>
<a href="#connectivity-allowvpnovercellular">Connectivity/AllowVPNOverCellular</a>
</dd>
<dd>
<a href="#connectivity-allowvpnroamingovercellular">Connectivity/AllowVPNRoamingOverCellular</a>
</dd>
<dd>
<a href="#connectivity-diableprintingoverhttp">Connectivity/DiablePrintingOverHTTP</a>
</dd>
<dd>
<a href="#connectivity-disabledownloadingofprintdriversoverhttp">Connectivity/DisableDownloadingOfPrintDriversOverHTTP</a>
</dd>
<dd>
<a href="#connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards">Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards</a>
</dd>
<dd>
<a href="#connectivity-hardeneduncpaths">Connectivity/HardenedUNCPaths</a>
</dd>
<dd>
<a href="#connectivity-prohibitinstallationandconfigurationofnetworkbridge">Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-allowbluetooth"></a>**Connectivity/AllowBluetooth**
@ -45,6 +88,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the user to enable Bluetooth or restrict access.
@ -64,6 +116,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-allowcellulardata"></a>**Connectivity/AllowCellularData**
@ -90,6 +143,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the cellular data channel on the device. Device reboot is not required to enforce the policy.
@ -101,6 +163,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-allowcellulardataroaming"></a>**Connectivity/AllowCellularDataRoaming**
@ -127,6 +190,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy.
@ -148,6 +220,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-allowconnecteddevices"></a>**Connectivity/AllowConnectedDevices**
@ -174,6 +247,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy requires reboot to take effect.
@ -187,6 +269,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-allownfc"></a>**Connectivity/AllowNFC**
@ -213,6 +296,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -229,6 +321,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-allowusbconnection"></a>**Connectivity/AllowUSBConnection**
@ -255,6 +348,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -273,6 +375,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-allowvpnovercellular"></a>**Connectivity/AllowVPNOverCellular**
@ -299,6 +402,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies what type of underlying connections VPN is allowed to use.
@ -311,6 +423,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-allowvpnroamingovercellular"></a>**Connectivity/AllowVPNRoamingOverCellular**
@ -337,6 +450,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Prevents the device from connecting to VPN when the device roams over cellular networks.
@ -349,6 +471,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-diableprintingoverhttp"></a>**Connectivity/DiablePrintingOverHTTP**
@ -375,6 +498,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -393,6 +525,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-disabledownloadingofprintdriversoverhttp"></a>**Connectivity/DisableDownloadingOfPrintDriversOverHTTP**
@ -419,6 +552,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -437,6 +579,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-disableinternetdownloadforwebpublishingandonlineorderingwizards"></a>**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards**
@ -463,6 +606,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -481,6 +633,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-hardeneduncpaths"></a>**Connectivity/HardenedUNCPaths**
@ -507,6 +660,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting configures secure access to UNC paths.
@ -529,6 +691,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="connectivity-prohibitinstallationandconfigurationofnetworkbridge"></a>**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge**
@ -555,6 +718,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]

46
windows/client-management/mdm/policy-csp-credentialproviders.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - CredentialProviders
@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## CredentialProviders policies
<dl>
<dd>
<a href="#credentialproviders-allowpinlogon">CredentialProviders/AllowPINLogon</a>
</dd>
<dd>
<a href="#credentialproviders-blockpicturepassword">CredentialProviders/BlockPicturePassword</a>
</dd>
<dd>
<a href="#credentialproviders-disableautomaticredeploymentcredentials">CredentialProviders/DisableAutomaticReDeploymentCredentials</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="credentialproviders-allowpinlogon"></a>**CredentialProviders/AllowPINLogon**
@ -45,6 +58,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to control whether a domain user can sign in using a convenience PIN.
@ -73,6 +95,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="credentialproviders-blockpicturepassword"></a>**CredentialProviders/BlockPicturePassword**
@ -99,6 +122,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to control whether a domain user can sign in using a picture password.
@ -125,6 +157,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="credentialproviders-disableautomaticredeploymentcredentials"></a>**CredentialProviders/DisableAutomaticReDeploymentCredentials**
@ -151,6 +184,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device.

34
windows/client-management/mdm/policy-csp-credentialsui.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - CredentialsUI
@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## CredentialsUI policies
<dl>
<dd>
<a href="#credentialsui-disablepasswordreveal">CredentialsUI/DisablePasswordReveal</a>
</dd>
<dd>
<a href="#credentialsui-enumerateadministrators">CredentialsUI/EnumerateAdministrators</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="credentialsui-disablepasswordreveal"></a>**CredentialsUI/DisablePasswordReveal**
@ -45,6 +55,16 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.
@ -73,6 +93,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="credentialsui-enumerateadministrators"></a>**CredentialsUI/EnumerateAdministrators**
@ -99,6 +120,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.

33
windows/client-management/mdm/policy-csp-cryptography.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Cryptography
@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Cryptography policies
<dl>
<dd>
<a href="#cryptography-allowfipsalgorithmpolicy">Cryptography/AllowFipsAlgorithmPolicy</a>
</dd>
<dd>
<a href="#cryptography-tlsciphersuites">Cryptography/TLSCipherSuites</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="cryptography-allowfipsalgorithmpolicy"></a>**Cryptography/AllowFipsAlgorithmPolicy**
@ -45,6 +55,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows or disallows the Federal Information Processing Standard (FIPS) policy.
@ -55,6 +74,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="cryptography-tlsciphersuites"></a>**Cryptography/TLSCipherSuites**
@ -81,6 +101,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win.

33
windows/client-management/mdm/policy-csp-dataprotection.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - DataProtection
@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## DataProtection policies
<dl>
<dd>
<a href="#dataprotection-allowdirectmemoryaccess">DataProtection/AllowDirectMemoryAccess</a>
</dd>
<dd>
<a href="#dataprotection-legacyselectivewipeid">DataProtection/LegacySelectiveWipeID</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="dataprotection-allowdirectmemoryaccess"></a>**DataProtection/AllowDirectMemoryAccess**
@ -45,6 +55,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled.
@ -57,6 +76,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="dataprotection-legacyselectivewipeid"></a>**DataProtection/LegacySelectiveWipeID**
@ -83,6 +103,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!IMPORTANT]
> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time.

33
windows/client-management/mdm/policy-csp-datausage.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - DataUsage
@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## DataUsage policies
<dl>
<dd>
<a href="#datausage-setcost3g">DataUsage/SetCost3G</a>
</dd>
<dd>
<a href="#datausage-setcost4g">DataUsage/SetCost4G</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="datausage-setcost3g"></a>**DataUsage/SetCost3G**
@ -45,6 +55,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting configures the cost of 3G connections on the local machine.
@ -75,6 +94,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="datausage-setcost4g"></a>**DataUsage/SetCost4G**
@ -101,6 +121,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting configures the cost of 4G connections on the local machine.

