diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md index cf999ceac8..985d218256 100644 --- a/devices/surface-hub/install-apps-on-surface-hub.md +++ b/devices/surface-hub/install-apps-on-surface-hub.md 
@@ -18,7 +18,7 @@ ms.localizationpriority: medium You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario. A few things to know about apps on Surface Hub: -- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps). +- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://support.microsoft.com/help/4040382/surface-Apps-that-work-with-Microsoft-Surface-Hub). - Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631). - By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub. - You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps. 
diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index b7993ada90..00d3409f91 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -34,7 +34,7 @@ Compatible Surface devices include: - Surface Pro 4 -- Surface Pro3 +- Surface Pro 3 - Surface 3 diff --git a/store-for-business/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-windows-store-for-business.md index aa700ada3e..42ad5a517d 100644 --- a/store-for-business/acquire-apps-windows-store-for-business.md +++ b/store-for-business/acquire-apps-windows-store-for-business.md @@ -6,6 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: store author: TrudyHa +ms.date: 10/01/2017 ms.localizationpriority: high --- 
@@ -30,18 +31,17 @@ There are a couple of things we need to know when you pay for apps. You can add - Legal business address - Payment option (credit card) - ## Acquire apps **To acquire an app** -1. Log in to http://businessstore.microsoft.com -2. Click Shop, or use Search to find an app. +1. Sign in to http://businessstore.microsoft.com +2. Click **Shop**, or use Search to find an app. 3. Click the app you want to purchase. 4. On the product description page, choose your license type - either online or offline. -5. Free apps will be added to **Inventory** or **Apps & software**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**. -6. If you don’t have a payment method saved in **Account Information** or **Payments & billing**, we will prompt you for one. -7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Account information** or **Payments & billing**. +5. Free apps will be added to **Products & services**. For apps with a price, you can set the quantity you want to buy. Type the quantity and click **Next**. +6. If you don’t have a payment method saved in **Billing - Payment methods**, we will prompt you for one. +7. Add your credit card or debit card info, and click **Next**. Your card info is saved as a payment option on **Billing - Payment methods**. -You’ll also need to have your business address saved on **Account information** or **Payments & billing**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information). +You’ll also need to have your business address saved on ****Billing - Account profile***. The address is used to generate tax rates. 
For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information). Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & software**, you can: - Distribute the app: add to private store, or assign licenses @@ -51,3 +51,11 @@ Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & s For info on distributing apps, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md). For info on offline-licensed apps, see [Distribute offline apps](distribute-offline-apps.md). + +## Request apps +People in your org can request additional licenses for apps that are in your organization's private store. When **Allow app requests** is turned on, people in your org can respond to a notification about app license availability. Admins for your tenant will receive an email with the request, and can decide about making the purchase. + +**To manage Allow app requests** +1. Sign in to http://businessstore.microsoft.com +2. Click **Manage**, click **Settings**, and then click **Distribute**. +3. Under **Private store** turn on, or turn off **Allow app requests**. diff --git a/store-for-business/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-windows-store-for-business.md index 6c598f70cc..9eebbb170e 100644 --- a/store-for-business/app-inventory-management-windows-store-for-business.md +++ b/store-for-business/app-inventory-management-windows-store-for-business.md 
@@ -84,7 +84,7 @@ Once an app is in your private store, people in your org can install the app on 3. Use **Refine results** to search for online-licensed apps under **License type**. 4. From the list of online-licensed apps, click the ellipses for the app you want, and then choose **Add to private store**. -The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. +The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store. Employees can claim apps that admins added to the private store by doing the following. **To claim an app from the private store** diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index 29e97b30bb..73c7ff9a4c 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md @@ -44,7 +44,7 @@ Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps & -The value under **Private store** for the app will change to pending. It will take approximately twelve hours before the app is available in the private store. +The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store. Employees can claim apps that admins added to the private store by doing the following. diff --git a/store-for-business/images/msfb-wn-1709-app-request.png b/store-for-business/images/msfb-wn-1709-app-request.png new file mode 100644 index 0000000000..e454aca9a9 Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-app-request.png differ 
diff --git a/store-for-business/images/msfb-wn-1709-edge-ext.png b/store-for-business/images/msfb-wn-1709-edge-ext.png new file mode 100644 index 0000000000..15170ecfc3 Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-edge-ext.png differ diff --git a/store-for-business/images/msfb-wn-1709-my-org.png b/store-for-business/images/msfb-wn-1709-my-org.png new file mode 100644 index 0000000000..ecb47b6e8a Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-my-org.png differ diff --git a/store-for-business/images/msfb-wn-1709-o365-csp.png b/store-for-business/images/msfb-wn-1709-o365-csp.png new file mode 100644 index 0000000000..b51d32923a Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-o365-csp.png differ diff --git a/store-for-business/images/msfb-wn-1709-o365-prepaid.png b/store-for-business/images/msfb-wn-1709-o365-prepaid.png new file mode 100644 index 0000000000..9bdb360a31 Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-o365-prepaid.png differ diff --git a/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png b/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png new file mode 100644 index 0000000000..de246824f5 Binary files /dev/null and b/store-for-business/images/msfb-wn-1709-search-result-sub-cat.png differ diff --git a/store-for-business/images/wsfb-wsappprivatestore.png b/store-for-business/images/wsfb-wsappprivatestore.png index 9c29e7604c..48d9f79892 100644 Binary files a/store-for-business/images/wsfb-wsappprivatestore.png and b/store-for-business/images/wsfb-wsappprivatestore.png differ diff --git a/store-for-business/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-windows-store-for-business.md index f9592cd92e..e30487958f 100644 --- a/store-for-business/manage-settings-windows-store-for-business.md +++ b/store-for-business/manage-settings-windows-store-for-business.md 
@@ -12,7 +12,6 @@ ms.localizationpriority: high # Manage settings for Microsoft Store for Business and Education - **Applies to** - Windows 10 @@ -24,7 +23,7 @@ You can add users and groups, as well as update some of the settings associated | Topic | Description | | ----- | ----------- | -| [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | The **Account information** page in Microsoft Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings. | +| [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | **Billing - Account profile** in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. | | [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups. | diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md new file mode 100644 index 0000000000..869d8d89db --- /dev/null +++ b/store-for-business/release-history-microsoft-store-business-education.md 
@@ -0,0 +1,22 @@ +--- +title: Whats new in Microsoft Store for Business and Education +description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.date: 09/21/2017 +--- + +# Microsoft Store for Business and Education release history + +Microsoft Store for Business and Education regularly releases new and improved feaures. Here's a summary of new or updated features in previous releases. + +Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) + +## August 2017 +These items were released or updated in August, 2017. + +- **Pellentesque habitant morbi tristique** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md) +- **Aenean nec lorem** - Lorem ipsum dolor sit amet, consectetuer adipiscing elit. [Learn more](distribute-apps-from-your-private-store.md) \ No newline at end of file diff --git a/store-for-business/settings-reference-windows-store-for-business.md b/store-for-business/settings-reference-windows-store-for-business.md index 09fbf09a41..6d5922b831 100644 --- a/store-for-business/settings-reference-windows-store-for-business.md +++ b/store-for-business/settings-reference-windows-store-for-business.md 
@@ -22,13 +22,15 @@ The Microsoft Store for Business and Education has a group of settings that admi | Setting | Description | Location under **Manage** | | ------- | ----------- | ------------------------------ | -| Account information and payment options | Manage organization and payment option information. For more information, see [Manage settings for the Microsoft Store for Business and Education](manage-settings-windows-store-for-business.md).| **Payments & billing** | -| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Store settings** | -| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Store settings** (Private store tab) | -| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Store settings** | -| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Store settings** | -| Permissions | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions** | -| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. 
For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions** | +| Account information | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md).| **Billing - Account profile** | +| Payment options | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-windows-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** | +| Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** | +| Offline licensing | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** | +| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-windows-store-for-business.md). | **Settings - Distribute** | +| Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-windows-store-for-business.md). | **Settings - Distribute** | +| Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices** | +| Permissions | Manage permissions for your employees. 
For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** | +| Line-of-business (LOB) publishers | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** | diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md index f88eec0840..951212afbd 100644 --- a/store-for-business/update-windows-store-for-business-account-settings.md +++ b/store-for-business/update-windows-store-for-business-account-settings.md @@ -32,7 +32,7 @@ We need an email address in case we need to contact you about your Microsoft Sto **To update Organization information** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com) -2. Click **Manage**, click **Payments & billing**, and then click **Edit**. +2. Click **Manage**, click **Billing**, **Account profile**, and then click **Edit**. ## Organization tax information Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent: 
@@ -87,7 +87,7 @@ If you qualify for tax-exempt status in your market, start a service request to **To start a service request** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com). -2. Click **Support**, and then under **Store or account support** click **Start a service request**. +2. Click **Manage**, click **Support**, and then under **Store settings & configuration** click **Create technical support ticket**. You’ll need this documentation: @@ -124,8 +124,8 @@ You can purchase apps from Microsoft Store for Business using your credit card. **To add a new payment option** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Payments & billing**. -3. Under **Payment options**, click **Show my payment options**, and then select the type of credit card that you want to add. +2. Click **Manage**, click **Billing**, and then click **Payments methods**. +3. Click **Add a payment options**, and then select the type of credit card that you want to add. 4. Add information to any required fields, and then click **Next**. Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. 
@@ -136,10 +136,10 @@ Once you click Next, the information you provided will be validated with a tes **To update a payment option** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Payments & billng**. -3. Under **Payment options** > **Show my payment options**, select the payment option that you want to update, and then click **Update**. +2. Click **Manage**, click **Billing**, and then click **Payments methods**. +3. Select the payment option that you want to update, and then click **Update**. 4. Enter any updated information in the appropriate fields, and then click **Next**. -Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise,you will be prompted for additional information or notified if there are any problems. +Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems. > [!NOTE] > Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance. 
@@ -153,8 +153,8 @@ Admins can decide whether or not offline licenses are shown for apps in Microsof **To set offline license visibility** 1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). -2. Click **Manage**, and then click **Payments & billing**. -3. Under **Offline licensing**, click **Show offline licensed apps to people shopping in the store** to show availability for both online and offline licenses. +2. Click **Manage**, and then click **Settings - Shop**. +3. Under **Shopping experience** turn on or turn off **Show offline apps**,to show availability for offline-licensed apps. You have the following distribution options for offline-licensed apps: - Include the app in a provisioning package, and then use it as part of imaging a device. diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md new file mode 100644 index 0000000000..12c88a2afc --- /dev/null +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -0,0 +1,35 @@ +--- +title: Whats new in Microsoft Store for Business and Education +description: Learn about newest features in Microsoft Store for Business and Microsoft Store for Education. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: store +author: TrudyHa +ms.date: 09/30/2017 +--- + +# What's new in Microsoft Store for Business and Education + +Microsoft Store for Business and Education regularly releases new and improved feaures. Take a look below to see what's available to you today. + +## Latest updates for Store for Business and Education + +| | | +|-----------------------|---------------------------------| +| | **Manage Windows device deployment with Windows AutoPilot Deployment**

In Microsoft Store for Business, you can manage devices for your organization and apply an AutoPilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the AutoPilot deployment profile you applied to the device.

[Get more info](distribute-apps-from-your-private-store.md)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**

People in your organization can reqest additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.

[Get more info](https://docs.microsoft.com/microsoft-store/acquire-apps-windows-store-for-business#request-apps)

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Microsoft Store for Business My organization page, showing Agreements tab.](images/msfb-wn-1709-my-org.png) |**My organization**

**My organization** shows you all Agreements that apply to your organization. You can also update profile info for you org, such as mailing address and email associated with your account.

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Microsoft Store for Business Products and Services page, Subscription tab with prepaid Office 365 subscription.](images/msfb-wn-1709-o365-prepaid.png) |**Manage prepaid Office 365 subscriptions**

Office 365 prepaid subscriptions can be redeemed using a prepaid token. Tokens are available through 3rd-party businesses, outside of Microsoft Store for Business or the Office 365 Admin portal. After redemming prepaid subscriptions, Admins can add more licenses or extend the subscription's expiration date. 

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Microsoft Store for Business Products and Services page, Subscription tab with Office 365 subscription acquired by reseller.](images/msfb-wn-1709-o365-csp.png) |**Manage Office 365 subscriptions acquired by partners**

Office 365 subscriptions purchased for your organization by a partner or reseller can be managed in Microsoft Store for Business. Admins can assign and manage licenses for these subscriptions. 

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Microsoft Store for Business shop page.](images/msfb-wn-1709-edge-ext.png) |**Edge extensions in Microsoft Store**

Edge Extensions are now available from Microsoft Store! You can acquire and distribute them from Microsoft Store for Business just like any other app.

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | +| ![Search results in Microsoft Store for Business showing sub categories.](images/msfb-wn-1709-search-result-sub-cat.png) |**Search results in Microsoft Store for Business**

Search results now have sub categories to help you refine search results.

**Applies to**:
Microsoft Store for Business
Microsoft Store for Education | + + \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 51d3af12b8..084999e656 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -25,7 +25,7 @@ ms.date: 09/08/2017 >[!IMPORTANT] >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -In hybrid deployments, users register the public portion of their Windows Hello for Business crednetial with Azure. Azure AD Connect syncrhonizes the Windows Hello for Business public key to Active Directory. +In hybrid deployments, users register the public portion of their Windows Hello for Business credential with Azure. Azure AD Connect synchronizes the Windows Hello for Business public key to Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. diff --git a/windows/access-protection/hello-for-business/hello-identity-verification.md b/windows/access-protection/hello-for-business/hello-identity-verification.md index 59a9bb791e..68f001e2f3 100644 --- a/windows/access-protection/hello-for-business/hello-identity-verification.md +++ b/windows/access-protection/hello-for-business/hello-identity-verification.md 
@@ -71,6 +71,23 @@ The table shows the minimum requirements for each deployment. ## Frequently Asked Questions +### What is the user experience for Windows Hello for Business? +The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. + +> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM] + +
+ +> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso] + +### What happens when my user forgets their PIN? + +If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. + +> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI] + +For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. + ### Do I need Windows Server 2016 domain controllers? There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md index 238dc36fc2..48e61b947d 100644 --- a/windows/application-management/enterprise-background-activity-controls.md +++ b/windows/application-management/enterprise-background-activity-controls.md 
@@ -59,5 +59,6 @@ The Universal Windows Platform ensures that consumers will have great battery li ## See also -[Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) +- [Run in the background indefinitely](https://docs.microsoft.com/windows/uwp/launch-resume/run-in-the-background-indefinetly) +- [Policy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-letappsruninbackground) [Optimize background activity](https://docs.microsoft.com/windows/uwp/debug-test-perf/optimize-background-activity) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 2d1385d654..6b56d24b8f 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -25,7 +25,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo ## Set up -- Both PCs (local and remote) must be running Windows 10, version 1607. Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. +- Both PCs (local and remote) must be running Windows 10, version 1607 (or later). Remote connection to an Azure AD-joined PC that is running earlier versions of Windows 10 is not supported. - Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC that you are using to connect to the remote PC. - On the PC that you want to connect to: 1. Open system properties for the remote PC. diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 947ffa3bac..623210a376 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md 
@@ -2,6 +2,7 @@ ## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md) ## [Mobile device enrollment](mobile-device-enrollment.md) ### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md) +### [Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) ### [Federated authentication device enrollment](federated-authentication-device-enrollment.md) ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) ### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md new file mode 100644 index 0000000000..a9449a22c1 --- /dev/null +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -0,0 +1,121 @@ +--- +title: Enroll a Windows 10 device automatically using Group Policy +description: Enroll a Windows 10 device automatically using Group Policy +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +ms.date: 10/02/2017 +--- + +# Enroll a Windows 10 device automatically using Group Policy + +Starting in Windows 10, version 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices. + +Requirements: +- AD-joined PC running Windows 10, version 1709 +- Enterprise has MDM service already configured +- Enterprise AD must be registered with Azure AD + +> [!Tip] +> [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup) + +To verify if the device is Azure AD registered, run `dsregcmd /status` from the command line. + +Here is a partial screenshot of the result: + +![device status result](images/autoenrollment-device-status.png) + +The auto-enrollment relies of the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1611, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically AAD registered. + +> [!Note] +> In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx). For examples, see section 4.3.1 RequestSecurityToken of the the MS-MDE2 protocol documentation. + +When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. 
The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. + +In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence. + +For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices. + +## Configure the auto-enrollment Group Policy for a single PC + +This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices). + +Requirements: +- AD-joined PC running Windows 10, version 1709 +- Enterprise has MDM service already configured +- Enterprise AD must be registered with Azure AD + +1. Run GPEdit.msc + + Click Start, then in the text box type gpedit. + + ![GPEdit desktop app search result](images/autoenrollment-gpedit.png) + +2. Under **Best match**, click **Edit group policy** to launch it. + +3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**. + + ![MDM policies](images/autoenrollment-mdm-policies.png) + +4. Double-click **Auto MDM Enrollment with AAD Token**. + + ![MDM autoenrollment policy](images/autoenrollment-policy.png) + +5. Click **Enable**, then click **OK**. + + A task is created and scheduled to run every 5 minutes for the duration of 1 day. 
The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." + + To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app). + + If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot. + + ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png) + +6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account. + +7. Click **Info** to see the MDM enrollment information. + + ![Work School Settings](images/autoenrollment-settings-work-school.png) + + If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app). + + +### Task Scheduler app + +1. Click **Start**, then in the text box type **task scheduler**. + + ![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png) + +2. Under **Best match**, click **Task Scheduler** to launch it. + +3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**. + + ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png) + + To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab. + + If the device enrollment is blocked, your IT admin may have enabled the **Disable MDM Enrollment** policy. Note that the GPEdit console does not reflect the status of policies set by your IT admin on your device. It is only used by the user to set policies. 
+ +## Configure the auto-enrollment for a group of devices + +Requirements: +- AD-joined PC running Windows 10, version 1709 +- Enterprise has MDM service already configured (with Intune or a third party service provider) +- Enterprise AD must be integrated with Azure AD. +- Ensure that PCs belong to same computer group. + +1. Create a Group Policy Object (GPO) and enable the Group Policy **Auto MDM enrollment with AAD token**. +2. Create a Security Group for the PCs. +3. Link the GPO. +4. Filter using Security Groups. +5. Enforce a GPO link + +### Related topics + +- [Group Policy Management Console](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx) +- [Create and Edit a Group Policy Object](https://technet.microsoft.com/en-us/library/cc754740(v=ws.11).aspx) +- [Link a Group Policy Object](https://technet.microsoft.com/en-us/library/cc732979(v=ws.11).aspx) +- [Filter Using Security Groups](https://technet.microsoft.com/en-us/library/cc752992(v=ws.11).aspx) +- [Enforce a Group Policy Object Link](https://technet.microsoft.com/en-us/library/cc753909(v=ws.11).aspx) diff --git a/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png b/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png new file mode 100644 index 0000000000..ba16fbcd27 Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-2-factor-auth.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-device-status.png b/windows/client-management/mdm/images/autoenrollment-device-status.png new file mode 100644 index 0000000000..67072b0da7 Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-device-status.png differ 
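Review bot: "Starting in Windows 10, version 1611" in the paragraph after the `dsregcmd /status` screenshot names a version that does not correspond to a Windows 10 release; the other versions cited in this patch are 1607, 1703 and 1709, so please confirm which release introduced automatic AAD registration for domain-joined PCs and correct the number. The three Requirements lists in this file say "version 1709", while the connect-to-remote-aadj-pc.md change in this same patch adds "(or later)"; use the same wording here if later releases are supported. Wording to fix before merge: "relies of the presence" (should be "on"), "of the the MS-MDE2", "GP policy is take precedence over MDM", and the policy name is capitalized two ways ("Auto MDM Enrollment with AAD Token" in step 4, "Auto MDM enrollment with AAD token" in the group procedure).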
diff --git a/windows/client-management/mdm/images/autoenrollment-gpedit.png b/windows/client-management/mdm/images/autoenrollment-gpedit.png new file mode 100644 index 0000000000..e863dfc945 Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-gpedit.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-mdm-policies.png b/windows/client-management/mdm/images/autoenrollment-mdm-policies.png new file mode 100644 index 0000000000..29cb6d14da Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-mdm-policies.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-policy.png b/windows/client-management/mdm/images/autoenrollment-policy.png new file mode 100644 index 0000000000..f9bb009514 Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-policy.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-scheduled-task.png b/windows/client-management/mdm/images/autoenrollment-scheduled-task.png new file mode 100644 index 0000000000..bfa805bfbd Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-scheduled-task.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-settings-work-school.png b/windows/client-management/mdm/images/autoenrollment-settings-work-school.png new file mode 100644 index 0000000000..31fb7a400a Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-settings-work-school.png differ diff --git a/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png b/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png new file mode 100644 index 0000000000..56f071dcda Binary files /dev/null and b/windows/client-management/mdm/images/autoenrollment-task-schedulerapp.png differ 
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png new file mode 100644 index 0000000000..c75d6ca38f Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-21-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png new file mode 100644 index 0000000000..bf44fb2d97 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-23-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png new file mode 100644 index 0000000000..66c6b0ee19 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-24-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png new file mode 100644 index 0000000000..cd28d561d8 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-25-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png new file mode 100644 index 0000000000..48025064e0 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-33-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png new file mode 100644 index 0000000000..8fbb961540 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-34-b.png differ 
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png new file mode 100644 index 0000000000..a3e3fe20d2 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-35-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png new file mode 100644 index 0000000000..304bf8aa0b Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-b.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png new file mode 100644 index 0000000000..5ed04fb4a2 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-37-c.png differ diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index af2ac59df8..2066c8391f 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 09/19/2017 --- # MDM enrollment of Windows-based devices 
@@ -178,35 +178,33 @@ All Windows 10-based devices can be connected to a work or school account. You ### Using the Settings app -1. Launch the Settings app. +1. Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts** - ![windows settings page](images/unifiedenrollment-rs1-21.png) + ![windows settings page](images/unifiedenrollment-rs1-21-b.png) -2. Next, navigate to **Accounts**. +2. Navigate to **Access work or school**. - ![windows settings accounts select](images/unifiedenrollment-rs1-22.png) + ![select access work or school](images/unifiedenrollment-rs1-23-b.png) -3. Navigate to **Access work or school**. +3. Click **Connect**. - ![select access work or school](images/unifiedenrollment-rs1-23.png) + ![connect to work or school](images/unifiedenrollment-rs1-24-b.png) -4. Click **Connect**. +4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - ![connect to work or school](images/unifiedenrollment-rs1-24.png) + ![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png) -5. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. - - ![join work or school account to azure ad](images/unifiedenrollment-rs1-25.png) - -6. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication. +5. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. 
If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up. + ![corporate sign in](images/unifiedenrollment-rs1-26.png) -7. After you complete the flow, your Microsoft account will be connected to your work or school account. +6. After you complete the flow, your Microsoft account will be connected to your work or school account. ![account successfully added](images/unifiedenrollment-rs1-27.png) 
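Review bot: The new step 1 gives the same navigation twice ("Launch the Settings app and then click **Accounts**. Click **Start**, then the Settings icon, and then select **Accounts**") and the second sentence has no closing period; keep one of the two sentences. The screenshots in steps 1 to 4 move to the `-b` files, but `unifiedenrollment-rs1-26.png` and `unifiedenrollment-rs1-27.png` stay as unchanged context, and the added sentence about the version 1709 status page sits directly above `rs1-26.png` ("corporate sign in"); please confirm that image still matches the text or add a screenshot of the status page.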
@@ -238,11 +236,12 @@ All Windows 10-based devices can be connected to an MDM. You can connect to an 6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen. + + ![corporate sign in](images/unifiedenrollment-rs1-33-b.png) After you complete the flow, your device will be connected to your organization’s MDM. - - ![corporate sign in](images/unifiedenrollment-rs1-33.png) + ### Connecting to MDM on a phone (Enrolling in device management) @@ -343,16 +342,7 @@ The following procedure describes how users can connect their devices to MDM usi Your work or school connections can be managed on the **Settings** > **Accounts** > **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection. -![managing work or school account](images/unifiedenrollment-rs1-34.png) - -### Manage - -The **Manage** button can be found on work or school connections involving Azure AD. This includes the following scenarios: - -- Connecting your device to an Azure AD domain -- Connecting to a work or school account. - -Clicking on the manage button will open the Azure AD portal associated with that connection in your default browser. +![managing work or school account](images/unifiedenrollment-rs1-34-b.png) ### Info 
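Review bot: Deleting the whole "### Manage" section removes the documentation for devices that still show the button. The note added later in this file says the **Manage** button is no longer available "Starting in Windows 10, version 1709", and the topic describes itself as covering all Windows 10-based devices, so readers on earlier versions lose the description of what the button does. Consider keeping the section with a version qualifier (for example, a lead sentence stating it applies to versions before 1709) instead of removing it.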
@@ -364,7 +354,12 @@ The **Info** button can be found on work or school connections involving MDM. Th Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed. -![work or school info](images/unifiedenrollment-rs1-35.png) +Starting in Windows 10, version 1709, clicking the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screehshot. + +![work or school info](images/unifiedenrollment-rs1-35-b.png) + +> [!Note] +> Starting in Windows 10, version 1709, the **Manage** button is no longer available. ### Disconnect @@ -375,16 +370,14 @@ The **Disconnect** button can be found on all work connections. Generally, click > **Warning**  Disconnecting might result in the loss of data on the device. -  - -![disconnect work or school account](images/unifiedenrollment-rs1-36.png) - ## Collecting diagnostic logs You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. After you click the link, click **Export** and follow the path displayed to retrieve your management log files. -![collecting enrollment management log files](images/unifiedenrollment-rs1-37.png) +Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Info** button. At the bottom of the Settings page you will see the button to create a report. Here is an example screenshot. + +![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png)   
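Review bot: "Here is an example screehshot." in the paragraph added under Info misspells "screenshot". The same paragraph and the following `[!Note]` both open with "Starting in Windows 10, version 1709"; that is fine, but the note about the **Manage** button would be easier to find under the "Managing connections" introduction, where the button was previously documented, than under Info.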
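Review bot: The paragraph added under "Collecting diagnostic logs" says "you will see the button to create a report" without giving the button's label; every other UI element in this topic is named in bold, so name the button the same way so the step can be followed without the screenshot. Two image points in this hunk: the Disconnect screenshot (`unifiedenrollment-rs1-36.png`) is removed with no replacement, and the patch adds both `unifiedenrollment-rs1-37-b.png` and `unifiedenrollment-rs1-37-c.png` while the hunks shown for this file reference only `-37-c.png`; if `-37-b.png` is unused, drop it from the change.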
@@ -392,4 +385,3 @@ You can collect diagnostic logs around your work connections by going to **Setti - diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index 239445ade8..e9c457174a 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/19/2017 +ms.date: 10/02/2017 --- # What's new in MDM enrollment and management @@ -1000,8 +1000,21 @@ For details about Microsoft mobile device management protocols for Windows 10 s

Added new policies.

-Microsoft Store for Business -

Windows Store for Business name changed to Microsoft Store for Business.

+Microsoft Store for Business and Microsoft Store +

Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

+ +[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) +

New features in the Settings app:

+ +

For details, see [Managing connection](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)

+ + +[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) +

Added new topic to introduce a new Group Policy for automatic MDM enrollment.

[Policy CSP](policy-configuration-service-provider.md) @@ -1384,8 +1397,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.

-Microsoft Store for Business -

Windows Store for Business name changed to Microsoft Store for Business.

+Microsoft Store for Business and Microsoft Store +

Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.

The [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://msdn.microsoft.com/en-us/library/mt221945.aspx) @@ -1401,9 +1414,24 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [EntepriseAPN CSP](enterpriseapn-csp.md)

Added a SyncML example.

+ [VPNv2 CSP](vpnv2-csp.md)

Added RegisterDNS setting in Windows 10, version 1709.

+ +[Enroll a Windows 10 device automatically using Group Policy](enroll-a-windows-10-device-automatically-using-group-policy.md) +

Added new topic to introduce a new Group Policy for automatic MDM enrollment.

+ + +[MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) +

New features in the Settings app:

+ +

For details, see [Managing connections](mdm-enrollment-of-windows-devices.md#managing-connections) and [Collecting diagnostic logs](mdm-enrollment-of-windows-devices.md#collecting-diagnostic-logs)

+ diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 121d77fdb7..f0b176f45a 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/25/2017 +ms.date: 09/29/2017 --- # Policy CSP 
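Review bot: In new-in-windows-mdm-enrollment-management.md the row for "MDM enrollment of Windows-based devices" is added twice with different link text: "[Managing connection]" in the first copy (hunk at -1000) and "[Managing connections]" in the second (hunk at -1401). Both links target `#managing-connections`, so use the plural in both places. The sentence also ends without a period in both copies.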
@@ -22,6 +22,26 @@ The Policy configuration service provider has the following sub-categories: - Policy/Config/*AreaName* – Handles the policy configuration request from the server. - Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device. + + +> [!Important] +> Policy scope is the level at which a policy can be configured. Some policies can only be configured at the device level, meaning the policy will take effect independent of who is logged into the device. Other policies can be configured at the user level, meaning the policy will only take effect for that user. +> +> The allowed scope of a specific policy is represented below its table of supported Windows editions. To configure a policy under a specific scope (user vs. device), please use the following paths: +> +> User scope: +> - **./User/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. +> - **./User/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. +> +> Device scope: +> - **./Device/Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. +> - **./Device/Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. +> +> For device wide configuration the **_Device/_** portion may be omitted from the path, deeming the following paths respectively equivalent: +> +> - **./Vendor/MSFT/Policy/Config/_AreaName/PolicyName_** to configure the policy. +> - **./Vendor/MSFT/Policy/Result/_AreaName/PolicyName_** to get the result. + The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. ![policy csp diagram](images/provisioning-csp-policy.png) diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 2268695665..64f921aac1 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md 
+++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - AboveLock @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## AboveLock policies +
+
+ AboveLock/AllowActionCenterNotifications +
+
+ AboveLock/AllowCortanaAboveLock +
+
+ AboveLock/AllowToasts +
+
+ +
**AboveLock/AllowActionCenterNotifications** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -60,6 +82,7 @@ ms.date: 08/30/2017 +
**AboveLock/AllowCortanaAboveLock** @@ -86,6 +109,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. @@ -96,6 +128,7 @@ ms.date: 08/30/2017 +


**AboveLock/AllowToasts** @@ -122,6 +155,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether to allow toast notifications above the device lock screen. diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index f2e678427b..cbec351d99 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Accounts @@ -14,11 +14,27 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## Accounts policies +
+
+ Accounts/AllowAddingNonMicrosoftAccountsManually +
+
+ Accounts/AllowMicrosoftAccountConnection +
+
+ Accounts/AllowMicrosoftAccountSignInAssistant +
+
+ Accounts/DomainNamesForEmailSync +
+
+ +
**Accounts/AllowAddingNonMicrosoftAccountsManually** @@ -45,6 +61,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether user is allowed to add non-MSA email accounts. @@ -60,6 +85,7 @@ ms.date: 08/30/2017 +


**Accounts/AllowMicrosoftAccountConnection** @@ -86,6 +112,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. @@ -98,6 +133,7 @@ ms.date: 08/30/2017 +


**Accounts/AllowMicrosoftAccountSignInAssistant** @@ -124,6 +160,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. @@ -134,6 +179,7 @@ ms.date: 08/30/2017 +


**Accounts/DomainNamesForEmailSync** @@ -160,6 +206,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies a list of the domains that are allowed to sync email on the device. diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 755aeb5a2e..d01ca2a458 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ActiveXControls @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## ActiveXControls policies +
+
+ ActiveXControls/ApprovedInstallationSites +
+
+ +
**ActiveXControls/ApprovedInstallationSites** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. diff --git a/windows/client-management/mdm/policy-csp-applicationdefaults.md b/windows/client-management/mdm/policy-csp-applicationdefaults.md index 838ad9fbc8..4e71e25975 100644 --- a/windows/client-management/mdm/policy-csp-applicationdefaults.md +++ b/windows/client-management/mdm/policy-csp-applicationdefaults.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ApplicationDefaults @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## ApplicationDefaults policies +
+
+ ApplicationDefaults/DefaultAssociationsConfiguration +
+
+ +
**ApplicationDefaults/DefaultAssociationsConfiguration** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index bb72e071a6..7690c7eb20 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - ApplicationManagement @@ -14,11 +14,48 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## ApplicationManagement policies +
+
+ ApplicationManagement/AllowAllTrustedApps +
+
+ ApplicationManagement/AllowAppStoreAutoUpdate +
+
+ ApplicationManagement/AllowDeveloperUnlock +
+
+ ApplicationManagement/AllowGameDVR +
+
+ ApplicationManagement/AllowSharedUserAppData +
+
+ ApplicationManagement/AllowStore +
+
+ ApplicationManagement/ApplicationRestrictions +
+
+ ApplicationManagement/DisableStoreOriginatedApps +
+
+ ApplicationManagement/RequirePrivateStoreOnly +
+
+ ApplicationManagement/RestrictAppDataToSystemVolume +
+
+ ApplicationManagement/RestrictAppToSystemVolume +
+
+ +
**ApplicationManagement/AllowAllTrustedApps** @@ -45,6 +82,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether non Microsoft Store apps are allowed. @@ -58,6 +104,7 @@ ms.date: 08/30/2017 +


**ApplicationManagement/AllowAppStoreAutoUpdate** @@ -84,6 +131,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether automatic update of apps from Microsoft Store are allowed. @@ -96,6 +152,7 @@ ms.date: 08/30/2017 +


**ApplicationManagement/AllowDeveloperUnlock** @@ -122,6 +179,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether developer unlock is allowed. @@ -135,6 +201,7 @@ ms.date: 08/30/2017 +


**ApplicationManagement/AllowGameDVR** @@ -161,6 +228,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > The policy is only enforced in Windows 10 for desktop. @@ -176,6 +252,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/AllowSharedUserAppData** @@ -202,6 +279,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether multiple users of the same app can share data. @@ -214,6 +300,7 @@ ms.date: 08/30/2017 +


**ApplicationManagement/AllowStore** @@ -240,6 +327,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether app store is allowed at the device. @@ -252,6 +348,7 @@ ms.date: 08/30/2017 +


**ApplicationManagement/ApplicationRestrictions** @@ -278,6 +375,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -305,6 +411,7 @@ ms.date: 08/30/2017 +
**ApplicationManagement/DisableStoreOriginatedApps** @@ -331,6 +438,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. @@ -341,6 +457,7 @@ ms.date: 08/30/2017 +


**ApplicationManagement/RequirePrivateStoreOnly** @@ -367,6 +484,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +

Allows disabling of the retail catalog and only enables the Private store. @@ -388,6 +514,7 @@ ms.date: 08/30/2017 +


**ApplicationManagement/RestrictAppDataToSystemVolume** @@ -414,6 +541,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether application data is restricted to the system drive. @@ -426,6 +562,7 @@ ms.date: 08/30/2017 +


**ApplicationManagement/RestrictAppToSystemVolume** @@ -452,6 +589,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether the installation of applications is restricted to the system drive. diff --git a/windows/client-management/mdm/policy-csp-appvirtualization.md b/windows/client-management/mdm/policy-csp-appvirtualization.md index e44fda0b34..512cbecf60 100644 --- a/windows/client-management/mdm/policy-csp-appvirtualization.md +++ b/windows/client-management/mdm/policy-csp-appvirtualization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - AppVirtualization @@ -14,11 +14,99 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## AppVirtualization policies +
+
+ AppVirtualization/AllowAppVClient +
+
+ AppVirtualization/AllowDynamicVirtualization +
+
+ AppVirtualization/AllowPackageCleanup +
+
+ AppVirtualization/AllowPackageScripts +
+
+ AppVirtualization/AllowPublishingRefreshUX +
+
+ AppVirtualization/AllowReportingServer +
+
+ AppVirtualization/AllowRoamingFileExclusions +
+
+ AppVirtualization/AllowRoamingRegistryExclusions +
+
+ AppVirtualization/AllowStreamingAutoload +
+
+ AppVirtualization/ClientCoexistenceAllowMigrationmode +
+
+ AppVirtualization/IntegrationAllowRootGlobal +
+
+ AppVirtualization/IntegrationAllowRootUser +
+
+ AppVirtualization/PublishingAllowServer1 +
+
+ AppVirtualization/PublishingAllowServer2 +
+
+ AppVirtualization/PublishingAllowServer3 +
+
+ AppVirtualization/PublishingAllowServer4 +
+
+ AppVirtualization/PublishingAllowServer5 +
+
+ AppVirtualization/StreamingAllowCertificateFilterForClient_SSL +
+
+ AppVirtualization/StreamingAllowHighCostLaunch +
+
+ AppVirtualization/StreamingAllowLocationProvider +
+
+ AppVirtualization/StreamingAllowPackageInstallationRoot +
+
+ AppVirtualization/StreamingAllowPackageSourceRoot +
+
+ AppVirtualization/StreamingAllowReestablishmentInterval +
+
+ AppVirtualization/StreamingAllowReestablishmentRetries +
+
+ AppVirtualization/StreamingSharedContentStoreMode +
+
+ AppVirtualization/StreamingSupportBranchCache +
+
+ AppVirtualization/StreamingVerifyCertificateRevocationList +
+
+ AppVirtualization/VirtualComponentsAllowList +
+
+ +
**AppVirtualization/AllowAppVClient** @@ -45,6 +133,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. @@ -65,6 +162,7 @@ ADMX Info: +
**AppVirtualization/AllowDynamicVirtualization** @@ -91,6 +189,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. @@ -111,6 +218,7 @@ ADMX Info: +
**AppVirtualization/AllowPackageCleanup** @@ -137,6 +245,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. @@ -157,6 +274,7 @@ ADMX Info: +
**AppVirtualization/AllowPackageScripts** @@ -183,6 +301,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Enables scripts defined in the package manifest of configuration files that should run. @@ -203,6 +330,7 @@ ADMX Info: +
**AppVirtualization/AllowPublishingRefreshUX** @@ -229,6 +357,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Enables a UX to display to the user when a publishing refresh is performed on the client. @@ -249,6 +386,7 @@ ADMX Info: +
**AppVirtualization/AllowReportingServer** @@ -275,6 +413,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Reporting Server URL: Displays the URL of reporting server. @@ -305,6 +452,7 @@ ADMX Info: +
**AppVirtualization/AllowRoamingFileExclusions** @@ -331,6 +479,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. @@ -351,6 +508,7 @@ ADMX Info: +
**AppVirtualization/AllowRoamingRegistryExclusions** @@ -377,6 +535,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. @@ -397,6 +564,7 @@ ADMX Info: +
**AppVirtualization/AllowStreamingAutoload** @@ -423,6 +591,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies how new packages should be loaded automatically by App-V on a specific computer. @@ -443,6 +620,7 @@ ADMX Info: +
**AppVirtualization/ClientCoexistenceAllowMigrationmode** @@ -469,6 +647,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. @@ -489,6 +676,7 @@ ADMX Info: +
**AppVirtualization/IntegrationAllowRootGlobal** @@ -515,6 +703,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. @@ -535,6 +732,7 @@ ADMX Info: +
**AppVirtualization/IntegrationAllowRootUser** @@ -561,6 +759,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. @@ -581,6 +788,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer1** @@ -607,6 +815,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -645,6 +862,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer2** @@ -671,6 +889,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -709,6 +936,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer3** @@ -735,6 +963,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -773,6 +1010,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer4** @@ -799,6 +1037,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -837,6 +1084,7 @@ ADMX Info: +
**AppVirtualization/PublishingAllowServer5** @@ -863,6 +1111,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Publishing Server Display Name: Displays the name of publishing server. @@ -901,6 +1158,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** @@ -927,6 +1185,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the path to a valid certificate in the certificate store. @@ -947,6 +1214,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowHighCostLaunch** @@ -973,6 +1241,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). @@ -993,6 +1270,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowLocationProvider** @@ -1019,6 +1297,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. @@ -1039,6 +1326,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowPackageInstallationRoot** @@ -1065,6 +1353,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies directory where all new applications and updates will be installed. @@ -1085,6 +1382,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowPackageSourceRoot** @@ -1111,6 +1409,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Overrides source location for downloading package content. @@ -1131,6 +1438,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowReestablishmentInterval** @@ -1157,6 +1465,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the number of seconds between attempts to reestablish a dropped session. @@ -1177,6 +1494,7 @@ ADMX Info: +
**AppVirtualization/StreamingAllowReestablishmentRetries** @@ -1203,6 +1521,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies the number of times to retry a dropped session. @@ -1223,6 +1550,7 @@ ADMX Info: +
**AppVirtualization/StreamingSharedContentStoreMode** @@ -1249,6 +1577,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies that streamed package contents will be not be saved to the local hard disk. @@ -1269,6 +1606,7 @@ ADMX Info: +
**AppVirtualization/StreamingSupportBranchCache** @@ -1295,6 +1633,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache @@ -1315,6 +1662,7 @@ ADMX Info: +
**AppVirtualization/StreamingVerifyCertificateRevocationList** @@ -1341,6 +1689,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Verifies Server certificate revocation status before streaming using HTTPS. @@ -1361,6 +1718,7 @@ ADMX Info: +
**AppVirtualization/VirtualComponentsAllowList** @@ -1387,6 +1745,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. diff --git a/windows/client-management/mdm/policy-csp-attachmentmanager.md b/windows/client-management/mdm/policy-csp-attachmentmanager.md index 202f7f324a..19b60c53f6 100644 --- a/windows/client-management/mdm/policy-csp-attachmentmanager.md +++ b/windows/client-management/mdm/policy-csp-attachmentmanager.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - AttachmentManager @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## AttachmentManager policies +
+
+ AttachmentManager/DoNotPreserveZoneInformation +
+
+ AttachmentManager/HideZoneInfoMechanism +
+
+ AttachmentManager/NotifyAntivirusPrograms +
+
+ +
**AttachmentManager/DoNotPreserveZoneInformation** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. @@ -71,6 +93,7 @@ ADMX Info: +
**AttachmentManager/HideZoneInfoMechanism** @@ -97,6 +120,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. @@ -123,6 +155,7 @@ ADMX Info: +
**AttachmentManager/NotifyAntivirusPrograms** @@ -149,6 +182,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 3c483fb097..d33bbd648c 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 09/06/2017 +ms.date: 09/29/2017 --- # Policy CSP - Authentication @@ -14,11 +14,27 @@ ms.date: 09/06/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Authentication policies +
+
+ Authentication/AllowAadPasswordReset +
+
+ Authentication/AllowEAPCertSSO +
+
+ Authentication/AllowFastReconnect +
+
+ Authentication/AllowSecondaryAuthenticationDevice +
+
+ +
**Authentication/AllowAadPasswordReset** @@ -45,6 +61,15 @@ ms.date: 09/06/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Added in Windows 10, version 1709. Specifies whether password reset is enabled for Azure Active Directory accounts. This policy allows the Azure AD tenant administrators to enable self service password reset feature on the windows logon screen.  @@ -55,6 +80,7 @@ ms.date: 09/06/2017 +


**Authentication/AllowEAPCertSSO** @@ -81,6 +107,15 @@ ms.date: 09/06/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ +

Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. @@ -98,6 +133,7 @@ ms.date: 09/06/2017 +


**Authentication/AllowFastReconnect** @@ -124,6 +160,15 @@ ms.date: 09/06/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Allows EAP Fast Reconnect from being attempted for EAP Method TLS. @@ -136,6 +181,7 @@ ms.date: 09/06/2017 +


**Authentication/AllowSecondaryAuthenticationDevice** @@ -162,6 +208,15 @@ ms.date: 09/06/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. diff --git a/windows/client-management/mdm/policy-csp-autoplay.md b/windows/client-management/mdm/policy-csp-autoplay.md index daac26b55d..f63666cdc6 100644 --- a/windows/client-management/mdm/policy-csp-autoplay.md +++ b/windows/client-management/mdm/policy-csp-autoplay.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Autoplay @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## Autoplay policies +
+
+ Autoplay/DisallowAutoplayForNonVolumeDevices +
+
+ Autoplay/SetDefaultAutoRunBehavior +
+
+ Autoplay/TurnOffAutoPlay +
+
+ +
**Autoplay/DisallowAutoplayForNonVolumeDevices** @@ -45,6 +58,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting disallows AutoPlay for MTP devices like cameras or phones. @@ -69,6 +92,7 @@ ADMX Info: +
**Autoplay/SetDefaultAutoRunBehavior** @@ -95,6 +119,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting sets the default behavior for Autorun commands. @@ -128,6 +162,7 @@ ADMX Info: +
**Autoplay/TurnOffAutoPlay** @@ -154,6 +189,16 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to turn off the Autoplay feature. diff --git a/windows/client-management/mdm/policy-csp-bitlocker.md b/windows/client-management/mdm/policy-csp-bitlocker.md index 1220f63607..3d4c5bac81 100644 --- a/windows/client-management/mdm/policy-csp-bitlocker.md +++ b/windows/client-management/mdm/policy-csp-bitlocker.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Bitlocker @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Bitlocker policies +
+
+ Bitlocker/EncryptionMethod +
+
+ +
**Bitlocker/EncryptionMethod** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies the BitLocker Drive Encryption method and cipher strength. diff --git a/windows/client-management/mdm/policy-csp-bluetooth.md b/windows/client-management/mdm/policy-csp-bluetooth.md index 7bd2ea4992..d874f9ffa2 100644 --- a/windows/client-management/mdm/policy-csp-bluetooth.md +++ b/windows/client-management/mdm/policy-csp-bluetooth.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Bluetooth @@ -14,11 +14,30 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## Bluetooth policies +
+
+ Bluetooth/AllowAdvertising +
+
+ Bluetooth/AllowDiscoverableMode +
+
+ Bluetooth/AllowPrepairing +
+
+ Bluetooth/LocalDeviceName +
+
+ Bluetooth/ServicesAllowedList +
+
+ +
**Bluetooth/AllowAdvertising** @@ -45,6 +64,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether the device can send out Bluetooth advertisements. @@ -59,6 +87,7 @@ ms.date: 08/30/2017 +


**Bluetooth/AllowDiscoverableMode** @@ -85,6 +114,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether other Bluetooth-enabled devices can discover the device. @@ -99,6 +137,7 @@ ms.date: 08/30/2017 +


**Bluetooth/AllowPrepairing** @@ -125,6 +164,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. @@ -135,6 +183,7 @@ ms.date: 08/30/2017 +


**Bluetooth/LocalDeviceName** @@ -161,6 +210,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Sets the local Bluetooth device name. @@ -170,6 +228,7 @@ ms.date: 08/30/2017 +


**Bluetooth/ServicesAllowedList** @@ -196,6 +255,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 82c992e8eb..2c7f399858 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Browser @@ -14,11 +14,123 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## Browser policies +
+
+ Browser/AllowAddressBarDropdown +
+
+ Browser/AllowAutofill +
+
+ Browser/AllowBrowser +
+
+ Browser/AllowCookies +
+
+ Browser/AllowDeveloperTools +
+
+ Browser/AllowDoNotTrack +
+
+ Browser/AllowExtensions +
+
+ Browser/AllowFlash +
+
+ Browser/AllowFlashClickToRun +
+
+ Browser/AllowInPrivate +
+
+ Browser/AllowMicrosoftCompatibilityList +
+
+ Browser/AllowPasswordManager +
+
+ Browser/AllowPopups +
+
+ Browser/AllowSearchEngineCustomization +
+
+ Browser/AllowSearchSuggestionsinAddressBar +
+
+ Browser/AllowSmartScreen +
+
+ Browser/AlwaysEnableBooksLibrary +
+
+ Browser/ClearBrowsingDataOnExit +
+
+ Browser/ConfigureAdditionalSearchEngines +
+
+ Browser/DisableLockdownOfStartPages +
+
+ Browser/EnterpriseModeSiteList +
+
+ Browser/EnterpriseSiteListServiceUrl +
+
+ Browser/FirstRunURL +
+
+ Browser/HomePages +
+
+ Browser/LockdownFavorites +
+
+ Browser/PreventAccessToAboutFlagsInMicrosoftEdge +
+
+ Browser/PreventFirstRunPage +
+
+ Browser/PreventLiveTileDataCollection +
+
+ Browser/PreventSmartScreenPromptOverride +
+
+ Browser/PreventSmartScreenPromptOverrideForFiles +
+
+ Browser/PreventUsingLocalHostIPAddressForWebRTC +
+
+ Browser/ProvisionFavorites +
+
+ Browser/SendIntranetTraffictoInternetExplorer +
+
+ Browser/SetDefaultSearchEngine +
+
+ Browser/ShowMessageWhenOpeningSitesInInternetExplorer +
+
+ Browser/SyncFavoritesBetweenIEAndMicrosoftEdge +
+
+ +
**Browser/AllowAddressBarDropdown** @@ -45,6 +157,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.  @@ -60,6 +182,7 @@ ms.date: 08/30/2017 +


**Browser/AllowAutofill** @@ -86,6 +209,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether autofill on websites is allowed. @@ -105,6 +238,7 @@ ms.date: 08/30/2017 +


**Browser/AllowBrowser** @@ -131,6 +265,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. @@ -149,6 +293,7 @@ ms.date: 08/30/2017 +
**Browser/AllowCookies** @@ -175,6 +320,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether cookies are allowed. @@ -194,6 +349,7 @@ ms.date: 08/30/2017 +


**Browser/AllowDeveloperTools** @@ -220,6 +376,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -236,6 +402,7 @@ ms.date: 08/30/2017 +
**Browser/AllowDoNotTrack** @@ -262,6 +429,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether Do Not Track headers are allowed. @@ -281,6 +458,7 @@ ms.date: 08/30/2017 +


**Browser/AllowExtensions** @@ -307,6 +485,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. @@ -317,6 +505,7 @@ ms.date: 08/30/2017 +


**Browser/AllowFlash** @@ -343,6 +532,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. @@ -353,6 +552,7 @@ ms.date: 08/30/2017 +


**Browser/AllowFlashClickToRun** @@ -379,6 +579,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. @@ -389,6 +599,7 @@ ms.date: 08/30/2017 +


**Browser/AllowInPrivate** @@ -415,6 +626,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether InPrivate browsing is allowed on corporate networks. @@ -427,6 +648,7 @@ ms.date: 08/30/2017 +


**Browser/AllowMicrosoftCompatibilityList** @@ -453,6 +675,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". @@ -468,6 +700,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +


**Browser/AllowPasswordManager** @@ -494,6 +727,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether saving and managing passwords locally on the device is allowed. @@ -513,6 +756,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +


**Browser/AllowPopups** @@ -539,6 +783,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether pop-up blocker is allowed or enabled. @@ -558,6 +812,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +


**Browser/AllowSearchEngineCustomization** @@ -584,6 +839,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.     @@ -598,6 +863,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +


**Browser/AllowSearchSuggestionsinAddressBar** @@ -624,6 +890,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether search suggestions are allowed in the address bar. @@ -636,6 +912,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +


**Browser/AllowSmartScreen** @@ -662,6 +939,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether Windows Defender SmartScreen is allowed. @@ -681,9 +968,20 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +


**Browser/AlwaysEnableBooksLibrary** + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

@@ -691,6 +989,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +


**Browser/ClearBrowsingDataOnExit** @@ -717,6 +1016,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. @@ -735,6 +1044,7 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis +


**Browser/ConfigureAdditionalSearchEngines** @@ -761,6 +1071,16 @@ By default, the Microsoft compatibility list is enabled and can be viewed by vis + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.    @@ -781,6 +1101,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/DisableLockdownOfStartPages** @@ -807,6 +1128,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.     @@ -825,6 +1156,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/EnterpriseModeSiteList** @@ -851,6 +1183,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -865,6 +1207,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/EnterpriseSiteListServiceUrl** @@ -891,12 +1234,23 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!IMPORTANT] > This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). +
**Browser/FirstRunURL** @@ -923,6 +1277,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -936,6 +1300,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/HomePages** @@ -962,6 +1327,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -977,6 +1352,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/LockdownFavorites** @@ -1003,6 +1379,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1709. This policy setting lets you decide whether employees can add, import, sort, or edit the Favorites list on Microsoft Edge. @@ -1022,6 +1408,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** @@ -1048,6 +1435,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. @@ -1058,6 +1455,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/PreventFirstRunPage** @@ -1084,6 +1482,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. @@ -1096,6 +1504,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/PreventLiveTileDataCollection** @@ -1122,6 +1531,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. @@ -1134,6 +1553,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/PreventSmartScreenPromptOverride** @@ -1160,6 +1580,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. @@ -1172,6 +1602,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/PreventSmartScreenPromptOverrideForFiles** @@ -1198,6 +1629,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. @@ -1208,6 +1649,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/PreventUsingLocalHostIPAddressForWebRTC** @@ -1234,6 +1676,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1248,6 +1700,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/ProvisionFavorites** @@ -1274,6 +1727,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1709. This policy setting allows you to configure a default set of favorites, which will appear for employees. Employees cannot modify, sort, move, export or delete these provisioned favorites. Specify the URL which points to the file that has all the data for provisioning favorites (in html format). You can export a set of favorites from Edge and use that html file for provisioning user machines.   @@ -1292,6 +1755,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/SendIntranetTraffictoInternetExplorer** @@ -1318,6 +1782,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1334,6 +1808,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/SetDefaultSearchEngine** @@ -1360,6 +1835,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. @@ -1379,6 +1864,7 @@ Employees cannot remove these search engines, but they can set any one as the de +


**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** @@ -1405,6 +1891,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. @@ -1421,6 +1917,7 @@ Employees cannot remove these search engines, but they can set any one as the de +
**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** @@ -1447,6 +1944,16 @@ Employees cannot remove these search engines, but they can set any one as the de + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ +

Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. diff --git a/windows/client-management/mdm/policy-csp-camera.md b/windows/client-management/mdm/policy-csp-camera.md index ca7b98ecc5..ce33fa4faa 100644 --- a/windows/client-management/mdm/policy-csp-camera.md +++ b/windows/client-management/mdm/policy-csp-camera.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Camera @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## Camera policies +
+
+ Camera/AllowCamera +
+
+ +
**Camera/AllowCamera** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Disables or enables the camera. diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index b1c206e118..183748ec41 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Cellular @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## Cellular policies +
+
+ Cellular/ShowAppCellularAccessUI +
+
+ +
**Cellular/ShowAppCellularAccessUI** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 5ffa503ab6..415ebf1eac 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Connectivity @@ -14,11 +14,54 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Connectivity policies +
+
+ Connectivity/AllowBluetooth +
+
+ Connectivity/AllowCellularData +
+
+ Connectivity/AllowCellularDataRoaming +
+
+ Connectivity/AllowConnectedDevices +
+
+ Connectivity/AllowNFC +
+
+ Connectivity/AllowUSBConnection +
+
+ Connectivity/AllowVPNOverCellular +
+
+ Connectivity/AllowVPNRoamingOverCellular +
+
+ Connectivity/DiablePrintingOverHTTP +
+
+ Connectivity/DisableDownloadingOfPrintDriversOverHTTP +
+
+ Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards +
+
+ Connectivity/HardenedUNCPaths +
+
+ Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge +
+
+ +
**Connectivity/AllowBluetooth** @@ -45,6 +88,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Allows the user to enable Bluetooth or restrict access. @@ -64,6 +116,7 @@ ms.date: 08/30/2017 +


**Connectivity/AllowCellularData** @@ -90,6 +143,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. @@ -101,6 +163,7 @@ ms.date: 08/30/2017 +


**Connectivity/AllowCellularDataRoaming** @@ -127,6 +190,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. @@ -148,6 +220,7 @@ ms.date: 08/30/2017 +


**Connectivity/AllowConnectedDevices** @@ -174,6 +247,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy requires reboot to take effect. @@ -187,6 +269,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowNFC** @@ -213,6 +296,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -229,6 +321,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowUSBConnection** @@ -255,6 +348,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. @@ -273,6 +375,7 @@ ms.date: 08/30/2017 +
**Connectivity/AllowVPNOverCellular** @@ -299,6 +402,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Specifies what type of underlying connections VPN is allowed to use. @@ -311,6 +423,7 @@ ms.date: 08/30/2017 +


**Connectivity/AllowVPNRoamingOverCellular** @@ -337,6 +450,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Prevents the device from connecting to VPN when the device roams over cellular networks. @@ -349,6 +471,7 @@ ms.date: 08/30/2017 +


**Connectivity/DiablePrintingOverHTTP** @@ -375,6 +498,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -393,6 +525,7 @@ ADMX Info: +
**Connectivity/DisableDownloadingOfPrintDriversOverHTTP** @@ -419,6 +552,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -437,6 +579,7 @@ ADMX Info: +
**Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards** @@ -463,6 +606,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] @@ -481,6 +633,7 @@ ADMX Info: +
**Connectivity/HardenedUNCPaths** @@ -507,6 +660,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting configures secure access to UNC paths. @@ -529,6 +691,7 @@ ADMX Info: +
**Connectivity/ProhibitInstallationAndConfigurationOfNetworkBridge** @@ -555,6 +718,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!TIP] diff --git a/windows/client-management/mdm/policy-csp-credentialproviders.md b/windows/client-management/mdm/policy-csp-credentialproviders.md index e253febdf8..5274de917b 100644 --- a/windows/client-management/mdm/policy-csp-credentialproviders.md +++ b/windows/client-management/mdm/policy-csp-credentialproviders.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - CredentialProviders @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## CredentialProviders policies +
+
+ CredentialProviders/AllowPINLogon +
+
+ CredentialProviders/BlockPicturePassword +
+
+ CredentialProviders/DisableAutomaticReDeploymentCredentials +
+
+ +
**CredentialProviders/AllowPINLogon** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to control whether a domain user can sign in using a convenience PIN. @@ -73,6 +95,7 @@ ADMX Info: +
**CredentialProviders/BlockPicturePassword** @@ -99,6 +122,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting allows you to control whether a domain user can sign in using a picture password. @@ -125,6 +157,7 @@ ADMX Info: +
**CredentialProviders/DisableAutomaticReDeploymentCredentials** @@ -151,6 +184,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1709. Boolean policy to disable the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. diff --git a/windows/client-management/mdm/policy-csp-credentialsui.md b/windows/client-management/mdm/policy-csp-credentialsui.md index 15d68cf69e..1b7955f4e5 100644 --- a/windows/client-management/mdm/policy-csp-credentialsui.md +++ b/windows/client-management/mdm/policy-csp-credentialsui.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - CredentialsUI @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## CredentialsUI policies +
+
+ CredentialsUI/DisablePasswordReveal +
+
+ CredentialsUI/EnumerateAdministrators +
+
+ +
**CredentialsUI/DisablePasswordReveal** @@ -45,6 +55,16 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + This policy setting allows you to configure the display of the password reveal button in password entry user experiences. @@ -73,6 +93,7 @@ ADMX Info: +
**CredentialsUI/EnumerateAdministrators** @@ -99,6 +120,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. diff --git a/windows/client-management/mdm/policy-csp-cryptography.md b/windows/client-management/mdm/policy-csp-cryptography.md index eef7cdeba4..9c5f328c19 100644 --- a/windows/client-management/mdm/policy-csp-cryptography.md +++ b/windows/client-management/mdm/policy-csp-cryptography.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Cryptography @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Cryptography policies +
+
+ Cryptography/AllowFipsAlgorithmPolicy +
+
+ Cryptography/TLSCipherSuites +
+
+ +
**Cryptography/AllowFipsAlgorithmPolicy** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Allows or disallows the Federal Information Processing Standard (FIPS) policy. @@ -55,6 +74,7 @@ ms.date: 08/30/2017 +


**Cryptography/TLSCipherSuites** @@ -81,6 +101,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index edba750722..1261f2c311 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DataProtection @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -


+ ## DataProtection policies +
+
+ DataProtection/AllowDirectMemoryAccess +
+
+ DataProtection/LegacySelectiveWipeID +
+
+ +
**DataProtection/AllowDirectMemoryAccess** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +

This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. @@ -57,6 +76,7 @@ ms.date: 08/30/2017 +


**DataProtection/LegacySelectiveWipeID** @@ -83,6 +103,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!IMPORTANT] > This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index a8724cc2f6..540a7d26a6 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DataUsage @@ -14,11 +14,21 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## DataUsage policies +
+
+ DataUsage/SetCost3G +
+
+ DataUsage/SetCost4G +
+
+ +
**DataUsage/SetCost3G** @@ -45,6 +55,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting configures the cost of 3G connections on the local machine. @@ -75,6 +94,7 @@ ADMX Info: +
**DataUsage/SetCost4G** @@ -101,6 +121,15 @@ ADMX Info: + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + This policy setting configures the cost of 4G connections on the local machine. diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 3f35e2d4eb..9d75a9f6fa 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Defender @@ -14,11 +14,120 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Defender policies +
+
+ Defender/AllowArchiveScanning +
+
+ Defender/AllowBehaviorMonitoring +
+
+ Defender/AllowCloudProtection +
+
+ Defender/AllowEmailScanning +
+
+ Defender/AllowFullScanOnMappedNetworkDrives +
+
+ Defender/AllowFullScanRemovableDriveScanning +
+
+ Defender/AllowIOAVProtection +
+
+ Defender/AllowIntrusionPreventionSystem +
+
+ Defender/AllowOnAccessProtection +
+
+ Defender/AllowRealtimeMonitoring +
+
+ Defender/AllowScanningNetworkFiles +
+
+ Defender/AllowScriptScanning +
+
+ Defender/AllowUserUIAccess +
+
+ Defender/AttackSurfaceReductionOnlyExclusions +
+
+ Defender/AttackSurfaceReductionRules +
+
+ Defender/AvgCPULoadFactor +
+
+ Defender/CloudBlockLevel +
+
+ Defender/CloudExtendedTimeout +
+
+ Defender/ControlledFolderAccessAllowedApplications +
+
+ Defender/ControlledFolderAccessProtectedFolders +
+
+ Defender/DaysToRetainCleanedMalware +
+
+ Defender/EnableControlledFolderAccess +
+
+ Defender/EnableNetworkProtection +
+
+ Defender/ExcludedExtensions +
+
+ Defender/ExcludedPaths +
+
+ Defender/ExcludedProcesses +
+
+ Defender/PUAProtection +
+
+ Defender/RealTimeScanDirection +
+
+ Defender/ScanParameter +
+
+ Defender/ScheduleQuickScanTime +
+
+ Defender/ScheduleScanDay +
+
+ Defender/ScheduleScanTime +
+
+ Defender/SignatureUpdateInterval +
+
+ Defender/SubmitSamplesConsent +
+
+ Defender/ThreatSeverityDefaultAction +
+
+ +
**Defender/AllowArchiveScanning** @@ -45,6 +154,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -59,6 +177,7 @@ ms.date: 08/30/2017 +
**Defender/AllowBehaviorMonitoring** @@ -85,6 +204,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -99,6 +227,7 @@ ms.date: 08/30/2017 +
**Defender/AllowCloudProtection** @@ -125,6 +254,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -139,6 +277,7 @@ ms.date: 08/30/2017 +
**Defender/AllowEmailScanning** @@ -165,6 +304,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -179,6 +327,7 @@ ms.date: 08/30/2017 +
**Defender/AllowFullScanOnMappedNetworkDrives** @@ -205,6 +354,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -219,6 +377,7 @@ ms.date: 08/30/2017 +
**Defender/AllowFullScanRemovableDriveScanning** @@ -245,6 +404,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -259,6 +427,7 @@ ms.date: 08/30/2017 +
**Defender/AllowIOAVProtection** @@ -285,6 +454,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -299,6 +477,7 @@ ms.date: 08/30/2017 +
**Defender/AllowIntrusionPreventionSystem** @@ -325,6 +504,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -339,6 +527,7 @@ ms.date: 08/30/2017 +
**Defender/AllowOnAccessProtection** @@ -365,6 +554,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -379,6 +577,7 @@ ms.date: 08/30/2017 +
**Defender/AllowRealtimeMonitoring** @@ -405,6 +604,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -419,6 +627,7 @@ ms.date: 08/30/2017 +
**Defender/AllowScanningNetworkFiles** @@ -445,6 +654,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -459,6 +677,7 @@ ms.date: 08/30/2017 +
**Defender/AllowScriptScanning** @@ -485,6 +704,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -499,6 +727,7 @@ ms.date: 08/30/2017 +
**Defender/AllowUserUIAccess** @@ -525,6 +754,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -539,6 +777,7 @@ ms.date: 08/30/2017 +
**Defender/AttackSurfaceReductionOnlyExclusions** @@ -565,6 +804,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -576,6 +824,7 @@ ms.date: 08/30/2017 +
**Defender/AttackSurfaceReductionRules** @@ -602,6 +851,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -615,6 +873,7 @@ ms.date: 08/30/2017 +
**Defender/AvgCPULoadFactor** @@ -641,6 +900,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -654,6 +922,7 @@ ms.date: 08/30/2017 +
**Defender/CloudBlockLevel** @@ -680,6 +949,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -703,6 +981,7 @@ ms.date: 08/30/2017 +
**Defender/CloudExtendedTimeout** @@ -729,6 +1008,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -744,6 +1032,7 @@ ms.date: 08/30/2017 +
**Defender/ControlledFolderAccessAllowedApplications** @@ -770,6 +1059,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersAllowedApplications and changed to ControlledFolderAccessAllowedApplications. @@ -778,6 +1076,7 @@ ms.date: 08/30/2017 +
**Defender/ControlledFolderAccessProtectedFolders** @@ -804,6 +1103,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was GuardedFoldersList and changed to ControlledFolderAccessProtectedFolders. @@ -812,6 +1120,7 @@ ms.date: 08/30/2017 +
**Defender/DaysToRetainCleanedMalware** @@ -838,6 +1147,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -851,6 +1169,7 @@ ms.date: 08/30/2017 +
**Defender/EnableControlledFolderAccess** @@ -877,6 +1196,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. The previous name was EnableGuardMyFolders and changed to EnableControlledFolderAccess. @@ -889,6 +1217,7 @@ ms.date: 08/30/2017 +
**Defender/EnableNetworkProtection** @@ -915,6 +1244,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -935,6 +1273,7 @@ ms.date: 08/30/2017 +
**Defender/ExcludedExtensions** @@ -961,6 +1300,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -970,6 +1318,7 @@ ms.date: 08/30/2017 +
**Defender/ExcludedPaths** @@ -996,6 +1345,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1005,6 +1363,7 @@ ms.date: 08/30/2017 +
**Defender/ExcludedProcesses** @@ -1031,6 +1390,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1046,6 +1414,7 @@ ms.date: 08/30/2017 +
**Defender/PUAProtection** @@ -1072,6 +1441,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1087,6 +1465,7 @@ ms.date: 08/30/2017 +
**Defender/RealTimeScanDirection** @@ -1113,6 +1492,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1132,6 +1520,7 @@ ms.date: 08/30/2017 +
**Defender/ScanParameter** @@ -1158,6 +1547,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1172,6 +1570,7 @@ ms.date: 08/30/2017 +
**Defender/ScheduleQuickScanTime** @@ -1198,6 +1597,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1217,6 +1625,7 @@ ms.date: 08/30/2017 +
**Defender/ScheduleScanDay** @@ -1243,6 +1652,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1268,6 +1686,7 @@ ms.date: 08/30/2017 +
**Defender/ScheduleScanTime** @@ -1294,6 +1713,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1313,6 +1741,7 @@ ms.date: 08/30/2017 +
**Defender/SignatureUpdateInterval** @@ -1339,6 +1768,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1354,6 +1792,7 @@ ms.date: 08/30/2017 +
**Defender/SubmitSamplesConsent** @@ -1380,6 +1819,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. @@ -1396,6 +1844,7 @@ ms.date: 08/30/2017 +
**Defender/ThreatSeverityDefaultAction** @@ -1422,6 +1871,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 for desktop. diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md index e352718a5d..f001c4ea3e 100644 --- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md +++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DeliveryOptimization @@ -14,11 +14,63 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## DeliveryOptimization policies +
+
+ DeliveryOptimization/DOAbsoluteMaxCacheSize +
+
+ DeliveryOptimization/DOAllowVPNPeerCaching +
+
+ DeliveryOptimization/DODownloadMode +
+
+ DeliveryOptimization/DOGroupId +
+
+ DeliveryOptimization/DOMaxCacheAge +
+
+ DeliveryOptimization/DOMaxCacheSize +
+
+ DeliveryOptimization/DOMaxDownloadBandwidth +
+
+ DeliveryOptimization/DOMaxUploadBandwidth +
+
+ DeliveryOptimization/DOMinBackgroundQos +
+
+ DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload +
+
+ DeliveryOptimization/DOMinDiskSizeAllowedToPeer +
+
+ DeliveryOptimization/DOMinFileSizeToCache +
+
+ DeliveryOptimization/DOMinRAMAllowedToPeer +
+
+ DeliveryOptimization/DOModifyCacheDrive +
+
+ DeliveryOptimization/DOMonthlyUploadDataCap +
+
+ DeliveryOptimization/DOPercentageMaxDownloadBandwidth +
+
+ +
**DeliveryOptimization/DOAbsoluteMaxCacheSize** @@ -45,6 +97,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -56,6 +117,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOAllowVPNPeerCaching** @@ -82,6 +144,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -93,6 +164,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DODownloadMode** @@ -119,6 +191,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -137,6 +218,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOGroupId** @@ -163,6 +245,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -175,6 +266,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMaxCacheAge** @@ -201,6 +293,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -212,6 +313,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMaxCacheSize** @@ -238,6 +340,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -249,6 +360,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMaxDownloadBandwidth** @@ -275,6 +387,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -286,6 +407,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMaxUploadBandwidth** @@ -312,6 +434,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -323,6 +454,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinBackgroundQos** @@ -349,6 +481,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -360,6 +501,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** @@ -386,6 +528,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -396,6 +547,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** @@ -422,6 +574,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -436,6 +597,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinFileSizeToCache** @@ -462,6 +624,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -473,6 +644,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMinRAMAllowedToPeer** @@ -499,6 +671,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -510,6 +691,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOModifyCacheDrive** @@ -536,6 +718,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -547,6 +738,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOMonthlyUploadDataCap** @@ -573,6 +765,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. @@ -586,6 +787,7 @@ ms.date: 08/30/2017 +
**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** @@ -612,6 +814,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + > [!NOTE] > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. diff --git a/windows/client-management/mdm/policy-csp-desktop.md b/windows/client-management/mdm/policy-csp-desktop.md index 8a3b89d0f5..8d89bebfb5 100644 --- a/windows/client-management/mdm/policy-csp-desktop.md +++ b/windows/client-management/mdm/policy-csp-desktop.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - Desktop @@ -14,11 +14,18 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## Desktop policies +
+
+ Desktop/PreventUserRedirectionOfProfileFolders +
+
+ +
**Desktop/PreventUserRedirectionOfProfileFolders** @@ -45,6 +52,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + Prevents users from changing the path to their profile folders. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index df77a218e7..b45125a146 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 08/30/2017 +ms.date: 09/29/2017 --- # Policy CSP - DeviceGuard @@ -14,11 +14,24 @@ ms.date: 08/30/2017 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -
+ ## DeviceGuard policies +
+
+ DeviceGuard/EnableVirtualizationBasedSecurity +
+
+ DeviceGuard/LsaCfgFlags +
+
+ DeviceGuard/RequirePlatformSecurityFeatures +
+
+ +
**DeviceGuard/EnableVirtualizationBasedSecurity** @@ -45,6 +58,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +  

Added in Windows 10, version 1709. Turns on virtualization based security(VBS) at the next reboot. virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer. Supported values: @@ -55,6 +77,7 @@ ms.date: 08/30/2017 +


**DeviceGuard/LsaCfgFlags** @@ -81,6 +104,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ +  

Added in Windows 10, version 1709. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. Supported values: @@ -93,6 +125,7 @@ ms.date: 08/30/2017 +


**DeviceGuard/RequirePlatformSecurityFeatures** @@ -119,6 +152,15 @@ ms.date: 08/30/2017 + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + Added in Windows 10, version 1709. Specifies the platform security level at the next reboot. Value type is integer. Supported values:
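Review bot: in policy-csp-deliveryoptimization.md the edition note is not consistent across policies that now all carry the same Device scope block. DOMinBatteryPercentageAllowedToUpload, DOMinDiskSizeAllowedToPeer, DOMinFileSizeToCache and DOMinRAMAllowedToPeer read "Windows 10 Pro, Business, Enterprise, and Education editions", while the other policies in the file omit Business. Since this change touches every policy section in the file, confirm which edition list is correct and align the notes, or say in the text why those four differ.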
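Review bot: in the DeviceGuard/EnableVirtualizationBasedSecurity section of policy-csp-deviceguard.md, the description directly under the new scope block reads "virtualization based security(VBS)" and then starts the next sentence with lowercase "virtualization based security", while LsaCfgFlags in the same file writes "virtualization-based security". Suggest fixing this while the section is being edited: "Turns on virtualization-based security (VBS) at the next reboot. Virtualization-based security uses the Windows Hypervisor to provide support for security services."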
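Review bot: the scope block added for DeviceGuard/LsaCfgFlags says Device, but the description that follows it says "This setting lets users turn on Credential Guard". Next to a device scope, that wording can be read as giving end users a toggle for a credential-protection control. Suggest rewording the description to say what the policy does when applied, for example "Turns on Credential Guard with virtualization-based security to help protect credentials at next reboot", so the scope and the description agree.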