462
windows/client-management/mdm/policy-csp-defender.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Defender
@ -14,11 +14,120 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Defender policies
<dl>
<dd>
<a href="#defender-allowarchivescanning">Defender/AllowArchiveScanning</a>
</dd>
<dd>
<a href="#defender-allowbehaviormonitoring">Defender/AllowBehaviorMonitoring</a>
</dd>
<dd>
<a href="#defender-allowcloudprotection">Defender/AllowCloudProtection</a>
</dd>
<dd>
<a href="#defender-allowemailscanning">Defender/AllowEmailScanning</a>
</dd>
<dd>
<a href="#defender-allowfullscanonmappednetworkdrives">Defender/AllowFullScanOnMappedNetworkDrives</a>
</dd>
<dd>
<a href="#defender-allowfullscanremovabledrivescanning">Defender/AllowFullScanRemovableDriveScanning</a>
</dd>
<dd>
<a href="#defender-allowioavprotection">Defender/AllowIOAVProtection</a>
</dd>
<dd>
<a href="#defender-allowintrusionpreventionsystem">Defender/AllowIntrusionPreventionSystem</a>
</dd>
<dd>
<a href="#defender-allowonaccessprotection">Defender/AllowOnAccessProtection</a>
</dd>
<dd>
<a href="#defender-allowrealtimemonitoring">Defender/AllowRealtimeMonitoring</a>
</dd>
<dd>
<a href="#defender-allowscanningnetworkfiles">Defender/AllowScanningNetworkFiles</a>
</dd>
<dd>
<a href="#defender-allowscriptscanning">Defender/AllowScriptScanning</a>
</dd>
<dd>
<a href="#defender-allowuseruiaccess">Defender/AllowUserUIAccess</a>
</dd>
<dd>
<a href="#defender-attacksurfacereductiononlyexclusions">Defender/AttackSurfaceReductionOnlyExclusions</a>
</dd>
<dd>
<a href="#defender-attacksurfacereductionrules">Defender/AttackSurfaceReductionRules</a>
</dd>
<dd>
<a href="#defender-avgcpuloadfactor">Defender/AvgCPULoadFactor</a>
</dd>
<dd>
<a href="#defender-cloudblocklevel">Defender/CloudBlockLevel</a>
</dd>
<dd>
<a href="#defender-cloudextendedtimeout">Defender/CloudExtendedTimeout</a>
</dd>
<dd>
<a href="#defender-controlledfolderaccessallowedapplications">Defender/ControlledFolderAccessAllowedApplications</a>
</dd>
<dd>
<a href="#defender-controlledfolderaccessprotectedfolders">Defender/ControlledFolderAccessProtectedFolders</a>
</dd>
<dd>
<a href="#defender-daystoretaincleanedmalware">Defender/DaysToRetainCleanedMalware</a>
</dd>
<dd>
<a href="#defender-enablecontrolledfolderaccess">Defender/EnableControlledFolderAccess</a>
</dd>
<dd>
<a href="#defender-enablenetworkprotection">Defender/EnableNetworkProtection</a>
</dd>
<dd>
<a href="#defender-excludedextensions">Defender/ExcludedExtensions</a>
</dd>
<dd>
<a href="#defender-excludedpaths">Defender/ExcludedPaths</a>
</dd>
<dd>
<a href="#defender-excludedprocesses">Defender/ExcludedProcesses</a>
</dd>
<dd>
<a href="#defender-puaprotection">Defender/PUAProtection</a>
</dd>
<dd>
<a href="#defender-realtimescandirection">Defender/RealTimeScanDirection</a>
</dd>
<dd>
<a href="#defender-scanparameter">Defender/ScanParameter</a>
</dd>
<dd>
<a href="#defender-schedulequickscantime">Defender/ScheduleQuickScanTime</a>
</dd>
<dd>
<a href="#defender-schedulescanday">Defender/ScheduleScanDay</a>
</dd>
<dd>
<a href="#defender-schedulescantime">Defender/ScheduleScanTime</a>
</dd>
<dd>
<a href="#defender-signatureupdateinterval">Defender/SignatureUpdateInterval</a>
</dd>
<dd>
<a href="#defender-submitsamplesconsent">Defender/SubmitSamplesConsent</a>
</dd>
<dd>
<a href="#defender-threatseveritydefaultaction">Defender/ThreatSeverityDefaultAction</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowarchivescanning"></a>**Defender/AllowArchiveScanning**
@ -45,6 +154,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -59,6 +177,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowbehaviormonitoring"></a>**Defender/AllowBehaviorMonitoring**
@ -85,6 +204,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -99,6 +227,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowcloudprotection"></a>**Defender/AllowCloudProtection**
@ -125,6 +254,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -139,6 +277,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowemailscanning"></a>**Defender/AllowEmailScanning**
@ -165,6 +304,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -179,6 +327,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowfullscanonmappednetworkdrives"></a>**Defender/AllowFullScanOnMappedNetworkDrives**
@ -205,6 +354,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -219,6 +377,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowfullscanremovabledrivescanning"></a>**Defender/AllowFullScanRemovableDriveScanning**
@ -245,6 +404,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -259,6 +427,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowioavprotection"></a>**Defender/AllowIOAVProtection**
@ -285,6 +454,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -299,6 +477,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowintrusionpreventionsystem"></a>**Defender/AllowIntrusionPreventionSystem**
@ -325,6 +504,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -339,6 +527,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowonaccessprotection"></a>**Defender/AllowOnAccessProtection**
@ -365,6 +554,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -379,6 +577,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowrealtimemonitoring"></a>**Defender/AllowRealtimeMonitoring**
@ -405,6 +604,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -419,6 +627,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowscanningnetworkfiles"></a>**Defender/AllowScanningNetworkFiles**
@ -445,6 +654,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -459,6 +677,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowscriptscanning"></a>**Defender/AllowScriptScanning**
@ -485,6 +704,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -499,6 +727,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-allowuseruiaccess"></a>**Defender/AllowUserUIAccess**
@ -525,6 +754,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -539,6 +777,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-attacksurfacereductiononlyexclusions"></a>**Defender/AttackSurfaceReductionOnlyExclusions**
@ -565,6 +804,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -576,6 +824,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-attacksurfacereductionrules"></a>**Defender/AttackSurfaceReductionRules**
@ -602,6 +851,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -615,6 +873,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-avgcpuloadfactor"></a>**Defender/AvgCPULoadFactor**
@ -641,6 +900,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -654,6 +922,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-cloudblocklevel"></a>**Defender/CloudBlockLevel**
@ -680,6 +949,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -703,6 +981,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-cloudextendedtimeout"></a>**Defender/CloudExtendedTimeout**
@ -729,6 +1008,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -744,6 +1032,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-controlledfolderaccessallowedapplications"></a>**Defender/ControlledFolderAccessAllowedApplications**
@ -770,6 +1059,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications.
@ -778,6 +1076,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-controlledfolderaccessprotectedfolders"></a>**Defender/ControlledFolderAccessProtectedFolders**
@ -804,6 +1103,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders.
@ -812,6 +1120,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-daystoretaincleanedmalware"></a>**Defender/DaysToRetainCleanedMalware**
@ -838,6 +1147,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -851,6 +1169,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-enablecontrolledfolderaccess"></a>**Defender/EnableControlledFolderAccess**
@ -877,6 +1196,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess.
@ -889,6 +1217,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-enablenetworkprotection"></a>**Defender/EnableNetworkProtection**
@ -915,6 +1244,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -935,6 +1273,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-excludedextensions"></a>**Defender/ExcludedExtensions**
@ -961,6 +1300,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -970,6 +1318,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-excludedpaths"></a>**Defender/ExcludedPaths**
@ -996,6 +1345,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1005,6 +1363,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-excludedprocesses"></a>**Defender/ExcludedProcesses**
@ -1031,6 +1390,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1046,6 +1414,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-puaprotection"></a>**Defender/PUAProtection**
@ -1072,6 +1441,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1087,6 +1465,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-realtimescandirection"></a>**Defender/RealTimeScanDirection**
@ -1113,6 +1492,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1132,6 +1520,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-scanparameter"></a>**Defender/ScanParameter**
@ -1158,6 +1547,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1172,6 +1570,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-schedulequickscantime"></a>**Defender/ScheduleQuickScanTime**
@ -1198,6 +1597,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1217,6 +1625,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-schedulescanday"></a>**Defender/ScheduleScanDay**
@ -1243,6 +1652,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1268,6 +1686,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-schedulescantime"></a>**Defender/ScheduleScanTime**
@ -1294,6 +1713,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1313,6 +1741,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-signatureupdateinterval"></a>**Defender/SignatureUpdateInterval**
@ -1339,6 +1768,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1354,6 +1792,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-submitsamplesconsent"></a>**Defender/SubmitSamplesConsent**
@ -1380,6 +1819,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.
@ -1396,6 +1844,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="defender-threatseveritydefaultaction"></a>**Defender/ThreatSeverityDefaultAction**
@ -1422,6 +1871,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop.

215
windows/client-management/mdm/policy-csp-deliveryoptimization.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - DeliveryOptimization
@ -14,11 +14,63 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## DeliveryOptimization policies
<dl>
<dd>
<a href="#deliveryoptimization-doabsolutemaxcachesize">DeliveryOptimization/DOAbsoluteMaxCacheSize</a>
</dd>
<dd>
<a href="#deliveryoptimization-doallowvpnpeercaching">DeliveryOptimization/DOAllowVPNPeerCaching</a>
</dd>
<dd>
<a href="#deliveryoptimization-dodownloadmode">DeliveryOptimization/DODownloadMode</a>
</dd>
<dd>
<a href="#deliveryoptimization-dogroupid">DeliveryOptimization/DOGroupId</a>
</dd>
<dd>
<a href="#deliveryoptimization-domaxcacheage">DeliveryOptimization/DOMaxCacheAge</a>
</dd>
<dd>
<a href="#deliveryoptimization-domaxcachesize">DeliveryOptimization/DOMaxCacheSize</a>
</dd>
<dd>
<a href="#deliveryoptimization-domaxdownloadbandwidth">DeliveryOptimization/DOMaxDownloadBandwidth</a>
</dd>
<dd>
<a href="#deliveryoptimization-domaxuploadbandwidth">DeliveryOptimization/DOMaxUploadBandwidth</a>
</dd>
<dd>
<a href="#deliveryoptimization-dominbackgroundqos">DeliveryOptimization/DOMinBackgroundQos</a>
</dd>
<dd>
<a href="#deliveryoptimization-dominbatterypercentageallowedtoupload">DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload</a>
</dd>
<dd>
<a href="#deliveryoptimization-domindisksizeallowedtopeer">DeliveryOptimization/DOMinDiskSizeAllowedToPeer</a>
</dd>
<dd>
<a href="#deliveryoptimization-dominfilesizetocache">DeliveryOptimization/DOMinFileSizeToCache</a>
</dd>
<dd>
<a href="#deliveryoptimization-dominramallowedtopeer">DeliveryOptimization/DOMinRAMAllowedToPeer</a>
</dd>
<dd>
<a href="#deliveryoptimization-domodifycachedrive">DeliveryOptimization/DOModifyCacheDrive</a>
</dd>
<dd>
<a href="#deliveryoptimization-domonthlyuploaddatacap">DeliveryOptimization/DOMonthlyUploadDataCap</a>
</dd>
<dd>
<a href="#deliveryoptimization-dopercentagemaxdownloadbandwidth">DeliveryOptimization/DOPercentageMaxDownloadBandwidth</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-doabsolutemaxcachesize"></a>**DeliveryOptimization/DOAbsoluteMaxCacheSize**
@ -45,6 +97,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -56,6 +117,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-doallowvpnpeercaching"></a>**DeliveryOptimization/DOAllowVPNPeerCaching**
@ -82,6 +144,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -93,6 +164,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dodownloadmode"></a>**DeliveryOptimization/DODownloadMode**
@ -119,6 +191,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -137,6 +218,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dogroupid"></a>**DeliveryOptimization/DOGroupId**
@ -163,6 +245,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -175,6 +266,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domaxcacheage"></a>**DeliveryOptimization/DOMaxCacheAge**
@ -201,6 +293,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -212,6 +313,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domaxcachesize"></a>**DeliveryOptimization/DOMaxCacheSize**
@ -238,6 +340,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -249,6 +360,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domaxdownloadbandwidth"></a>**DeliveryOptimization/DOMaxDownloadBandwidth**
@ -275,6 +387,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -286,6 +407,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domaxuploadbandwidth"></a>**DeliveryOptimization/DOMaxUploadBandwidth**
@ -312,6 +434,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -323,6 +454,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dominbackgroundqos"></a>**DeliveryOptimization/DOMinBackgroundQos**
@ -349,6 +481,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -360,6 +501,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dominbatterypercentageallowedtoupload"></a>**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload**
@ -386,6 +528,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -396,6 +547,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domindisksizeallowedtopeer"></a>**DeliveryOptimization/DOMinDiskSizeAllowedToPeer**
@ -422,6 +574,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -436,6 +597,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dominfilesizetocache"></a>**DeliveryOptimization/DOMinFileSizeToCache**
@ -462,6 +624,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -473,6 +644,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dominramallowedtopeer"></a>**DeliveryOptimization/DOMinRAMAllowedToPeer**
@ -499,6 +671,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -510,6 +691,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domodifycachedrive"></a>**DeliveryOptimization/DOModifyCacheDrive**
@ -536,6 +718,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -547,6 +738,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-domonthlyuploaddatacap"></a>**DeliveryOptimization/DOMonthlyUploadDataCap**
@ -573,6 +765,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.
@ -586,6 +787,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deliveryoptimization-dopercentagemaxdownloadbandwidth"></a>**DeliveryOptimization/DOPercentageMaxDownloadBandwidth**
@ -612,6 +814,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile.

20
windows/client-management/mdm/policy-csp-desktop.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Desktop
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Desktop policies
<dl>
<dd>
<a href="#desktop-preventuserredirectionofprofilefolders">Desktop/PreventUserRedirectionOfProfileFolders</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="desktop-preventuserredirectionofprofilefolders"></a>**Desktop/PreventUserRedirectionOfProfileFolders**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
Prevents users from changing the path to their profile folders.

46
windows/client-management/mdm/policy-csp-deviceguard.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - DeviceGuard
@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## DeviceGuard policies
<dl>
<dd>
<a href="#deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
</dd>
<dd>
<a href="#deviceguard-lsacfgflags">DeviceGuard/LsaCfgFlags</a>
</dd>
<dd>
<a href="#deviceguard-requireplatformsecurityfeatures">DeviceGuard/RequirePlatformSecurityFeatures</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="deviceguard-enablevirtualizationbasedsecurity"></a>**DeviceGuard/EnableVirtualizationBasedSecurity**
@ -45,6 +58,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
 
<p style="margin-left: 20px">Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values:
@ -55,6 +77,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deviceguard-lsacfgflags"></a>**DeviceGuard/LsaCfgFlags**
@ -81,6 +104,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
 
<p style="margin-left: 20px">Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values:
@ -93,6 +125,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deviceguard-requireplatformsecurityfeatures"></a>**DeviceGuard/RequirePlatformSecurityFeatures**
@ -119,6 +152,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values:
<ul>

33
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - DeviceInstallation
@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## DeviceInstallation policies
<dl>
<dd>
<a href="#deviceinstallation-preventinstallationofmatchingdeviceids">DeviceInstallation/PreventInstallationOfMatchingDeviceIDs</a>
</dd>
<dd>
<a href="#deviceinstallation-preventinstallationofmatchingdevicesetupclasses">DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="deviceinstallation-preventinstallationofmatchingdeviceids"></a>**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs**
@ -45,6 +55,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
@ -69,6 +88,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="deviceinstallation-preventinstallationofmatchingdevicesetupclasses"></a>**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses**
@ -95,6 +115,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

215
windows/client-management/mdm/policy-csp-devicelock.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - DeviceLock
@ -14,11 +14,63 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## DeviceLock policies
<dl>
<dd>
<a href="#devicelock-allowidlereturnwithoutpassword">DeviceLock/AllowIdleReturnWithoutPassword</a>
</dd>
<dd>
<a href="#devicelock-allowscreentimeoutwhilelockeduserconfig">DeviceLock/AllowScreenTimeoutWhileLockedUserConfig</a>
</dd>
<dd>
<a href="#devicelock-allowsimpledevicepassword">DeviceLock/AllowSimpleDevicePassword</a>
</dd>
<dd>
<a href="#devicelock-alphanumericdevicepasswordrequired">DeviceLock/AlphanumericDevicePasswordRequired</a>
</dd>
<dd>
<a href="#devicelock-devicepasswordenabled">DeviceLock/DevicePasswordEnabled</a>
</dd>
<dd>
<a href="#devicelock-devicepasswordexpiration">DeviceLock/DevicePasswordExpiration</a>
</dd>
<dd>
<a href="#devicelock-devicepasswordhistory">DeviceLock/DevicePasswordHistory</a>
</dd>
<dd>
<a href="#devicelock-enforcelockscreenandlogonimage">DeviceLock/EnforceLockScreenAndLogonImage</a>
</dd>
<dd>
<a href="#devicelock-enforcelockscreenprovider">DeviceLock/EnforceLockScreenProvider</a>
</dd>
<dd>
<a href="#devicelock-maxdevicepasswordfailedattempts">DeviceLock/MaxDevicePasswordFailedAttempts</a>
</dd>
<dd>
<a href="#devicelock-maxinactivitytimedevicelock">DeviceLock/MaxInactivityTimeDeviceLock</a>
</dd>
<dd>
<a href="#devicelock-maxinactivitytimedevicelockwithexternaldisplay">DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay</a>
</dd>
<dd>
<a href="#devicelock-mindevicepasswordcomplexcharacters">DeviceLock/MinDevicePasswordComplexCharacters</a>
</dd>
<dd>
<a href="#devicelock-mindevicepasswordlength">DeviceLock/MinDevicePasswordLength</a>
</dd>
<dd>
<a href="#devicelock-preventlockscreenslideshow">DeviceLock/PreventLockScreenSlideShow</a>
</dd>
<dd>
<a href="#devicelock-screentimeoutwhilelocked">DeviceLock/ScreenTimeoutWhileLocked</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword**
@ -45,6 +97,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -63,6 +124,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-allowscreentimeoutwhilelockeduserconfig"></a>**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig**
@ -89,6 +151,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -110,6 +181,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-allowsimpledevicepassword"></a>**DeviceLock/AllowSimpleDevicePassword**
@ -136,6 +208,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
@ -152,6 +233,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-alphanumericdevicepasswordrequired"></a>**DeviceLock/AlphanumericDevicePasswordRequired**
@ -178,6 +260,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
@ -202,6 +293,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-devicepasswordenabled"></a>**DeviceLock/DevicePasswordEnabled**
@ -228,6 +320,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether device lock is enabled.
@ -278,6 +379,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-devicepasswordexpiration"></a>**DeviceLock/DevicePasswordExpiration**
@ -304,6 +406,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies when the password expires (in days).
@ -322,6 +433,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-devicepasswordhistory"></a>**DeviceLock/DevicePasswordHistory**
@ -348,6 +460,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies how many passwords can be stored in the history that cant be used.
@ -368,6 +489,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-enforcelockscreenandlogonimage"></a>**DeviceLock/EnforceLockScreenAndLogonImage**
@ -394,6 +516,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
@ -405,6 +536,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-enforcelockscreenprovider"></a>**DeviceLock/EnforceLockScreenProvider**
@ -431,6 +563,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider.
@ -442,6 +583,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-maxdevicepasswordfailedattempts"></a>**DeviceLock/MaxDevicePasswordFailedAttempts**
@ -468,6 +610,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
@ -493,6 +644,7 @@ The number of authentication failures allowed before the device will be wiped. A
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-maxinactivitytimedevicelock"></a>**DeviceLock/MaxInactivityTimeDeviceLock**
@ -519,6 +671,15 @@ The number of authentication failures allowed before the device will be wiped. A
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy.
@ -535,6 +696,7 @@ The number of authentication failures allowed before the device will be wiped. A
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-maxinactivitytimedevicelockwithexternaldisplay"></a>**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay**
@ -561,6 +723,15 @@ The number of authentication failures allowed before the device will be wiped. A
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display.
@ -575,6 +746,7 @@ The number of authentication failures allowed before the device will be wiped. A
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-mindevicepasswordcomplexcharacters"></a>**DeviceLock/MinDevicePasswordComplexCharacters**
@ -601,6 +773,15 @@ The number of authentication failures allowed before the device will be wiped. A
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
@ -677,6 +858,7 @@ The number of authentication failures allowed before the device will be wiped. A
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-mindevicepasswordlength"></a>**DeviceLock/MinDevicePasswordLength**
@ -703,6 +885,15 @@ The number of authentication failures allowed before the device will be wiped. A
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies the minimum number or characters required in the PIN or password.
@ -724,6 +915,7 @@ The number of authentication failures allowed before the device will be wiped. A
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-preventlockscreenslideshow"></a>**DeviceLock/PreventLockScreenSlideShow**
@ -750,6 +942,15 @@ The number of authentication failures allowed before the device will be wiped. A
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.
@ -774,6 +975,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="devicelock-screentimeoutwhilelocked"></a>**DeviceLock/ScreenTimeoutWhileLocked**
@ -800,6 +1002,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

33
windows/client-management/mdm/policy-csp-display.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Display
@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Display policies
<dl>
<dd>
<a href="#display-turnoffgdidpiscalingforapps">Display/TurnOffGdiDPIScalingForApps</a>
</dd>
<dd>
<a href="#display-turnongdidpiscalingforapps">Display/TurnOnGdiDPIScalingForApps</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="display-turnoffgdidpiscalingforapps"></a>**Display/TurnOffGdiDPIScalingForApps**
@ -45,6 +55,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.
@ -63,6 +82,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="display-turnongdidpiscalingforapps"></a>**Display/TurnOnGdiDPIScalingForApps**
@ -89,6 +109,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.

46
windows/client-management/mdm/policy-csp-education.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Education
@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Education policies
<dl>
<dd>
<a href="#education-defaultprintername">Education/DefaultPrinterName</a>
</dd>
<dd>
<a href="#education-preventaddingnewprinters">Education/PreventAddingNewPrinters</a>
</dd>
<dd>
<a href="#education-printernames">Education/PrinterNames</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="education-defaultprintername"></a>**Education/DefaultPrinterName**
@ -45,6 +58,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
Added in Windows 10, version 1709. This policy allows IT Admins to set the user's default printer.
@ -52,6 +74,7 @@ The policy value is expected to be the name (network host name) of an installed
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="education-preventaddingnewprinters"></a>**Education/PreventAddingNewPrinters**
@ -78,6 +101,15 @@ The policy value is expected to be the name (network host name) of an installed
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
Added in Windows 10, version 1709. Allows IT Admins to prevent user installation of additional printers from the printers settings.
@ -88,6 +120,7 @@ The following list shows the supported values:
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="education-printernames"></a>**Education/PrinterNames**
@ -114,6 +147,15 @@ The following list shows the supported values:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
Added in Windows 10, version 1709. Allows IT Admins to automatically provision printers based on their names (network host names).

85
windows/client-management/mdm/policy-csp-enterprisecloudprint.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - EnterpriseCloudPrint
@ -14,11 +14,33 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## EnterpriseCloudPrint policies
<dl>
<dd>
<a href="#enterprisecloudprint-cloudprintoauthauthority">EnterpriseCloudPrint/CloudPrintOAuthAuthority</a>
</dd>
<dd>
<a href="#enterprisecloudprint-cloudprintoauthclientid">EnterpriseCloudPrint/CloudPrintOAuthClientId</a>
</dd>
<dd>
<a href="#enterprisecloudprint-cloudprintresourceid">EnterpriseCloudPrint/CloudPrintResourceId</a>
</dd>
<dd>
<a href="#enterprisecloudprint-cloudprinterdiscoveryendpoint">EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint</a>
</dd>
<dd>
<a href="#enterprisecloudprint-discoverymaxprinterlimit">EnterpriseCloudPrint/DiscoveryMaxPrinterLimit</a>
</dd>
<dd>
<a href="#enterprisecloudprint-mopriadiscoveryresourceid">EnterpriseCloudPrint/MopriaDiscoveryResourceId</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-cloudprintoauthauthority"></a>**EnterpriseCloudPrint/CloudPrintOAuthAuthority**
@ -45,6 +67,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails.
@ -54,6 +85,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-cloudprintoauthclientid"></a>**EnterpriseCloudPrint/CloudPrintOAuthClientId**
@ -80,6 +112,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails.
@ -89,6 +130,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-cloudprintresourceid"></a>**EnterpriseCloudPrint/CloudPrintResourceId**
@ -115,6 +157,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails.
@ -124,6 +175,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-cloudprinterdiscoveryendpoint"></a>**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint**
@ -150,6 +202,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails.
@ -159,6 +220,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-discoverymaxprinterlimit"></a>**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit**
@ -185,6 +247,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails.
@ -194,6 +265,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="enterprisecloudprint-mopriadiscoveryresourceid"></a>**EnterpriseCloudPrint/MopriaDiscoveryResourceId**
@ -220,6 +292,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails.

72
windows/client-management/mdm/policy-csp-errorreporting.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - ErrorReporting
@ -14,11 +14,30 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## ErrorReporting policies
<dl>
<dd>
<a href="#errorreporting-customizeconsentsettings">ErrorReporting/CustomizeConsentSettings</a>
</dd>
<dd>
<a href="#errorreporting-disablewindowserrorreporting">ErrorReporting/DisableWindowsErrorReporting</a>
</dd>
<dd>
<a href="#errorreporting-displayerrornotification">ErrorReporting/DisplayErrorNotification</a>
</dd>
<dd>
<a href="#errorreporting-donotsendadditionaldata">ErrorReporting/DoNotSendAdditionalData</a>
</dd>
<dd>
<a href="#errorreporting-preventcriticalerrordisplay">ErrorReporting/PreventCriticalErrorDisplay</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="errorreporting-customizeconsentsettings"></a>**ErrorReporting/CustomizeConsentSettings**
@ -45,6 +64,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.
@ -79,6 +107,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="errorreporting-disablewindowserrorreporting"></a>**ErrorReporting/DisableWindowsErrorReporting**
@ -105,6 +134,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.
@ -129,6 +167,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="errorreporting-displayerrornotification"></a>**ErrorReporting/DisplayErrorNotification**
@ -155,6 +194,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls whether users are shown an error dialog box that lets them report an error.
@ -183,6 +231,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="errorreporting-donotsendadditionaldata"></a>**ErrorReporting/DoNotSendAdditionalData**
@ -209,6 +258,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.
@ -233,6 +291,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="errorreporting-preventcriticalerrordisplay"></a>**ErrorReporting/PreventCriticalErrorDisplay**
@ -259,6 +318,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting prevents the display of the user interface for critical errors.

59
windows/client-management/mdm/policy-csp-eventlogservice.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - EventLogService
@ -14,11 +14,27 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## EventLogService policies
<dl>
<dd>
<a href="#eventlogservice-controleventlogbehavior">EventLogService/ControlEventLogBehavior</a>
</dd>
<dd>
<a href="#eventlogservice-specifymaximumfilesizeapplicationlog">EventLogService/SpecifyMaximumFileSizeApplicationLog</a>
</dd>
<dd>
<a href="#eventlogservice-specifymaximumfilesizesecuritylog">EventLogService/SpecifyMaximumFileSizeSecurityLog</a>
</dd>
<dd>
<a href="#eventlogservice-specifymaximumfilesizesystemlog">EventLogService/SpecifyMaximumFileSizeSystemLog</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="eventlogservice-controleventlogbehavior"></a>**EventLogService/ControlEventLogBehavior**
@ -45,6 +61,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls Event Log behavior when the log file reaches its maximum size.
@ -71,6 +96,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="eventlogservice-specifymaximumfilesizeapplicationlog"></a>**EventLogService/SpecifyMaximumFileSizeApplicationLog**
@ -97,6 +123,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting specifies the maximum size of the log file in kilobytes.
@ -121,6 +156,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="eventlogservice-specifymaximumfilesizesecuritylog"></a>**EventLogService/SpecifyMaximumFileSizeSecurityLog**
@ -147,6 +183,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting specifies the maximum size of the log file in kilobytes.
@ -171,6 +216,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="eventlogservice-specifymaximumfilesizesystemlog"></a>**EventLogService/SpecifyMaximumFileSizeSystemLog**
@ -197,6 +243,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting specifies the maximum size of the log file in kilobytes.

254
windows/client-management/mdm/policy-csp-experience.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Experience
@ -14,11 +14,72 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Experience policies
<dl>
<dd>
<a href="#experience-allowcopypaste">Experience/AllowCopyPaste</a>
</dd>
<dd>
<a href="#experience-allowcortana">Experience/AllowCortana</a>
</dd>
<dd>
<a href="#experience-allowdevicediscovery">Experience/AllowDeviceDiscovery</a>
</dd>
<dd>
<a href="#experience-allowfindmydevice">Experience/AllowFindMyDevice</a>
</dd>
<dd>
<a href="#experience-allowmanualmdmunenrollment">Experience/AllowManualMDMUnenrollment</a>
</dd>
<dd>
<a href="#experience-allowsimerrordialogpromptwhennosim">Experience/AllowSIMErrorDialogPromptWhenNoSIM</a>
</dd>
<dd>
<a href="#experience-allowscreencapture">Experience/AllowScreenCapture</a>
</dd>
<dd>
<a href="#experience-allowsyncmysettings">Experience/AllowSyncMySettings</a>
</dd>
<dd>
<a href="#experience-allowtailoredexperienceswithdiagnosticdata">Experience/AllowTailoredExperiencesWithDiagnosticData</a>
</dd>
<dd>
<a href="#experience-allowtaskswitcher">Experience/AllowTaskSwitcher</a>
</dd>
<dd>
<a href="#experience-allowthirdpartysuggestionsinwindowsspotlight">Experience/AllowThirdPartySuggestionsInWindowsSpotlight</a>
</dd>
<dd>
<a href="#experience-allowvoicerecording">Experience/AllowVoiceRecording</a>
</dd>
<dd>
<a href="#experience-allowwindowsconsumerfeatures">Experience/AllowWindowsConsumerFeatures</a>
</dd>
<dd>
<a href="#experience-allowwindowsspotlight">Experience/AllowWindowsSpotlight</a>
</dd>
<dd>
<a href="#experience-allowwindowsspotlightonactioncenter">Experience/AllowWindowsSpotlightOnActionCenter</a>
</dd>
<dd>
<a href="#experience-allowwindowsspotlightwindowswelcomeexperience">Experience/AllowWindowsSpotlightWindowsWelcomeExperience</a>
</dd>
<dd>
<a href="#experience-allowwindowstips">Experience/AllowWindowsTips</a>
</dd>
<dd>
<a href="#experience-configurewindowsspotlightonlockscreen">Experience/ConfigureWindowsSpotlightOnLockScreen</a>
</dd>
<dd>
<a href="#experience-donotshowfeedbacknotifications">Experience/DoNotShowFeedbackNotifications</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowcopypaste"></a>**Experience/AllowCopyPaste**
@ -45,6 +106,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -60,6 +130,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowcortana"></a>**Experience/AllowCortana**
@ -86,6 +157,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether Cortana is allowed on the device. If you enable or dont configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device.
@ -106,6 +186,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowdevicediscovery"></a>**Experience/AllowDeviceDiscovery**
@ -132,6 +213,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows users to turn on/off device discovery UX.
@ -146,6 +236,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowfindmydevice"></a>**Experience/AllowFindMyDevice**
@ -172,6 +263,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. This policy turns on Find My Device.
@ -186,6 +286,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowmanualmdmunenrollment"></a>**Experience/AllowManualMDMUnenrollment**
@ -212,6 +313,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow the user to delete the workplace account using the workplace control panel.
@ -228,6 +338,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowsimerrordialogpromptwhennosim"></a>**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
@ -254,6 +365,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -268,6 +388,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowscreencapture"></a>**Experience/AllowScreenCapture**
@ -294,6 +415,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -310,6 +440,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowsyncmysettings"></a>**Experience/AllowSyncMySettings**
@ -336,6 +467,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
@ -346,6 +486,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowtailoredexperienceswithdiagnosticdata"></a>**Experience/AllowTailoredExperiencesWithDiagnosticData**
@ -372,6 +513,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -391,6 +541,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowtaskswitcher"></a>**Experience/AllowTaskSwitcher**
@ -417,6 +568,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -431,6 +591,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowthirdpartysuggestionsinwindowsspotlight"></a>**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
@ -457,6 +618,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
@ -471,6 +641,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowvoicerecording"></a>**Experience/AllowVoiceRecording**
@ -497,6 +668,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -513,6 +693,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowwindowsconsumerfeatures"></a>**Experience/AllowWindowsConsumerFeatures**
@ -539,6 +720,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -562,6 +752,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowwindowsspotlight"></a>**Experience/AllowWindowsSpotlight**
@ -588,6 +779,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
@ -604,6 +804,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowwindowsspotlightonactioncenter"></a>**Experience/AllowWindowsSpotlightOnActionCenter**
@ -630,6 +831,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -645,6 +855,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowwindowsspotlightwindowswelcomeexperience"></a>**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
@ -671,6 +882,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -687,6 +907,7 @@ The Windows welcome experience feature introduces onboard users to Windows; for
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-allowwindowstips"></a>**Experience/AllowWindowsTips**
@ -713,6 +934,15 @@ The Windows welcome experience feature introduces onboard users to Windows; for
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Enables or disables Windows Tips / soft landing.
@ -723,6 +953,7 @@ Enables or disables Windows Tips / soft landing.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-configurewindowsspotlightonlockscreen"></a>**Experience/ConfigureWindowsSpotlightOnLockScreen**
@ -749,6 +980,15 @@ Enables or disables Windows Tips / soft landing.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education.
@ -764,6 +1004,7 @@ Enables or disables Windows Tips / soft landing.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="experience-donotshowfeedbacknotifications"></a>**Experience/DoNotShowFeedbackNotifications**
@ -790,6 +1031,15 @@ Enables or disables Windows Tips / soft landing.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Prevents devices from showing feedback questions from Microsoft.

20
windows/client-management/mdm/policy-csp-exploitguard.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - ExploitGuard
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## ExploitGuard policies
<dl>
<dd>
<a href="#exploitguard-exploitprotectionsettings">ExploitGuard/ExploitProtectionSettings</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="exploitguard-exploitprotectionsettings"></a>**ExploitGuard/ExploitProtectionSettings**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Enables the IT admin to push out a configuration representing the desired system and application mitigation options to all the devices in the organization. The configuration is represented by an XML. For more information Exploit Protection, see [Protect devices from exploits with Windows Defender Exploit Guard](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard) and [Import, export, and deploy Exploit Protection configurations](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml).

21
windows/client-management/mdm/policy-csp-games.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/31/2017
ms.date: 09/29/2017
---
# Policy CSP - Games
@ -14,11 +14,18 @@ ms.date: 08/31/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Games policies
<dl>
<dd>
<a href="#games-allowadvancedgamingservices">Games/AllowAdvancedGamingServices</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="games-allowadvancedgamingservices"></a>**Games/AllowAdvancedGamingServices**
@ -45,6 +52,15 @@ ms.date: 08/31/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. Value type is integer.
@ -52,6 +68,7 @@ ms.date: 08/31/2017
- 1 (default) - Allowed
<p style="margin-left: 20px">This policy can only be turned off in Windows 10 Education and Enterprise editions.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>

25
windows/client-management/mdm/policy-csp-handwriting.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 09/07/2017
ms.date: 09/29/2017
---
# Policy CSP - Handwriting
@ -14,11 +14,18 @@ ms.date: 09/07/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
## Handwriting policies
<!--StartPolicies-->
## Handwriting policies
<dl>
<dd>
<a href="#handwriting-paneldefaultmodedocked">Handwriting/PanelDefaultModeDocked</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="handwriting-paneldefaultmodedocked"></a>**Handwriting/PanelDefaultModeDocked**
@ -45,6 +52,15 @@ ms.date: 09/07/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10. version 1709. This policy allows an enterprise to configure the default mode for the handwriting panel.
@ -69,4 +85,5 @@ Footnote:
- 2 - Added in Windows 10, version 1703.
- 3 - Added in Windows 10, version 1709.
<!--EndPolicies-->
<!--EndPolicies-->

3518
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

File diff suppressed because it is too large Load Diff

72
windows/client-management/mdm/policy-csp-kerberos.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Kerberos
@ -14,11 +14,30 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Kerberos policies
<dl>
<dd>
<a href="#kerberos-allowforestsearchorder">Kerberos/AllowForestSearchOrder</a>
</dd>
<dd>
<a href="#kerberos-kerberosclientsupportsclaimscompoundarmor">Kerberos/KerberosClientSupportsClaimsCompoundArmor</a>
</dd>
<dd>
<a href="#kerberos-requirekerberosarmoring">Kerberos/RequireKerberosArmoring</a>
</dd>
<dd>
<a href="#kerberos-requirestrictkdcvalidation">Kerberos/RequireStrictKDCValidation</a>
</dd>
<dd>
<a href="#kerberos-setmaximumcontexttokensize">Kerberos/SetMaximumContextTokenSize</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="kerberos-allowforestsearchorder"></a>**Kerberos/AllowForestSearchOrder**
@ -45,6 +64,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
@ -69,6 +97,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="kerberos-kerberosclientsupportsclaimscompoundarmor"></a>**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
@ -95,6 +124,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
@ -118,6 +156,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="kerberos-requirekerberosarmoring"></a>**Kerberos/RequireKerberosArmoring**
@ -144,6 +183,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
@ -172,6 +220,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="kerberos-requirestrictkdcvalidation"></a>**Kerberos/RequireStrictKDCValidation**
@ -198,6 +247,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
@ -222,6 +280,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="kerberos-setmaximumcontexttokensize"></a>**Kerberos/SetMaximumContextTokenSize**
@ -248,6 +307,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.

33
windows/client-management/mdm/policy-csp-licensing.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Licensing
@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Licensing policies
<dl>
<dd>
<a href="#licensing-allowwindowsentitlementreactivation">Licensing/AllowWindowsEntitlementReactivation</a>
</dd>
<dd>
<a href="#licensing-disallowkmsclientonlineavsvalidation">Licensing/DisallowKMSClientOnlineAVSValidation</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="licensing-allowwindowsentitlementreactivation"></a>**Licensing/AllowWindowsEntitlementReactivation**
@ -45,6 +55,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
@ -55,6 +74,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="licensing-disallowkmsclientonlineavsvalidation"></a>**Licensing/DisallowKMSClientOnlineAVSValidation**
@ -81,6 +101,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.

310
windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - LocalPoliciesSecurityOptions
@ -14,11 +14,87 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## LocalPoliciesSecurityOptions policies
<dl>
<dd>
<a href="#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-enableguestaccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-renameadministratoraccount">LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-renameguestaccount">LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked">LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel">LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-machineinactivitylimit">LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon">LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests">LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon">LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers">LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations">LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode">LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation">LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</a>
</dd>
<dd>
<a href="#localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations">LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts-blockmicrosoftaccounts"></a>**LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts**
@ -45,6 +121,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting prevents users from adding new Microsoft accounts on this computer.
@ -61,6 +146,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts-enableadministratoraccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
@ -87,6 +173,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This security setting determines whether the local Administrator account is enabled or disabled.
@ -104,6 +199,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts-enableguestaccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
@ -130,6 +226,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This security setting determines if the Guest account is enabled or disabled.
@ -144,6 +249,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly"></a>**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
@ -170,6 +276,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Accounts: Limit local account use of blank passwords to console logon only
@ -192,6 +307,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts-renameadministratoraccount"></a>**LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount**
@ -218,6 +334,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Accounts: Rename administrator account
@ -229,6 +354,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-accounts-renameguestaccount"></a>**LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount**
@ -255,6 +381,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Accounts: Rename guest account
@ -266,6 +401,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon-displayuserinformationwhenthesessionislocked"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked**
@ -292,6 +428,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Interactive Logon:Display user information when the session is locked
@ -304,6 +449,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayLastSignedIn**
@ -330,6 +476,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Interactive logon: Don't display last signed-in
@ -347,6 +502,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon-donotdisplayusernameatsignin"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotDisplayUsernameAtSignIn**
@ -373,6 +529,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Interactive logon: Don't display username at sign-in
@ -391,6 +556,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon-donotrequirectrlaltdel"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_DoNotRequireCTRLALTDEL**
@ -417,6 +583,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Interactive logon: Do not require CTRL+ALT+DEL
@ -436,6 +611,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon-machineinactivitylimit"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit**
@ -462,6 +638,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Interactive logon: Machine inactivity limit.
@ -476,6 +661,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon-messagetextforusersattemptingtologon"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn**
@ -502,6 +688,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Interactive logon: Message text for users attempting to log on
@ -515,6 +710,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-interactivelogon-messagetitleforusersattemptingtologon"></a>**LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn**
@ -541,6 +737,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Interactive logon: Message title for users attempting to log on
@ -552,6 +757,7 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-networksecurity-allowpku2uauthenticationrequests"></a>**LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests**
@ -578,6 +784,15 @@ Value type is string. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Network security: Allow PKU2U authentication requests to this computer to use online identities.
@ -591,6 +806,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-recoveryconsole-allowautomaticadministrativelogon"></a>**LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon**
@ -631,6 +847,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon"></a>**LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn**
@ -657,6 +874,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Shutdown: Allow system to be shut down without having to log on
@ -676,6 +902,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation"></a>**LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation**
@ -702,6 +929,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop.
@ -720,6 +956,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforadministrators"></a>**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators**
@ -746,6 +983,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
@ -769,6 +1015,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-behavioroftheelevationpromptforstandardusers"></a>**LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers**
@ -795,6 +1042,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
User Account Control: Behavior of the elevation prompt for standard users
This policy setting controls the behavior of the elevation prompt for standard users.
@ -811,6 +1067,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateexecutablefilesthataresignedandvalidated"></a>**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated**
@ -837,6 +1094,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
User Account Control: Only elevate executable files that are signed and validated
@ -850,6 +1116,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations"></a>**LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations**
@ -876,6 +1143,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
User Account Control: Only elevate UIAccess applications that are installed in secure locations
@ -895,6 +1171,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode"></a>**LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode**
@ -921,6 +1198,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
User Account Control: Turn on Admin Approval Mode
@ -935,6 +1221,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-switchtothesecuredesktopwhenpromptingforelevation"></a>**LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation**
@ -961,6 +1248,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
User Account Control: Switch to the secure desktop when prompting for elevation
@ -974,6 +1270,7 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="localpoliciessecurityoptions-useraccountcontrol-virtualizefileandregistrywritefailurestoperuserlocations"></a>**LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations**
@ -1000,6 +1297,15 @@ Value type is integer. Supported operations are Add, Get, Replace, and Delete.
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
User Account Control: Virtualize file and registry write failures to per-user locations

20
windows/client-management/mdm/policy-csp-location.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Location
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Location policies
<dl>
<dd>
<a href="#location-enablelocation">Location/EnableLocation</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="location-enablelocation"></a>**Location/EnableLocation**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.

20
windows/client-management/mdm/policy-csp-lockdown.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - LockDown
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## LockDown policies
<dl>
<dd>
<a href="#lockdown-allowedgeswipe">LockDown/AllowEdgeSwipe</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="lockdown-allowedgeswipe"></a>**LockDown/AllowEdgeSwipe**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.

33
windows/client-management/mdm/policy-csp-maps.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Maps
@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Maps policies
<dl>
<dd>
<a href="#maps-allowofflinemapsdownloadovermeteredconnection">Maps/AllowOfflineMapsDownloadOverMeteredConnection</a>
</dd>
<dd>
<a href="#maps-enableofflinemapsautoupdate">Maps/EnableOfflineMapsAutoUpdate</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="maps-allowofflinemapsdownloadovermeteredconnection"></a>**Maps/AllowOfflineMapsDownloadOverMeteredConnection**
@ -45,6 +55,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
@ -58,6 +77,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="maps-enableofflinemapsautoupdate"></a>**Maps/EnableOfflineMapsAutoUpdate**
@ -84,6 +104,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Disables the automatic download and update of map data.

46
windows/client-management/mdm/policy-csp-messaging.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Messaging
@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Messaging policies
<dl>
<dd>
<a href="#messaging-allowmms">Messaging/AllowMMS</a>
</dd>
<dd>
<a href="#messaging-allowmessagesync">Messaging/AllowMessageSync</a>
</dd>
<dd>
<a href="#messaging-allowrcs">Messaging/AllowRCS</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="messaging-allowmms"></a>**Messaging/AllowMMS**
@ -45,6 +58,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -58,6 +80,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="messaging-allowmessagesync"></a>**Messaging/AllowMessageSync**
@ -84,6 +107,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
@ -94,6 +126,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="messaging-allowrcs"></a>**Messaging/AllowRCS**
@ -120,6 +153,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

111
windows/client-management/mdm/policy-csp-networkisolation.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - NetworkIsolation
@ -14,11 +14,39 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## NetworkIsolation policies
<dl>
<dd>
<a href="#networkisolation-enterprisecloudresources">NetworkIsolation/EnterpriseCloudResources</a>
</dd>
<dd>
<a href="#networkisolation-enterpriseiprange">NetworkIsolation/EnterpriseIPRange</a>
</dd>
<dd>
<a href="#networkisolation-enterpriseiprangesareauthoritative">NetworkIsolation/EnterpriseIPRangesAreAuthoritative</a>
</dd>
<dd>
<a href="#networkisolation-enterpriseinternalproxyservers">NetworkIsolation/EnterpriseInternalProxyServers</a>
</dd>
<dd>
<a href="#networkisolation-enterprisenetworkdomainnames">NetworkIsolation/EnterpriseNetworkDomainNames</a>
</dd>
<dd>
<a href="#networkisolation-enterpriseproxyservers">NetworkIsolation/EnterpriseProxyServers</a>
</dd>
<dd>
<a href="#networkisolation-enterpriseproxyserversareauthoritative">NetworkIsolation/EnterpriseProxyServersAreAuthoritative</a>
</dd>
<dd>
<a href="#networkisolation-neutralresources">NetworkIsolation/NeutralResources</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="networkisolation-enterprisecloudresources"></a>**NetworkIsolation/EnterpriseCloudResources**
@ -45,11 +73,21 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;,&lt;*proxy*&gt;|&lt;*cloudresource*&gt;|&lt;*cloudresource*&gt;,&lt;*proxy*&gt;|**.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseiprange"></a>**NetworkIsolation/EnterpriseIPRange**
@ -76,6 +114,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:
@ -90,6 +137,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseiprangesareauthoritative"></a>**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**
@ -116,11 +164,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseinternalproxyservers"></a>**NetworkIsolation/EnterpriseInternalProxyServers**
@ -147,11 +205,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="networkisolation-enterprisenetworkdomainnames"></a>**NetworkIsolation/EnterpriseNetworkDomainNames**
@ -178,6 +246,15 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com".
@ -193,6 +270,7 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseproxyservers"></a>**NetworkIsolation/EnterpriseProxyServers**
@ -219,11 +297,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="networkisolation-enterpriseproxyserversareauthoritative"></a>**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**
@ -250,11 +338,21 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="networkisolation-neutralresources"></a>**NetworkIsolation/NeutralResources**
@ -281,6 +379,15 @@ fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">List of domain names that can used for work or personal resource.

20
windows/client-management/mdm/policy-csp-notifications.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Notifications
@ -14,11 +14,18 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Notifications policies
<dl>
<dd>
<a href="#notifications-disallownotificationmirroring">Notifications/DisallowNotificationMirroring</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="notifications-disallownotificationmirroring"></a>**Notifications/DisallowNotificationMirroring**
@ -45,6 +52,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.

124
windows/client-management/mdm/policy-csp-power.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Power
@ -14,11 +14,42 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Power policies
<dl>
<dd>
<a href="#power-allowstandbywhensleepingpluggedin">Power/AllowStandbyWhenSleepingPluggedIn</a>
</dd>
<dd>
<a href="#power-displayofftimeoutonbattery">Power/DisplayOffTimeoutOnBattery</a>
</dd>
<dd>
<a href="#power-displayofftimeoutpluggedin">Power/DisplayOffTimeoutPluggedIn</a>
</dd>
<dd>
<a href="#power-hibernatetimeoutonbattery">Power/HibernateTimeoutOnBattery</a>
</dd>
<dd>
<a href="#power-hibernatetimeoutpluggedin">Power/HibernateTimeoutPluggedIn</a>
</dd>
<dd>
<a href="#power-requirepasswordwhencomputerwakesonbattery">Power/RequirePasswordWhenComputerWakesOnBattery</a>
</dd>
<dd>
<a href="#power-requirepasswordwhencomputerwakespluggedin">Power/RequirePasswordWhenComputerWakesPluggedIn</a>
</dd>
<dd>
<a href="#power-standbytimeoutonbattery">Power/StandbyTimeoutOnBattery</a>
</dd>
<dd>
<a href="#power-standbytimeoutpluggedin">Power/StandbyTimeoutPluggedIn</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="power-allowstandbywhensleepingpluggedin"></a>**Power/AllowStandbyWhenSleepingPluggedIn**
@ -45,6 +76,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
@ -69,6 +109,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="power-displayofftimeoutonbattery"></a>**Power/DisplayOffTimeoutOnBattery**
@ -95,6 +136,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Turn off the display (on battery). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
@ -121,6 +171,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="power-displayofftimeoutpluggedin"></a>**Power/DisplayOffTimeoutPluggedIn**
@ -147,6 +198,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Turn off the display (plugged in). This policy setting allows you to specify the period of inactivity before Windows turns off the display.
@ -173,6 +233,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="power-hibernatetimeoutonbattery"></a>**Power/HibernateTimeoutOnBattery**
@ -199,6 +260,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system hibernate timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
@ -226,6 +296,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="power-hibernatetimeoutpluggedin"></a>**Power/HibernateTimeoutPluggedIn**
@ -252,6 +323,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system hibernate timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.
@ -278,6 +358,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="power-requirepasswordwhencomputerwakesonbattery"></a>**Power/RequirePasswordWhenComputerWakesOnBattery**
@ -304,6 +385,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
@ -328,6 +418,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="power-requirepasswordwhencomputerwakespluggedin"></a>**Power/RequirePasswordWhenComputerWakesPluggedIn**
@ -354,6 +445,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
@ -378,6 +478,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="power-standbytimeoutonbattery"></a>**Power/StandbyTimeoutOnBattery**
@ -404,6 +505,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system sleep timeout (on battery). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.
@ -430,6 +540,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="power-standbytimeoutpluggedin"></a>**Power/StandbyTimeoutPluggedIn**
@ -456,6 +567,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Specify the system sleep timeout (plugged in). This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.

46
windows/client-management/mdm/policy-csp-printers.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Printers
@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Printers policies
<dl>
<dd>
<a href="#printers-pointandprintrestrictions">Printers/PointAndPrintRestrictions</a>
</dd>
<dd>
<a href="#printers-pointandprintrestrictions-user">Printers/PointAndPrintRestrictions_User</a>
</dd>
<dd>
<a href="#printers-publishprinters">Printers/PublishPrinters</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="printers-pointandprintrestrictions"></a>**Printers/PointAndPrintRestrictions**
@ -45,6 +58,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
@ -82,6 +104,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="printers-pointandprintrestrictions-user"></a>**Printers/PointAndPrintRestrictions_User**
@ -108,6 +131,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
@ -145,6 +177,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="printers-publishprinters"></a>**Printers/PublishPrinters**
@ -171,6 +204,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Determines whether the computer's shared printers can be published in Active Directory.

1008
windows/client-management/mdm/policy-csp-privacy.md
View File

File diff suppressed because it is too large Load Diff

59
windows/client-management/mdm/policy-csp-remoteassistance.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - RemoteAssistance
@ -14,11 +14,27 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## RemoteAssistance policies
<dl>
<dd>
<a href="#remoteassistance-customizewarningmessages">RemoteAssistance/CustomizeWarningMessages</a>
</dd>
<dd>
<a href="#remoteassistance-sessionlogging">RemoteAssistance/SessionLogging</a>
</dd>
<dd>
<a href="#remoteassistance-solicitedremoteassistance">RemoteAssistance/SolicitedRemoteAssistance</a>
</dd>
<dd>
<a href="#remoteassistance-unsolicitedremoteassistance">RemoteAssistance/UnsolicitedRemoteAssistance</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="remoteassistance-customizewarningmessages"></a>**RemoteAssistance/CustomizeWarningMessages**
@ -45,6 +61,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting lets you customize warning messages.
@ -75,6 +100,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteassistance-sessionlogging"></a>**RemoteAssistance/SessionLogging**
@ -101,6 +127,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.
@ -127,6 +162,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteassistance-solicitedremoteassistance"></a>**RemoteAssistance/SolicitedRemoteAssistance**
@ -153,6 +189,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.
@ -187,6 +232,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteassistance-unsolicitedremoteassistance"></a>**RemoteAssistance/UnsolicitedRemoteAssistance**
@ -213,6 +259,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.

85
windows/client-management/mdm/policy-csp-remotedesktopservices.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - RemoteDesktopServices
@ -14,11 +14,33 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## RemoteDesktopServices policies
<dl>
<dd>
<a href="#remotedesktopservices-allowuserstoconnectremotely">RemoteDesktopServices/AllowUsersToConnectRemotely</a>
</dd>
<dd>
<a href="#remotedesktopservices-clientconnectionencryptionlevel">RemoteDesktopServices/ClientConnectionEncryptionLevel</a>
</dd>
<dd>
<a href="#remotedesktopservices-donotallowdriveredirection">RemoteDesktopServices/DoNotAllowDriveRedirection</a>
</dd>
<dd>
<a href="#remotedesktopservices-donotallowpasswordsaving">RemoteDesktopServices/DoNotAllowPasswordSaving</a>
</dd>
<dd>
<a href="#remotedesktopservices-promptforpassworduponconnection">RemoteDesktopServices/PromptForPasswordUponConnection</a>
</dd>
<dd>
<a href="#remotedesktopservices-requiresecurerpccommunication">RemoteDesktopServices/RequireSecureRPCCommunication</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="remotedesktopservices-allowuserstoconnectremotely"></a>**RemoteDesktopServices/AllowUsersToConnectRemotely**
@ -45,6 +67,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting allows you to configure remote access to computers by using Remote Desktop Services.
@ -75,6 +106,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotedesktopservices-clientconnectionencryptionlevel"></a>**RemoteDesktopServices/ClientConnectionEncryptionLevel**
@ -101,6 +133,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
@ -135,6 +176,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotedesktopservices-donotallowdriveredirection"></a>**RemoteDesktopServices/DoNotAllowDriveRedirection**
@ -161,6 +203,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).
@ -189,6 +240,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotedesktopservices-donotallowpasswordsaving"></a>**RemoteDesktopServices/DoNotAllowPasswordSaving**
@ -215,6 +267,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Controls whether passwords can be saved on this computer from Remote Desktop Connection.
@ -239,6 +300,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotedesktopservices-promptforpassworduponconnection"></a>**RemoteDesktopServices/PromptForPasswordUponConnection**
@ -265,6 +327,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.
@ -295,6 +366,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotedesktopservices-requiresecurerpccommunication"></a>**RemoteDesktopServices/RequireSecureRPCCommunication**
@ -321,6 +393,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

202
windows/client-management/mdm/policy-csp-remotemanagement.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - RemoteManagement
@ -14,11 +14,60 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## RemoteManagement policies
<dl>
<dd>
<a href="#remotemanagement-allowbasicauthentication-client">RemoteManagement/AllowBasicAuthentication_Client</a>
</dd>
<dd>
<a href="#remotemanagement-allowbasicauthentication-service">RemoteManagement/AllowBasicAuthentication_Service</a>
</dd>
<dd>
<a href="#remotemanagement-allowcredsspauthenticationclient">RemoteManagement/AllowCredSSPAuthenticationClient</a>
</dd>
<dd>
<a href="#remotemanagement-allowcredsspauthenticationservice">RemoteManagement/AllowCredSSPAuthenticationService</a>
</dd>
<dd>
<a href="#remotemanagement-allowremoteservermanagement">RemoteManagement/AllowRemoteServerManagement</a>
</dd>
<dd>
<a href="#remotemanagement-allowunencryptedtraffic-client">RemoteManagement/AllowUnencryptedTraffic_Client</a>
</dd>
<dd>
<a href="#remotemanagement-allowunencryptedtraffic-service">RemoteManagement/AllowUnencryptedTraffic_Service</a>
</dd>
<dd>
<a href="#remotemanagement-disallowdigestauthentication">RemoteManagement/DisallowDigestAuthentication</a>
</dd>
<dd>
<a href="#remotemanagement-disallownegotiateauthenticationclient">RemoteManagement/DisallowNegotiateAuthenticationClient</a>
</dd>
<dd>
<a href="#remotemanagement-disallownegotiateauthenticationservice">RemoteManagement/DisallowNegotiateAuthenticationService</a>
</dd>
<dd>
<a href="#remotemanagement-disallowstoringofrunascredentials">RemoteManagement/DisallowStoringOfRunAsCredentials</a>
</dd>
<dd>
<a href="#remotemanagement-specifychannelbindingtokenhardeninglevel">RemoteManagement/SpecifyChannelBindingTokenHardeningLevel</a>
</dd>
<dd>
<a href="#remotemanagement-trustedhosts">RemoteManagement/TrustedHosts</a>
</dd>
<dd>
<a href="#remotemanagement-turnoncompatibilityhttplistener">RemoteManagement/TurnOnCompatibilityHTTPListener</a>
</dd>
<dd>
<a href="#remotemanagement-turnoncompatibilityhttpslistener">RemoteManagement/TurnOnCompatibilityHTTPSListener</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-allowbasicauthentication-client"></a>**RemoteManagement/AllowBasicAuthentication_Client**
@ -45,6 +94,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -63,6 +121,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-allowbasicauthentication-service"></a>**RemoteManagement/AllowBasicAuthentication_Service**
@ -89,6 +148,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -107,6 +175,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-allowcredsspauthenticationclient"></a>**RemoteManagement/AllowCredSSPAuthenticationClient**
@ -133,6 +202,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -151,6 +229,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-allowcredsspauthenticationservice"></a>**RemoteManagement/AllowCredSSPAuthenticationService**
@ -177,6 +256,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -195,6 +283,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-allowremoteservermanagement"></a>**RemoteManagement/AllowRemoteServerManagement**
@ -221,6 +310,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -239,6 +337,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-allowunencryptedtraffic-client"></a>**RemoteManagement/AllowUnencryptedTraffic_Client**
@ -265,6 +364,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -283,6 +391,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-allowunencryptedtraffic-service"></a>**RemoteManagement/AllowUnencryptedTraffic_Service**
@ -309,6 +418,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -327,6 +445,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-disallowdigestauthentication"></a>**RemoteManagement/DisallowDigestAuthentication**
@ -353,6 +472,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -371,6 +499,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-disallownegotiateauthenticationclient"></a>**RemoteManagement/DisallowNegotiateAuthenticationClient**
@ -397,6 +526,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -415,6 +553,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-disallownegotiateauthenticationservice"></a>**RemoteManagement/DisallowNegotiateAuthenticationService**
@ -441,6 +580,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -459,6 +607,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-disallowstoringofrunascredentials"></a>**RemoteManagement/DisallowStoringOfRunAsCredentials**
@ -485,6 +634,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -503,6 +661,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-specifychannelbindingtokenhardeninglevel"></a>**RemoteManagement/SpecifyChannelBindingTokenHardeningLevel**
@ -529,6 +688,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -547,6 +715,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-trustedhosts"></a>**RemoteManagement/TrustedHosts**
@ -573,6 +742,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -591,6 +769,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-turnoncompatibilityhttplistener"></a>**RemoteManagement/TurnOnCompatibilityHTTPListener**
@ -617,6 +796,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -635,6 +823,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remotemanagement-turnoncompatibilityhttpslistener"></a>**RemoteManagement/TurnOnCompatibilityHTTPSListener**
@ -661,6 +850,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]

33
windows/client-management/mdm/policy-csp-remoteprocedurecall.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - RemoteProcedureCall
@ -14,11 +14,21 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## RemoteProcedureCall policies
<dl>
<dd>
<a href="#remoteprocedurecall-rpcendpointmapperclientauthentication">RemoteProcedureCall/RPCEndpointMapperClientAuthentication</a>
</dd>
<dd>
<a href="#remoteprocedurecall-restrictunauthenticatedrpcclients">RemoteProcedureCall/RestrictUnauthenticatedRPCClients</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="remoteprocedurecall-rpcendpointmapperclientauthentication"></a>**RemoteProcedureCall/RPCEndpointMapperClientAuthentication**
@ -45,6 +55,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.
@ -73,6 +92,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteprocedurecall-restrictunauthenticatedrpcclients"></a>**RemoteProcedureCall/RestrictUnauthenticatedRPCClients**
@ -99,6 +119,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.

98
windows/client-management/mdm/policy-csp-remoteshell.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - RemoteShell
@ -14,11 +14,36 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## RemoteShell policies
<dl>
<dd>
<a href="#remoteshell-allowremoteshellaccess">RemoteShell/AllowRemoteShellAccess</a>
</dd>
<dd>
<a href="#remoteshell-maxconcurrentusers">RemoteShell/MaxConcurrentUsers</a>
</dd>
<dd>
<a href="#remoteshell-specifyidletimeout">RemoteShell/SpecifyIdleTimeout</a>
</dd>
<dd>
<a href="#remoteshell-specifymaxmemory">RemoteShell/SpecifyMaxMemory</a>
</dd>
<dd>
<a href="#remoteshell-specifymaxprocesses">RemoteShell/SpecifyMaxProcesses</a>
</dd>
<dd>
<a href="#remoteshell-specifymaxremoteshells">RemoteShell/SpecifyMaxRemoteShells</a>
</dd>
<dd>
<a href="#remoteshell-specifyshelltimeout">RemoteShell/SpecifyShellTimeout</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="remoteshell-allowremoteshellaccess"></a>**RemoteShell/AllowRemoteShellAccess**
@ -45,6 +70,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -63,6 +97,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteshell-maxconcurrentusers"></a>**RemoteShell/MaxConcurrentUsers**
@ -89,6 +124,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -107,6 +151,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteshell-specifyidletimeout"></a>**RemoteShell/SpecifyIdleTimeout**
@ -133,6 +178,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -151,6 +205,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteshell-specifymaxmemory"></a>**RemoteShell/SpecifyMaxMemory**
@ -177,6 +232,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -195,6 +259,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteshell-specifymaxprocesses"></a>**RemoteShell/SpecifyMaxProcesses**
@ -221,6 +286,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -239,6 +313,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteshell-specifymaxremoteshells"></a>**RemoteShell/SpecifyMaxRemoteShells**
@ -265,6 +340,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]
@ -283,6 +367,7 @@ ADMX Info:
<!--EndADMX-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="remoteshell-specifyshelltimeout"></a>**RemoteShell/SpecifyShellTimeout**
@ -309,6 +394,15 @@ ADMX Info:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<!--EndDescription-->
> [!TIP]

137
windows/client-management/mdm/policy-csp-search.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Search
@ -14,11 +14,45 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Search policies
<dl>
<dd>
<a href="#search-allowcloudsearch">Search/AllowCloudSearch</a>
</dd>
<dd>
<a href="#search-allowindexingencryptedstoresoritems">Search/AllowIndexingEncryptedStoresOrItems</a>
</dd>
<dd>
<a href="#search-allowsearchtouselocation">Search/AllowSearchToUseLocation</a>
</dd>
<dd>
<a href="#search-allowusingdiacritics">Search/AllowUsingDiacritics</a>
</dd>
<dd>
<a href="#search-alwaysuseautolangdetection">Search/AlwaysUseAutoLangDetection</a>
</dd>
<dd>
<a href="#search-disablebackoff">Search/DisableBackoff</a>
</dd>
<dd>
<a href="#search-disableremovabledriveindexing">Search/DisableRemovableDriveIndexing</a>
</dd>
<dd>
<a href="#search-preventindexinglowdiskspacemb">Search/PreventIndexingLowDiskSpaceMB</a>
</dd>
<dd>
<a href="#search-preventremotequeries">Search/PreventRemoteQueries</a>
</dd>
<dd>
<a href="#search-safesearchpermissions">Search/SafeSearchPermissions</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="search-allowcloudsearch"></a>**Search/AllowCloudSearch**
@ -45,6 +79,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1709. Allow search and Cortana to search cloud sources like OneDrive and SharePoint. This policy allows corporate administrators to control whether employees can turn off/on the search of these cloud sources. The default policy value is to allow employees access to the setting that controls search of cloud sources.
@ -55,6 +98,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="search-allowindexingencryptedstoresoritems"></a>**Search/AllowIndexingEncryptedStoresOrItems**
@ -81,6 +125,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files.
@ -97,6 +150,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="search-allowsearchtouselocation"></a>**Search/AllowSearchToUseLocation**
@ -123,6 +177,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether search can leverage location information.
@ -135,6 +198,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="search-allowusingdiacritics"></a>**Search/AllowUsingDiacritics**
@ -161,6 +225,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the use of diacritics.
@ -173,6 +246,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="search-alwaysuseautolangdetection"></a>**Search/AlwaysUseAutoLangDetection**
@ -199,6 +273,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to always use automatic language detection when indexing content and properties.
@ -211,6 +294,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="search-disablebackoff"></a>**Search/DisableBackoff**
@ -237,6 +321,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.
@ -247,6 +340,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="search-disableremovabledriveindexing"></a>**Search/DisableRemovableDriveIndexing**
@ -273,6 +367,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">This policy setting configures whether or not locations on removable drives can be added to libraries.
@ -287,6 +390,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="search-preventindexinglowdiskspacemb"></a>**Search/PreventIndexingLowDiskSpaceMB**
@ -313,6 +417,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 1.
@ -327,6 +440,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="search-preventremotequeries"></a>**Search/PreventRemoteQueries**
@ -353,6 +467,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index..
@ -363,6 +486,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="search-safesearchpermissions"></a>**Search/SafeSearchPermissions**
@ -389,6 +513,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.

128
windows/client-management/mdm/policy-csp-security.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Security
@ -14,11 +14,45 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Security policies
<dl>
<dd>
<a href="#security-allowaddprovisioningpackage">Security/AllowAddProvisioningPackage</a>
</dd>
<dd>
<a href="#security-allowautomaticdeviceencryptionforazureadjoineddevices">Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices</a>
</dd>
<dd>
<a href="#security-allowmanualrootcertificateinstallation">Security/AllowManualRootCertificateInstallation</a>
</dd>
<dd>
<a href="#security-allowremoveprovisioningpackage">Security/AllowRemoveProvisioningPackage</a>
</dd>
<dd>
<a href="#security-antitheftmode">Security/AntiTheftMode</a>
</dd>
<dd>
<a href="#security-cleartpmifnotready">Security/ClearTPMIfNotReady</a>
</dd>
<dd>
<a href="#security-preventautomaticdeviceencryptionforazureadjoineddevices">Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices</a>
</dd>
<dd>
<a href="#security-requiredeviceencryption">Security/RequireDeviceEncryption</a>
</dd>
<dd>
<a href="#security-requireprovisioningpackagesignature">Security/RequireProvisioningPackageSignature</a>
</dd>
<dd>
<a href="#security-requireretrievehealthcertificateonboot">Security/RequireRetrieveHealthCertificateOnBoot</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="security-allowaddprovisioningpackage"></a>**Security/AllowAddProvisioningPackage**
@ -45,6 +79,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow the runtime configuration agent to install provisioning packages.
@ -55,6 +98,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="security-allowautomaticdeviceencryptionforazureadjoineddevices"></a>**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**
@ -100,6 +144,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="security-allowmanualrootcertificateinstallation"></a>**Security/AllowManualRootCertificateInstallation**
@ -126,6 +171,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -142,6 +196,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="security-allowremoveprovisioningpackage"></a>**Security/AllowRemoveProvisioningPackage**
@ -168,6 +223,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to allow the runtime configuration agent to remove provisioning packages.
@ -178,6 +242,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="security-antitheftmode"></a>**Security/AntiTheftMode**
@ -204,6 +269,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
@ -218,6 +292,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="security-cleartpmifnotready"></a>**Security/ClearTPMIfNotReady**
@ -244,6 +319,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -257,6 +341,7 @@ The following list shows the supported values:
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="security-preventautomaticdeviceencryptionforazureadjoineddevices"></a>**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices**
@ -283,6 +368,15 @@ The following list shows the supported values:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -299,6 +393,7 @@ The following list shows the supported values:
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="security-requiredeviceencryption"></a>**Security/RequireDeviceEncryption**
@ -325,6 +420,15 @@ The following list shows the supported values:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**.
@ -343,6 +447,7 @@ The following list shows the supported values:
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="security-requireprovisioningpackagesignature"></a>**Security/RequireProvisioningPackageSignature**
@ -369,6 +474,15 @@ The following list shows the supported values:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether provisioning packages must have a certificate signed by a device trusted authority.
@ -379,6 +493,7 @@ The following list shows the supported values:
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="security-requireretrievehealthcertificateonboot"></a>**Security/RequireRetrieveHealthCertificateOnBoot**
@ -405,6 +520,15 @@ The following list shows the supported values:
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots.

176
windows/client-management/mdm/policy-csp-settings.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - Settings
@ -14,11 +14,54 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## Settings policies
<dl>
<dd>
<a href="#settings-allowautoplay">Settings/AllowAutoPlay</a>
</dd>
<dd>
<a href="#settings-allowdatasense">Settings/AllowDataSense</a>
</dd>
<dd>
<a href="#settings-allowdatetime">Settings/AllowDateTime</a>
</dd>
<dd>
<a href="#settings-alloweditdevicename">Settings/AllowEditDeviceName</a>
</dd>
<dd>
<a href="#settings-allowlanguage">Settings/AllowLanguage</a>
</dd>
<dd>
<a href="#settings-allowpowersleep">Settings/AllowPowerSleep</a>
</dd>
<dd>
<a href="#settings-allowregion">Settings/AllowRegion</a>
</dd>
<dd>
<a href="#settings-allowsigninoptions">Settings/AllowSignInOptions</a>
</dd>
<dd>
<a href="#settings-allowvpn">Settings/AllowVPN</a>
</dd>
<dd>
<a href="#settings-allowworkplace">Settings/AllowWorkplace</a>
</dd>
<dd>
<a href="#settings-allowyouraccount">Settings/AllowYourAccount</a>
</dd>
<dd>
<a href="#settings-configuretaskbarcalendar">Settings/ConfigureTaskbarCalendar</a>
</dd>
<dd>
<a href="#settings-pagevisibilitylist">Settings/PageVisibilityList</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowautoplay"></a>**Settings/AllowAutoPlay**
@ -45,6 +88,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -62,6 +114,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowdatasense"></a>**Settings/AllowDataSense**
@ -88,6 +141,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the user to change Data Sense settings.
@ -98,6 +160,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowdatetime"></a>**Settings/AllowDateTime**
@ -124,6 +187,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the user to change date and time settings.
@ -134,6 +206,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-alloweditdevicename"></a>**Settings/AllowEditDeviceName**
@ -160,6 +233,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows editing of the device name.
@ -170,6 +252,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowlanguage"></a>**Settings/AllowLanguage**
@ -196,6 +279,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -210,6 +302,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowpowersleep"></a>**Settings/AllowPowerSleep**
@ -236,6 +329,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -250,6 +352,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowregion"></a>**Settings/AllowRegion**
@ -276,6 +379,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -290,6 +402,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowsigninoptions"></a>**Settings/AllowSignInOptions**
@ -316,6 +429,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -330,6 +452,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowvpn"></a>**Settings/AllowVPN**
@ -356,6 +479,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows the user to change VPN settings.
@ -366,6 +498,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowworkplace"></a>**Settings/AllowWorkplace**
@ -392,6 +525,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
@ -406,6 +548,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-allowyouraccount"></a>**Settings/AllowYourAccount**
@ -432,6 +575,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Allows user to change account settings.
@ -442,6 +594,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-configuretaskbarcalendar"></a>**Settings/ConfigureTaskbarCalendar**
@ -468,6 +621,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
@ -480,6 +642,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="settings-pagevisibilitylist"></a>**Settings/PageVisibilityList**
@ -506,6 +669,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons.

46
windows/client-management/mdm/policy-csp-smartscreen.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/30/2017
ms.date: 09/29/2017
---
# Policy CSP - SmartScreen
@ -14,11 +14,24 @@ ms.date: 08/30/2017
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
<!--StartPolicies-->
<hr/>
<!--StartPolicies-->
## SmartScreen policies
<dl>
<dd>
<a href="#smartscreen-enableappinstallcontrol">SmartScreen/EnableAppInstallControl</a>
</dd>
<dd>
<a href="#smartscreen-enablesmartscreeninshell">SmartScreen/EnableSmartScreenInShell</a>
</dd>
<dd>
<a href="#smartscreen-preventoverrideforfilesinshell">SmartScreen/PreventOverrideForFilesInShell</a>
</dd>
</dl>
<hr/>
<!--StartPolicy-->
<a href="" id="smartscreen-enableappinstallcontrol"></a>**SmartScreen/EnableAppInstallControl**
@ -45,6 +58,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store.
@ -55,6 +77,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="smartscreen-enablesmartscreeninshell"></a>**SmartScreen/EnableSmartScreenInShell**
@ -81,6 +104,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows.
@ -91,6 +123,7 @@ ms.date: 08/30/2017
<!--EndDescription-->
<!--EndPolicy-->
<hr/>
<!--StartPolicy-->
<a href="" id="smartscreen-preventoverrideforfilesinshell"></a>**SmartScreen/PreventOverrideForFilesInShell**
@ -117,6 +150,15 @@ ms.date: 08/30/2017
</table>
<!--EndSKU-->
<!--StartScope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--EndScope-->
<!--StartDescription-->
<p style="margin-left: 20px">Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files.

Some files were not shown because too many files have changed in this diff Show More