Merge branch 'main' into ADO-9517656-Update-for-Business

Gary Moore 2025-02-03 10:06:25 -08:00
commit fe5dd4515f
237 changed files with 9668 additions and 947 deletions

@ -39,7 +39,7 @@ For more information about the exception criteria and exception process, see [Mi
Select the total score link to review all feedback on clarity, consistency, tone, brand, terms, spelling, grammar, readability, and inclusive language. _You should fix all spelling errors regardless of your total score_. Fixing spelling errors helps maintain customer trust in overall content quality.
| Article | Total score<br>(Required: 80) | Words + phrases<br>(Brand, terms) | Correctness<br>(Spelling, grammar) | Clarity<br>(Readability) |
| Article | Total score<br>(Required: 80) | Terminology | Spelling and Grammar| Clarity<br>(Readability) |
|---------|:--------------:|:--------------------:|:------:|:---------:|
"

.github/workflows/BuildValidation.yml vendored Normal file

@ -0,0 +1,21 @@
name: PR has no warnings or errors
permissions:
pull-requests: write
statuses: write
on:
issue_comment:
types: [created]
jobs:
build-status:
uses: MicrosoftDocs/microsoft-365-docs/.github/workflows/Shared-BuildValidation.yml@workflows-prod
with:
PayloadJson: ${{ toJSON(github) }}
secrets:
AccessToken: ${{ secrets.GITHUB_TOKEN }}
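Review bot: the `uses:` line pins the reusable workflow to the branch ref `@workflows-prod`, so whatever that branch holds at run time executes here with `pull-requests: write` and `statuses: write`; pin it to a full commit SHA instead. The `issue_comment` trigger with `types: [created]` has no filter visible in this file, so any new comment on any issue or pull request starts the job, and `PayloadJson: ${{ toJSON(github) }}` forwards the whole context, comment body included, to the called workflow. The `github` context also carries `github.token`, so the token travels in the plain `PayloadJson` input as well as in the `AccessToken` secret. Confirm that the called workflow gates on who commented and treats the payload as untrusted input, or pass only the fields it needs.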

@ -5,6 +5,11 @@
"redirect_url": "/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt",
"redirect_document_id": false
},
{
"source_path": "windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md",
"redirect_url": "/windows/security/application-security/application-isolation/windows-sandbox/index",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md",
"redirect_url": "/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity",

@ -6,7 +6,7 @@ Anyone who is interested can contribute to the topics. When you contribute, your
### Quickly update an article using GitHub.com
Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://www.microsoft.com/videoplayer/embed/RE1XQTG) also covers how to contribute.
Contributors who only make infrequent or small updates can edit the file directly on GitHub.com without having to install any additional software. This article shows you how. [This two-minute video](https://learn-video.azurefd.net/vod/player?id=b5167c5a-9c69-499b-99ac-e5467882bc92) also covers how to contribute.
1. Make sure you're signed in to GitHub.com with your GitHub account.
2. Browse to the page you want to edit on Microsoft Learn.
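Review bot: the replacement link for "This two-minute video" targets `learn-video.azurefd.net`, a hostname under the shared Azure Front Door domain rather than a microsoft.com or learn.microsoft.com host, so a reader cannot tell from the URL who operates it. If a first-party hostname serves the same player, link that instead; the same applies to the `[!VIDEO ...]` change later in this commit.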

@ -1,7 +1,7 @@
---
title: Configure federated sign-in for Windows devices
description: Learn how federated sign-in in Windows works and how to configure it.
ms.date: 06/03/2024
ms.date: 01/27/2025
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>

@ -54,7 +54,7 @@ To create supplemental policies, download and install the [WDAC Policy Wizard][E
The following video provides an overview and explains how to create supplemental policies for apps blocked by the Windows 11 SE base policy.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RWWReO]
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=1eedb284-5592-43e7-9446-ce178953502d]
### Create a supplemental policy for Win32 apps

@ -0,0 +1,8 @@
---
author: TerryWarwick
ms.author: twarwick
ms-topic: include
ms.date: 09/30/2024
---
**Supported Editions** </br> ✅ IoT Enterprise LTSC</br>✅ IoT Enterprise</br>✅ Enterprise LTSC</br>✅ Enterprise</br>✅ Education
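Review bot: the front matter key in this new include is `ms-topic: include`, while the other files in this commit spell it `ms.topic` (for example `ms.topic: how-to`); with the hyphen the key is probably not read as the topic type, so change it to `ms.topic`. The body line also uses `</br>`, which is not a valid tag; use `<br>`, and make the spacing around the breaks consistent.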

@ -1,9 +1,9 @@
---
title: Updated Windows and Microsoft Copilot experience
title: Updated Windows and Microsoft 365 Copilot Chat experience
description: Learn about changes to the Copilot in Windows experience for commercial environments and how to configure it for your organization.
ms.topic: overview
ms.subservice: windows-copilot
ms.date: 12/12/2024
ms.date: 01/28/2025
ms.author: mstewart
author: mestew
ms.collection:
@ -13,60 +13,60 @@ appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11, version 22H2 or later</a>
---
# Updated Windows and Microsoft Copilot experience
# Updated Windows and Microsoft 365 Copilot Chat experience
<!--8445848, 9294806-->
>**Looking for consumer information?** See [Welcome to Copilot in Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft Copilot experiences?** See [Understanding the different Microsoft Copilot experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842).
>**Looking for consumer information?** See [Welcome to Copilot on Windows](https://support.microsoft.com/topic/675708af-8c16-4675-afeb-85a5a476ccb0). **Looking for more information on Microsoft 365 Copilot Chat experiences?** See [Understanding the different Microsoft 365 Copilot Chat experiences](https://support.microsoft.com/topic/cfff4791-694a-4d90-9c9c-1eb3fb28e842).
## Enhanced data protection with enterprise data protection
The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft Copilot will offer enterprise data protection](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) at no additional cost and redirect users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Copilot for Microsoft 365 and Microsoft Copilot. This means that security, privacy, compliance controls and commitments available for Copilot for Microsoft 365 will extend to Microsoft Copilot prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers - not only for Copilot for Microsoft 365, but also for emails in Exchange and files in SharePoint. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft Copilot updates and enterprise data protection FAQ](/copilot/edpfaq).
The Copilot experience on Windows is changing to enhance data security, privacy, compliance, and simplify the user experience, for users signed in with a Microsoft Entra work or school account. [Microsoft 365 Copilot Chat](https://techcommunity.microsoft.com/t5/copilot-for-microsoft-365/updates-to-microsoft-copilot-to-bring-enterprise-data-protection/ba-p/4217152) is available at no additional cost and it redirects users to a new simplified interface designed for work and education. [Enterprise data protection (EDP)](/copilot/microsoft-365/enterprise-data-protection) refers to controls and commitments, under the Data Protection Addendum and Product Terms, that apply to customer data for users of Microsoft 365 Copilot and Microsoft 365 Copilot Chat. This means that security, privacy, compliance controls and commitments available for Microsoft 365 Copilot will extend to Microsoft 365 Copilot Chat prompts and responses. Prompts and responses are protected by the same terms and commitments that are widely trusted by our customers. This is an improvement on top of the previous commercial data protection (CDP) promise. This update is rolling out now. For more information, see the [Microsoft 365 Copilot Chat updates and enterprise data protection FAQ](/copilot/edpfaq).
> [!IMPORTANT]
> To streamline the user experience, updates to the Copilot entry points in Windows are being made for users. **Copilot in Windows (preview) will be removed from Windows**. The experience will slightly vary depending on whether your organization has already opted into using Copilot in Windows (preview) or not.
## Copilot in Windows (preview) isn't enabled
If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither the Microsoft Copilot app nor the Microsoft 365 app are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
If your organization hasn't enabled Copilot in Windows (preview), your existing preferences are respected. Neither Microsoft 365 Copilot Chat or the Microsoft 365 Copilot app (formerly the Microsoft 365 app) are pinned to the taskbar. To prepare for the eventual removal of the [Copilot in Windows policy](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot), admins should [set pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
> [!NOTE]
> Although we won't be pinning any app to the taskbar by default, IT has the capability to use policies to enforce their preferred app pinning.
## Copilot in Windows (preview) is enabled
If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your users moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 app to the taskbar in Windows. Rather, we ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
If you had previously activated Copilot in Windows (in preview) for your workforce, we want to thank you for your enthusiasm. To provide the best Copilot experience for your users moving forward, and support greater efficiency and productivity, we won't automatically pin the Microsoft 365 Copilot app to the taskbar in Windows. Rather, we ensure that you have control over how you enable the Copilot experience within your organization. Our focus remains on empowering IT to seamlessly manage AI experiences and adopt those experiences at a pace that suits your organizational needs.
If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar.
If you have already activated Copilot in Windows (preview) - and want your users to have uninterrupted access to Copilot on the taskbar after the update - use the [configuration options](/windows/configuration/taskbar/?pivots=windows-11) to pin the Microsoft 365 Copilot app to the taskbar as Copilot in Windows (preview) icon will be removed from the taskbar.
## Users signing in to new PCs with Microsoft Entra accounts
For users signing in to new PCs with work or school accounts, the following experience occurs:
- The Microsoft 365 app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc.
- Users that have the Microsoft 365 Copilot license have Microsoft Copilot pinned by default inside the Microsoft 365 app.
- Within the Microsoft 365 app, the Microsoft Copilot icon is situated next to the home button.
- Microsoft Copilot (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license.
- Microsoft Copilot is available at no additional cost to customers with a Microsoft Entra account. Microsoft Copilot is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat.
- For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft Copilot and the work scoped chat capabilities of Microsoft 365 Copilot.
- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft Copilot to ensure they have easy access to Copilot. To set the default behavior, admins should [set Microsoft Copilot pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
- If admins elect not to pin Copilot and indicate that users can be asked, users will be asked to pin it themselves in the Microsoft 365 app, Outlook, and Teams.
- If admins elect not to pin Microsoft Copilot and indicate that users can't be asked, Microsoft Copilot won't be available via the Microsoft 365 app, Outlook, or Teams. Users have access to Microsoft Copilot from <www.microsoft.com/copilot> unless that URL is blocked by the IT admin.
- If the admins make no selection, users will be asked to pin Microsoft Copilot by themselves for easy access.
- The Microsoft 365 Copilot app is pinned to the taskbar - this is the app comes preinstalled with Windows and includes convenient access to Office apps such as Word, PowerPoint, etc.
- Users that have the Microsoft 365 Copilot license have Microsoft 365 Copilot Chat pinned by default inside the Microsoft 365 Copilot app.
- Within the Microsoft 365 Copilot app, the Microsoft 365 Copilot Chat icon is situated next to the home button.
- Microsoft 365 Copilot Chat (`web` grounding chat) isn't the same as Microsoft 365 Copilot (`web` and `work` scope), which is a separate add-on license.
- Microsoft 365 Copilot Chat is available at no additional cost to customers with a Microsoft Entra account. Microsoft 365 Copilot Chat is the entry point for Copilot at work. While the Copilot chat experience helps users ground their conversations in web data, Microsoft 365 Copilot allows users to incorporate both web and work data they have access to into their conversations by switching between work and web modes in Business Chat.
- For users with the Microsoft 365 Copilot license, they can toggle between the web grounding-based chat capabilities of Microsoft 365 Copilot Chat and the work scoped chat capabilities of Microsoft 365 Copilot.
- Customers that don't have a license for Microsoft 365 Copilot are asked if they want to pin Microsoft 365 Copilot Chat to ensure they have easy access to Copilot. To set the default behavior, admins should [set taskbar pinning options](/copilot/microsoft-365/pin-copilot) in the Microsoft 365 admin center.
- If admins elect not to pin Copilot and indicate that users can be asked, users will be asked to pin it themselves in the Microsoft 365 Copilot app, Outlook, and Teams.
- If admins elect not to pin Microsoft 365 Copilot Chat and indicate that users can't be asked, Microsoft 365 Copilot Chat won't be available via the Microsoft 365 Copilot app, Outlook, or Teams. Users have access to Microsoft 365 Copilot Chat from <www.microsoft.com/copilot> unless that URL is blocked by the IT admin.
- If the admins make no selection, users will be asked to pin Microsoft 365 Copilot Chat by themselves for easy access.
## When will this happen?
The update to Microsoft Copilot to offer enterprise data protection is rolling out now.
The shift to the Microsoft 365 app as the entry point for Microsoft Copilot with enterprise data protection (EDP) is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
The update to Microsoft 365 Copilot Chat to offer enterprise data protection is rolling out now.
The shift to Microsoft 365 Copilot Chat is coming soon. Changes will be rolled out to managed PCs starting with the September 2024 optional nonsecurity preview release, and following with the October 2024 monthly security update for all supported versions of Windows 11. These changes will be applied to Windows 10 PCs the month after. This update is replacing the current Copilot in Windows experience.
The Microsoft Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
The Copilot app will be automatically enabled after you install the Windows updates listed above if you haven't previously enabled a group policy to prevent the installation of Copilot. The [AppLocker policy](/windows/security/application-security/application-control/app-control-for-business/applocker/applocker-overview) is available to control this Copilot experience before installing these Windows updates mentioned above or any subsequent Windows updates.
Note that the Microsoft Copilot app doesn't support Microsoft Entra authentication and users trying to sing in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 app to enable easy access.
Note that the Copilot app, which is a consumer experience, doesn't support Microsoft Entra authentication and users trying to sign in to the app using a Microsoft Entra account will be redirected to https://copilot.cloud.microsoft/ in their default browser. For users authenticating with a Microsoft Entra account, they should access Copilot through the Microsoft 365 Copilot app as the entry point. We recommend you pin Copilot to the navigation bar of the Microsoft 365 Copilot app to enable easy access.
## Policy information for previous Copilot in Windows (preview) experience
Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft Copilot within the Microsoft 365 app in the Microsoft 365 admin center.
Admins should configure the [pinning options](/copilot/microsoft-365/pin-copilot) to enable access to Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app in the Microsoft 365 admin center.
The following policy to manage Copilot in Windows (preview) will be removed in the future and is considered a legacy policy:
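Review bot: in the "Copilot in Windows (preview) isn't enabled" paragraph the new sentence reads `Neither Microsoft 365 Copilot Chat or the Microsoft 365 Copilot app ... are pinned`; the removed line had "Neither ... nor", so restore `nor`. The new first bullet under "Users signing in to new PCs with Microsoft Entra accounts" carries over "this is the app comes preinstalled", which needs "that" after "app". The link text `Microsoft 365 Copilot Chat` in the first paragraph still points at the tech community post whose URL names the Microsoft Copilot update, so check that the target still matches the renamed product.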
@ -80,7 +80,7 @@ The following policy to manage Copilot in Windows (preview) will be removed in t
You can remove or uninstall the Copilot app from your device by using one of the following methods:
1. Enterprise users can uninstall the Copilot app by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
1. Enterprise users can uninstall the [Copilot app](https://apps.microsoft.com/detail/9NHT9RB2F4HD), which is a consumer experience, by going to **Settings** > **Apps** >**Installed Apps**. Select the three dots appearing on the right side of the app and select **Uninstall** from the dropdown list.
1. If you are an IT administrator, you can prevent installation of the app or remove the Copilot app using one of the following methods:
1. Prevent installation of the Copilot app:
@ -94,31 +94,31 @@ You can remove or uninstall the Copilot app from your device by using one of the
1. Open a Windows PowerShell window. You can do this by opening the Start menu, typing `PowerShell`, and selecting **Windows PowerShell** from the results.
1. Once the PowerShell window is open, enter the following commands:
```powershell
# Get the package full name of the Microsoft Copilot app
# Get the package full name of the Copilot app
$packageFullName = Get-AppxPackage -Name "Microsoft.Copilot" | Select-Object -ExpandProperty PackageFullName
# Remove the Microsoft Copilot app
# Remove the Copilot app
Remove-AppxPackage -Package $packageFullName
```
## Implications for the Copilot hardware key
<!--9598546-->
The Microsoft Copilot app is now available only to consumer users authenticating with a Microsoft account and won't work for commercial users authenticating with a Microsoft Entra account. With this change, IT admins need to take steps to ensure users authenticating with a Microsoft Entra account can still access Copilot with the Copilot key. Users attempting to sign in to the Copilot app with their Microsoft Entra account will be redirected to the browser version of Microsoft Copilot with enterprise data protection (https://copilot.cloud.microsoft).
The Microsoft 365 Copilot app is now available only to consumer users authenticating with a Microsoft account and won't work for commercial users authenticating with a Microsoft Entra account. With this change, IT admins need to take steps to ensure users authenticating with a Microsoft Entra account can still access Copilot with the Copilot key. Users attempting to sign in to the Copilot app with their Microsoft Entra account will be redirected to the browser version of Microsoft 365 Copilot Chat for work (https://copilot.cloud.microsoft).
For the optimal experience, enterprise customers should go to Windows client policies, such as Group Policy or Configuration Service Provider (CSP) policies to update the target of the key to the Microsoft 365 app so that users can access Copilot within the Microsoft 365 app. End users can also configure this from the **Settings** page.
For the optimal experience, enterprise customers should go to Windows client policies, such as Group Policy or Configuration Service Provider (CSP) policies to update the target of the key to the Microsoft 365 Copilot app so that users can access Copilot within the Microsoft 365 Copilot app. End users can also configure this from the **Settings** page.
The Microsoft 365 app comes preinstalled on all Windows 11 PCs. If your organization uninstalled the Microsoft 365 app, we suggest you reinstall it from the Microsoft Store or your preferred application management solution so that the Copilot key can be remapped to the Microsoft 365 app. We also suggest you [Pin Microsoft Copilot](/copilot/microsoft-365/pin-copilot) to the navigation bar of the Microsoft 365 app.
The Microsoft 365 Copilot app comes preinstalled on all Windows 11 PCs. If your organization uninstalled the Microsoft 365 Copilot app, we suggest you reinstall it from the Microsoft Store or your preferred application management solution so that the Copilot key can be remapped to the Microsoft 365 Copilot app. We also suggest you [Pin Microsoft 365 Copilot Chat](/copilot/microsoft-365/pin-copilot) to the navigation bar of the Microsoft 365 Copilot app.
To avoid confusion for users as to which entry point for Microsoft Copilot to use, we recommend you uninstall the Copilot app.
To avoid confusion for users as to which entry point for Microsoft 365 Copilot Chat to use, we recommend you uninstall the Copilot app.
Use the table below to help determine the experience for your managed organization:
| Configuration | Copilot experience | Copilot key invokes |
| ---| --- | --- |
| Copilot **not enabled** in environment | Neither Copilot in Windows (preview) nor the Microsoft Copilot app are present. | Windows Search |
| Copilot **enabled** + **do not authenticate** with Microsoft Entra | Copilot in Windows (preview) is removed and replaced by the Microsoft Copilot app, which is not pinned to the taskbar unless you elect to do so. | Microsoft Copilot app |
| Copilot **enabled** + **authenticate** with Microsoft Entra + **new device** | Copilot in Windows (preview) is not present. Microsoft Copilot is accessed through the Microsoft 365 app (after post-setup update). | Microsoft Copilot within the Microsoft 365 app (after post-setup update). |
| Copilot **enabled** + **authenticate** with Microsoft Entra + **existing device** | Copilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft Copilot app. | IT admins should use policy to remap the Copilot key to the Microsoft 365 app, or prompt users to choose. |
| Copilot **not enabled** in environment | Neither Copilot in Windows (preview) nor the Microsoft 365 Copilot app are present. | Windows Search |
| Copilot **enabled** + **do not authenticate** with Microsoft Entra | Copilot in Windows (preview) is removed and replaced by the Microsoft 365 Copilot app, which is not pinned to the taskbar unless you elect to do so. | Microsoft 365 Copilot app |
| Copilot **enabled** + **authenticate** with Microsoft Entra + **new device** | Copilot in Windows (preview) is not present. Microsoft 365 Copilot Chat is accessed through the Microsoft 365 Copilot app (after post-setup update). | Microsoft 365 Copilot Chat within the Microsoft 365 Copilot app (after post-setup update). |
| Copilot **enabled** + **authenticate** with Microsoft Entra + **existing device** | Copilot in Windows (preview) is removed. Existing users with Copilot enabled on their devices will still see the Microsoft 365 Copilot app. | IT admins should use policy to remap the Copilot key to the Microsoft 365 Copilot app, or prompt users to choose. |
## Policies to manage the Copilot key
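Review bot: the rename looks over-applied in the first paragraph under "Implications for the Copilot hardware key": `The Microsoft 365 Copilot app is now available only to consumer users ... and won't work for commercial users authenticating with a Microsoft Entra account` contradicts the next paragraph, which tells enterprise customers to remap the key to the Microsoft 365 Copilot app so Entra users can reach Copilot. Elsewhere in this commit the consumer app is called "the Copilot app", so that sentence should keep that name. The table has the same problem: the "do not authenticate" row says Copilot in Windows (preview) is replaced by the Microsoft 365 Copilot app, and the "existing device" row says users "will still see the Microsoft 365 Copilot app" while advising admins to remap the key to that same app. Check each replaced "Microsoft Copilot app" in this hunk against which app is meant.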
@ -143,9 +143,9 @@ If you choose to provide users in your organization with the choice to manage th
If a user signed in with their Microsoft Entra account doesn't already have the key mapped to the Microsoft 365 app, they can select the app by going to **Settings** > **Personalization** > **Text input**, then selecting from the dropdown menu in the setting called **Customize Copilot key on keyboard**. This dropdown has options for: **Search**, **Custom**, or a currently mapped app if one is selected.
If a user signed in with their Microsoft Entra account doesn't already have the key mapped to the Microsoft 365 Copilot app, they can select the app by going to **Settings** > **Personalization** > **Text input**, then selecting from the dropdown menu in the setting called **Customize Copilot key on keyboard**. This dropdown has options for: **Search**, **Custom**, or a currently mapped app if one is selected.
To map the key to the Microsoft 365 app, the user should select **Custom** and then choose the Microsoft 365 app from the app picker. If this app picker is empty or doesn't include the Microsoft 365 app, they should reinstall it from the Microsoft Store.
To map the key to the Microsoft 365 Copilot app, the user should select **Custom** and then choose the Microsoft 365 Copilot app from the app picker. If this app picker is empty or doesn't include the Microsoft 365 Copilot app, they should reinstall it from the Microsoft Store.
Users can also choose to have the Copilot key launch an app that is MSIX packaged and signed, ensuring the app options the Copilot key can remap to meet security and privacy requirements.

@ -551,6 +551,10 @@ The possible values for 'zz' are:
- 1 = Store recovery passwords and key packages
- 2 = Store recovery passwords only
For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
<!-- Device-FixedDrivesRecoveryOptions-Editable-End -->
<!-- Device-FixedDrivesRecoveryOptions-DFProperties-Begin -->
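Review bot: the two added sentences sit directly under the 'zz' values but mention only the recovery password. With `1 = Store recovery passwords and key packages` selected, the text does not say whether the key package is also backed up to Entra ID or only to Active Directory; state that explicitly, since it decides where an admin can recover a damaged volume. The second mention should also read "Microsoft Entra ID" to match the "Microsoft Entra hybrid joined" wording in the same line. The identical addition in the SystemDrivesRecoveryOptions hunk needs the same change.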
@ -2092,6 +2096,10 @@ The possible values for 'zz' are:
- 1 = Store recovery passwords and key packages.
- 2 = Store recovery passwords only.
For Microsoft Entra hybrid joined devices, the BitLocker recovery password is backed up to both Active Directory and Entra ID.
For Microsoft Entra joined devices, the BitLocker recovery password is backed up to Entra ID.
<!-- Device-SystemDrivesRecoveryOptions-Editable-End -->
<!-- Device-SystemDrivesRecoveryOptions-DFProperties-Begin -->

@ -1,7 +1,7 @@
---
title: HealthAttestation CSP
description: Learn more about the HealthAttestation CSP.
ms.date: 01/31/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -51,7 +51,7 @@ The following list shows the HealthAttestation configuration service provider no
<!-- Device-AttestErrorMessage-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 22H2 with [KB5046732](https://support.microsoft.com/help/5046732) [10.0.22621.4541] and later <br> ✅ Windows 11, version 24H2 with [KB5046617](https://support.microsoft.com/help/5046617) [10.0.26100.2314] and later <br> ✅ Windows Insider Preview |
<!-- Device-AttestErrorMessage-Applicability-End -->
<!-- Device-AttestErrorMessage-OmaUri-Begin -->

@ -1,7 +1,7 @@
---
title: HealthAttestation DDF file
description: View the XML file containing the device description framework (DDF) for the HealthAttestation configuration service provider.
ms.date: 06/28/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -436,7 +436,7 @@ The following XML file contains the device description framework (DDF) for the H
<MIME />
</DFType>
<MSFT:Applicability>
<MSFT:OsBuildVersion>99.9.99999</MSFT:OsBuildVersion>
<MSFT:OsBuildVersion>99.9.99999, 10.0.26100.2314, 10.0.22621.4541</MSFT:OsBuildVersion>
<MSFT:CspVersion>1.4</MSFT:CspVersion>
</MSFT:Applicability>
</DFProperties>

View File

@ -1,7 +1,7 @@
---
title: Configuration service provider preview policies
description: Learn more about configuration service provider (CSP) policies that are available for Windows Insider Preview.
ms.date: 11/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -31,6 +31,7 @@ This article lists the policies that are applicable for Windows Insider Preview
## Connectivity
- [DisableCrossDeviceResume](policy-csp-connectivity.md#disablecrossdeviceresume)
- [UseCellularWhenWiFiPoor](policy-csp-connectivity.md#usecellularwhenwifipoor)
- [DisableCellularSettingsPage](policy-csp-connectivity.md#disablecellularsettingspage)
- [DisableCellularOperatorSettingsPage](policy-csp-connectivity.md#disablecellularoperatorsettingspage)
@ -46,6 +47,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DODisallowCacheServerDownloadsOnVPN](policy-csp-deliveryoptimization.md#dodisallowcacheserverdownloadsonvpn)
- [DOVpnKeywords](policy-csp-deliveryoptimization.md#dovpnkeywords)
## DeviceGuard
- [MachineIdentityIsolation](policy-csp-deviceguard.md#machineidentityisolation)
## DevicePreparation CSP
- [PageEnabled](devicepreparation-csp.md#pageenabled)
@ -80,6 +85,12 @@ This article lists the policies that are applicable for Windows Insider Preview
- [AttestErrorMessage](healthattestation-csp.md#attesterrormessage)
## HumanPresence
- [ForcePrivacyScreen](policy-csp-humanpresence.md#forceprivacyscreen)
- [ForcePrivacyScreenDim](policy-csp-humanpresence.md#forceprivacyscreendim)
- [ForcePrivacyScreenNotification](policy-csp-humanpresence.md#forceprivacyscreennotification)
## InternetExplorer
- [AllowLegacyURLFields](policy-csp-internetexplorer.md#allowlegacyurlfields)
@ -115,6 +126,10 @@ This article lists the policies that are applicable for Windows Insider Preview
- [DisablePostLogonProvisioning](passportforwork-csp.md#devicetenantidpoliciesdisablepostlogonprovisioning)
## Printers
- [ConfigureIppTlsCertificatePolicy](policy-csp-printers.md#configureipptlscertificatepolicy)
## Reboot CSP
- [WeeklyRecurrent](reboot-csp.md#scheduleweeklyrecurrent)

View File

@ -1,7 +1,7 @@
---
title: Connectivity Policy CSP
description: Learn more about the Connectivity Area in Policy CSP.
ms.date: 11/05/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -684,6 +684,61 @@ This policy makes all configurable settings in the 'Cellular' Settings page read
<!-- DisableCellularSettingsPage-End -->
<!-- DisableCrossDeviceResume-Begin -->
## DisableCrossDeviceResume
<!-- DisableCrossDeviceResume-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ❌ Device <br> ✅ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- DisableCrossDeviceResume-Applicability-End -->
<!-- DisableCrossDeviceResume-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Connectivity/DisableCrossDeviceResume
```
<!-- DisableCrossDeviceResume-OmaUri-End -->
<!-- DisableCrossDeviceResume-Description-Begin -->
<!-- Description-Source-DDF -->
This policy allows IT admins to turn off CrossDeviceResume feature to continue tasks, such as browsing file, continue using 1P/3P apps that require linking between Phone and PC.
- If you enable this policy setting, the Windows device won't receive any CrossDeviceResume notification.
- If you disable this policy setting, the Windows device will receive notification to resume activity from linked phone.
- If you don't configure this policy setting, the default behavior is that the CrossDeviceResume feature is turned 'ON'. Changes to this policy take effect on reboot.
<!-- DisableCrossDeviceResume-Description-End -->
<!-- DisableCrossDeviceResume-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisableCrossDeviceResume-Editable-End -->
<!-- DisableCrossDeviceResume-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- DisableCrossDeviceResume-DFProperties-End -->
<!-- DisableCrossDeviceResume-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | CrossDeviceResume is Enabled. |
| 1 | CrossDeviceResume is Disabled. |
<!-- DisableCrossDeviceResume-AllowedValues-End -->
<!-- DisableCrossDeviceResume-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisableCrossDeviceResume-Examples-End -->
<!-- DisableCrossDeviceResume-End -->
<!-- DisableDownloadingOfPrintDriversOverHTTP-Begin -->
## DisableDownloadingOfPrintDriversOverHTTP
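Review bot: The DisableCrossDeviceResume description is hard to parse and misplaces the reboot requirement: "to continue tasks, such as browsing file, continue using 1P/3P apps" is ungrammatical and uses the internal shorthand 1P/3P, and "Changes to this policy take effect on reboot" is appended to the "don't configure" bullet although it reads as applying to every state. Because the text is marked Description-Source-DDF, the wording needs to be fixed in the DDF, or the reboot requirement and a plain statement of what enabling the policy blocks should go in the DisableCrossDeviceResume-Editable section. The allowed-values rows would also be easier to check against the policy name if they said what value 1 does to the device (no resume notifications) rather than "CrossDeviceResume is Disabled."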

View File

@ -1,7 +1,7 @@
---
title: DeliveryOptimization Policy CSP
description: Learn more about the DeliveryOptimization Area in Policy CSP.
ms.date: 08/06/2024
ms.date: 01/21/2025
---
<!-- Auto-Generated CSP Document -->
@ -34,11 +34,7 @@ ms.date: 08/06/2024
<!-- DOAbsoluteMaxCacheSize-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum size in GB of Delivery Optimization cache.
This policy overrides the DOMaxCacheSize policy.
The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space.
Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the MaxCacheSize policy.
<!-- DOAbsoluteMaxCacheSize-Description-End -->
<!-- DOAbsoluteMaxCacheSize-Editable-Begin -->
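Review bot: The rewritten DOAbsoluteMaxCacheSize description refers to "the MaxCacheSize policy" where the longer text named it DOMaxCacheSize, which is the name this article uses for the node, and the single-sentence version no longer carries the statement that 0 means an unlimited cache. Suggest keeping the DO-prefixed name so readers can find the policy on this page, and stating what 0 does in the DOAbsoluteMaxCacheSize-Editable section if that behavior is unchanged.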
@ -93,7 +89,7 @@ The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the
<!-- DOAllowVPNPeerCaching-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
Specifies whether the device, with an active VPN connection, is allowed to participate in P2P or not.
<!-- DOAllowVPNPeerCaching-Description-End -->
<!-- DOAllowVPNPeerCaching-Editable-Begin -->
@ -125,8 +121,8 @@ Specifies whether the device is allowed to participate in Peer Caching while con
| Name | Value |
|:--|:--|
| Name | AllowVPNPeerCaching |
| Friendly Name | Enable Peer Caching while the device connects via VPN |
| Element Name | Enable Peer Caching while the device connects via VPN. |
| Friendly Name | Enable P2P while the device connects via VPN |
| Element Name | Enable P2P while the device connects via VPN. |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -156,9 +152,7 @@ Specifies whether the device is allowed to participate in Peer Caching while con
<!-- DOCacheHost-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to set one or more Microsoft Connected Cache servers that will be used by your client(s).
One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
Specifies one or more Microsoft Connected Cache servers that will be used by your client(s). One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values, separate each FQDN or IP address by commas.
<!-- DOCacheHost-Description-End -->
<!-- DOCacheHost-Editable-Begin -->
@ -214,17 +208,10 @@ One or more values can be added as either fully qualified domain names (FQDN) or
<!-- DOCacheHostSource-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to specify how your client(s) can discover Microsoft Connected Cache servers dynamically.
Options available are:
0 = Disable DNS-SD.
1 = DHCP Option 235.
Specifies how your client(s) can discover Microsoft Connected Cache servers dynamically.
1 = DHCP Option 235
2 = DHCP Option 235 Force.
If this policy isn't configured, the client will attempt to automatically find a cache server using DNS-SD. If set to 0, the client won't use DNS-SD to automatically find a cache server. If set to 1 or 2, the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Hostname policy, if configured.
<!-- DOCacheHostSource-Description-End -->
<!-- DOCacheHostSource-Editable-Begin -->
@ -240,10 +227,18 @@ If this policy isn't configured, the client will attempt to automatically find a
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: `[0-4294967295]` |
| Default Value | 0 |
<!-- DOCacheHostSource-DFProperties-End -->
<!-- DOCacheHostSource-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 1 | DHCP Option 235. |
| 2 | DHCP Option 235 Force. |
<!-- DOCacheHostSource-AllowedValues-End -->
<!-- DOCacheHostSource-GpMapping-Begin -->
**Group policy mapping**:
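Review bot: The new DOCacheHostSource allowed-values table lists only 1 and 2, while the properties table directly above it still shows "Default Value | 0", so the default is a value the table doesn't describe. If 0 is still accepted, add a row for it that says what the client does in that state; if it isn't, the Default Value row needs to change with it.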
@ -281,13 +276,7 @@ If this policy isn't configured, the client will attempt to automatically find a
<!-- DODelayBackgroundDownloadFromHttp-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to delay the use of an HTTP source in a background download that's allowed to use P2P.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 hour (3600).
For background downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
<!-- DODelayBackgroundDownloadFromHttp-Description-End -->
<!-- DODelayBackgroundDownloadFromHttp-Editable-Begin -->
@ -311,7 +300,7 @@ The recommended value is 1 hour (3600).
| Name | Value |
|:--|:--|
| Name | DelayBackgroundDownloadFromHttp |
| Friendly Name | Delay background download from http (in secs) |
| Friendly Name | Delay background download from http (in seconds) |
| Element Name | Delay background download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
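Review bot: In the DelayBackgroundDownloadFromHttp mapping table the Friendly Name now reads "(in seconds)" while the Element Name row directly below it still reads "(in secs)". Suggest updating both rows from the same ADMX string so they match; the DelayForegroundDownloadFromHttp mapping later in this file has the same mismatch.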
@ -342,7 +331,7 @@ The recommended value is 1 hour (3600).
<!-- DODelayCacheServerFallbackBackground-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for a background content download. Note that the DODelayBackgroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
For background downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
<!-- DODelayCacheServerFallbackBackground-Description-End -->
<!-- DODelayCacheServerFallbackBackground-Editable-Begin -->
@ -397,7 +386,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
<!-- DODelayCacheServerFallbackForeground-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the time in seconds to delay the fallback from Cache Server to the HTTP source for foreground content download. Note that the DODelayForegroundDownloadFromHttp policy takes precedence over this policy to allow downloads from peers first.
For foreground downloads that use a cache server, specifies the time to wait before falling back to download from the original HTTP source.
<!-- DODelayCacheServerFallbackForeground-Description-End -->
<!-- DODelayCacheServerFallbackForeground-Editable-Begin -->
@ -452,13 +441,7 @@ Specifies the time in seconds to delay the fallback from Cache Server to the HTT
<!-- DODelayForegroundDownloadFromHttp-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that's allowed to use P2P.
After the max delay has reached, the download will resume using HTTP, either downloading the entire payload or complementing the bytes that couldn't be downloaded from Peers.
Note that a download that's waiting for peer sources, will appear to be stuck for the end user.
The recommended value is 1 minute (60).
For foreground downloads that use P2P, specifies the time to wait before starting to download from the HTTP source.
<!-- DODelayForegroundDownloadFromHttp-Description-End -->
<!-- DODelayForegroundDownloadFromHttp-Editable-Begin -->
@ -482,7 +465,7 @@ The recommended value is 1 minute (60).
| Name | Value |
|:--|:--|
| Name | DelayForegroundDownloadFromHttp |
| Friendly Name | Delay Foreground download from http (in secs) |
| Friendly Name | Delay Foreground download from http (in seconds) |
| Element Name | Delay Foreground download from http (in secs) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
@ -513,7 +496,7 @@ The recommended value is 1 minute (60).
<!-- DODisallowCacheServerDownloadsOnVPN-Description-Begin -->
<!-- Description-Source-DDF -->
Disallow downloads from Microsoft Connected Cache servers when the device connects via VPN. By default, the device is allowed to download from Microsoft Connected Cache when connected via VPN.
Specify to disallow downloads from Microsoft Connected Cache servers when the device has an active VPN connection. By default, the button is 'Not Set'. This means the device is allowed to download from Microsoft Connected Cache when the device has an active VPN connection. To block these downloads, turn the button on to 'Enabled'.
<!-- DODisallowCacheServerDownloadsOnVPN-Description-End -->
<!-- DODisallowCacheServerDownloadsOnVPN-Editable-Begin -->
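Review bot: The new DODisallowCacheServerDownloadsOnVPN description is written for the Group Policy editor ("the button is 'Not Set'", "turn the button on to 'Enabled'"), but this article documents an integer CSP node where there is no button. Suggest describing the behavior in terms of the values an MDM admin sets: 0 leaves Microsoft Connected Cache downloads allowed over an active VPN connection, 1 blocks them.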
@ -535,8 +518,8 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
| Value | Description |
|:--|:--|
| 0 (Default) | Allowed. |
| 1 | Not allowed. |
| 0 (Default) | Not Set. |
| 1 | Enabled. |
<!-- DODisallowCacheServerDownloadsOnVPN-AllowedValues-End -->
<!-- DODisallowCacheServerDownloadsOnVPN-GpMapping-Begin -->
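Review bot: The allowed-values rows for DODisallowCacheServerDownloadsOnVPN change from "Allowed." / "Not allowed." to "Not Set." / "Enabled.", which no longer say what happens to downloads, and on a policy whose name starts with Disallow, "Enabled" is easy to misread as downloads being enabled. Suggest labels that state the outcome, for example "Downloads from cache servers are allowed over VPN" for 0 and "Downloads from cache servers are blocked over VPN" for 1.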
@ -572,7 +555,7 @@ Disallow downloads from Microsoft Connected Cache servers when the device connec
<!-- DODownloadMode-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. The default value is 1.
Specifies the method that Delivery Optimization can use to download content on behalf of various Microsoft products.
<!-- DODownloadMode-Description-End -->
<!-- DODownloadMode-Editable-Begin -->
@ -598,10 +581,10 @@ Specifies the download method that Delivery Optimization can use in downloads of
|:--|:--|
| 0 (Default) | HTTP only, no peering. |
| 1 | HTTP blended with peering behind the same NAT. |
| 2 | When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. |
| 2 | HTTP blended with peering across a private group. |
| 3 | HTTP blended with Internet peering. |
| 99 | Simple download mode with no peering. Delivery Optimization downloads using HTTP only and doesn't attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. |
| 100 | Bypass mode. Windows 10: Don't use Delivery Optimization and use BITS instead. Windows 11: Deprecated, use Simple mode instead. |
| 99 | HTTP only, no peering, no use of DO cloud service. |
| 100 | Bypass mode, deprecated in Windows 11. |
<!-- DODownloadMode-AllowedValues-End -->
<!-- DODownloadMode-GpMapping-Begin -->
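Review bot: The shortened DODownloadMode rows drop guidance an admin needs when choosing a mode: row 100 now reads "Bypass mode, deprecated in Windows 11." without the earlier pointer to use Simple mode instead, and row 2 no longer mentions that a custom group is created by combining Mode 2 with a Group ID. Suggest keeping both pointers in the DODownloadMode-Editable section so the table stays short without losing them, and expanding "DO cloud service" in row 99 to "Delivery Optimization cloud services" as the earlier row did.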
@ -641,11 +624,7 @@ Specifies the download method that Delivery Optimization can use in downloads of
<!-- DOGroupId-Description-Begin -->
<!-- Description-Source-ADMX -->
Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to.
Use this if you need to create a single group for Local Network Peering for branches that are on different domains or aren't on the same LAN.
Note this is a best effort optimization and shouldn't be relied on for an authentication of identity.
Specifies an arbitrary group ID that the device belongs to. A GUID must be used.
<!-- DOGroupId-Description-End -->
<!-- DOGroupId-Editable-Begin -->
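Review bot: The one-line DOGroupId description drops the caveat "Note this is a best effort optimization and shouldn't be relied on for an authentication of identity." That sentence is the only place in the hunk telling readers the group ID is a peering hint and not an access control, so suggest preserving it in the DOGroupId-Editable section together with the use case (a single peering group for branches on different domains or LANs).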
@ -698,7 +677,7 @@ Note this is a best effort optimization and shouldn't be relied on for an authen
<!-- DOGroupIdSource-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection to a specific source. Available options are: 1 = AD Site, 2 = Authenticated domain SID, 3 = DHCP Option ID, 4 = DNS Suffix, 5 = Microsoft Entra ID. When set, the Group ID will be assigned automatically from the selected source. This policy is ignored if the GroupID policy is also set. The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored. For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID. Starting with Windows 10, version 1903, you can use the Microsoft Entra tenant ID as a means to define groups. To do this, set the value of DOGroupIdSource to 5.
Specifies the source of group ID used for peer selection.
<!-- DOGroupIdSource-Description-End -->
<!-- DOGroupIdSource-Editable-Begin -->
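Review bot: The new DOGroupIdSource description ("Specifies the source of group ID used for peer selection.") removes the precedence and scoping rules that were in the longer text: the policy is ignored if the GroupID policy is also set, it only applies to Group (2) download mode, and option 3 reads DHCP Option ID 234. Without these an admin can set the policy and see no effect with no hint why. Suggest moving those three statements into the DOGroupIdSource-Editable section if they still hold.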
@ -722,12 +701,12 @@ Set this policy to restrict peer selection to a specific source. Available optio
| Value | Description |
|:--|:--|
| 0 (Default) | Unset. |
| 0 (Default) | Not Set. |
| 1 | AD site. |
| 2 | Authenticated domain SID. |
| 3 | DHCP user option. |
| 4 | DNS suffix. |
| 5 | Microsoft Entra ID. |
| 3 | DHCP Option ID. |
| 4 | DNS Suffix. |
| 5 | Entra ID Tenant ID. |
<!-- DOGroupIdSource-AllowedValues-End -->
<!-- DOGroupIdSource-GpMapping-Begin -->
@ -768,8 +747,6 @@ Set this policy to restrict peer selection to a specific source. Available optio
<!-- DOMaxBackgroundDownloadBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!-- DOMaxBackgroundDownloadBandwidth-Description-End -->
<!-- DOMaxBackgroundDownloadBandwidth-Editable-Begin -->
@ -824,7 +801,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DOMaxCacheAge-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means unlimited; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size hasn't exceeded. The value 0 is new in Windows 10, version 1607. The default value is 604800 seconds (7 days).
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.
<!-- DOMaxCacheAge-Description-End -->
<!-- DOMaxCacheAge-Editable-Begin -->
@ -879,7 +856,7 @@ Specifies the maximum time in seconds that each file is held in the Delivery Opt
<!-- DOMaxCacheSize-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). The default value is 20.
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of the available drive space.
<!-- DOMaxCacheSize-Description-End -->
<!-- DOMaxCacheSize-Editable-Begin -->
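Review bot: The DOMaxCacheSize description changes the basis of the percentage from "disk size (1-100)" to "the available drive space", which are different quantities, and drops the stated range and the default of 20. Please confirm which basis the client actually uses before this text ships, and keep the range and default somewhere on the page, for example in the DOMaxCacheSize-Editable section.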
@ -935,8 +912,6 @@ Specifies the maximum cache size that Delivery Optimization can utilize, as a pe
<!-- DOMaxForegroundDownloadBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
<!-- DOMaxForegroundDownloadBandwidth-Description-End -->
<!-- DOMaxForegroundDownloadBandwidth-Editable-Begin -->
@ -991,7 +966,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DOMinBackgroundQos-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. The default value is 20480 (20 MB/s).
Specifies the minimum download QoS (Quality of Service) in KiloBytes/sec for background downloads.
<!-- DOMinBackgroundQos-Description-End -->
<!-- DOMinBackgroundQos-Editable-Begin -->
@ -1046,11 +1021,7 @@ Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/se
<!-- DOMinBatteryPercentageAllowedToUpload-Description-Begin -->
<!-- Description-Source-ADMX -->
Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Battery).
The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can download from peers while on battery regardless of this policy.
The value 0 means "not-limited"; The cloud service set default value will be used.
Specifies the minimum battery level required for uploading to peers, while on battery power.
<!-- DOMinBatteryPercentageAllowedToUpload-Description-End -->
<!-- DOMinBatteryPercentageAllowedToUpload-Editable-Begin -->
@ -1105,12 +1076,7 @@ The value 0 means "not-limited"; The cloud service set default value will be use
<!-- DOMinDiskSizeAllowedToPeer-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be used.
Recommended values: 64 GB to 256 GB.
> [!NOTE]
> If the DOModifyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy.
Specifies the required minimum total disk size in GB for the device to use P2P.
<!-- DOMinDiskSizeAllowedToPeer-Description-End -->
<!-- DOMinDiskSizeAllowedToPeer-Editable-Begin -->
@ -1134,8 +1100,8 @@ Recommended values: 64 GB to 256 GB.
| Name | Value |
|:--|:--|
| Name | MinDiskSizeAllowedToPeer |
| Friendly Name | Minimum disk size allowed to use Peer Caching (in GB) |
| Element Name | Minimum disk size allowed to use Peer Caching (in GB) |
| Friendly Name | Minimum disk size allowed to use P2P (in GB) |
| Element Name | Minimum disk size allowed to use P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1165,7 +1131,7 @@ Recommended values: 64 GB to 256 GB.
<!-- DOMinFileSizeToCache-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. The default value is 100 MB.
Specifies the minimum content file size in MB eligible to use P2P.
<!-- DOMinFileSizeToCache-Description-End -->
<!-- DOMinFileSizeToCache-Editable-Begin -->
@ -1189,8 +1155,8 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
| Name | Value |
|:--|:--|
| Name | MinFileSizeToCache |
| Friendly Name | Minimum Peer Caching Content File Size (in MB) |
| Element Name | Minimum Peer Caching Content File Size (in MB) |
| Friendly Name | Minimum P2P Content File Size (in MB) |
| Element Name | Minimum P2P Content File Size (in MB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1220,7 +1186,7 @@ Specifies the minimum content file size in MB enabled to use Peer Caching. Recom
<!-- DOMinRAMAllowedToPeer-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. The default value is 4 GB.
Specifies the minimum total RAM size in GB required to use P2P.
<!-- DOMinRAMAllowedToPeer-Description-End -->
<!-- DOMinRAMAllowedToPeer-Editable-Begin -->
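Review bot: The new DOMinRAMAllowedToPeer sentence says "minimum total RAM size", whereas the example in the longer text said devices with "1 GB or higher available RAM" qualify. Total and available RAM give different answers on the same device, so confirm which one the check uses; the recommended range (1 GB to 4 GB) and the 4 GB default are also gone and would be worth keeping in the DOMinRAMAllowedToPeer-Editable section.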
@ -1244,8 +1210,8 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
| Name | Value |
|:--|:--|
| Name | MinRAMAllowedToPeer |
| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Element Name | Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB) |
| Friendly Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
| Element Name | Minimum RAM capacity (inclusive) required to enable use of P2P (in GB) |
| Location | Computer Configuration |
| Path | Windows Components > Delivery Optimization |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization |
@ -1275,9 +1241,7 @@ Specifies the minimum RAM size in GB required to use Peer Caching. For example,
<!-- DOModifyCacheDrive-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the drive Delivery Optimization shall use for its cache.
By default, %SystemDrive% is used to store the cache. The drive location can be specified using environment variables, drive letter or using a full path.
Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
<!-- DOModifyCacheDrive-Description-End -->
<!-- DOModifyCacheDrive-Editable-Begin -->
@ -1330,7 +1294,7 @@ By default, %SystemDrive% is used to store the cache. The drive location can be
<!-- DOMonthlyUploadDataCap-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. The value 0 (zero) means unlimited; No monthly upload limit's applied if 0 is set. The default value is 5120 (5 TB).
Specifies the maximum bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.
<!-- DOMonthlyUploadDataCap-Description-End -->
<!-- DOMonthlyUploadDataCap-Editable-Begin -->
@ -1386,8 +1350,6 @@ Specifies the maximum total bytes in GB that Delivery Optimization is allowed to
<!-- DOPercentageMaxBackgroundBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
<!-- DOPercentageMaxBackgroundBandwidth-Description-End -->
<!-- DOPercentageMaxBackgroundBandwidth-Editable-Begin -->
@ -1445,8 +1407,6 @@ Downloads from LAN peers won't be throttled even when this policy is set.
<!-- DOPercentageMaxForegroundBandwidth-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth.
The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
<!-- DOPercentageMaxForegroundBandwidth-Description-End -->
<!-- DOPercentageMaxForegroundBandwidth-Editable-Begin -->
@ -1501,7 +1461,7 @@ The default value 0 (zero) means that Delivery Optimization dynamically adjusts
<!-- DORestrictPeerSelectionBy-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Set this policy to restrict peer selection via selected option. Options available are: 1=Subnet mask, 2 = Local discovery (DNS-SD). These options apply to both Download Mode LAN (1) and Group (2).
Specifies to restrict peer selection using the selected method, in addition to the DownloadMode policy.
<!-- DORestrictPeerSelectionBy-Description-End -->
<!-- DORestrictPeerSelectionBy-Editable-Begin -->
@ -1528,7 +1488,7 @@ In Windows 11 the 'Local Peer Discovery' option was introduced to restrict peer
|:--|:--|
| 0 (Default) | None. |
| 1 | Subnet mask. |
| 2 | Local peer discovery (DNS-SD). |
| 2 | Local discovery (DNS-SD). |
<!-- DORestrictPeerSelectionBy-AllowedValues-End -->
<!-- DORestrictPeerSelectionBy-GpMapping-Begin -->
@ -1681,7 +1641,7 @@ This policy allows an IT Admin to define the following details:
<!-- DOVpnKeywords-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy allows you to set one or more keywords used to recognize VPN connections. To add multiple keywords, separate them with commas.
Specifies one or more keywords used to recognize VPN connections. To add multiple keywords, separate each by a comma.
<!-- DOVpnKeywords-Description-End -->
<!-- DOVpnKeywords-Editable-Begin -->

View File

@ -1,7 +1,7 @@
---
title: DeviceGuard Policy CSP
description: Learn more about the DeviceGuard Area in Policy CSP.
ms.date: 01/18/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 01/18/2024
<!-- DeviceGuard-Begin -->
# Policy CSP - DeviceGuard
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DeviceGuard-Editable-End -->
@ -205,6 +207,70 @@ Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if config
<!-- LsaCfgFlags-End -->
<!-- MachineIdentityIsolation-Begin -->
## MachineIdentityIsolation
<!-- MachineIdentityIsolation-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- MachineIdentityIsolation-Applicability-End -->
<!-- MachineIdentityIsolation-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/MachineIdentityIsolation
```
<!-- MachineIdentityIsolation-OmaUri-End -->
<!-- MachineIdentityIsolation-Description-Begin -->
<!-- Description-Source-DDF-Forced -->
Machine Identity Isolation: 0 - Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. 1 - Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. 2 - Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key.
<!-- MachineIdentityIsolation-Description-End -->
<!-- MachineIdentityIsolation-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- MachineIdentityIsolation-Editable-End -->
<!-- MachineIdentityIsolation-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- MachineIdentityIsolation-DFProperties-End -->
<!-- MachineIdentityIsolation-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key. |
| 1 | (Enabled in audit mode) Machine password both LSASS-bound and IUM-bound. It's stored in $MACHINE.ACC and $MACHINE.ACC.IUM registry keys. |
| 2 | (Enabled in enforcement mode) Machine password is only IUM-bound and stored in $MACHINE.ACC.IUM registry key. |
<!-- MachineIdentityIsolation-AllowedValues-End -->
<!-- MachineIdentityIsolation-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Machine Identity Isolation Configuration. |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- MachineIdentityIsolation-GpMapping-End -->
<!-- MachineIdentityIsolation-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- MachineIdentityIsolation-Examples-End -->
<!-- MachineIdentityIsolation-End -->
<!-- RequirePlatformSecurityFeatures-Begin -->
## RequirePlatformSecurityFeatures
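Review bot: The MachineIdentityIsolation description and allowed-values rows use "IUM-bound" without expanding IUM, and nothing in the section states what the policy depends on, even though the group policy mapping places it under VirtualizationBasedSecurity ("Turn On Virtualization Based Security"). Suggest using the MachineIdentityIsolation-Editable section to spell out the acronym, state any dependency on virtualization-based security being on, and say what an admin should verify in audit mode (1) before moving to enforcement mode (2), since value 2 stores the machine password only in the $MACHINE.ACC.IUM key. The description line also omits the Disabled / audit / enforcement labels that the table rows carry, so the two read as slightly different definitions of the same values.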

View File

@ -1,7 +1,7 @@
---
title: HumanPresence Policy CSP
description: Learn more about the HumanPresence Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -9,6 +9,8 @@ ms.date: 09/27/2024
<!-- HumanPresence-Begin -->
# Policy CSP - HumanPresence
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- HumanPresence-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-Editable-End -->
@ -526,6 +528,183 @@ Determines the timeout for Lock on Leave forced by the MDM policy. The user will
<!-- ForceLockTimeout-End -->
<!-- ForcePrivacyScreen-Begin -->
## ForcePrivacyScreen
<!-- ForcePrivacyScreen-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreen-Applicability-End -->
<!-- ForcePrivacyScreen-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreen
```
<!-- ForcePrivacyScreen-OmaUri-End -->
<!-- ForcePrivacyScreen-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether detect when other people are looking at my screen is forced on/off by the MDM policy. The user won't be able to change this setting and the UI will be greyed out.
<!-- ForcePrivacyScreen-Description-End -->
<!-- ForcePrivacyScreen-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Editable-End -->
<!-- ForcePrivacyScreen-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreen-DFProperties-End -->
<!-- ForcePrivacyScreen-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedOff. |
| 1 | ForcedOn. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreen-AllowedValues-End -->
<!-- ForcePrivacyScreen-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreen |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreen-GpMapping-End -->
<!-- ForcePrivacyScreen-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreen-Examples-End -->
<!-- ForcePrivacyScreen-End -->
<!-- ForcePrivacyScreenDim-Begin -->
## ForcePrivacyScreenDim
<!-- ForcePrivacyScreenDim-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenDim-Applicability-End -->
<!-- ForcePrivacyScreenDim-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenDim
```
<!-- ForcePrivacyScreenDim-OmaUri-End -->
<!-- ForcePrivacyScreenDim-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether dim the screen when other people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenDim-Description-End -->
<!-- ForcePrivacyScreenDim-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Editable-End -->
<!-- ForcePrivacyScreenDim-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenDim-DFProperties-End -->
<!-- ForcePrivacyScreenDim-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenDim-AllowedValues-End -->
<!-- ForcePrivacyScreenDim-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenDim |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenDim-GpMapping-End -->
<!-- ForcePrivacyScreenDim-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenDim-Examples-End -->
<!-- ForcePrivacyScreenDim-End -->
<!-- ForcePrivacyScreenNotification-Begin -->
## ForcePrivacyScreenNotification
<!-- ForcePrivacyScreenNotification-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ForcePrivacyScreenNotification-Applicability-End -->
<!-- ForcePrivacyScreenNotification-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/HumanPresence/ForcePrivacyScreenNotification
```
<!-- ForcePrivacyScreenNotification-OmaUri-End -->
<!-- ForcePrivacyScreenNotification-Description-Begin -->
<!-- Description-Source-DDF -->
Determines whether providing alert when people are looking at my screen checkbox is forced checked/unchecked by the MDM policy. The user won't be able to change this setting and the checkbox in the UI will be greyed out.
<!-- ForcePrivacyScreenNotification-Description-End -->
<!-- ForcePrivacyScreenNotification-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Editable-End -->
<!-- ForcePrivacyScreenNotification-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ForcePrivacyScreenNotification-DFProperties-End -->
<!-- ForcePrivacyScreenNotification-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 2 | ForcedUnchecked. |
| 1 | ForcedChecked. |
| 0 (Default) | DefaultToUserChoice. |
<!-- ForcePrivacyScreenNotification-AllowedValues-End -->
<!-- ForcePrivacyScreenNotification-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | ForcePrivacyScreenNotification |
| Path | Sensors > AT > WindowsComponents > HumanPresence |
<!-- ForcePrivacyScreenNotification-GpMapping-End -->
<!-- ForcePrivacyScreenNotification-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ForcePrivacyScreenNotification-Examples-End -->
<!-- ForcePrivacyScreenNotification-End -->
<!-- HumanPresence-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- HumanPresence-CspMoreInfo-End -->
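Review bot: The three new ForcePrivacyScreen* policies never say how they interact: nothing states what the device does when ForcePrivacyScreen is 2 (ForcedOff) while ForcePrivacyScreenDim or ForcePrivacyScreenNotification is 1 (ForcedChecked). The Description blocks are marked `Description-Source-DDF`, so the precedence rule belongs in the Editable sections, which are all empty here. The descriptions also embed the UI labels unquoted ("Determines whether detect when other people are looking at my screen is forced on/off"), which reads as a grammar error; quoting the label fixes it at the DDF source. The allowed-values tables list 2, 1, 0 with the default last, unlike the 0, 1, 2 order used for MachineIdentityIsolation elsewhere in this commit.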

View File

@ -9,7 +9,7 @@ ms.date: 11/05/2024
<!-- LocalPoliciesSecurityOptions-Begin -->
# Policy CSP - LocalPoliciesSecurityOptions
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
[!INCLUDE [Windows Windows Insider Preview tip](includes/mdm-insider-csp-note.md)]
<!-- LocalPoliciesSecurityOptions-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
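Review bot: The replacement include label duplicates a word: "[!INCLUDE [Windows Windows Insider Preview tip](includes/mdm-insider-csp-note.md)]". The HumanPresence and Printers files in this same commit use "Windows Insider tip" for the same include file, so either keep that label or use "Windows Insider Preview tip" consistently in all three.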
@ -517,7 +517,7 @@ Audit: Shut down system immediately if unable to log security audits This securi
<!-- Devices_AllowedToFormatAndEjectRemovableMedia-Description-Begin -->
<!-- Description-Source-DDF -->
Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability.
Devices: Allowed to format and eject removable media This security setting determines who is allowed to format and eject removable NTFS media. This capability can be given to: Administrators and Interactive Users Default: This policy isn't defined and only Administrators have this ability.
<!-- Devices_AllowedToFormatAndEjectRemovableMedia-Description-End -->
<!-- Devices_AllowedToFormatAndEjectRemovableMedia-Editable-Begin -->
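Review bot: Dropping the first "Administrators" in the Devices_AllowedToFormatAndEjectRemovableMedia description changes the meaning rather than removing a duplicate. The old text listed two separate choices, "Administrators" and "Administrators and Interactive Users", run together without punctuation; the new text ("This capability can be given to: Administrators and Interactive Users") reads as a single choice and no longer shows that an Administrators-only option exists. Suggest restoring both options and separating them, for example as a list, at the description source.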
@ -1117,7 +1117,7 @@ Domain member: Require strong (Windows 2000 or later) session key This security
<!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Description-Begin -->
<!-- Description-Source-DDF -->
Interactive Logon:Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Don't display user information (3) Domain and user names only (4)
Interactive Logon: Display user information when the session is locked User display name, domain and user names (1) User display name only (2) Don't display user information (3) Domain and user names only (4)
<!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Description-End -->
<!-- InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked-Editable-Begin -->
@ -1556,7 +1556,7 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 11, version 24H2 [10.0.26100] and later |
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Applicability-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-OmaUri-Begin -->
@ -1568,6 +1568,9 @@ Interactive logon: Message title for users attempting to log on This security se
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-Begin -->
<!-- Description-Source-DDF -->
Interactive logon: Number of previous logons to cache (in case domain controller isn't available) Each unique user's logon information is cached locally so that, in the event that a domain controller is unavailable during subsequent logon attempts, they're able to log on. The cached logon information is stored from the previous logon session. If a domain controller is unavailable and a user's logon information isn't cached, the user is prompted with this message: There are currently no logon servers available to service the logon request. In this policy setting, a value of 0 disables logon caching. Any value above 50 only caches 50 logon attempts. Windows supports a maximum of 50 cache entries and the number of entries consumed per user depends on the credential. For example, a maximum of 50 unique password user accounts can be cached on a Windows system, but only 25 smart card user accounts can be cached because both the password information and the smart card information are stored. When a user with cached logon information logs on again, the user's individual cached information is replaced. Default: Windows Server 2008: 25 All Other Versions: 10.
> [!NOTE]
> This setting previously showed as applicable to Windows 11, version 24H2 [10.0.26100] and later in error. MDM solutions may show as applicable to that version until a future release.
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Description-End -->
<!-- InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-Begin -->
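Review bot: The added `> [!NOTE]` sits inside the `Description-Begin`/`Description-End` block, which is marked `Description-Source-DDF`, while this file's Editable sections warn "Anything outside this section will get overwritten". Unless the note comes from the DDF itself, move it below `InteractiveLogon_NumberOfPreviousLogonsToCache-Editable-Begin` so the next regeneration keeps it. The second sentence is also missing its object ("MDM solutions may show as applicable to that version"); suggest "may show this setting as applicable". The note does not say what happens when the policy is pushed to a 24H2 [10.0.26100] device, which is what an admin whose MDM still offers the setting for that version needs to know.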
@ -1780,7 +1783,7 @@ Microsoft network client: Digitally sign communications (if server agrees) This
- If this setting is enabled, the Microsoft network client will ask the server to perform SMB packet signing upon session setup. If packet signing has been enabled on the server, packet signing will be negotiated.
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
<!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Description-End -->
<!-- MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees-Editable-Begin -->
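Review bot: The "is enabled" to "are enabled" fix leaves the broken link at the end of the same sentence untouched: "reference:< https://go.microsoft.com/fwlink/?LinkID=787136>" has no space after the colon and a stray space after the opening angle bracket, so it won't render as an autolink. The two bullets also switch terms ("If this setting is enabled" and then "If this policy is disabled"); pick one. Since the line is being edited anyway, fix both at the description source.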
@ -2021,7 +2024,7 @@ Microsoft network server: Digitally sign communications (if client agrees) This
- If this policy is disabled, the SMB client will never negotiate SMB packet signing. on domain controllers only.
> [!IMPORTANT]
> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
> For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature Notes All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing are enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference:< https://go.microsoft.com/fwlink/?LinkID=787136>.
<!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Description-End -->
<!-- MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees-Editable-Begin -->

View File

@ -1,7 +1,7 @@
---
title: Printers Policy CSP
description: Learn more about the Printers Area in Policy CSP.
ms.date: 09/27/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -11,6 +11,8 @@ ms.date: 09/27/2024
[!INCLUDE [ADMX-backed CSP tip](includes/mdm-admx-csp-note.md)]
[!INCLUDE [Windows Insider tip](includes/mdm-insider-csp-note.md)]
<!-- Printers-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Printers-Editable-End -->
@ -348,6 +350,56 @@ The following are the supported values:
<!-- ConfigureIppPageCountsPolicy-End -->
<!-- ConfigureIppTlsCertificatePolicy-Begin -->
## ConfigureIppTlsCertificatePolicy
<!-- ConfigureIppTlsCertificatePolicy-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows Insider Preview |
<!-- ConfigureIppTlsCertificatePolicy-Applicability-End -->
<!-- ConfigureIppTlsCertificatePolicy-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/Printers/ConfigureIppTlsCertificatePolicy
```
<!-- ConfigureIppTlsCertificatePolicy-OmaUri-End -->
<!-- ConfigureIppTlsCertificatePolicy-Description-Begin -->
<!-- Description-Source-Not-Found -->
<!-- ConfigureIppTlsCertificatePolicy-Description-End -->
<!-- ConfigureIppTlsCertificatePolicy-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigureIppTlsCertificatePolicy-Editable-End -->
<!-- ConfigureIppTlsCertificatePolicy-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | `chr` (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ConfigureIppTlsCertificatePolicy-DFProperties-End -->
<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-Begin -->
<!-- ADMX-Not-Found -->
[!INCLUDE [ADMX-backed policy note](includes/mdm-admx-policy-note.md)]
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | ConfigureIppTlsCertificatePolicy |
| ADMX File Name | Printing.admx |
<!-- ConfigureIppTlsCertificatePolicy-AdmxBacked-End -->
<!-- ConfigureIppTlsCertificatePolicy-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureIppTlsCertificatePolicy-Examples-End -->
<!-- ConfigureIppTlsCertificatePolicy-End -->
<!-- ConfigureRedirectionGuardPolicy-Begin -->
## ConfigureRedirectionGuardPolicy
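Review bot: ConfigureIppTlsCertificatePolicy ships with no description at all: the Description block contains only `Description-Source-Not-Found`, the ADMX block is flagged `ADMX-Not-Found`, and both the Editable and Examples sections are empty. For a `chr` (string) policy whose name indicates it governs TLS certificate handling for IPP printing, a reader cannot tell what string to send, what the default is, or which values relax or tighten certificate validation. Hold the section until the description source is available, or fill the Editable section with the accepted payload and the effect of each option.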

View File

@ -1,7 +1,7 @@
---
title: VPNv2 CSP
description: Learn more about the VPNv2 CSP.
ms.date: 01/18/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -863,11 +863,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
<!-- Device-{ProfileName}-ByPassForLocal-Description-Begin -->
<!-- Description-Source-DDF -->
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
<!-- Device-{ProfileName}-ByPassForLocal-Description-End -->
<!-- Device-{ProfileName}-ByPassForLocal-Editable-Begin -->
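Review bot: Replacing the whole ByPassForLocal description with "Not supported." removes the only statement of what True and False did without saying what the effective behaviour is now. Profiles that already set this node to True under a force-tunnel policy need to know whether local subnet traffic still bypasses the VPN or is now tunnelled, and from which release. Suggest keeping one sentence on the current behaviour, plus whether Add or Replace on the node is ignored or returns an error, in the Editable section.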
@ -5160,11 +5156,7 @@ Returns the type of App/Id. This value can be either of the following: PackageFa
<!-- User-{ProfileName}-ByPassForLocal-Description-Begin -->
<!-- Description-Source-DDF -->
False: Don't Bypass for Local traffic.
True: ByPass VPN Interface for Local Traffic.
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
<!-- User-{ProfileName}-ByPassForLocal-Description-End -->
<!-- User-{ProfileName}-ByPassForLocal-Editable-Begin -->

View File

@ -1,7 +1,7 @@
---
title: VPNv2 DDF file
description: View the XML file containing the device description framework (DDF) for the VPNv2 configuration service provider.
ms.date: 06/28/2024
ms.date: 01/14/2025
---
<!-- Auto-Generated CSP Document -->
@ -1156,10 +1156,7 @@ The following XML file contains the device description framework (DDF) for the V
<Replace />
</AccessType>
<Description>
False : Do not Bypass for Local traffic
True : ByPass VPN Interface for Local Traffic
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
</Description>
<DFFormat>
<bool />
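Review bot: The DDF node now says "Not supported." in `<Description>` but still advertises `<Replace />` under AccessType and `<bool />` under DFFormat in the surrounding context lines. A management tool that reads the DDF will keep offering the setting as a writable boolean. If the node is really unsupported, the DDF should state whether writes are rejected or silently accepted, or the access types should be narrowed to match.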
@ -4425,10 +4422,7 @@ A device tunnel profile must be deleted before another device tunnel profile can
<Replace />
</AccessType>
<Description>
False : Do not Bypass for Local traffic
True : ByPass VPN Interface for Local Traffic
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Not supported.
</Description>
<DFFormat>
<bool />

View File

@ -48,7 +48,7 @@ items:
href: enterprise-app-management.md
- name: Manage updates
href: device-update-management.md
- name: Updated Windows and Microsoft Copilot experience
- name: Updated Windows and Microsoft 365 Copilot Chat experience
href: manage-windows-copilot.md
- name: Manage Recall
href: manage-recall.md

Binary file not shown.

View File

@ -0,0 +1,133 @@
---
title: Custom Logon
description: Custom Logon
ms.date: 03/05/2024
ms.topic: overview
---
# Custom Logon
You can use the Custom Logon feature to suppress Windows UI elements that relate to the Welcome screen and shutdown screen. For example, you can suppress all elements of the Welcome screen UI and provide a custom logon UI. You can also suppress the Blocked Shutdown Resolver (BSDR) screen and automatically end applications while the OS waits for applications to close before a shutdown.
Custom Logon settings don't modify the credential behavior of **Winlogon**, so you can use any credential provider that is compatible with Windows 10 to provide a custom sign-in experience for your device. For more information about creating a custom logon experience, see [Winlogon and Credential Providers](/windows/win32/secauthn/winlogon-and-credential-providers).
## Requirements
Custom Logon can be enabled on:
- Windows 10 Enterprise
- Windows 10 IoT Enterprise
- Windows 10 Education
- Windows 11 Enterprise
- Windows 11 IoT Enterprise
- Windows 11 Education
## Terminology
**Turn on, enable:** To make the feature available and optionally apply settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line.
**Configure:** To customize the setting or subsettings.
**Embedded Logon:** This feature is called Embedded Logon in Windows 10, version 1511.
**Custom Logon:** This feature is called Custom Logon in Windows 10, version 1607 and later.
## Turn on Custom Logon
Custom Logon is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Custom Logon in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed and you're applying a provisioning package to configure Custom Logon, you must first turn on Custom Logon in order for a provisioning package to be successfully applied.
The Custom Logon feature is available in the Control Panel. You can set Custom Logon by following these steps:
### Turn on Custom Logon in Control Panel
1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Custom Logon**.
1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
### Turn on Custom Logon using DISM
1. Open a command prompt with administrator rights.
1. Enable the feature using the following command.
```cmd
dism /online /enable-feature /featureName:Client-EmbeddedLogon
```
## Configure Custom Logon
### Configure Custom Logon settings using Unattend
You can configure the Unattend settings in the [Microsoft-Windows-Embedded-EmbeddedLogon](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-embeddedlogon) component to add custom logon features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the custom logon settings and XML examples, see the settings in Microsoft-Windows-Embedded-EmbeddedLogon.
The following example shows how to disable all Welcome screen UI elements and the **Switch user** button.
```xml
<settings pass="specialize">
<component name="Microsoft-Windows-Embedded-EmbeddedLogon" processorArchitecture="x86" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<BrandingNeutral>17</BrandingNeutral>
<AnimationDisabled>1</AnimationDisabled>
<NoLockScreen>1</NoLockScreen>
<UIVerbosityLevel>1</UIVerbosityLevel>
<HideAutoLogonUI>1</HideAutoLogonUI>
</component>
</settings>
```
### Remove buttons from Logon screen
To remove buttons from the Welcome screen, set the appropriate value for **BrandingNeutral** in the following registry key:
```text
HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon
```
1. Make sure you have enabled Custom Logon following the instructions in [Turn on Custom Logon](#turn-on-custom-logon).
1. In the Windows search bar, type "Registry Editor" to open the **Registry Editor** window.
1. Use the file navigation in the left pane to access **HKLM\Software\Microsoft\Windows Embedded\EmbeddedLogon**.
1. In the right pane, right click on **BrandingNeutral** and select **Modify**.
1. Select the correct **Base** and enter the value for your desired customizations according to the following table, and click **OK** to apply the changes.
> [!NOTE]
> Changing the **Base** of **BrandingNeutral** will automatically convert the value field to the selected base. To ensure you are getting the correct value, select the base before entering the value.
The following table shows the possible values. To disable multiple Logon screen UI elements together, you can select the **Decimal** base when modifying the **BrandingNeutral** value, and combine actions by adding the decimal values of the desired actions and inputting the sum as the value of **BrandingNeutral**. For example, to disable the Power button and the Language button, select the decimal option for the base, then add the decimal values of each, in this case 2 and 4 respectively, and input the total (6) as the value for **BrandingNeutral**.
| Action |Description| Registry value (Hexadecimal) | Registry value (Decimal)|
|--------|------------|----|---|
| Disable all Logon screen UI elements |Disables the Power, Language, and Ease of Access buttons on the Logon and Ctrl+Alt+Del screens. |`0x1` | 1|
| Disable the Power button |Disables the Power button on the Logon and Ctrl+Alt+Del screens.|`0x2` |2|
| Disable the Language button |Disables the Language button on the Logon and Ctrl+Alt+Del screens.|`0x4` |4|
| Disable the Ease of Access button |Disables the Ease of Access button on the Logon and Ctrl+Alt+Del screens.|`0x8` |8|
| Disable the Switch user button |Disables the Switch User button from the Ctrl+Alt+Del screen, preventing a user from switching accounts. | `0x10` |16|
|Disable the Blocked Shutdown Resolver (BSDR) screen|Disables the Blocked Shutdown Resolver (BSDR) screen so that restarting or shutting down the system causes the OS to immediately force close any open applications that are blocking system shut down. No UI is displayed, and users aren't given a chance to cancel the shutdown process. | `0x20` |32|
In the following image of the `[ctrl + alt + del]` screen, you can see the Switch user button highlighted by a light green outline, the Language button highlighted by an orange outline, the Ease of Access button highlighted by a red outline, and the power button highlighted by a yellow outline. If you disable these buttons, they're hidden from the UI.
![custom logon screen](images/customlogoncad.jpg)
You can remove the Wireless UI option from the Welcome screen by using Group Policy.
### Remove Wireless UI from Logon screen
You use the following steps to remove Wireless UI from the Welcome screen
1. From a command prompt, run gpedit.msc to open the Local Group Policy Editor.
1. In the Local Group Policy Editor, under **Computer Configuration**, expand **Administrative Templates**, expand **System**, and then tap or click **Logon**.
1. Double-tap or click **Do not display network selection UI**.
## Additional Customizations
The following table shows additional customizations that can be made using registry keys.
|Action |Path |Registry Key and Value |
|---------|---------|---------|
|Hide Autologon UI |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideAutoLogonUI = 1`|
|Hide First Logon Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Embedded\EmbeddedLogon |`HideFirstLogonAnimation = 1` |
|Disable Authentication Animation |HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Authentication\LogonUI |`AnimationDisabled = 1` |
|Disable Lock Screen | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization |`NoLockScreen = 1` |
## Related articles
- [Troubleshooting Custom Logon](troubleshoot.md)
- [Unbranded Boot](../unbranded-boot/index.md)
- [Shell Launcher](../shell-launcher/index.md)
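
Review bot: the "Remove Wireless UI from Logon screen" procedure stops at "Double-tap or click **Do not display network selection UI**" and never says which state to select, so a reader who follows it as written changes nothing. Add a final step that sets the policy to **Enabled** and applies it, end the lead-in "You use the following steps to remove Wireless UI from the Welcome screen" with a colon, and move the Group Policy sentence that sits above the heading into the section it introduces. In the **BrandingNeutral** table, the `0x1` row is titled "Disable all Logon screen UI elements" but its description lists only the Power, Language, and Ease of Access buttons; state whether Switch user (`0x10`) and BSDR (`0x20`) are included or must still be added to the sum.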

View File

@ -0,0 +1,105 @@
---
title: Troubleshooting Custom Logon
description: Troubleshooting Custom Logon
ms.date: 05/02/2017
ms.topic: troubleshooting
---
# Troubleshooting Custom Logon
This section highlights some common issues that you may encounter when using Custom Logon.
## When automatic sign-in is enabled, the device asks for a password when resuming from sleep or hibernate
This can occur when your device is configured to require a password when waking up from a sleep state.
### To disable password protection on wake-up
1. If you have write filters enabled on your device, perform the following steps to disable them so that you can save setting changes:
1. At an administrator command prompt, type the following command:
```cmd
uwfmgr.exe filter disable
```
1. To restart the device, type the following command:
```cmd
uwfmgr.exe restart
```
1. In **Contol Panel**, search for **Power Options** , and then select the Power Options heading.
1. Under the **Power Options** heading, select **Require a password on wake up**.
1. On the **Define power buttons and turn on password protection** page, under **Password protection on wakeup**, select **Don't require a password**.
1. If you have disabled write filters, perform the following steps to enable them again:
1. At an administrator command prompt, type the following command:
```cmd
uwfmgr.exe filter enable
```
1. To restart the device, type the following command:
```cmd
uwfmgr.exe restart
```
## The device displays a black screen during setup
Set the **HideAutoLogonUI** and **AnimationDisabled** settings to **0** (zero). The device will then display a default screen during setup.
## The device displays a black screen when Ctrl+Alt+Del is pressed
**HideAutoLogonUI** and**ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
## The device displays a black screen when Windows key + L is used to lock the device
**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you use Keyboard Filter to block this key combination.
### The device displays a black screen when Notepad is opened, any characters are typed and the current user signs out, or the device is rebooted, or the device is shut down
**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the Blocked Shutdown Resolver Screen (BSDR).
> [!WARNING]
> When the BSDR screen is disabled, restarting, or shutting down the device causes the OS to immediately force close any open applications that are blocking system shutdown. No UI is displayed, and users aren't given a chance to cancel the shutdown process. This can result in lost data if any open applications have unsaved data.
## The device displays a black screen when the device is suspended and then resumed
**HideAutoLogonUI** and **ForceAutoLogon** have known issues when used together. To avoid a black screen, we recommend you disable the password protection on wake-up.
### To disable password protection on wake-up
1. In **Control Panel**, select **Power Options**.
1. In the **Power Options** item, select **Require a password on wake up**.
1. On the **Define power buttons and turn on password protection** page, under **Password protection on wake up**, select **Don't require a password**.
### The device displays a black screen when a password expiration screen is displayed
**HideAutoLogonUI** has a known issue. To avoid a black screen, we recommend you set the password to never expire.
### To set a password to never expire on an individual user account
1. On your device, open a command prompt with administrator privileges.
1. Type the following, replacing *&lt;accountname&gt;* with the name of the account you want to remove the password expiration from.
```cmd
net accounts <accountname> /expires:never
```
### To set passwords to never expire on all user accounts
1. On your device, open a command prompt with administrator privileges.
1. Type the following
```cmd
net accounts /MaxPWAge:unlimited
```
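
Review bot: under "To set a password to never expire on an individual user account", `net accounts <accountname> /expires:never` is not a valid command. `net accounts` sets machine-wide password policy and takes no account name, and `/expires` is a `net user` switch that controls when the account itself expires, not its password. Replace it with a per-account password setting such as `Set-LocalUser -Name <accountname> -PasswordNeverExpires $true`, and keep `net accounts /MaxPWAge:unlimited` for the all-accounts case. Smaller fixes in the same file: "Contol Panel" and the stray space before the comma in the first procedure, the missing space in "**HideAutoLogonUI** and**ForceAutoLogon**", the missing colon after "Type the following", the duplicated "To disable password protection on wake-up" heading, and sibling issue headings that alternate between `##` and `###`. The `[!WARNING]` covers only BSDR; removing the wake-up password and password expiry on an auto-sign-in device also gives up a control and should be called out the same way.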

View File

@ -80,12 +80,18 @@
"assigned-access//**/*.yml": "paolomatarazzo",
"cellular//**/*.md": "paolomatarazzo",
"cellular//**/*.yml": "paolomatarazzo",
"custom-logon//**/*.md": "terrywarwick",
"custom-logon//**/*.yml": "terrywarwick",
"keyboard-filter//**/*.md": "terrywarwick",
"keyboard-filter//**/*.yml": "terrywarwick",
"lock-screen//**/*.md": "paolomatarazzo",
"lock-screen//**/*.yml": "paolomatarazzo",
"provisioning-packages//**/*.md": "vinaypamnani-msft",
"provisioning-packages//**/*.yml": "vinaypamnani-msft",
"shared-pc//**/*.md": "paolomatarazzo",
"shared-pc//**/*.yml": "paolomatarazzo",
"shell-launcher//**/*.md": "terrywarwick",
"shell-launcher//**/*.yml": "terrywarwick",
"start//**/*.md": "paolomatarazzo",
"start//**/*.yml": "paolomatarazzo",
"store//**/*.md": "paolomatarazzo",
@ -94,6 +100,10 @@
"taskbar//**/*.yml": "paolomatarazzo",
"tips//**/*.md": "paolomatarazzo",
"tips//**/*.yml": "paolomatarazzo",
"unbranded-boot//**/*.md": "terrywarwick",
"unbranded-boot//**/*.yml": "terrywarwick",
"unified-write-filter//**/*.md": "terrywarwick",
"unified-write-filter//**/*.yml": "terrywarwick",
"wcd//**/*.md": "vinaypamnani-msft",
"wcd//**/*.yml": "vinaypamnani-msft"
},
@ -104,12 +114,18 @@
"assigned-access//**/*.yml": "paoloma",
"cellular//**/*.md": "paoloma",
"cellular//**/*.yml": "paoloma",
"custom-logon//**/*.md": "twarwick",
"custom-logon//**/*.yml": "twarwick",
"lock-screen//**/*.md": "paoloma",
"keyboard-filter//**/*.md": "twarwick",
"keyboard-filter//**/*.yml": "twarwick",
"lock-screen//**/*.yml": "paoloma",
"provisioning-packages//**/*.md": "vinpa",
"provisioning-packages//**/*.yml": "vinpa",
"shared-pc//**/*.md": "paoloma",
"shared-pc//**/*.yml": "paoloma",
"shell-launcher//**/*.md": "twarwick",
"shell-launcher//**/*.yml": "twarwick",
"start//**/*.md": "paoloma",
"start//**/*.yml": "paoloma",
"store//**/*.md": "paoloma",
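
Review bot: the new `keyboard-filter` entries land between `"lock-screen//**/*.md"` and `"lock-screen//**/*.yml"`, which splits that pair and breaks the alphabetical order used everywhere else in these maps. Move the `lock-screen` `.md` line below the two `keyboard-filter` lines so this block matches the ordering of the first block in this file.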
@ -118,6 +134,10 @@
"taskbar//**/*.yml": "paoloma",
"tips//**/*.md": "paoloma",
"tips//**/*.yml": "paoloma",
"unbranded-boot//**/*.md": "twarwick",
"unbranded-boot//**/*.yml": "twarwick",
"unified-write-filter//**/*.md": "twarwick",
"unified-write-filter//**/*.yml": "twarwick",
"wcd//**/*.md": "vinpa",
"wcd//**/*.yml": "vinpa"
},

View File

@ -0,0 +1,74 @@
---
title: Disable all blocked key combinations
description: Disable all blocked key combinations
ms.date: 01/13/2025
ms.topic: reference
---
# Disable all blocked key combinations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell script uses the WMI providers to disable all blocked key combinations for Keyboard Filter by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. The key combination configurations aren't removed, but Keyboard Filter stops blocking any keys.
## Disable-all-rules.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This Windows PowerShell script shows how to enumerate all existing keyboard filter
rules and how to disable them by setting the Enabled property directly.
.Description
For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode,
set the Enabled property to false/0 to disable the filter rule, thus
allowing all key sequences through the filter.
.Parameter ComputerName
Optional parameter to specify the remote computer that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param(
[String]$ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
foreach {
if ($_.Enabled) {
$_.Enabled = 0;
$_.Put() | Out-Null;
Write-Host Disabled $_.Id
}
}
Get-WMIObject -class WEKF_CustomKey @CommonParams |
foreach {
if ($_.Enabled) {
$_.Enabled = 0;
$_.Put() | Out-Null;
Write-Host Disabled $_.Id
}
}
Get-WMIObject -class WEKF_Scancode @CommonParams |
foreach {
if ($_.Enabled) {
$_.Enabled = 0;
$_.Put() | Out-Null;
"Disabled {0}+{1:X4}" -f $_.Modifiers,$_.Scancode
}
}
```
## Related articles
- [Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
- [Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
- [Keyboard filter](index.md)
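
Review bot: the intro sentence says the script "uses the WMI providers to disable all blocked key combinations for Keyboard Filter by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter", naming the same mechanism twice; keep only the second, expanded form. In the script, the `WEKF_PredefinedKey` and `WEKF_CustomKey` loops report with `Write-Host` while the `WEKF_Scancode` loop writes a formatted string to the pipeline, so the output goes to two different places; pick one. Because the script lifts every block rule and accepts `-ComputerName`, the article should state the rights it needs and link to the sample that turns rules back on.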

View File

@ -0,0 +1,144 @@
---
title: Keyboard Filter
description: Keyboard Filter
ms.date: 01/13/2025
ms.topic: overview
---
# Keyboard Filter
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
You can use Keyboard Filter to suppress undesirable key presses or key combinations. Normally, a customer can use certain Microsoft Windows key combinations like Ctrl+Alt+Delete or Ctrl+Shift+Tab to alter the operation of a device by locking the screen or using Task Manager to close a running application. This behavior might not be desirable if your device is intended for a dedicated purpose.
The Keyboard Filter feature works with physical keyboards, the Windows on-screen keyboard, and the touch keyboard. Switching from one language to another might cause the location of suppressed keys on the keyboard layout to change. Keyboard Filter detects these dynamic layout changes and continues to suppress keys correctly.
> [!NOTE]
> Keyboard filter is not supported in a remote desktop session.
## Terminology
- **Turn on, enable:** Make the setting available to the device and optionally apply the settings to the device. Generally *turn on* is used in the user interface or control panel, whereas *enable* is used for command line
- **Configure:** To customize the setting or subsettings
- **Embedded Keyboard Filter:** This feature is called Embedded Keyboard Filter in Windows 10, version 1511
- **Keyboard Filter:** This feature is called Keyboard Filter in Windows 10, version 1607 and later
## Turn on Keyboard Filter
By default, Keyboard Filter isn't turned on. You can turn Keyboard Filter on or off for your device by using the following steps.
Turning on an off Keyboard Filter requires that you restart your device. Keyboard Filter is automatically enabled after the restart.
### Turn on Keyboard Filter by using Control Panel
1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Keyboard Filter**.
1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
1. Restart your device to apply the changes.
### Configure Keyboard using Unattend
1. You can configure the Unattend settings in the [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice) component to add Keyboard Filter features to your image during the design or imaging phase.
1. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the keyboard filter settings and XML examples, see the settings in [Microsoft-Windows-Embedded-KeyboardFilterService](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-keyboardfilterservice).
### Turn on and configure Keyboard Filter using Windows Configuration Designer
The Keyboard Filter settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image deployment time or runtime. You can set one or all keyboard filter settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime.
1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package), selecting the **Advanced Provisioning** option.
> [!Note]
> In the **Choose which settings to view and configure** window, choose **Common to all Windows desktop editions**.
1. On the **Available customizations** page, select **Runtime settings** &gt; **SMISettings**, and then set the desired values for the keyboard filter settings.
1. Once you have finished configuring the settings and building the provisioning package, you can apply the package to the image deployment time or runtime. For more information, see [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package).
This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package. For more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
### Turn on and configure Keyboard Filter by using DISM
1. Open a command prompt with administrator privileges.
1. Enable the feature using the following command.
```cmd
Dism /online /Enable-Feature /FeatureName:Client-KeyboardFilter
```
1. Once the script completes, restart the device to apply the change.
## Keyboard Filter features
Keyboard Filter has the following features:
- Supports hardware keyboards, the standard Windows on-screen keyboard, and the touch keyboard (TabTip.exe)
- Suppresses key combinations even when they come from multiple keyboards
For example, if a user presses the Ctrl key and the Alt key on a hardware keyboard, while at the same time pressing Delete on a software keyboard, Keyboard Filter can still detect and suppress the Ctrl+Alt+Delete functionality.
- Supports numeric keypads and keys designed to access media player and browser functionality
- Can configure a key to breakout of a locked down user session to return to the Welcome screen
- Automatically handles dynamic layout changes
- Can be enabled or disabled for administrator accounts
- Can force disabling of Ease of Access functionality
- Supports x86 and x64 architectures
## Keyboard scan codes and layouts
When a key is pressed on a physical keyboard, the keyboard sends a scan code to the keyboard driver. The driver then sends the scan code to the OS and the OS converts the scan code into a virtual key based on the current active layout. The layout defines the mapping of keys on the physical keyboard, and has many variants. A key on a keyboard always sends the same scan code when pressed, however this scan code can map to different virtual keys for different layouts. For example, in the English (United States) keyboard layout, the key to the right of the P key maps to `{`. However, in the Swedish (Sweden) keyboard layout, the same key maps to `Å`.
Keyboard Filter can block keys either by the scan code or the virtual key. Blocking keys by the scan code is useful for custom keyboards that have special scan codes that don't translate into any single virtual key. Blocking keys by the virtual key is more convenient because it's easier to read and Keyboard Filter suppresses the key correctly even when the location of the key changes because of a layout change.
When you configure Keyboard Filter to block keys by using the virtual key, you must use the English names for the virtual keys. For more information about the names of the virtual keys, see keyboard filter key names.
For the Windows on-screen keyboard, keyboard filter converts each keystroke into a scan code based on the layout, and back into a virtual key. This allows keyboard filter to suppress the on-screen keyboard keys in the same manner as physical keyboard keys if they're configured with either scan code or virtual key.
## Keyboard Filter and ease of access features
By default, ease of access features are enabled and Keyboard Filter is disabled for administrator accounts.
If Sticky Keys are enabled, a user can bypass Keyboard Filter in certain situations. You can configure keyboard filter to disable all ease of access features and prevent users from enabling them.
You can enable ease of access features for administrator accounts, while still disabling them for standard user accounts, by making sure that Keyboard Filter is disabled for administrator accounts.
## Keyboard Filter configuration
You can configure the following options for Keyboard Filter:
- Set/unset predefined key combinations to be suppressed
- Add/remove custom defined key combinations to be suppressed
- Enable/disable keyboard filter for administrator accounts
- Force disabling ease of access features
- Configure a breakout key sequence to break out of a locked down account
Most configuration changes take effect immediately. Some changes, such as enabling or disabling Keyboard Filter for administrators, don't take effect until the user signs out of the account and then back in. If you change the breakout key scan code, you must restart the device before the change take effect.
You can configure keyboard filter by using Windows Management Instrumentation (WMI) providers. You can use the Keyboard Filter WMI providers directly in a PowerShell script or in an application.
For more information about Keyboard Filter WMI providers, see [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md).
## Keyboard breakout
You may need to sign in to a locked down device with a different account in order to service or configure the device. You can configure a breakout key to break out of a locked down account by specifying a key scan code. A user can press this key consecutively five times to switch to the Welcome screen so that you can sign in to a different account.
The breakout key is set to the scan code for the left Windows logo key by default. You can use the [WEKF_Settings](wekf-settings.md) WMI class to change the breakout key scan code. If you change the breakout key scan code, you must restart the device before the change takes effect.
## Keyboard Filter considerations
Starting a device in Safe Mode bypasses keyboard filter. The Keyboard Filter service isn't loaded in Safe Mode, and keys aren't blocked in Safe Mode.
Keyboard filter can't block the Sleep key.
Some hardware keys, such as rotation lock, don't have a defined virtual key. You can still block these keys by using the scan code of the key.
The add (+), multiply (\*), subtract (-), divide (/), and decimal (.) keys have different virtual keys and scan codes on the numeric keypad than on the main keyboard. You must block both keys to block these keys. For example, to block the multiply key, you must add a rule to block "\*" and a rule to block Multiply.
When locking the screen by using the on-screen keyboard, or a combination of a physical keyboard and the on-screen keyboard, the on-screen keyboard sends an extra Windows logo key keystroke to the OS. If your device is using the Windows 10 shell and you use keyboard filter to block Windows logo key+L, the extra Windows logo key keystroke causes the shell to switch between the **Start** screen and the last active app when a user attempts to lock the device by using the on-screen keyboard, which may be unexpected behavior.
Some custom keyboard software, such as Microsoft IntelliType Pro, can install Keyboard Filter drivers that prevent Keyboard Filter from being able to block some or all keys, typically extended keys like BrowserHome and Search.
## In this section
- [Keyboard Filter key names](keyboardfilter-key-names.md)
- [Predefined key combinations](predefined-key-combinations.md)
- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
- [Windows PowerShell script samples for Keyboard Filter](keyboardfilter-powershell-script-samples.md)
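
Review bot: the paragraph "This example uses a Windows image called install.wim..." sits above the "Turn on and configure Keyboard Filter by using DISM" heading and does not match the steps, which run `Dism /online` against the running system and never reference install.wim. Move it under the DISM heading and add the offline-image variant, or drop the install.wim wording. Also in this file: "Turning on an off" should be "on or off", the heading "Configure Keyboard using Unattend" is missing "Filter", step 3 of the DISM procedure calls a single command "the script", "before the change take effect" needs "takes", and "see keyboard filter key names" should link to keyboardfilter-key-names.md as the "In this section" list does. The statement that Sticky Keys can bypass Keyboard Filter "in certain situations" would be more useful with a pointer to the setting that forces ease of access features off.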

View File

@ -0,0 +1,160 @@
---
title: Add blocked key combinations
description: Add blocked key combinations
ms.date: 01/13/2025
ms.topic: reference
---
# Add blocked key combinations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create three functions to configure Keyboard Filter so that Keyboard Filter blocks key combinations. It demonstrates several ways to use each function.
The first function, `Enable-Predefine-Key`, blocks key combinations that are predefined for Keyboard Filter.
The second function, `Enable-Custom-Key`, blocks custom key combinations by using the English key names.
The third function, `Enable-Scancode`, blocks custom key combinations by using the keyboard scan code for the key.
## Enable-rules.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This script shows how to use the built in WMI providers to enable and add
keyboard filter rules through Windows PowerShell on the local computer.
.Parameter ComputerName
Optional parameter to specify a remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Enable-Predefined-Key($Id) {
<#
.Synopsis
Toggle on a Predefined Key keyboard filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances,
filter against key value "Id", and set that instance's "Enabled"
property to 1/true.
.Example
Enable-Predefined-Key "Ctrl+Alt+Del"
Enable CAD filtering
#>
$predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
where {
$_.Id -eq "$Id"
};
if ($predefined) {
$predefined.Enabled = 1;
$predefined.Put() | Out-Null;
Write-Host Enabled $Id
} else {
Write-Error "$Id is not a valid predefined key"
}
}
function Enable-Custom-Key($Id) {
<#
.Synopsis
Toggle on a Custom Key keyboard filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_CustomKey instances,
filter against key value "Id", and set that instance's "Enabled"
property to 1/true.
In the case that the Custom instance does not exist, add a new
instance of WEKF_CustomKey using Set-WMIInstance.
.Example
Enable-Custom-Key "Ctrl+V"
Enable filtering of the Ctrl + V sequence.
#>
$custom = Get-WMIObject -class WEKF_CustomKey @CommonParams |
where {
$_.Id -eq "$Id"
};
if ($custom) {
# Rule exists. Just enable it.
$custom.Enabled = 1;
$custom.Put() | Out-Null;
"Enabled Custom Filter $Id.";
} else {
Set-WMIInstance `
-class WEKF_CustomKey `
-argument @{Id="$Id"} `
@CommonParams | Out-Null
"Added Custom Filter $Id.";
}
}
function Enable-Scancode($Modifiers, [int]$Code) {
<#
.Synopsis
Toggle on a Scancode keyboard filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_Scancode instances,
filter against key values of "Modifiers" and "Scancode", and set
that instance's "Enabled" property to 1/true.
In the case that the Scancode instance does not exist, add a new
instance of WEKF_Scancode using Set-WMIInstance.
.Example
Enable-Scancode "Ctrl" 37
Enable filtering of the Ctrl + keyboard scancode 37 (base-10)
sequence.
#>
$scancode =
Get-WMIObject -class WEKF_Scancode @CommonParams |
where {
($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)
}
if($scancode) {
$scancode.Enabled = 1
$scancode.Put() | Out-Null
"Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
} else {
Set-WMIInstance `
-class WEKF_Scancode `
-argument @{Modifiers="$Modifiers"; Scancode=$Code} `
@CommonParams | Out-Null
"Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
}
}
# Some example uses of the functions defined above.
Enable-Predefined-Key "Ctrl+Alt+Del"
Enable-Predefined-Key "Ctrl+Esc"
Enable-Custom-Key "Ctrl+V"
Enable-Custom-Key "Numpad0"
Enable-Custom-Key "Shift+Numpad1"
Enable-Custom-Key "%"
Enable-Scancode "Ctrl" 37
```
## Related topics
[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard filter](index.md)
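
Review bot: the prose names the first function `Enable-Predefine-Key`, but the script defines and calls `Enable-Predefined-Key`; fix the name in the intro so a reader who copies it from the text gets a command that exists. The `.Synopsis` says the rules are added "on the local computer" although the script takes `-ComputerName` for remote use. The closing section is titled "Related topics" with three bare links on consecutive lines, which render as one run-on paragraph; use "Related articles" and a bulleted list as the other Keyboard Filter pages in this commit do.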

View File

@ -0,0 +1,179 @@
---
title: Keyboard Filter key names
description: Keyboard Filter key names
ms.date: 01/13/2025
ms.topic: reference
---
# Keyboard Filter key names
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
You can configure Keyboard Filter to block keys or key combinations. A key combination consists of one or more modifier keys, separated by a plus sign (+), and either a key name or a key scan code. In addition to the keys listed in the following tables, you can use the predefined key combinations names as custom key combinations. However, we recommend using the predefined key settings when enabling or disabling predefined key combinations.
The key names are grouped as follows:
- [Modifier keys](#modifier-keys)
- [System keys](#system-keys)
- [Cursor and edit keys](#cursor-and-edit-keys)
- [State keys](#state-keys)
- [OEM keys](#oem-keys)
- [Function keys](#function-keys)
- [Numeric keypad keys](#numeric-keypad-keys)
## Modifier keys
You can use the modifier keys listed in the following table when you configure keyboard filter. Multiple modifiers are separated by a plus sign (+). You can also configure Keyboard Filter to block any modifier key even if it's not part of a key combination.
| Modifier key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `Ctrl` | VK_CONTROL | The <kbd>Ctrl</kbd> key |
| `LCtrl` | VK_LCONTROL | The left <kbd>Ctrl</kbd> key |
| `RCtrl` | VK_RCONTROL | The right <kbd>Ctrl</kbd> key |
| `Control` | VK_CONTROL | The <kbd>Ctrl</kbd> key |
| `LControl` | VK_LCONTROL | The left <kbd>Ctrl</kbd> key |
| `RControl` | VK_RCONTROL | The right <kbd>Ctrl</kbd> key |
| `Alt` | VK_MENU | The <kbd>Alt</kbd> key |
| `LAlt` | VK_LMENU | The left <kbd>Alt</kbd> key |
| `RAlt` | VK_RMENU | The right <kbd>Alt</kbd> key |
| `Shift` | VK_SHIFT | The <kbd>Shift</kbd> key |
| `LShift` | VK_LSHIFT | The left <kbd>Shift</kbd> key |
| `RShift` | VK_RSHIFT | The right <kbd>Shift</kbd> key |
| `Win` | VK_WIN | The <kbd>Windows</kbd> logo key |
| `LWin` | VK_LWIN | The left <kbd>Windows</kbd> logo key |
| `RWin` | VK_RWIN | The right <kbd>Windows</kbd> logo key |
| `Windows` | VK_WIN | The <kbd>Windows</kbd> logo key |
| `LWindows` | VK_LWIN | The left <kbd>Windows</kbd> logo key |
| `RWindows` | VK_RWIN | The right <kbd>Windows</kbd> key |
## System keys
| Modifier key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `Ctrl` | VK_CONTROL | The <kbd>Ctrl</kbd> key |
| `LCtrl` | VK_LCONTROL | The left <kbd>Ctrl</kbd> key |
| `RCtrl` | VK_RCONTROL | The right <kbd>Ctrl</kbd> key |
| `Control` | VK_CONTROL | The <kbd>Ctrl</kbd> key |
| `LControl` | VK_LCONTROL | The left <kbd>Ctrl</kbd> key |
| `RControl` | VK_RCONTROL | The right <kbd>Ctrl</kbd> key |
| `Alt` | VK_MENU | The <kbd>Alt</kbd> key |
| `LAlt` | VK_LMENU | The left <kbd>Alt</kbd> key |
| `RAlt` | VK_RMENU | The right <kbd>Alt</kbd> key |
| `Shift` | VK_SHIFT | The <kbd>Shift</kbd> key |
| `LShift` | VK_LSHIFT | The left <kbd>Shift</kbd> key |
| `RShift` | VK_RSHIFT | The right <kbd>Shift</kbd> key |
| `Win` | VK_WIN | The <kbd>Windows</kbd> logo key |
| `LWin` | VK_LWIN | The left <kbd>Windows</kbd> logo key |
| `RWin` | VK_RWIN | The right <kbd>Windows</kbd> logo key |
| `Windows` | VK_WIN | The <kbd>Windows</kbd> logo key |
| `LWindows` | VK_LWIN | The left <kbd>Windows</kbd> logo key |
| `RWindows` | VK_RWIN | The right <kbd>Windows</kbd> logo key |
## Cursor and edit keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `PageUp` | VK_PRIOR | The <kbd>Page Up</kbd> key |
| `Prior` | VK_PRIOR | The <kbd>Page Up</kbd> key |
| `PgUp` | VK_PRIOR | The <kbd>Page Up</kbd> key |
| `PageDown` | VK_NEXT | The <kbd>Page Down</kbd> key |
| `PgDown` | VK_NEXT | The <kbd>Page Down</kbd> key |
| `Next` | VK_NEXT | The <kbd>Page Down</kbd> key |
| `End` | VK_END | The <kbd>End</kbd> key |
| `Home` | VK_HOME | The <kbd>Home</kbd> key |
| `Left` | VK_LEFT | The <kbd>Left Arrow</kbd> key |
| `Up` | VK_UP | The <kbd>Up Arrow</kbd> key |
| `Right` | VK_RIGHT | The <kbd>Right Arrow</kbd> key |
| `Down` | VK_DOWN | The <kbd>Down Arrow</kbd> key |
| `Insert` | VK_INSERT | The <kbd>Insert</kbd> key |
| `Delete` | VK_DELETE | The <kbd>Delete</kbd> key |
| `Del` | VK_DELETE | The <kbd>Delete</kbd> key |
| `Separator` | VK_SEPARATOR | The <kbd>Separator</kbd> key |
## State keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `NumLock` | VK_NUMLOCK | The <kbd>Num Lock</kbd> key |
| `ScrollLock` | VK_SCROLL | The <kbd>Scroll Lock</kbd> key |
| `Scroll` | VK_SCROLL | The <kbd>Scroll Lock</kbd> key |
| `CapsLock` | VK_CAPITAL | The <kbd>Caps Lock</kbd> key |
| `Capital` | VK_CAPITAL | The <kbd>Caps Lock</kbd> key |
## OEM keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `KeypadEqual` | VK_OEM_NEC_EQUAL | The <kbd>Equals (=)</kbd> key on the numeric keypad (OEM-specific) |
| `Dictionary` | VK_OEM_FJ_JISHO | The Dictionary key (OEM-specific) |
| `Unregister` | VK_OEM_FJ_MASSHOU | The Unregister Word key (OEM-specific) |
| `Register` | VK_OEM_FJ_TOUROKU | The Register Word key (OEM-specific) |
| `LeftOyayubi` | VK_OEM_FJ_LOYA | The Left OYAYUBI key (OEM-specific) |
| `RightOyayubi` | VK_OEM_FJ_ROYA | The Right OYAYUBI key (OEM-specific) |
| `OemPlus` | VK_OEM_PLUS | For any country/region, the <kbd>Plus Sign (+)</kbd> key |
| `OemComma` | VK_OEM_COMMA | For any country/region, the <kbd>Comma (,)</kbd> key |
| `OemMinus` | VK_OEM_MINUS | For any country/region, the <kbd>Minus Sign (-)</kbd> key |
| `OemPeriod` | VK_OEM_PERIOD | For any country/region, the <kbd>Period (.)</kbd> key |
| `Oem1` | VK_OEM_1 | Varies by keyboard |
| `Oem2` | VK_OEM_2 | Varies by keyboard |
| `Oem3` | VK_OEM_3 | Varies by keyboard |
| `Oem4` | VK_OEM_4 | Varies by keyboard |
| `Oem5` | VK_OEM_5 | Varies by keyboard |
| `Oem6` | VK_OEM_6 | Varies by keyboard |
| `Oem7` | VK_OEM_7 | Varies by keyboard |
| `Oem8` | VK_OEM_8 | Varies by keyboard |
| `OemAX` | VK_OEM_AX | The <kbd>AX</kbd> key on a Japanese AX keyboard |
| `Oem102` | VK_OEM_102 | Either the angle bracket key or the backslash key on the RT 102-key keyboard |
## Function keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `F1` | VK_F1 | The <kbd>F1</kbd> key |
| `F2` | VK_F2 | The <kbd>F2</kbd> key |
| `F3` | VK_F3 | The <kbd>F3</kbd> key |
| `F4` | VK_F4 | The <kbd>F4</kbd> key |
| `F5` | VK_F5 | The <kbd>F5</kbd> key |
| `F6` | VK_F6 | The <kbd>F6</kbd> key |
| `F7` | VK_F7 | The <kbd>F7</kbd> key |
| `F8` | VK_F8 | The <kbd>F8</kbd> key |
| `F9` | VK_F9 | The <kbd>F9</kbd> key |
| `F10` | VK_F10 | The <kbd>F10</kbd> key |
| `F11` | VK_F11 | The <kbd>F11</kbd> key |
| `F12` | VK_F12 | The <kbd>F12</kbd> key |
| `F13` | VK_F13 | The <kbd>F13</kbd> key |
| `F14` | VK_F14 | The <kbd>F14</kbd> key |
| `F15` | VK_F15 | The <kbd>F15</kbd> key |
| `F16` | VK_F16 | The <kbd>F16</kbd> key |
| `F17` | VK_F17 | The <kbd>F17</kbd> key |
| `F18` | VK_F18 | The <kbd>F18</kbd> key |
| `F19` | VK_F19 | The <kbd>F19</kbd> key |
| `F20` | VK_F20 | The <kbd>F20</kbd> key |
| `F21` | VK_F21 | The <kbd>F21</kbd> key |
| `F22` | VK_F22 | The <kbd>F22</kbd> key |
| `F23` | VK_F23 | The <kbd>F23</kbd> key |
| `F24` | VK_F24 | The <kbd>F24</kbd> key |
## Numeric keypad keys
| Key name | Virtual key | Description |
| ----------------- | ----------- | ----------- |
| `Numpad0` | VK_NUMPAD0 | The <kbd>0</kbd> key on the numeric keypad |
| `Numpad1` | VK_NUMPAD1 | The <kbd>1</kbd> key on the numeric keypad |
| `Numpad2` | VK_NUMPAD2 | The <kbd>2</kbd> key on the numeric keypad |
| `Numpad3` | VK_NUMPAD3 | The <kbd>3</kbd> key on the numeric keypad |
| `Numpad4` | VK_NUMPAD4 | The <kbd>4</kbd> key on the numeric keypad |
| `Numpad5` | VK_NUMPAD5 | The <kbd>5</kbd> key on the numeric keypad |
| `Numpad6` | VK_NUMPAD6 | The <kbd>6</kbd> key on the numeric keypad |
| `Numpad7` | VK_NUMPAD7 | The <kbd>7</kbd> key on the numeric keypad |
| `Numpad8` | VK_NUMPAD8 | The <kbd>8</kbd> key on the numeric keypad |
| `Numpad9` | VK_NUMPAD9 | The <kbd>9</kbd> key on the numeric keypad |
| `Multiply` | VK_MULTIPLY | The <kbd>Multiply (*)</kbd> key on the numeric keypad |
| `Add` | VK_ADD | The <kbd>Add (+)</kbd> key on the numeric keypad |
| `Subtract` | VK_SUBTRACT | The <kbd>Subtract (-)</kbd> key on the numeric keypad |
| `Decimal` | VK_DECIMAL | The <kbd>Decimal (.)</kbd> key on the numeric keypad |
| `Divide` | VK_DIVIDE | The <kbd>Divide (/)</kbd> key on the numeric keypad |
## Related articles
- [Keyboard filter](index.md)

View File

@ -0,0 +1,71 @@
---
title: List all configured key combinations
description: List all configured key combinations
ms.date: 01/13/2025
ms.topic: reference
---
# List all configured key combinations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to displays all key combination configurations for Keyboard Filter.
## List-rules.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
Enumerate all active keyboard filter rules on the system.
.Description
For each instance of WEKF_PredefinedKey, WEKF_CustomKey, and WEKF_Scancode,
get the Enabled property. If Enabled, then output a short description
of the rule.
.Parameter ComputerName
Optional parameter to specify the remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
write-host Enabled Predefined Keys -foregroundcolor cyan
Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
foreach {
if ($_.Enabled) {
write-host $_.Id
}
}
write-host Enabled Custom Keys -foregroundcolor cyan
Get-WMIObject -class WEKF_CustomKey @CommonParams |
foreach {
if ($_.Enabled) {
write-host $_.Id
}
}
write-host Enabled Scancodes -foregroundcolor cyan
Get-WMIObject -class WEKF_Scancode @CommonParams |
foreach {
if ($_.Enabled) {
"{0}+{1:X4}" -f $_.Modifiers, $_.Scancode
}
}
```
## Related articles
[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard filter](index.md)
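
Review bot: the intro sentence reads "to displays all key combination configurations"; it should be "to display". In the script, the first two loops print with write-host while the scancode loop emits a formatted string to the output stream, so the three sections behave differently when the output is captured or redirected; use one approach for all three. The scancode line also prints the code as four hex digits ({1:X4}) while the Remove-Scancode example on the remove page passes a decimal value (37), so a comment saying the listing is hexadecimal would save readers a mismatch.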

View File

@ -0,0 +1,26 @@
---
title: Windows PowerShell script samples for Keyboard Filter
description: Windows PowerShell script samples for Keyboard Filter
ms.date: 01/13/2025
ms.topic: reference
---
# Windows PowerShell script samples for Keyboard Filter
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The list below describes sample Windows PowerShell scripts that demonstrate how to use the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
| Script | Description |
| ------ | ----------- |
| [Add blocked key combinations](keyboardfilter-add-blocked-key-combinations.md) | Demonstrates how to block key combinations for Keyboard Filter.|
| [Disable all blocked key combinations](disable-all-blocked-key-combinations.md) | Demonstrates how to disable all blocked key combinations for Keyboard Filter. |
| [List all configured key combinations](keyboardfilter-list-all-configured-key-combinations.md) | Demonstrates how to list all defined key combination configurations for Keyboard Filter. |
| [Modify global settings](modify-global-settings.md) | Demonstrates how to modify global settings for Keyboard Filter. |
| [Remove key combination configurations](remove-key-combination-configurations.md) | Demonstrates how to remove a custom defined key combination configuration for Keyboard Filter. |
## Related articles
[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard Filter](index.md)

View File

@ -0,0 +1,23 @@
---
title: Keyboard Filter WMI provider reference
description: Keyboard Filter WMI provider reference
ms.date: 01/13/2025
ms.topic: reference
---
# Keyboard Filter WMI provider reference
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Describes the Windows Management Instrumentation (WMI) provider classes that you use to configure Keyboard Filter during run time.
| WMI Provider Class | Description |
| ------------------ | ----------- |
| [WEKF_CustomKey](wekf-customkey.md) | Blocks or unblocks custom defined key combinations. |
| [WEKF_PredefinedKey](wekf-predefinedkey.md) | Blocks or unblocks predefined key combinations. |
| [WEKF_Scancode](wekf-scancode.md) | Blocks or unblocks key combinations by using keyboard scan codes. |
| [WEKF_Settings](wekf-settings.md) | Enables or disables settings for Keyboard Filter. |
## Related topics
[Keyboard filter](index.md)
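
Review bot: the opening line "Describes the Windows Management Instrumentation (WMI) provider classes ..." is a fragment with no subject; start it with "This article describes" or similar. The closing heading here is "Related topics" while the script-sample pages added in this commit use "Related articles", and the link text alternates between "Keyboard filter" and "Keyboard Filter"; settle on one form for each across the new files.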

View File

@ -0,0 +1,172 @@
---
title: Modify global settings
description: Modify global settings
ms.date: 01/13/2025
ms.topic: how-to
---
# Modify global settings
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell scripts use the Windows Management Instrumentation (WMI) providers to modify global settings for Keyboard Filter.
The function **Get-Setting** retrieves the value of a global setting for Keyboard Filter.
In the first script, the function **Set-DisableKeyboardFilterForAdministrators** modifies the value of the **DisableKeyboardFilterForAdministrators** setting.
In the second script, the function **Set-ForceOffAccessibility** modifies the value of the **ForceOffAccessibility** setting.
## Set-DisableKeyboardFilterForAdministrators.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This script shows how to enumerate WEKF_Settings to find global settings
that can be set on the keyboard filter. In this specific script, the
global setting to be set is "DisableKeyboardFilterForAdministrators".
.Parameter ComputerName
Optional parameter to specify a remote computer that this script should
manage. If not specified, the script will execute all WMI operations
locally.
.Parameter On
Switch if present that sets "DisableKeyboardFilterForAdministrators" to
true. If not present, sets the setting to false.
#>
param (
[Switch] $On = $False,
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"};
if ($PSBoundParameters.ContainsKey("ComputerName")) {
$CommonParams += @{"ComputerName" = $ComputerName};
}
function Get-Setting([String] $Name) {
<#
.Synopsis
Get a WMIObject by name from WEKF_Settings
.Parameter Name
The name of the setting, which is the key for the WEKF_Settings class.
#>
$Entry = Get-WMIObject -class WEKF_Settings @CommonParams |
where {
$_.Name -eq $Name
}
return $Entry
}
function Set-DisableKeyboardFilterForAdministrators([Bool] $Value) {
<#
.Synopsis
Set the DisableKeyboardFilterForAdministrators setting to true or
false.
.Description
Set DisableKeyboardFilterForAdministrators to true or false based
on $Value
.Parameter Value
A Boolean value
#>
$Setting = Get-Setting("DisableKeyboardFilterForAdministrators")
if ($Setting) {
if ($Value) {
$Setting.Value = "true"
} else {
$Setting.Value = "false"
}
$Setting.Put() | Out-Null;
} else {
Write-Error "Unable to find DisableKeyboardFilterForAdministrators setting";
}
}
Set-DisableKeyboardFilterForAdministrators $On
```
## Set-ForceOffAccessibility.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This script shows how to enumerate WEKF_Settings to find global settings
that can be set on the keyboard filter. In this specific script, the
global setting to be set is "ForceOffAccessibility".
.Parameter ComputerName
Optional parameter to specify a remote computer that this script should
manage. If not specified, the script will execute all WMI operations
locally.
.Parameter Enabled
Switch if present that sets "ForceOffAccessibility" to true. If not
present, sets the setting to false.
#>
param (
[Switch] $Enabled = $False,
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"};
if ($PSBoundParameters.ContainsKey("ComputerName")) {
$CommonParams += @{"ComputerName" = $ComputerName};
}
function Get-Setting([String] $Name) {
<#
.Synopsis
Get a WMIObject by name from WEKF_Settings
.Parameter Name
The name of the setting, which is the key for the WEKF_Settings class.
#>
$Entry = Get-WMIObject -class WEKF_Settings @CommonParams |
where {
$_.Name -eq $Name
}
return $Entry
}
function Set-ForceOffAccessibility([Bool] $Value) {
<#
.Synopsis
Set the ForceOffAccessibility setting to true or false.
.Description
Set ForceOffAccessibility to true or false based on $Value
.Parameter Value
A Boolean value
#>
$Setting = Get-Setting("ForceOffAccessibility")
if ($Setting) {
if ($Value) {
$Setting.Value = "true"
} else {
$Setting.Value = "false"
}
$Setting.Put() | Out-Null;
} else {
Write-Error "Unable to find ForceOffAccessibility setting";
}
}
Set-ForceOffAccessibility $Enabled
```
## Related topics
[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
[WEKF_Settings](wekf-settings.md)
[Keyboard filter](index.md)
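
Review bot: the two scripts expose the same kind of toggle under different switch names, -On in Set-DisableKeyboardFilterForAdministrators.ps1 and -Enabled in Set-ForceOffAccessibility.ps1; use one name in both. Running either script without the switch writes "false" to the setting, which only the .Parameter help mentions; the article text should state that, and should say what each value of DisableKeyboardFilterForAdministrators and ForceOffAccessibility does, since the first one, by its name, controls whether the filter is applied to administrator accounts. Two smaller points: Get-Setting("...") should be written Get-Setting "..." because the parenthesised form stops working as soon as a second argument is added, and the result of $Setting.Put() is discarded with Out-Null, so a failed write is not reported.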

View File

@ -0,0 +1,160 @@
---
title: Predefined key combinations
description: Predefined key combinations
ms.date: 01/13/2025
ms.topic: reference
---
# Predefined key combinations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This topic lists a set of key combinations that are predefined by a keyboard filter. You can list the value of the WEKF_PredefinedKey.Id to get a complete list of key combinations defined by a keyboard filter.
You can use the values in the WEKF_PredefinedKey.Id column to configure the Windows Management Instrumentation (WMI) class [WEKF_PredefinedKey](wekf-predefinedkey.md).
## Accessibility keys
The following table contains predefined key combinations for accessibility:
| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
|:-------------------------------------|:--------------------------|:----------------------------|
| Left Alt + Left Shift + Print Screen | **LShift+LAlt+PrintScrn** | Open High Contrast. |
| Left Alt + Left Shift + Num Lock | **LShift+LAlt+NumLock** | Open Mouse Keys. |
| Windows logo key + U | **Win+U** | Open Ease of Access Center. |
## Application keys
The following table contains predefined key combinations for controlling application state:
| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
|:----------------------|:----------------------|:-------------------|
| Alt + F4 | **Alt+F4** | Close application. |
| Ctrl + F4 | **Ctrl+F4** | Close window. |
| Windows logo key + F1 | **Win+F1** | Open Windows Help. |
## Shell keys
The following table contains predefined key combinations for general UI control:
| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
|:---------------------------------------|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------------|
| Alt + Spacebar | **Alt+Space** | Open shortcut menu for the active window. |
| Ctrl + Esc | **Ctrl+Esc** | Open the Start screen. |
| Ctrl + Windows logo key + F | **Ctrl+Win+F** | Open Find Computers. |
| Windows logo key + Break | **Win+Break** | Open System dialog box. |
| Windows logo key + E | **Win+E** | Open Windows Explorer. |
| Windows + F | **Win+F** | Open Search. |
| Windows logo key + P | **Win+P** | Cycle through Presentation Mode. Also blocks the Windows logo key + Shift + P and the Windows logo key + Ctrl + P key combinations. |
| Windows logo key + R | **Win+R** | Open Run dialog box. |
| Alt + Tab | **Alt+Tab** | Switch task. Also blocks the Alt + Shift + Tab key combination. |
| Ctrl + Tab | **Ctrl+Tab** | Switch window. |
| Windows logo key + Tab | **Win+Tab** | Cycle through Microsoft Store apps. Also blocks the Windows logo key + Ctrl + Tab and Windows logo key + Shift + Tab key combinations. |
| Windows logo key + D | **Win+D** | Show desktop. |
| Windows logo key + M | **Win+M** | Minimize all windows. |
| Windows logo key + Home | **Win+Home** | Minimize or restore all inactive windows. |
| Windows logo key + T | **Win+T** | Set focus on taskbar and cycle through programs. |
| Windows logo key + B | **Win+B** | Set focus in the notification area. |
| Windows logo key + Minus Sign | **Win+-** | Zoom out. |
| Windows logo key + Plus Sign | **Win++** | Zoom in. |
| Windows logo key + Esc | **Win+Esc** | Close Magnifier application. |
| Windows logo key + Up Arrow | **Win+Up** | Maximize the active window. |
| Windows logo key + Down Arrow | **Win+Down** | Minimize the active window. |
| Windows logo key + Left Arrow | **Win+Left** | Snap the active window to the left half of screen. |
| Windows logo key + Right Arrow | **Win+Right** | Snap the active window to the right half of screen. |
| Windows logo key + Shift + Up Arrow | **Win+Shift+Up** | Maximize the active window vertically. |
| Windows logo key + Shift + Down Arrow | **Win+Shift+Down** | Minimize the active window. |
| Windows logo key + Shift + Left Arrow | **Win+Shift+Left** | Move the active window to left monitor. |
| Windows logo key + Shift + Right Arrow | **Win+Shift+Right** | Move the active window to right monitor. |
| Windows logo key + Spacebar | **Win+Space** | Switch layout. |
| Windows logo key + O | **Win+O** | Lock device orientation. |
| Windows logo key + Page Up | **Win+PageUp** | Move a Microsoft Store app to the left monitor. |
| Windows logo key + Page Down | **Win+PageDown** | Move a Microsoft Store app to right monitor. |
| Windows logo key + Period | **Win+.** | Snap the current screen to the left or right gutter. Also blocks the Windows logo key + Shift + Period key combination. |
| Windows logo key + C | **Win+C** | Activate Cortana in listening mode (after user has enabled the shortcut through the UI). |
| Windows logo key + I | **Win+I** | Open Settings charm. |
| Windows logo key + K | **Win+K** | Open Connect charm. |
| Windows logo key + H | **Win+H** | Start dictation. |
| Windows logo key + Q | **Win+Q** | Open Search charm. |
| Windows logo key + W | **Win+W** | Open Windows Ink workspace. |
| Windows logo key + Z | **Win+Z** | Open app bar. |
| Windows logo key + / | **Win+/** | Open input method editor (IME). |
| Windows logo key + J | **Win+J** | Swap between snapped and filled applications. |
| Windows logo key + Comma | **Win+,** | Peek at the desktop. |
| Windows logo key + V | **Win+V** | Cycle through toasts in reverse order. |
## Modifier keys
The following table contains predefined key combinations for modifier keys (such as Shift and Ctrl):
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:-----------------|:----------------------|:-----------------------|
| Alt | **Alt** | Both Alt keys |
| Application | **Application** | Application key |
| Ctrl | **Ctrl** | Both Ctrl keys |
| Shift | **Shift** | Both Shift keys |
| Windows logo key | **Windows** | Both Windows logo keys |
## Security keys
The following table contains predefined key combinations for OS security:
| Key combination | WEKF_PredefinedKey.Id | Blocked behavior |
|:-----------------------|:----------------------|:----------------------------------|
| Ctrl + Alt + Delete | **Ctrl+Alt+Del** | Open the Windows Security screen. |
| Ctrl + Shift + Esc | **Shift+Ctrl+Esc** | Open Task Manager. |
| Windows logo key + L | **Win+L** | Lock the device. |
## Extended shell keys
The following table contains predefined key combinations for extended shell functions (such as automatically opening certain apps):
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:--------------------|:----------------------|:------------------------|
| LaunchMail | **LaunchMail** | Start Mail key |
| LaunchMediaSelect | **LaunchMediaSelect** | Select Media key |
| LaunchApp1 | **LaunchApp1** | Start Application 1 key |
| LaunchApp2 | **LaunchApp2** | Start Application 2 key |
## Browser keys
The following table contains predefined key combinations for controlling the browser:
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:-----------------|:----------------------|:---------------------------|
| BrowserBack | **BrowserBack** | Browser Back key |
| BrowserForward | **BrowserForward** | Browser Forward key |
| BrowserRefresh | **BrowserRefresh** | Browser Refresh key |
| BrowserStop | **BrowserStop** | Browser Stop key |
| BrowserSearch | **BrowserSearch** | Browser Search key |
| BrowserFavorites | **BrowserFavorites** | Browser Favorites key |
| BrowserHome | **BrowserHome** | Browser Start and Home key |
## Media keys
The following table contains predefined key combinations for controlling media playback:
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:----------------|:----------------------|:---------------------|
| VolumeMute | **VolumeMute** | Volume Mute key |
| VolumeDown | **VolumeDown** | Volume Down key |
| VolumeUp | **VolumeUp** | Volume Up key |
| MediaNext | **MediaNext** | Next Track key |
| MediaPrev | **MediaPrev** | Previous Track key |
| MediaStop | **MediaStop** | Stop Media key |
| MediaPlayPause | **MediaPlayPause** | Play/Pause Media key |
## Microsoft Surface keyboard keys
The following table contains predefined key combinations for Microsoft Surface devices:
| Key combination | WEKF_PredefinedKey.Id | Blocked key |
|:------------------------------|:----------------------|:-------------|
| Left Alt + Windows logo key | **AltWin** | Share key |
| Left Ctrl + Windows logo key | **CtrlWin** | Devices key |
| Left Shift + Windows logo key | **ShiftWin** | Search key |
| F21 | **F21** | Settings key |
## Related topics
[Keyboard filter](index.md)
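
Review bot: in the Shell keys table the Win+F row gives the combination as "Windows + F" where every other row says "Windows logo key"; make it "Windows logo key + F". In the same table the Win+Shift+Down row has the blocked behavior "Minimize the active window.", identical to the Win+Down row, while the neighbouring Win+Shift+Up row says "Maximize the active window vertically."; please confirm that description is intended. The intro also says the combinations are "predefined by a keyboard filter", where the other pages in this commit treat Keyboard Filter as the feature name.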

View File

@ -0,0 +1,106 @@
---
title: Remove key combination configurations
description: Remove key combination configurations
ms.date: 01/13/2025
ms.topic: reference
---
# Remove key combination configurations
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
The following sample Windows PowerShell script uses the Windows Management Instrumentation (WMI) providers for Keyboard Filter to create two functions to remove custom-defined key combination configurations from Keyboard Filter. It demonstrates several ways to use each function.
The first function, **Remove-Custom-Key**, removes custom key combination configurations.
The second function, **Remove-Scancode**, removes custom scan code configurations.
You can't remove the predefined key combination configurations for Keyboard Filter, but you can disable them.
## Remove-rules.ps1
```powershell
#
# Copyright (C) Microsoft. All rights reserved.
#
<#
.Synopsis
This script shows how to use the build in WMI providers to remove keyboard filter rules. Rules of type WEKF_PredefinedKey cannot be removed.
.Parameter ComputerName
Optional parameter to specify the remote computer that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param(
[string] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Remove-Custom-Key($Id) {
<#
.Synopsis
Remove an instance of WEKF_CustomKey
.Description
Enumerate all instances of WEKF_CustomKey. When an instance has an
Id that matches $Id, delete it.
.Example
Remove-Custom-Key "Ctrl+V"
This removes the instance of WEKF_CustomKey with a key Id of "Ctrl+V"
#>
$customInstance = Get-WMIObject -class WEKF_CustomKey @CommonParams |
where {$_.Id -eq $Id}
if ($customInstance) {
$customInstance.Delete();
"Removed Custom Filter $Id.";
} else {
"Custom Filter $Id does not exist.";
}
}
function Remove-Scancode($Modifiers, [int]$Code) {
<#
.Synopsis
Remove and instance of WEKF_Scancode
.Description
Enumerate all instances of WEKF_Scancode. When an instance has a
matching modifiers and code, delete it.
.Example
Remove-Scancode "Ctrl" 37
This removes the instance of WEKF_Scancode with Modifiers="Ctrl" and
Scancode=37.
#>
$scancodeInstance = Get-WMIObject -class WEKF_Scancode @CommonParams |
where {($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)}
if ($scancodeInstance) {
$scancodeInstance.Delete();
"Removed Scancode $Modifiers+$Code.";
} else {
"Scancode $Modifiers+$Code does not exist.";
}
}
# Some example uses of the functions defined above.
Remove-Custom-Key "Ctrl+V"
Remove-Custom-Key "Numpad0"
Remove-Custom-Key "Shift+Numpad1"
Remove-Custom-Key "%"
Remove-Scancode "Ctrl" 37
```
## Related articles
[Windows PowerShell script samples for keyboard filter](keyboardfilter-powershell-script-samples.md)
[Keyboard filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard filter](index.md)
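
Review bot: the comment-based help has two typos, "use the build in WMI providers" (built-in) and "Remove and instance of WEKF_Scancode" (an instance). The example call Remove-Custom-Key "%" needs a comment or a different key: the WEKF_CustomKey remarks added in this same commit say a Shift-modified key must be specified as Shift plus the unmodified key and that trying to block % blocks 5 instead, so a rule with Id "%" is not one a reader following those remarks would have created. Both functions also print "Removed ..." right after Delete() without checking that the call succeeded.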

View File

@ -0,0 +1,53 @@
items:
- name: Keyboard Filter
items:
- name: About keyboard filter
href: index.md
- name: Key Names
href: keyboardfilter-key-names.md
- name: Predefined Key Combinations
href: keyboardfilter-list-all-configured-key-combinations.md
- name: WMI Provider Reference
items:
- name: Overview
href: keyboardfilter-wmi-provider-reference.md
- name: Class WEKF_CustomKey
items:
- name: Overview
href: wekf-customkey.md
- name: Add
href: wekf-customkeyadd.md
- name: Remove
href: wekf-customkeyremove.md
- name: Class WEKF_PredefinedKey
items:
- name: Overview
href: wekf-predefinedkey.md
- name: Disable
href: wekf-predefinedkeydisable.md
- name: Enable
href: wekf-predefinedkeyenable.md
- name: Class WEKF_Scancode
items:
- name: Overview
href: wekf-scancode.md
- name: Add
href: wekf-scancodeadd.md
- name: Remove
href: wekf-scancoderemove.md
- name: Class WEKF-Settings
href: wekf-settings.md
- name: PowerShell script samples
items:
- name: Overview
href: keyboardfilter-powershell-script-samples.md
- name: Add blocked key Combinations
href: keyboardfilter-add-blocked-key-combinations.md
- name: Disable all blocked key Combinations
href: disable-all-blocked-key-combinations.md
- name: List all configured key combinations
href: keyboardfilter-list-all-configured-key-combinations.md
- name: Modify global settings
href: modify-global-settings.md
- name: Remove key combination configurations
href: remove-key-combination-configurations.md
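
Review bot: the "Predefined Key Combinations" entry points to keyboardfilter-list-all-configured-key-combinations.md, the same href used further down for "List all configured key combinations" under PowerShell script samples, so the predefined key combinations article added in this commit is not reachable from the TOC; point the entry at that article's file. The entry "Class WEKF-Settings" uses a hyphen where the class is WEKF_Settings, and the name casing is mixed ("Key Names", "Add blocked key Combinations", "List all configured key combinations"); pick one casing style.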

View File

@ -0,0 +1,128 @@
---
title: WEKF_CustomKey
description: WEKF_CustomKey
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_CustomKey
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Adds or removes custom-defined key combinations.
## Syntax
```powershell
class WEKF_CustomKey {
[Static] uint32 Add(
[In] string CustomKey
);
[Static] uint32 Remove(
[In] string CustomKey
);
[Key] string Id;
[Read, Write] boolean Enabled;
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Methods
| Methods | Description |
|---------|-------------|
| [WEKF_CustomKey.Add](wekf-customkeyadd.md) | Creates a new custom key combination and enables Keyboard Filter to block the new key combination. |
| [WEKF_CustomKey.Remove](wekf-customkeyremove.md) | Removes the specified custom key combination. Keyboard Filter stops blocking the key combination that was removed. |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|--------------|
| **Id** | string | [key] | The name of the custom key combination. |
| **Enabled** | Boolean | [read, write] | Indicates if the key is blocked or unblocked. This property can be one of the following values </br>- **true** Indicates that the key is blocked.</br>- **false** Indicates that the key isn't blocked. |
### Remarks
You can specify key combinations by including the modifier keys in the name. The most common modifier names are <kbd>>Ctrl</kbd>, <kbd>>Shift</kbd>, <kbd>>Alt</kbd>, and <kbd>>Win</kbd>. You can't block a combination of non-modifier keys. For example, you can block a key combination of <kbd>>Ctrl</kbd>+<kbd>>Shift</kbd>+<kbd>>F</kbd>, but you can't block a key combination of <kbd>>A</kbd>+<kbd>>D</kbd>.
When you block a <kbd>>Shift</kbd>-modified key, you must enter the key as <kbd>>Shift</kbd> + the unmodified key. For example, to block the <kbd>>%</kbd> key on an English keyboard layout, you must specify the key as <kbd>>Shift</kbd>+<kbd>>5</kbd>. Attempting to block <kbd>>%</kbd>, results in Keyboard Filter blocking <kbd>>5</kbd> instead.
When you specify the key combination to block, you must use the English names for the keys. For a list of the key names you can specify, see Keyboard Filter key names.
## Example
The following code demonstrates how to add or enable a custom key combination that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly and doesn't call any of the methods defined in **WEKF_CustomKey**.
```powershell
<#
.Synopsis
This script shows how to use the WMI provider to enable and add
Keyboard Filter rules through Windows PowerShell on the local computer.
.Parameter ComputerName
Optional parameter to specify a remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Enable-Custom-Key($Id) {
<#
.Synopsis
Toggle on a Custom Key Keyboard Filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_CustomKey instances,
filter against key value "Id", and set that instance's "Enabled"
property to 1/true.
In the case that the Custom instance does not exist, add a new
instance of WEKF_CustomKey using Set-WMIInstance.
.Example
Enable-Custom-Key "Ctrl+V"
Enable filtering of the Ctrl + V sequence.
#>
$custom = Get-WMIObject -class WEKF_CustomKey @CommonParams |
where {
$_.Id -eq "$Id"
};
if ($custom) {
# Rule exists. Just enable it.
$custom.Enabled = 1;
$custom.Put() | Out-Null;
"Enabled Custom Filter $Id.";
} else {
Set-WMIInstance `
-class WEKF_CustomKey `
-argument @{Id="$Id"} `
@CommonParams | Out-Null
"Added Custom Filter $Id.";
}
}
# Some example uses of the function defined above.
Enable-Custom-Key "Ctrl+V"
Enable-Custom-Key "Numpad0"
Enable-Custom-Key "Shift+Numpad1"
```
## Related articles
[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard Filter key names](keyboardfilter-key-names.md)
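
Review bot: every kbd element in the Remarks section has a stray ">" after the opening tag, for example <kbd>>Ctrl</kbd> and <kbd>>Shift</kbd>, which will render as ">Ctrl" and ">Shift"; remove the extra character throughout both paragraphs. In the same section, "see Keyboard Filter key names" is plain text although keyboardfilter-key-names.md is linked under Related articles, and the comma in "Attempting to block %, results in" should go. The Enabled row of the Properties table uses </br>, which is not a valid tag; use <br>. The Syntax block is fenced as powershell although it is a class definition, not PowerShell.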

View File

@ -0,0 +1,94 @@
---
title: WEKF_CustomKey.Add
description: WEKF_CustomKey.Add
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_CustomKey.Add
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Creates a new custom key combination and enables Keyboard Filter to block the new key combination.
## Syntax
```powershell
[Static] uint32 Add(
[In] string CustomKey
);
```
## Parameters
**CustomKey**</br>\[in\] The custom key combination to add. For a list of valid key names, see [Keyboard Filter key names](keyboardfilter-key-names.md).
## Return Value
Returns an HRESULT value that indicates a [WMI Non-Error Constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI Error Constant](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
**WEKF_CustomKey.Add** creates a new **WEKF_CustomKey** object and sets the **Enabled** property of the new object to **true**, and the **Id** property to *CustomKey*.
If a **WEKF_CustomKey** object already exists with the **Id** property equal to *CustomKey*, then **WEKF_CustomKey.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_CustomKey** object has the **Enabled** property set to **false**, Keyboard Filter does not block the custom key combination.
## Example
The following code demonstrates how to add or enable a custom key that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
```powershell
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods
$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey"
# Create a function to add or enable a key combination for Keyboard Filter to block
function Enable-Custom-Key($KeyId) {
# Check to see if the custom key object already exists
$objCustomKey = Get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey |
where {$_.Id -eq "$KeyId"};
if ($objCustomKey) {
# The custom key already exists, so just enable it
$objCustomKey.Enabled = 1;
$objCustomKey.Put() | Out-Null;
"Enabled ${KeyId}.";
} else {
# Create a new custom key object by calling the static Add method
$retval = $classCustomKey.Add($KeyId);
# Check the return value to verify that the Add is successful
if ($retval.ReturnValue -eq 0) {
"Added ${KeyID}."
} else {
"Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
}
}
}
# Enable Keyboard Filter to block several custom keys
Enable-Custom-Key "Ctrl+v"
Enable-Custom-Key "Ctrl+v"
Enable-Custom-Key "Shift+4"
Enable-Custom-Key "Ctrl+Alt+w"
# List all the currently existing custom keys
$objCustomKeyList = get-WMIObject -namespace $NAMESPACE -class WEKF_CustomKey
foreach ($objCustomKeyItem in $objCustomKeyList) {
"Custom key: " + $objCustomKeyItem.Id
" enabled: " + $objCustomKeyItem.Enabled
}
```
## Related articles
- [WEKF_CustomKey](wekf-customkey.md)
- [Keyboard Filter](index.md)
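
Review bot: in the example, $COMPUTER is used only to build the [wmiclass] path, while the existence check calls Get-WMIObject -namespace $NAMESPACE with no -ComputerName, and so does the listing at the end; if a reader changes $COMPUTER to a remote host, Add runs remotely but the check and the listing still query the local machine. Pass -ComputerName $COMPUTER to both Get-WMIObject calls. Enable-Custom-Key "Ctrl+v" appears twice in a row; if the second call is there to show the "already exists, so just enable it" branch, say so in a comment, otherwise drop it. The Return Value section says the method returns an HRESULT while the syntax declares uint32 and the script compares ReturnValue with 0; one sentence tying these together would help.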

View File

@ -0,0 +1,86 @@
---
title: WEKF_CustomKey.Remove
description: WEKF_CustomKey.Remove
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_CustomKey.Remove
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Removes a custom key combination, causing Keyboard Filter to stop blocking the removed key combination.
## Syntax
```powershell
[Static] uint32 Remove(
[In] string CustomKey
);
```
## Parameters
**CustomKey**</br>\[in\] The custom key combination to remove.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
**WEKF_CustomKey.Remove** removes an existing **WEKF_CustomKey** object. If the object doesn't exist, **WEKF_CustomKey.Remove** returns an error with the value 0x8007007B.
Because this method is static, you can't call it on an object instance, but must instead call it at the class level.
## Example
The following code demonstrates how to remove a custom key from Keyboard Filter so it's no longer blocked by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter.
```powershell
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods
$classCustomKey = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WEKF_CustomKey"
# Create a function to remove a key combination
function Remove-Custom-Key($KeyId) {
# Call the static Remove() method on the class reference
$retval = $classCustomKey.Remove($KeyId)
# Check the return value for status
if ($retval.ReturnValue -eq 0) {
# Custom key combination removed successfully
"Removed ${KeyID}."
} elseif ($retval.ReturnValue -eq 2147942523) {
# No object exists with the specified custom key
"Failed to remove ${KeyID}. No object found."
} else {
# Unknown error, report error code in hexadecimal
"Failed to remove ${KeyID}. Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
}
}
# Example of removing a custom key so that Keyboard Filter stops blocking it
Remove-Custom-Key "Ctrl+Alt+w"
# Example of removing all custom keys that have the Enabled property set to false
$objDisabledCustomKeys = Get-WmiObject -Namespace $NAMESPACE -Class WEKF_CustomKey;
foreach ($objCustomKey in $objDisabledCustomKeys) {
if (!$objCustomKey.Enabled) {
Remove-Custom-Key($objCustomKey.Id);
}
}
```
## Related topics
- [WEKF_CustomKey](wekf-customkey.md)
- [Keyboard Filter](index.md)
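
Review bot: in `Remove-Custom-Key`, the test `elseif ($retval.ReturnValue -eq 2147942523)` uses the decimal form of the 0x8007007B value that Remarks documents, and nothing in the script ties the two together. Add a comment giving the hex value or assign it to a named variable. `$objDisabledCustomKeys` holds every WEKF_CustomKey instance (the `Enabled` check happens inside the loop), so a neutral name such as `$objCustomKeys` would be less misleading. The heading `## Related topics` should read `## Related articles` to match the other pages added in this change.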

View File

@ -0,0 +1,112 @@
---
title: WEKF_PredefinedKey
description: WEKF_PredefinedKey
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_PredefinedKey
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This class blocks or unblocks predefined key combinations, such as Ctrl+Alt+Delete.
## Syntax
```powershell
class WEKF_PredefinedKey {
[Static] uint32 Enable (
[In] string PredefinedKey
);
[Static] uint32 Disable (
[In] string PredefinedKey
);
[Key] string Id;
[Read, Write] boolean Enabled;
};
```
## Members
The following tables list any constructors, methods, fields, and properties that belong to this class.
### Methods
| Methods | Description |
|:-----------------------------------------------------------|:---------------------------------------|
| [WEKF_PredefinedKey.Enable](wekf-predefinedkeyenable.md) | Blocks the specified predefined key. |
| [WEKF_PredefinedKey.Disable](wekf-predefinedkeydisable.md) | Unblocks the specified predefined key. |
### Properties
| Property | Data type | Qualifiers | Description |
|:------------|:----------|:--------------|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Id** | string | [key] | The name of the predefined key combination. |
| **Enabled** | Boolean | [read, write] | Indicates whether the key is blocked or unblocked. To indicate that the key is blocked, specify **true**. To indicate that the key isn't blocked, specify **false**. |
### Remarks
All accounts have read access to the **WEKF_PRedefinedKey** class, but only administrator accounts can modify the class.
For a list of predefined key combinations for Keyboard Filter, see [Predefined key combinations](predefined-key-combinations.md).
## Example
The following sample Windows PowerShell script blocks the Ctrl+Alt+Delete and the Ctrl+Esc key combinations when the Keyboard Filter service is running.
```powershell
<#
.Synopsis
This script shows how to use the built in WMI providers to enable and add
Keyboard Filter rules through Windows PowerShell on the local computer.
.Parameter ComputerName
Optional parameter to specify a remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Enable-Predefined-Key($Id) {
<#
.Synposis
Toggle on a Predefined Key Keyboard Filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_PredefinedKey instances,
filter against key value "Id", and set that instance's "Enabled"
property to 1/true.
.Example
Enable-Predefined-Key "Ctrl+Alt+Delete"
Enable CAD filtering
#>
$predefined = Get-WMIObject -class WEKF_PredefinedKey @CommonParams |
where {
$_.Id -eq "$Id"
};
if ($predefined) {
$predefined.Enabled = 1;
$predefined.Put() | Out-Null;
Write-Host Enabled $Id
} else {
Write-Error $Id is not a valid predefined key
}
}
# Some example uses of the function defined above.
Enable-Predefined-Key "Ctrl+Alt+Delete"
Enable-Predefined-Key "Ctrl+Esc"
```
## Related articles
- [Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
- [Keyboard Filter](index.md)
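
Review bot: in the `else` branch of `Enable-Predefined-Key`, `Write-Error $Id is not a valid predefined key` passes the message as separate unquoted words. Write-Error accepts a single positional message string, so the call fails parameter binding instead of reporting the invalid key; quote it as `Write-Error "$Id is not a valid predefined key"`. The function's help block also spells the keyword `.Synposis` (should be `.Synopsis`), and Remarks writes the class name as **WEKF_PRedefinedKey**.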

View File

@ -0,0 +1,34 @@
---
title: WEKF_PredefinedKey.Disable
description: WEKF_PredefinedKey.Disable
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_PredefinedKey.Disable
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Unblocks the specified predefined key combination.
## Syntax
```powershell
[Static] uint32 Disable(
[In] string PredefinedKey
);
```
## Parameters
**PredefinedKey**</br>\[in\] The predefined key combination to unblock. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md).
## Return Value
Returns an HRESULT value that indicates [WMI Non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
## Related articles
- [WEKF_PredefinedKey](wekf-predefinedkey.md)
- [Keyboard Filter](index.md)
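
Review bot: this page has no Remarks section, so a caller can't tell what `Disable` returns when *PredefinedKey* isn't one of the predefined combinations, or that the method must be called at the class level. WEKF_CustomKey.Remove in this same change documents both points; add the equivalent here. In Return Value, "indicates [WMI Non-error constant]" is missing the article "a" and capitalizes "Non-error" differently from the sibling pages.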

View File

@ -0,0 +1,33 @@
---
title: WEKF_PredefinedKey.Enable
description: WEKF_PredefinedKey.Enable
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_PredefinedKey.Enable
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This method blocks the specified predefined key combination.
## Syntax
```powershell
[Static] uint32 Enable(
[In] string PredefinedKey
);
```
## Parameters
**PredefinedKey**</br>The predefined key combination to block. For a list of predefined keys, see [Predefined key combinations](predefined-key-combinations.md).
## Return Value
Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
## Related articles
- [WEKF_PredefinedKey](wekf-predefinedkey.md)
- [Keyboard Filter](index.md)
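
Review bot: the **PredefinedKey** entry under Parameters omits the `\[in\]` marker that the WEKF_PredefinedKey.Disable page in this change uses for the same parameter. Pick one form and apply it to both pages. As on the Disable page, there is no Remarks section describing the return value for a string that isn't a predefined key.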

View File

@ -0,0 +1,126 @@
---
title: WEKF_Scancode
description: WEKF_Scancode
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_Scancode
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Blocks or unblocks key combinations by using the keyboard scan code, which is an integer number that is generated whenever a key is pressed or released.
## Syntax
```powershell
class WEKF_Scancode {
[Static] uint32 Add(
[In] string Modifiers,
[In] uint16 scancode
);
[Static] uint32 Remove(
[In] string Modifiers,
[In] uint16 Scancode
);
[Key] string Modifiers;
[Key] uint16 Scancode;
[Read, Write] boolean Enabled;
}
```
## Members
The following tables list any constructors, methods, fields, and properties that belong to this class.
### Methods
| Methods | Description |
|---------|-------------|
| [WEKF_Scancode.Add](wekf-scancodeadd.md) | Adds a new custom scan code combination and enables Keyboard Filter to block the new scan code combination. |
| [WEKF_Scancode.Remove](wekf-scancoderemove.md) | Removes the specified custom scan code combination. Keyboard Filter stops blocking the scan code combination that was removed. |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **Modifiers** | string | [key] | The modifier keys that are part of the key combination to block. |
| **Scancode** | uint16 | [key] | The scan code part of the key combination to block. |
| **Enabled** | Boolean | [read, write] | Indicates whether the scan code is blocked or unblocked. This property can be one of the following values:</br>- **true** Indicates that the scan code is blocked.</br>- **false** Indicates that the scan code isn't blocked. |
### Remarks
Scan codes are generated by the keyboard whenever a key is pressed. The same physical key will always generate the same scan code, regardless of which keyboard layout is currently being used by the system.
You can specify key combinations by including the modifier keys in the *Modifiers* parameter of the **Add** method or by modifying the **Modifiers** property. The most common modifier names are <kbd>>Ctrl</kbd>, <kbd>>Shift</kbd>, <kbd>>Alt</kbd>, and <kbd>>Win</kbd>.
## Example
The following code demonstrates how to add or enable a keyboard scan code that Keyboard Filter will block by using the Windows Management Instrumentation (WMI) providers for Keyboard Filter. This example modifies the properties directly, and doesn't call any of the methods defined in **WEKF_Scancode**.
```powershell
<#
.Synopsis
This script shows how to use the WMI provider to enable and add
Keyboard Filter rules through Windows Powershell on the local computer.
.Parameter ComputerName
Optional parameter to specify a remote machine that this script should
manage. If not specified, the script will execute all WMI operations
locally.
#>
param (
[String] $ComputerName
)
$CommonParams = @{"namespace"="root\standardcimv2\embedded"}
$CommonParams += $PSBoundParameters
function Enable-Scancode($Modifiers, [int]$Code) {
<#
.Synopsis
Toggle on a Scancode Keyboard Filter Rule
.Description
Use Get-WMIObject to enumerate all WEKF_Scancode instances,
filter against key values of "Modifiers" and "Scancode", and set
that instance's "Enabled" property to 1/true.
In the case that the Scancode instance does not exist, add a new
instance of WEKF_Scancode using Set-WMIInstance.
.Example
Enable-Predefined-Key "Ctrl+V"
Enable filtering of the Ctrl + V sequence.
#>
$scancode =
Get-WMIObject -class WEKF_Scancode @CommonParams |
where {
($_.Modifiers -eq $Modifiers) -and ($_.Scancode -eq $Code)
}
if($scancode) {
$scancode.Enabled = 1
$scancode.Put() | Out-Null
"Enabled Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
} else {
Set-WMIInstance `
-class WEKF_Scancode `
-argument @{Modifiers="$Modifiers"; Scancode=$Code} `
@CommonParams | Out-Null
"Added Custom Scancode {0}+{1:X4}" -f $Modifiers, $Code
}
}
# Some example uses of the function defined above.
Enable-Scancode "Ctrl" 37
```
## Related articles
[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard Filter](index.md)
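
Review bot: in Remarks, each modifier name is written as `<kbd>>Ctrl</kbd>` with a stray `>` inside the tag, so the names will render as ">Ctrl", ">Shift", ">Alt" and ">Win"; remove the extra character. In the help block of `Enable-Scancode`, the `.Example` text calls `Enable-Predefined-Key "Ctrl+V"`, which isn't defined in this script; it should show `Enable-Scancode "Ctrl" 37` as used at the end. The Syntax block spells the `Add` parameter `scancode` but the `Remove` parameter `Scancode`, and the Related articles links aren't a bulleted list as on the other pages.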

View File

@ -0,0 +1,42 @@
---
title: WEKF_Scancode.Add
description: WEKF_Scancode.Add
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_Scancode.Add
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This method adds a new custom scan code combination and enables Keyboard Filter to block the new combination.
## Syntax
```powershell
[Static] uint32 Add(
[In] string Modifiers,
[In] uint16 Scancode
);
```
## Parameters
**Modifers**</br>The modifier keys that are part of the key combination to block.
**Scancode**</br>The hardware scan code of the key to block.
## Return Value
Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
**WEKF_Scancode.Add** creates a new **WEKF_Scancode** object and sets the **Enabled** property of the new object to **true**.
If a **WEKF_Scancode** object already exists with same *Modifiers* and *Scancode* properties, then **WEKF_Scancode.Add** returns an error code and doesn't create a new object or modify any properties of the existing object. If the existing **WEKF_Scancode** object has the **Enabled** property set to **false**, Keyboard Filter doesn't block the scan code.
## Related articles
- [WEKF_Scancode](wekf-scancode.md)
- [Keyboard Filter](index.md)
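
Review bot: under Parameters, the first entry is spelled **Modifers**, while the Syntax block and Remarks use `Modifiers`; fix the typo so the name can be found by search. In Remarks, "already exists with same *Modifiers* and *Scancode* properties" needs "the" before "same".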

View File

@ -0,0 +1,42 @@
---
title: WEKF_Scancode.Remove
description: WEKF_Scancode.Remove
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_Scancode.Remove
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
This method removes a custom scan code key combination, causing Keyboard Filter to stop blocking the removed combination.
## Syntax
```powershell
[Static] uint32 Remove(
[In] string Modifiers,
[In] uint16 Scancode
);
```
## Parameters
**Modifiers**</br>The modifier keys of the combination to remove.
**Scancode**</br>The scan code of the combination to remove.
## Return Value
Returns an HRESULT value that indicates [WMI non-error constant](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error constant](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
**WEKF_Scancode.Remove** removes an existing **WEKF_Scancode** object. If the object doesn't exist, **WEKF_Scancode.Remove** returns an error with the value 0x8007007B.
Because this method is static, you can't call it on an object instance, but must instead call it at the class level.
## Related articles
- [WEKF_Scancode](wekf-scancode.md)
- [Keyboard Filter](index.md)

View File

@ -0,0 +1,95 @@
---
title: WEKF_Settings
description: WEKF_Settings
ms.date: 01/13/2025
ms.topic: reference
---
# WEKF_Settings
[!INCLUDE [supported-os-enterprise-plus](../../../includes/iot/supported-os-enterprise-plus.md)]
Enables or disables settings for Keyboard Filter.
## Syntax
```powershell
class WEKF_Settings {
[Key] string Name;
[Read, Write] string Value;
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **Name** | string | [key] | Indicates the name of the Keyboard Filter setting that this object represents. See the Remarks section for a list of valid setting names. |
| **Value** | string | [read,&nbsp;write] | Represents the value of the **Name** setting. The value isn't case-sensitive. </br> See the Remarks section for a list of valid values for each setting. |
### Remarks
You must be signed in to an administrator account to make any changes to this class.
Each **WEKF_Settings** object represents a single Keyboard Filter setting. You can enumerate across all **WEKF_Settings** objects to see the value of all Keyboard Filter settings.
The following table lists all settings available for Keyboard Filter.
| Setting name | Description |
|--------------|-------------|
| **DisableKeyboardFilterForAdministrators** | This setting specifies whether Keyboard Filter is enabled or disabled for administrator accounts. Set to **true** to disable Keyboard Filter for administrator accounts; otherwise, set to **false**. Set to **true** by default. |
| **ForceOffAccessibility** | This setting specifies whether Keyboard Filter blocks users from enabling Ease of Access features. Set to **true** to force disabling the Ease of Access features. Set to **false** to allow enabling the Ease of Access features. Set to **false** by default.</br>Changing this setting to **false** doesn't automatically enable Ease of Access features; you must manually enable them. |
| **BreakoutKeyScanCode** | This setting specifies the scan code of the key that enables a user to break out of an account that is locked down with Keyboard Filter. A user can press this key consecutively five times to switch to the Welcome screen.</br>By default, the BreakoutKeyScanCode is set to the scan code for the left Windows logo key. |
One instance of the **WEKF_Settings** class exists for each valid setting.
Changes to the **DisableKeyboardFilterForAdministrator** setting are applied when an administrator account signs in, and applies to all applications run during the user session. If a user without an administrator account runs an application as an administrator, Keyboard Filter is still enabled, regardless of the **DisableKeyboardFilterForAdministrator** setting.
Changes to the **BreakoutKeyScanCode** setting don't take effect until you restart the device.
If the **BreakoutKeyScanCode** is set to the scan code for either the left Windows logo key or the right Windows logo key, both Windows Logo keys will work as the breakout key.
The **BreakoutKeyScanCode** setting only applies to accounts where Keyboard Filter is active. If the scan code is set to a value that doesn't map to any key, such as 0 (zero), then you must use another method to access the Welcome screen if you need to service the device, such as remotely connecting, or restarting the device if automatic sign-in isn't enabled.
> [!IMPORTANT]
> On some devices, if the breakout key is pressed too rapidly, the key presses may not register. We recommend that you include a slight pause between each breakout key press.
> [!WARNING]
> When setting the **BreakoutKeyScanCode**, be sure to use the scan code of the key, and not the virtual key value.
### Example
The following Windows PowerShell script demonstrates how to use this class to modify the breakout mode key for Keyboard Filter. This example sets the **BreakoutKeyScanCode** setting to the scan code for the Home key on a standard keyboard.
```powershell
#---Define variables---
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Define the decimal scan code of the Home key
$HomeKeyScanCode = 71
# Get the BreakoutKeyScanCode setting from WEKF_Settings
$BreakoutMode = get-wmiobject -class wekf_settings -namespace $NAMESPACE | where {$_.name -eq "BreakoutKeyScanCode"}
# Set the breakout key to the Home key.
$BreakoutMode.value = $HomeKeyScanCode
# Push the change into the WMI configuration. You must restart your device before this change takes effect.
$BreakoutMode.put()
```
## Related articles
[Keyboard Filter WMI provider reference](keyboardfilter-wmi-provider-reference.md)
[Keyboard Filter](index.md)
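
Review bot: the settings table names the setting **DisableKeyboardFilterForAdministrators**, but the Remarks paragraph that follows refers twice to **DisableKeyboardFilterForAdministrator** (no trailing "s"). A reader who copies the name from Remarks into a `where {$_.name -eq ...}` filter will match nothing, so make the two agree. In the example, `$COMPUTER` is defined but never used, and `$BreakoutMode` is used without checking that the query returned an object. The Members sentence says "methods and properties" although the class defines only properties.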

View File

@ -0,0 +1,47 @@
---
title: Browser Support
ms.date: 03/30/2023
ms.topic: concept-article
description: Learn about browser support in Kiosk Mode
---
# Browser Support
Today, you can use two browsers, Internet Explorer 11 and [Microsoft Edge](/deployedge/microsoft-edge-configure-kiosk-mode) to create an assigned access single-app or multi-app kiosk experience.
## Microsoft Edge Kiosk Mode
> Available for LTSC starting in [Windows 10 IoT Enterprise 2021 LTSC](/windows/iot/iot-enterprise/whats-new/Windows-10-IoT-Enterprise-LTSC-2021)
[Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode) offers two lockdown experiences of the browser so organizations can create, manage, and provide the best experience for their customers. The following lockdown experiences are available:
* Digital/Interactive Signage experience - Displays a specific site in full-screen mode.
* Public-Browsing experience - Runs a limited multi-tab version of Microsoft Edge.
Both experiences are running a Microsoft Edge InPrivate session, which protects user data.
## Internet Explorer 11
[Internet Explorer 11](/internet-explorer/internet-explorer) is considered a legacy browser, in subsequent releases.
In anticipation of that, you can use [Internet Explorer (IE) mode](/deployedge/edge-ie-mode) on Microsoft Edge. IE mode allows you to run legacy web apps and modern web apps in a single browser.
> [!NOTE]
> For in-support Windows 10 IoT Enterprise [Semi-Annual Channel (SAC) releases](/lifecycle/products/windows-10-iot-enterprise), Internet Explorer 11 will reach end of support on June 15, 2022.
>
> Internet Explorer 11 follows the Long-Term-Servicing-Channel (LTSC) Lifecycle for [Windows 10 IoT Enterprise LTSC](/lifecycle/products/?terms=Windows%2010%20IoT%20Enterprise%20LTSC) products.
## Supported Versions
| Browser | Internet Explorer 11 | Microsoft Edge Legacy | Microsoft Edge |
|--|--|--|--|
| OS Release | [IE11 App](/internet-explorer/internet-explorer) | [Edge Browser - Legacy](/deployedge/microsoft-edge-kiosk-mode-transition-plan) | [New Edge Browser](/deployedge/microsoft-edge-configure-kiosk-mode) |
| Windows 10 IoT Enterprise LTSC 2019 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2019) | No browser security updates after March, 9, 2021 (removed where applicable). In-box engine supported until OS end of service | Microsoft Edge and WebView2 Runtime not in-box (requires app migration from EdgeHTML) |
| Windows 10 IoT Enterprise, version 21H2 | End of support June 15, 2022 | Removed & replaced with New Microsoft Edge Browser in May 2021 Update | Included in-box or installed with May 2021 Update |
| Windows 10 IoT Enterprise LTSC 2021 | [Follows OS Release Support Lifecycle](/lifecycle/products/windows-10-iot-enterprise-ltsc-2021) | Not included | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
| Windows 11 IoT Enterprise | N/A | N/A | Microsoft Edge included in-box and follows [Modern Lifecycle Policy](/lifecycle/policies/modern) |
## Additional Resources
* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
* [Plan your kiosk mode transition](/deployedge/microsoft-edge-kiosk-mode-transition-plan)
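
Review bot: under Internet Explorer 11, the note says IE11 "will reach end of support on June 15, 2022", but the front matter gives `ms.date: 03/30/2023`, so the date is already in the past and the sentence should be in the past tense. The opening sentence of that section, "is considered a legacy browser, in subsequent releases.", reads as if part of it was lost, and the following "In anticipation of that" has nothing clear to refer to. In the Supported Versions table, "March, 9, 2021" has a stray comma.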

View File

@ -0,0 +1,344 @@
---
title: Shell Launcher
description: Shell Launcher
ms.date: 06/07/2018
ms.topic: overview
---
# Shell Launcher
Using Shell Launcher, you can configure a kiosk device to use almost any application or executable as your custom shell. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on.
You can also configure Shell Launcher to launch different shell applications for different users or user groups.
There are a few exceptions to the applications and executables you can use as a custom shell:
- You can't use the following executable as a custom shell: `C:\\Windows\\System32\\Eshell.exe`. Using Eshell.exe as the default shell will result in a blank screen after user signs in.
- You can't use a Universal Windows app as a custom shell.
- You can't use a custom shell to launch Universal Windows apps, for example, the Settings app.
- You can't use an application that launches a different process and exits as a custom shell. For example, you can't specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher isn't aware of the newly created wordpad.exe process, Shell Launcher takes action based on the exit code of **Write.exe**, and restart the custom shell.
- You can't prevent the system from shutting down. For Shell Launcher V1 and V2, you can't block the session ending by returning FALSE upon receiving the [WM_QUERYENDSESSION](/windows/win32/shutdown/wm-queryendsession) message in a graphical application or returning FALSE in the [handler routine](/windows/console/handlerroutine) that is added through the [SetConsoleCtrlHandler](/windows/console/setconsolectrlhandler) function in a console application.
> [!NOTE]
> You cannot configure both Shell Launcher and assigned access on the same system.
>
> Use **Shell Launcher V2**, you can specify a Universal Windows app as a custom shell. Check [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher) for the differences between Shell Launcher v1 and Shell Launcher V2.
Shell Launcher processes the **Run** and **RunOnce** registry keys before starting the custom shell, so your custom shell doesn't need to handle the automatic startup of other applications and services.
Shell Launcher also handles the behavior of the system when your custom shell exits. You can configure the shell exit behavior if the default behavior doesn't meet your needs.
Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher such as, [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250), [AppLocker](/windows/iot/iot-enterprise/customize/application-control#applocker), and [Mobile Device Management](/windows/client-management/mdm/)
> [!NOTE]
>
> In Shell Launcher v1, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In Shell Launcher v2, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell.
>
> To use Shell Launcher v2 in version 1809, you need to install the [KB4551853 update](https://support.microsoft.com/topic/may-12-2020-kb4551853-os-build-17763-1217-c2ea33f7-4506-dd13-2739-d9c7bb80b26d).
## Differences between Shell Launcher v1 and Shell Launcher v2
Shell Launcher v1 replaces ```explorer.exe```, the default shell, with ```eshell.exe```, which can launch a Windows desktop application.
Shell Launcher v2 replaces ```explorer.exe``` with ```customshellhost.exe```. This new executable file can launch a Windows desktop application or a UWP app.
In addition to allowing you to use a UWP app for your replacement shell, Shell Launcher v2 offers more enhancements:
- You can use a custom Windows desktop application that can then launch UWP apps, such as Settings and Touch Keyboard.
- From a custom UWP shell, you can launch secondary views and run on multiple monitors.
- The custom shell app runs in full screen, and can run other apps in full screen on user's demand.
For sample XML configurations for the different app combinations, see [Samples for Shell Launcher v2](https://github.com/microsoft/Windows-IoT-Samples/tree/master/samples/ShellLauncher/ShellLauncherV2).
## Requirements
Windows 10 Enterprise or Windows 10 Education.
## Terminology
- **Turn on, enable:** To make the setting available to the device and optionally apply the settings to the device.
- **Configure:** To customize the setting or subsettings.
- **Embedded Shell Launcher:** This feature is called Embedded Shell Launcher in Windows 10, version 1511.
- **Custom Shell Launcher:** This feature is called Shell Launcher in Windows 10, version 1607 and later.
## Turn on Shell Launcher
Shell Launcher is an optional component and isn't turned on by default in Windows 10. It must be turned on prior to configuring. You can turn on and configure Shell Launcher in a customized Windows 10 image (.wim) if Microsoft Windows hasn't been installed. If Windows has already been installed, you must turn on Shell Launcher before applying a provisioning package to configure Shell Launcher.
### Enable Shell Launcher using Control Panel
1. In the **Search the web and Windows** field, type **Programs and Features** and either press **Enter** or tap or select **Programs and Features** to open it.
1. In the **Programs and Features** window, select **Turn Windows features on or off**.
1. In the **Windows Features** window, expand the **Device Lockdown** node, select or clear the checkbox for **Shell Launcher**, and then select **OK.**
1. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
1. Select **Close** to close the **Windows Features** window.
> [!NOTE]
> Turning on Shell Launcher does not require a device restart.
### Enable Shell Launcher by calling WESL_UserSetting
1. Enable or disable Shell Launcher by calling the WESL_UserSetting.SetEnabled function in the Windows Management Instrumentation (WMI) class WESL_UserSetting.
1. If you enable or disable Shell Launcher using WESL_UserSetting, the changes don't affect any sessions that are currently signed in; you must sign out and sign back in.
This example uses a Windows image called install.wim, but you can use the same procedure to apply a provisioning package (for more information on DISM, see [What Is Deployment Image Servicing and Management](/windows-hardware/manufacture/desktop/what-is-dism).
### Enable Shell Launcher using DISM
1. Open a command prompt with administrator privileges.
1. Copy install.wim to a temporary folder on hard drive (in the following steps, we assume it's called C:\\wim).
1. Create a new directory.
```CMD
md c:\wim
```
1. Mount the image.
```CMD
dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
```
1. Enable the feature.
```CMD
dism /image:c:\wim /enable-feature /all /featureName:Client-EmbeddedShellLauncher
```
1. Commit the change.
```CMD
dism /unmount-wim /MountDir:c:\wim /Commit
```
### Enable Shell Launcher using Windows Configuration Designer
The Shell Launcher settings are also available as Windows provisioning settings so you can configure these settings to be applied during the image runtime. You can set one or all Shell Launcher settings by creating a provisioning package using Windows Configuration Designer and then applying the provisioning package during image deployment time or runtime. If Windows hasn't been installed and you're using Windows Configuration Designer to create installation media with settings for Shell Launcher included in the image or you're applying a provisioning package during setup, you must enable Shell Launcher on the installation media with DISM in order for a provisioning package to successfully apply.
Use the following steps to create a provisioning package that contains the ShellLauncher settings.
1. Build a provisioning package in Windows Configuration Designer by following the instructions in [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
1. In the **Available customizations** page, select **Runtime settings** > **SMISettings** > **ShellLauncher**.
1. Set the value of **Enable** to **ENABLE**. More options to configure Shell Launcher appears, and you can set the values as desired.
1. Once you have finished configuring the settings and creating the provisioning package, you can apply the package to the image deployment time or runtime. See the [Apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-apply-package) for more information. The process for applying the package to a Windows 10 Enterprise image is the same.
## Configure Shell Launcher
There are two ways you can configure Shell Launcher:
1. In Windows 10, version 1803, you can configure Shell Launcher using the **ShellLauncher** node of the Assigned Access Configuration Service Provider (CSP). See [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp) for details. Configuring Shell Launcher using this method also automatically enables Shell Launcher on the device, if the device supports it.
1. Use the Shell Launcher WMI providers directly in a PowerShell script or application.
You can configure the following options for Shell Launcher:
- Enable or disable Shell Launcher.
- Specify a shell configuration for a specific user or group.
- Remove a shell configuration for a specific user or group.
- Change the default shell configuration.
- Get information on a shell configuration for a specific user or group.
Any changes don't take effect until a user signs in.
## Launch different shells for different user accounts
By default, Shell Launcher runs the default shell, which is specified when you create the OS image at design time. The default shell is set to Cmd.exe, but you can specify any executable file to be the default shell.
You can configure Shell Launcher to launch a different shell for specific users or groups if you don't want to run the default shell. For example, you might configure a device to run a custom application shell for guest accounts, but run the standard Windows Explorer shell for administrator accounts in order to service the device.
If you use the WMI providers to configure Shell Launcher for a user or group at run time, you must use the security identifier (SID) for that user or group; you can't use the user name or group name.
For more information about common security identifiers, see [Well-known SIDs](/windows/win32/secauthz/well-known-sids).
When the current signed in account belongs to two or more groups that have different configurations defined for each group, Shell Launcher uses the first configuration it finds. The search order isn't defined, so we recommend that you avoid assigning a user to multiple groups with different Shell Launcher configurations.
## Perform an action when the shell exits
When a custom shell exits, Shell Launcher can perform one of four actions:
|Action|Description|
|:---:|:---|
|0|Restart the shell.|
|1|Restart the device.|
|2|Shut down the device.|
|3|Do nothing.|
> [!IMPORTANT]
> Make sure that your shell application does not automatically exit and is not automatically closed by any features such as Dialog Filter, as this can lead to an infinite cycle of exiting and restarting, unless the return code action is set to do nothing.
### Default return code action
You can define a default return code action for Shell Launcher with the DefaultReturnCodeAction setting. If you don't change the initial value, the default return code action is set to 0 (zero), which indicates that Shell Launcher restarts the shell when the shell exits.
### Map the exit code to a Shell Launcher action
Shell Launcher can take a specific action based on the exit code returned by the shell. For any given exit code returned by the shell, you can configure the action that Shell Launcher takes by mapping that exit code to one of the shell exit actions.
If the exit code doesn't match a defined value, Shell Launcher performs the default return code action.
For example, your shell might return exit code values of -1, 0, 1, or 255 depending on how the shell exits. You can configure Shell Launcher to:
- restart the device (1) when the shell returns an exit code of value -1
- restart the shell (0) when the shell returns an exit code of value 0
- do nothing (3) when the shell returns an exit code of value 1
- shut down the device (2) when the shell returns an exit code of value 255
Your custom return code action mapping would look like this:
|Exit code|Action|
|:----:|----|
|-1|1 (restart the device)|
|0|0 (restart the shell)|
|1|3 (do nothing)|
|255|2 (shut down the device)|
## Set your custom shell
Modify the following PowerShell script as appropriate and run the script on the device.
```PowerShell
# Check if shell launcher license is enabled
function Check-ShellLauncherLicenseEnabled
{
[string]$source = @"
using System;
using System.Runtime.InteropServices;
static class CheckShellLauncherLicense
{
const int S_OK = 0;
public static bool IsShellLauncherLicenseEnabled()
{
int enabled = 0;
if (NativeMethods.SLGetWindowsInformationDWORD("EmbeddedFeature-ShellLauncher-Enabled", out enabled) != S_OK) {
enabled = 0;
}
return (enabled != 0);
}
static class NativeMethods
{
[DllImport("Slc.dll")]
internal static extern int SLGetWindowsInformationDWORD([MarshalAs(UnmanagedType.LPWStr)]string valueName, out int value);
}
}
"@
$type = Add-Type -TypeDefinition $source -PassThru
return $type[0]::IsShellLauncherLicenseEnabled()
}
[bool]$result = $false
$result = Check-ShellLauncherLicenseEnabled
"`nShell Launcher license enabled is set to " + $result
if (-not($result))
{
"`nThis device doesn&#39;t have required license to use Shell Launcher"
exit
}
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
try {
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
} catch [Exception] {
write-host $_.Exception.Message;
write-host "Make sure Shell Launcher feature is enabled"
exit
}
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$do_nothing = 3
# Examples. You can change these examples to use the program that you want to use as the shell.
# This example sets the command prompt as the default shell, and restarts the device if the command prompt is closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if Internet Explorer is closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Enable Shell Launcher
$ShellLauncherClass.SetEnabled($TRUE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
# Disable Shell Launcher
$ShellLauncherClass.SetEnabled($FALSE)
$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()
"`nEnabled is set to " + $IsShellLauncherEnabled.Enabled
```
> [!NOTE]
> The previous script includes examples of multiple configuration options, including removing a custom shell and disabling Shell Launcher. It is not intended to be run as-is.
## Shell Launcher user rights
A custom shell is launched with the same level of user rights as the account that is signed in. This means that a user with administrator rights can perform any system action that requires administrator rights, including launching other applications with administrator rights, while a user without administrator rights can't.
> [!WARNING]
> If your shell application requires administrator rights and needs to be elevated, and User Account Control (UAC) is present on your device, you must disable UAC in order for Shell Launcher to launch the shell application.
## Related articles
- [Unbranded Boot](../unbranded-boot/index.md)
- [Custom Logon](../custom-logon/index.md)
- [Use Shell Launcher to create a Windows 10 Kiosk](/windows/configuration/kiosk-shelllauncher)
- [Launch different shells for different user accounts](/windows-hardware/customize/enterprise/shell-launcher#launch-different-shells-for-different-user-accounts)
- [Perform an action when the shell exits](/windows-hardware/customize/enterprise/shell-launcher#perform-an-action-when-the-shell-exits)
- [Shell Launcher user rights](/windows-hardware/customize/enterprise/shell-launcher#shell-launcher-user-rights)
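Review bot: In the "Set your custom shell" script, the comment above the Cashier `SetCustomShell` call says the machine is restarted when Internet Explorer is closed, but the call passes `$restart_shell`, so only the shell is restarted. Either change the comment or pass `$restart_device`. The license-check message contains a literal HTML entity (`doesn&#39;t`), which PowerShell prints as written, so replace it with an apostrophe. In the provisioning steps, "More options to configure Shell Launcher appears" should read "appear".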

View File

@ -0,0 +1,61 @@
---
title: Kiosk Mode
ms.date: 01/18/2024
ms.topic: overview
description: Learn about Kiosk Mode in Windows IoT Enterprise.
---
# Kiosk mode
Windows IoT Enterprise allows you to build fixed purpose devices such as ATM machines, point-of-sale terminals, medical devices, digital signs, or kiosks. Kiosk mode helps you create a dedicated and locked down user experience on these fixed purpose devices. Windows IoT Enterprise offers a set of different locked-down experiences for public or specialized use: [assigned access single-app kiosks](single-app-kiosk.md), [assigned access multi-app kiosks](multi-app-kiosk.md), or [shell launcher](index.md).
Kiosk configurations are based upon either [assigned access](../assigned-access/overview.md) or [shell launcher](index.md). There are several kiosk configuration methods that you can choose from, depending on your answers to the following questions.
> [!NOTE]
>
> A benefit of using an assigned access kiosk mode is [these policies](/windows/configuration/kiosk-policies) are automatically applied to the device to optimize the lock-down experience.
## Which type of app will your kiosk run?
Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](/windows/configuration/setup-digital-signage), select a digital sign player as your kiosk app. Check out the [Guidelines for Kiosk Apps](/windows/configuration/guidelines-for-assigned-access-app).
## Which type of kiosk do you need?
If you want your kiosk to run a single app for anyone to see or use, consider an [assigned-access single-app kiosk](/windows/configuration/shell-launcher/single-app-kiosk) that runs either a [Universal Windows Platform (UWP) app](/windows/configuration/kiosk-methods#uwp) or a [Windows desktop application](/windows/configuration/kiosk-methods#classic).
For a kiosk that people can sign in to with their accounts or that runs more than one app, consider an [assigned access multi-app kiosk](/windows/configuration/kiosk-methods#desktop).
## Which type of user account will be the kiosk account?
The kiosk account can be a local standard user account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use an assigned access multi-app kiosk configuration. The assigned access single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
## Kiosk capabilities for Windows 10 IoT Enterprise
| Mode | Features | Description | Customer Usage |
|------|----------|------------ |-----------------|
| Assigned access | Single-app kiosk (UWP) | Auto launches a UWP app in full screen and prevents access to other system functions, while monitoring the lifecycle of the kiosk app. Only supports one single-app kiosk profile under one account per device. | Digital signs & single function devices
| Assigned access | Single-app kiosk (Microsoft Edge) | Auto launches Microsoft Edge and prevents access to other system functions, while monitoring the lifecycle of browser. Only supports one single-app kiosk profile under one account per device. | Public browsing kiosks & digital signs |
| Assigned access | Multi-app kiosk (Restricted User Experience) | Windows 10: Always auto launches a restricted Start menu in full screen with the list of allowed app tiles. <br/> Windows 11: Presents the familiar Windows desktop experience with a restricted set of apps. | Frontline Worker shared devices |
| Shell launcher | Shell launcher | Auto launches an app that the customer specifies and monitors the lifecycle of this app. App can be used as a "shell" if desired. No default lockdown policies like hotkey blocking are enforced in Shell Launcher. | Fixed purpose devices with a custom shell experience |
## How to configure your device for kiosk mode?
Visit the following documentation to set up a kiosk according to your scenario:
* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
* [Configure Microsoft Edge kiosk mode](/deployedge/microsoft-edge-configure-kiosk-mode)
## Additional Resources
* [Find the Application User Model ID of an installed app](/windows/configuration/find-the-application-user-model-id-of-an-installed-app)
* [Validate your kiosk configuration](/windows/configuration/kiosk-validate)
* [Guidelines for choosing an app for assigned access (kiosk mode)](/windows/configuration/guidelines-for-assigned-access-app)
* [Policies enforced on kiosk devices](/windows/configuration/kiosk-policies)
* [Assigned access XML reference](/windows/configuration/kiosk-xml)
* [Use AppLocker to create a Windows 10 kiosk](/windows/configuration/lock-down-windows-10-applocker)
* [Use Shell Launcher to create a Windows 10 kiosk](/windows/configuration/kiosk-shelllauncher)
* [Use MDM Bridge WMI Provider to create a Windows 10 kiosk](/windows/configuration/kiosk-mdm-bridge)
* [Troubleshoot kiosk mode issues](/windows/configuration/kiosk-troubleshoot)
* [Plan your kiosk mode transition to Microsoft Edge](/deployedge/microsoft-edge-kiosk-mode-transition-plan)
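Review bot: The introduction lists shell launcher among the "locked-down experiences", but the capabilities table says "No default lockdown policies like hotkey blocking are enforced in Shell Launcher", and the note near the top only covers the policies that assigned access applies automatically. Add a sentence to "Which type of kiosk do you need?" saying that a Shell Launcher kiosk needs its lockdown configured separately, and point to the AppLocker article already listed under Additional Resources; that section currently never mentions Shell Launcher, although the table lists it as a mode. The "Single-app kiosk (UWP)" table row is also missing its closing `|`.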

View File

@ -0,0 +1,39 @@
---
title: Multi-App Kiosk
ms.date: 08/16/2023
ms.topic: concept-article
description: Learn about the Multi-App Kiosk in Windows IoT Enterprise.
---
# Assigned access multi-app kiosk
An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a [guide](/windows/configuration/lock-down-windows-10-to-specific-apps) on how to set up a multi-app kiosk.
> [!NOTE]
> Multi-app kiosk mode isn't available for Windows 11 IoT Enterprise, version 21H2, or 22H2. Refer to [What's new for subsequent releases](/windows/iot/iot-enterprise/whats-new/release-history#windows-11-iot-enterprise) for information about its return.
>
> **Update** - [Multi-app kiosk mode is now available in Windows 11](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/multi-app-kiosk-mode-now-available-in-windows-11/ba-p/3845558)., version 22H2 as part of the Windows continuous innovation releases. To learn how you can take advantage of features introduced via Windows continuous innovation, see more about how you can access this feature in Windows 11 IoT Enterprise, version 22H2, see [Delivering continuous innovation in Windows 11](https://support.microsoft.com/windows/delivering-continuous-innovation-in-windows-11-b0aa0a27-ea9a-4365-9224-cb155e517f12).
## Benefits of using a multi-app kiosk
The benefit of a kiosk that runs multiple specified apps is to provide an easy-to-understand experience for individuals by showing them only the things they need to use, and removing the things they don't need to access.
A multi-app kiosk is appropriate for devices that are shared by multiple people. Each user can authenticate with the device and receive a customized lockdown experience based on the configuration.
## Configuring your multi-app kiosk
* [Configure a kiosk in Microsoft Intune](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-in-microsoft-intune)
* [Configure a kiosk using a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package)
> [!NOTE]
>
> When you configure a multi-app kiosk, [specific policies](/windows/configuration/kiosk-policies) are enforced that affects all nonadministrator users on the device.
## More Resources
* [New features and improvements](/windows/configuration/lock-down-windows-10-to-specific-apps)
* [Set up a multi-app kiosk](/windows/configuration/lock-down-windows-10-to-specific-apps)
* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)
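Review bot: The note under the introduction contradicts itself and carries editing debris: it first says multi-app kiosk mode isn't available for Windows 11 IoT Enterprise, version 21H2 or 22H2, then the Update line says it is available in version 22H2, with a stray "." after the link and a doubled clause ("To learn how you can take advantage ..., see more about how you can access this feature ..., see"). Rewrite it as a single statement of availability per version. The sentence "A multi-app kiosk is appropriate for devices that are shared by multiple people." appears in both the introduction and the Benefits section, and "policies are enforced that affects" in the last note should be "affect".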

View File

@ -0,0 +1,38 @@
---
title: Assigned access Single-App Kiosk
ms.date: 03/30/2023
ms.topic: concept-article
description: Learn about the Single-App Kiosk in Windows IoT Enterprise.
---
# Assigned access single-app kiosk
A single-app kiosk uses the assigned access feature to run a single app above the lock screen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk can't do anything on the device outside of the kiosk app.
> [!NOTE]
>
> Assigned access single-app kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk.
## Benefits of using a single-app kiosk
A single-app kiosk is ideal for public use. Using [shell launcher](./index.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk runs above the lock screen, and users have access to only this app and nothing else on the system. This experience is often used for public-facing kiosk machines. Check out [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions) for more information.
## Configuring your single-app kiosks
You have several options for configuring your single-app kiosk.
* [Settings App](/windows/configuration/kiosk-single-app#local)
* [PowerShell](/windows/configuration/kiosk-single-app#powershell)
* [Kiosk Wizard in Windows Configuration Designer](/windows/configuration/kiosk-single-app#wizard)
* [Microsoft Intune or other MDM providers](/windows/configuration/kiosk-single-app#mdm)
> [!TIP]
> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](/windows/configuration/lock-down-windows-10-to-specific-apps) by using a [kiosk profile](/windows/configuration/lock-down-windows-10-to-specific-apps#profile).
## Additional Resources
* [Set up a single-app kiosk](/windows/configuration/kiosk-single-app)
* [Guidelines for choosing an app for assigned access](/windows/configuration/guidelines-for-assigned-access-app)
* [Kiosk apps for assigned access: Best practices](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access)
* [Configure kiosks and digital signs](/windows/configuration/kiosk-methods)
* [More kiosk methods and reference information](/windows/configuration/kiosk-additional-reference)
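Review bot: The "Benefits of using a single-app kiosk" paragraph mixes two mechanisms: it describes Shell Launcher replacing the default shell (explorer.exe) and then says "This type of single-app kiosk runs above the lock screen", which the introduction attributes to the assigned access feature. Because the page is titled as the assigned access single-app kiosk, either describe the assigned access benefits here or move the Shell Launcher text to the Shell Launcher overview. The claim that users have access to "only this app and nothing else on the system" should also be limited to assigned access, since the kiosk overview added in this commit states that Shell Launcher enforces no default lockdown policies. The title casing ("Assigned access Single-App Kiosk") is inconsistent with the H1 and with the multi-app page title.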

View File

@ -0,0 +1,25 @@
items:
- name: Shell Launcher
items:
- name: Overview
href: index.md
- name: WMI Provider Reference
items:
- name: Class WESL_UserSetting
href: wesl-usersetting.md
- name: GetCustomShell
href: wesl-usersettinggetcustomshell.md
- name: GetDefaultShell
href: wesl-usersettinggetdefaultshell.md
- name: IsEnabled
href: wesl-usersettingisenabled.md
- name: RemoveCustomShell
href: wesl-usersettingremovecustomshell.md
- name: SetCustomShell
href: wesl-usersettingsetcustomshell.md
- name: SetDefaultShell
href: wesl-usersettingsetdefaultshell.md
- name: SetEnabled
href: wesl-usersettingsetenabled.md
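Review bot: This TOC has entries only for index.md and the WESL_UserSetting reference pages, while the kiosk overview added in this commit links to single-app-kiosk.md and multi-app-kiosk.md with relative paths, which suggests they live in the same folder. If that is the case, add entries for the kiosk overview and both kiosk pages so they are reachable from navigation; if they are covered by another TOC, no change is needed here.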

View File

@ -0,0 +1,141 @@
---
title: WEDL\_AssignedAccess
description: WEDL\_AssignedAccess
ms.date: 05/20/2024
ms.topic: reference
---
# WEDL\_AssignedAccess
This Windows Management Instrumentation (WMI) provider class configures settings for assigned access.
## Syntax
```powershell
class WEDL_AssignedAccess {
[Key] string UserSID;
[Read, Write] string AppUserModelId;
[Read] sint32 Status;
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Methods
This class contains no methods.
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **UserSID** | string | [key] | The security identifier (SID) for the user account that you want to use as the assigned access account. |
| **AppUserModelId** | string | [read, write] | The Application User Model ID (AUMID) of the Windows app to launch for the assigned access account. |
| **Status** | Boolean | none | Indicates the current status of the assigned access configuration |
| Value | Description |
|:-----:|-------------|
| 0 | A valid account is configured, but no Windows app is specified. Assigned access is not enabled. |
| 1 | Assigned access is enabled. |
| 0x100 | UserSID error: cannot find the account. |
| 0x103 | UserSID error: the account profile does not exist. |
| 0x200 | AppUserModelID error: cannot find the Windows app. |
| 0x201 | Task Scheduler error: Could not schedule task. Make sure that the Task Scheduler service is running. |
| 0xffffffff | Unspecified error.|
### Remarks
Changes to assigned access do not affect any sessions that are currently signed in; you must sign out and sign back in.
## Example
The following Windows PowerShell script demonstrates how to use this class to set up an assigned access account.
```powershell
#
#---Define variables---
#
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Define the assigned access account.
# To use a different account, change $AssignedAccessAccount to a user account that is present on your device.
$AssignedAccessAccount = "KioskAccount"
# Define the Windows app to launch, in this example, use the Application Model User ID (AUMID) for Windows Calculator.
# To use a different Windows app, change $AppAUMID to the AUMID of the Windows app to launch.
# The Windows app must be installed for the account.
$AppAUMID = "Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
#
#---Define helper functions---
#
function Get-UsernameSID($AccountName) {
# This function retrieves the SID for a user account on a machine.
# This function does not check to verify that the user account actually exists.
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
#
#---Set up the new assigned access account---
#
# Get the SID for the assigned access account.
$AssignedAccessUserSID = Get-UsernameSID($AssignedAccessAccount)
# Check to see if an assigned access account is already set up, and if so, clear it.
$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
if ($AssignedAccessConfig) {
# Configuration already exists. Delete it so that we can create a new one, since only one assigned access account can be set up at a time.
$AssignedAccessConfig.delete();
}
# Configure assigned access to launch the specified Windows app for the specified account.
Set-WmiInstance -class WEDL_AssignedAccess -ComputerName $COMPUTER -Namespace $NAMESPACE -Arguments @{
UserSID = $AssignedAccessUserSID;
AppUserModelId = $AppAUMID
} | Out-Null;
# Confirm that the settings were created properly.
$AssignedAccessConfig = get-WMIObject -namespace $NAMESPACE -computer $COMPUTER -class WEDL_AssignedAccess
if ($AssignedAccessConfig) {
"Set up assigned access for the " + $AssignedAccessAccount + " account."
" UserSID = " + $AssignedAccessConfig.UserSid
" AppModelId = " + $AssignedAccessConfig.AppUserModelId
} else {
"Could not set up assigned access account."
}
```
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
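Review bot: The **Status** row in the Properties table disagrees with the Syntax block: the class declares `[Read] sint32 Status;`, but the table lists the data type as Boolean with qualifiers "none", and the value table that follows includes 0x100, 0x201 and 0xffffffff, which a Boolean can't hold. Change the row to sint32 with the [read] qualifier, and introduce the value table with a sentence so it doesn't read as part of the Properties table. In the example, the final check only tests that an instance exists; since Status is where errors such as "cannot find the account" are reported, the script should print or test `$AssignedAccessConfig.Status` and treat anything other than 1 as a failure. The script also deletes the existing configuration before the new one is known to be valid, while the comment in Get-UsernameSID says the account is not verified, so a mistyped account name leaves the device without an assigned access configuration.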

View File

@ -0,0 +1,174 @@
---
title: WESL_UserSetting
description: WESL_UserSetting
ms.date: 05/02/2017
ms.topic: reference
---
# WESL_UserSetting
This class configures which application Shell Launcher starts based on the security identifier (SID) of the signed in user, and also configures the set of return codes and return actions that Shell Launcher performs when the application exits.
## Syntax
```powershell
class WESL_UserSetting {
[read, write, Required] string Sid;
[read, write, Required] string Shell;
[read, write] Sint32 CustomReturnCodes[];
[read, write] Sint32 CustomReturnCodesAction[];
[read, write] sint32 DefaultAction;
[Static] uint32 SetCustomShell(
[In, Required] string Sid,
[In, Required] string Shell,
[In] sint32 CustomReturnCodes[],
[In] sint32 CustomReturnCodesAction[],
[In] sint32 DefaultAction
);
[Static] uint32 GetCustomShell(
[In, Required] string Sid,
[Out, Required] string Shell,
[Out, Required] sint32 CustomReturnCodes[],
[Out, Required] sint32 CustomReturnCodesAction[],
[Out, Required] sint32 DefaultAction
);
[Static] uint32 RemoveCustomShell(
[In, Required] string Sid
);
[Static] uint32 GetDefaultShell(
[Out, Required] string Shell,
[Out, Required] sint32 DefaultAction
);
[Static] uint32 SetDefaultShell(
[In, Required] string Shell,
[In, Required] sint32 DefaultAction
);
[Static] uint32 IsEnabled(
[Out, Required] boolean Enabled
);
[Static] uint32 SetEnabled(
[In, Required] boolean Enabled);
);
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Methods
| Methods | Description |
|---------|-------------|
| [WESL_UserSetting.SetCustomShell](wesl-usersettingsetcustomshell.md) | Configures Shell Launcher for a specific user or group, based on SID. |
| [WESL_UserSetting.GetCustomShell](wesl-usersettinggetcustomshell.md) | Retrieves the Shell Launcher configuration for a specific user or group, based on the SID. |
| [WESL_UserSetting.RemoveCustomShell](wesl-usersettingremovecustomshell.md) | Removes a Shell Launcher configuration for a specific user or group, based on the SID. |
| [WESL_UserSetting.GetDefaultShell](wesl-usersettinggetdefaultshell.md) | Retrieves the default Shell Launcher configuration. |
| [WESL_UserSetting.SetDefaultShell](wesl-usersettingsetdefaultshell.md) | Sets the default Shell Launcher configuration. |
| [WESL_UserSetting.IsEnabled](wesl-usersettingisenabled.md) | Retrieves a value that indicates if Shell Launcher is enabled or disabled. |
| [WESL_UserSetting.SetEnabled](wesl-usersettingsetenabled.md) | Enables or disables Shell Launcher. |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **Sid** | string | [read, write, required] | User or group SID. |
| **shell** | string | [read, write, required] | The application to start as the shell.</br>The **shell** property can be a filename in the *Path* environment variable, or it can contain a fully qualified path to the application. You can also use environment variables in the path.</br>Any spaces in the **shell** property must be part of a quote-delimited string. |
| **CustomReturnCodes** | Sint32[] |[read, write] | An array of custom return codes that can be returned by the shell. |
| **CustomReturnCodesAction** | Sint32[] | [read, write] | An array of custom return code actions that determine what action Shell Launcher takes when the shell exits. The custom actions map to the array of **CustomReturnCodes**.</br>The possible actions are:</br>0 - Restart the shell.</br>1 - Restart the device.</br>2 - Shut down the device.</br>3 - Do nothing. |
| **DefaultAction** | Sint32 | [read, write] | The default action Shell Launcher takes when the shell exits.</br>The possible actions are defined as follows:</br>0 - Restart the shell.</br>1 - Restart the device.</br>2 - Shut down the device.</br>3 - Do nothing. |
### Remarks
Only one **WESL_UserSetting** instance exists on a device with Shell Launcher.
Shell Launcher uses the custom configuration defined for the SID of the user currently signed in, if one exists. Otherwise, Shell Launcher uses a custom configuration defined for a group SID that the user is a member of, if any exist. If multiple group custom configurations for the user exist, Shell Launcher uses the first valid configuration it finds. The search order is not defined.
If there is no custom configuration for the user's SID or any group SIDs that the user is a member of, Shell Launcher uses the default configuration.
You can find the SID for a user and any groups that the user is a member of by using the [whoami](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771299(v=ws.10)) command-line tool.
## Example
The following Windows PowerShell script demonstrates how to add and remove custom shell configurations for Shell Launcher by using the Windows Management Instrumentation (WMI) providers for Shell Launcher.
```powershell
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a handle to the class instance so we can call the static methods.
$ShellLauncherClass = [wmiclass]"\\$COMPUTER\${NAMESPACE}:WESL_UserSetting"
# This well-known security identifier (SID) corresponds to the BUILTIN\Administrators group.
$Admins_SID = "S-1-5-32-544"
# Create a function to retrieve the SID for a user account on a machine.
function Get-UsernameSID($AccountName) {
$NTUserObject = New-Object System.Security.Principal.NTAccount($AccountName)
$NTUserSID = $NTUserObject.Translate([System.Security.Principal.SecurityIdentifier])
return $NTUserSID.Value
}
# Get the SID for a user account named "Cashier". Rename "Cashier" to an existing account on your system to test this script.
$Cashier_SID = Get-UsernameSID("Cashier")
# Define actions to take when the shell program exits.
$restart_shell = 0
$restart_device = 1
$shutdown_device = 2
$do_nothing = 3
# Examples
# Set the command prompt as the default shell, and restart the device if it's closed.
$ShellLauncherClass.SetDefaultShell("cmd.exe", $restart_device)
# Display the default shell to verify that it was added correctly.
$DefaultShellObject = $ShellLauncherClass.GetDefaultShell()
"`nDefault Shell is set to " + $DefaultShellObject.Shell + " and the default action is set to " + $DefaultShellObject.defaultaction
# Set Internet Explorer as the shell for "Cashier", and restart the machine if it's closed.
$ShellLauncherClass.SetCustomShell($Cashier_SID, "c:\program files\internet explorer\iexplore.exe www.microsoft.com", ($null), ($null), $restart_shell)
# Set Explorer as the shell for administrators.
$ShellLauncherClass.SetCustomShell($Admins_SID, "explorer.exe")
# View all the custom shells defined.
"`nCurrent settings for custom shells:"
Get-WmiObject -namespace $NAMESPACE -computer $COMPUTER -class WESL_UserSetting | Select Sid, Shell, DefaultAction
# Remove the new custom shells.
$ShellLauncherClass.RemoveCustomShell($Admins_SID)
$ShellLauncherClass.RemoveCustomShell($Cashier_SID)
```
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [Shell Launcher](index.md)
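Review bot: The Syntax block has an unbalanced declaration for SetEnabled: the parameter line ends with `);` and is followed by a second `);`, so one of the two should be removed. The Properties table names the property **shell** in lowercase while the class declares `Shell`, and the cells use `</br>`, which is not a valid tag (the kiosk overview in this commit uses `<br/>`). In the example, the comment above the Cashier `SetCustomShell` call says the machine is restarted when the shell is closed, but the call passes `$restart_shell`. The Remarks statement that only one WESL_UserSetting instance exists on a device also needs clarifying, because the example enumerates the class with Get-WmiObject to list "all the custom shells defined".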

View File

@ -0,0 +1,77 @@
---
title: WESL_UserSetting.GetCustomShell
description: WESL_UserSetting.GetCustomShell
ms.date: 05/20/2024
ms.topic: reference
---
# WESL_UserSetting.GetCustomShell
This method retrieves the Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
## Syntax
```powershell
[Static] uint32 GetCustomShell (
[In, Required] string Sid,
[Out, Required] string Shell,
[Out, Required] sint32 CustomReturnCodes[],
[Out, Required] sint32 CustomReturnCodesAction[],
[Out, Required] sint32 DefaultAction
);
```
## Parameters
**Sid**</br>\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
**Shell**</br>\[out, required\] The application or executable that Shell Launcher starts as the shell.
**CustomReturnCodes**</br>\[out, required\] An array of custom return codes returned by the shell application.
**CustomReturnCodesAction**</br>\[out, required\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
The possible actions are defined in the following table:
| Value | Description |
|:-----:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
**DefaultAction**</br>\[out, required\] The default action that Shell Launcher takes when the shell application exits.
The possible actions are defined in the following table:
| Value | Description |
|:------:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the application.
If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](index.md)
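Review bot: The front matter `description: WESL_UserSetting.GetCustomShell` only repeats the title, so the page gets no usable summary; reuse the opening sentence ("This method retrieves the Shell Launcher configuration for a specific user or group...") instead. In the Parameters section, `</br>` is a closing tag for an element that has none; use `<br>` or `<br/>`. The action table is also repeated verbatim under *CustomReturnCodesAction* and *DefaultAction*, where a single copy referenced by both would do.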


@ -0,0 +1,57 @@
---
title: WESL_UserSetting.GetDefaultShell
description: WESL_UserSetting.GetDefaultShell
ms.date: 05/20/2024
ms.topic: reference
---
# WESL_UserSetting.GetDefaultShell
This method retrieves the default Shell Launcher configuration.
## Syntax
```powershell
[Static] uint32 GetDefaultShell (
[Out, Required] string Shell,
[Out, Required] sint32 DefaultAction
);
```
## Parameters
**Shell**</br>\[out, required\] The application or executable that Shell Launcher starts as the shell.
**DefaultAction**</br>\[out, required\] The default action Shell Launcher takes when the shell application exits.
The possible actions are defined in the following table:
| Value | Description |
|:-----:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](index.md)
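Review bot: The Syntax block is fenced as `powershell`, but `[Static] uint32 GetDefaultShell (` with `[Out, Required]` qualifiers is a MOF-style method signature, not PowerShell, so the highlighting is wrong and a reader may try to run it. Use a neutral fence, or add a short call that shows how the `Shell` and `DefaultAction` out values are read from the returned object, as the sample script elsewhere in this commit does with `$DefaultShellObject.Shell`. In Remarks, "custom defined" should be "custom-defined".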


@ -0,0 +1,41 @@
---
title: WESL_UserSetting.IsEnabled
description: WESL_UserSetting.IsEnabled
ms.date: 05/20/2024
ms.topic: reference
---
# WESL_UserSetting.IsEnabled
This method retrieves a value that indicates if Shell Launcher is enabled or disabled.
## Syntax
```powershell
[Static] uint32 IsEnabled(
[Out, Required] boolean Enabled
);
```
## Parameters
**Enabled**</br>\[out, required\] A Boolean value that indicates if Shell Launcher is enabled.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](index.md)
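Review bot: This page has no Remarks section, and the one-line description of `Enabled` doesn't say whether it reports the configured setting or the state in effect for the current session. The SetEnabled page in this commit says a change "does not take effect until a user signs in", so the two can differ; add a sentence stating which one `IsEnabled` returns and link SetEnabled under Related topics.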


@ -0,0 +1,45 @@
---
title: WESL_UserSetting.RemoveCustomShell
description: WESL_UserSetting.RemoveCustomShell
ms.date: 05/20/2024
ms.topic: reference
---
# WESL_UserSetting.RemoveCustomShell
This method removes a Shell Launcher configuration for a specific user or group, based on the security identifier (SID).
## Syntax
```powershell
[Static] uint32 RemoveCustomShell (
[In, Required] string Sid
);
```
## Parameters
**Sid**</br>\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is configured for.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must restart your device for the changes to take effect.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](index.md)
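Review bot: The `Sid` parameter text doesn't say what the method returns when no custom shell is configured for that SID, which callers need in order to tell a no-op from a failure; the Return Value section only points at the generic WMI constants. Remarks also says a restart is required, while the SetEnabled page in this commit says its change applies when a user signs in. Confirm which applies to removal and align the wording across the method pages.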


@ -0,0 +1,77 @@
---
title: WESL_UserSetting.SetCustomShell
description: WESL_UserSetting.SetCustomShell
ms.date: 05/20/2024
ms.topic: reference
---
# WESL_UserSetting.SetCustomShell
This method configures Shell Launcher for a specific user or group, based on the security identifier (SID).
## Syntax
```powershell
[Static] uint32 SetCustomShell (
[In, Required] string Sid,
[In, Required] string Shell,
[In] sint32 CustomReturnCodes[],
[In] sint32 CustomReturnCodesAction[],
[In] sint32 DefaultAction
);
```
## Parameters
**Sid**</br>\[in, required\] A string containing the security identifier (SID) of the user or group that Shell Launcher is being configured for.
**Shell**</br>\[in, required\] The application or executable that Shell Launcher starts as the shell.
**CustomReturnCodes**</br>\[in\] An array of custom return codes that can be returned by the shell application.
**CustomReturnCodesAction**</br>\[in\] An array of custom return code actions that determine the action that Shell Launcher takes when the shell application exits. The custom actions map to the array of *CustomReturnCodes*.
The possible actions are defined in the following table:
| Value | Description |
|:-----:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
**DefaultAction**</br>\[In\] The default action that Shell Launcher takes when the shell application exits.
The possible actions are defined in the following table:
| Value | Description |
|:-----:|-------------|
| 0 | Restart the shell.|
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
Shell Launcher uses the *CustomReturnCodes* and *CustomReturnCodesAction* arrays to determine the system behavior when the shell application exits, based on the return value of the shell application.
If the return value does not exist in *CustomReturnCodes*, or if the corresponding action defined in *CustomReturnCodesAction* is not a valid value, Shell Launcher uses *DefaultAction* to determine system behavior. If *DefaultAction* is not defined, or is not a valid value, Shell Launcher restarts the shell application.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](index.md)
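Review bot: The *CustomReturnCodes* and *CustomReturnCodesAction* descriptions say the actions "map to" the codes but never state that the mapping is by array index, or what happens when the two arrays differ in length. State both, and say what omitting the three optional `[In]` parameters does (Remarks implies the shell is restarted when *DefaultAction* is not defined). Minor: `\[In\]` on *DefaultAction* should be `\[in\]` like the other parameters, and `| 0 | Restart the shell.|` is missing the space before the closing pipe.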


@ -0,0 +1,57 @@
---
title: WESL_UserSetting.SetDefaultShell
description: WESL_UserSetting.SetDefaultShell
ms.date: 05/20/2024
ms.topic: reference
---
# WESL_UserSetting.SetDefaultShell
This method sets the default Shell Launcher configuration.
## Syntax
```powershell
[Static] uint32 SetDefaultShell (
[In, Required] string Shell,
[In, Required] sint32 DefaultAction
);
```
## Parameters
**Shell**</br>\[in, required\] The application or executable that Shell Launcher starts as the shell.
**DefaultAction**</br>\[in, required\] The default action that Shell Launcher takes when the *Shell* application exits.
The possible actions are defined in the following table:
| Value | Description |
|:-------:|-------------|
| 0 | Restart the shell. |
| 1 | Restart the device. |
| 2 | Shut down the device. |
| 3 | Do nothing. |
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
Shell Launcher uses the default configuration when the security identifier (SID) of the user who is currently signed in does not match any custom defined Shell Launcher configurations.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](index.md)
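Review bot: Remarks states that the default configuration applies whenever the signed-in user's SID matches no custom configuration, which makes `Shell` here the fallback for every unlisted account, yet the `Shell` parameter text gives no guidance on choosing it or on whether a bare file name is acceptable versus a full path. Add a sentence recommending that the default be the restricted shell, with broader shells assigned per SID through SetCustomShell, and document how the executable name is resolved. The page also doesn't say when the new default takes effect.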


@ -0,0 +1,47 @@
---
title: WESL_UserSetting.SetEnabled
description: WESL_UserSetting.SetEnabled
ms.date: 05/20/2024
ms.topic: reference
---
# WESL_UserSetting.SetEnabled
This method enables or disables Shell Launcher.
## Syntax
```powershell
[Static] uint32 SetEnabled(
[In, Required] boolean Enabled
);
```
## Parameters
**Enabled**</br>\[in, required\] A Boolean value that indicates whether to enable or disable Shell Launcher.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
This method enables or disables Shell Launcher by modifying the **Shell** value in the registry key `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`. If Unified Write Filter (UWF) is enabled, you may need to disable UWF or commit this registry key by using [UWF_RegistryFilter.CommitRegistry](../unified-write-filter/uwf-registryfiltercommitregistry.md) in order to enable or disable Shell Launcher.
Enabling or disabling Shell Launcher does not take effect until a user signs in.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related topics
- [WESL_UserSetting](wesl-usersetting.md)
- [Shell Launcher](index.md)
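Review bot: In Remarks, "you may need to disable UWF or commit this registry key" leaves the reader guessing when it applies and what happens otherwise. If the point is that, with UWF protecting the system volume, the change to the Winlogon **Shell** value is written to the overlay and discarded at the next restart unless it is committed or made while UWF is disabled, say so directly. It would also help to state what value the method writes to **Shell**, so an administrator can verify the setting by reading the key.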


@ -193,7 +193,7 @@ Alternatively, you can configure devices using a [custom policy][MEM-1] with the
- **Value:** content of the XML file
> [!NOTE]
> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines*.
> The content of the file must be entered as a single line in the `Value` field. Use a text editor to remove any line breaks from the XML file, usually with a function called *join lines* or *linearize*. If customizations.xml is being modified directly instead of using the WCD editor, the XML brackets need to be escaped / replaced with \&lt; and \&gt; entity encodings. Single and double quote characters do not need to be escaped.
[!INCLUDE [provisioning-package-2](../../../includes/configure/provisioning-package-2.md)]
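Review bot: The added sentence tells readers to replace the angle brackets with `&lt;` and `&gt;` but says nothing about `&`, which also has to be written as `&amp;` when XML is embedded as text inside another XML document; a layout file containing an ampersand would otherwise leave customizations.xml malformed. Also put `customizations.xml` in code formatting, say "angle brackets" rather than "XML brackets", and replace "escaped / replaced" with a single verb.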

Binary file not shown.



@ -0,0 +1,160 @@
---
title: Unbranded Boot
description: Unbranded Boot
ms.date: 09/10/2024
ms.topic: overview
---
# Unbranded Boot
You can suppress Windows elements that appear when Windows starts or resumes and can suppress the crash screen when Windows encounters an error that it can't recover from. This feature is known as Unbranded Boot.
> [!IMPORTANT]
> The first user to sign in to the device must be an administrator. This ensures that the **RunOnce** registry settings correctly apply the settings. Also, when using auto sign-in, you must not configure auto sign-in on your device at design time. Instead, auto sign-in should be configured manually after first signing in as an administrator.
## Requirements
Unbranded Boot can be enabled on:
- Windows 10 Enterprise
- Windows 10 IoT Enterprise
- Windows 10 Education
- Windows 11 Enterprise
- Windows 11 IoT Enterprise
- Windows 11 Education
## Terminology
- **Turn on, Enable:** To make the setting available to the device and optionally apply the settings to the device. Generally "turn on" is used in the user interface or control panel, whereas "enable" is used for command line.
- **Configure:** To customize the setting or subsettings.
- **Embedded Boot Experience:** this feature is called "Embedded Boot Experience" in Windows 10, build 1511.
- **Custom Boot Experience:** this feature is called "Custom Boot Experience" in Windows 10, build 1607 and later.
## Turn on Unbranded Boot settings
Unbranded Boot is an optional component and isn't enabled by default in Windows. It must be enabled prior to configuring.
If Windows has already been installed, you can't apply a provisioning package to configure Unbranded Boot; instead you must use BDCEdit to configure Unbranded boot if Windows is installed.
BCDEdit is the primary tool for editing the Boot Configuration Database (BCD) of Windows and is included in Windows in the %WINDIR%\\System32 folder. Administrator privileges are required to use BCDEdit to modify the BCD.
### Turn on Unbranded Boot by using Control Panel
1. In the Windows search bar, type **Turn Windows features on or off** and either press **Enter** or tap or select **Turn Windows features on or off** to open the **Windows Features** window.
1. In the **Windows Features** window, expand the **Device Lockdown** node, and select (to turn on) or clear (to turn off) the checkbox for **Unbranded Boot**.
1. Select **OK**. The **Windows Features** window indicates that Windows is searching for required files and displays a progress bar. Once found, the window indicates that Windows is applying the changes. When completed, the window indicates the requested changes are completed.
1. Restart your device to apply the changes.
## Configure Unbranded Boot settings at runtime using BCDEdit
1. Open a command prompt as an administrator.
1. Run the following command to disable the F8 key during startup to prevent access to the **Advanced startup options** menu.
```cmd
bcdedit.exe -set {globalsettings} advancedoptions false
```
1. Run the following command to disable the F10 key during startup to prevent access to the **Advanced startup options** menu.
```cmd
bcdedit.exe -set {globalsettings} optionsedit false
```
1. Run the following command to suppress all Windows UI elements (logo, status indicator, and status message) during startup.
```cmd
bcdedit.exe -set {globalsettings} bootuxdisabled on
```
1. Run the following command to suppress any error screens that are displayed during boot. If **noerrordisplay** is on and the boot manager hits a *WinLoad Error* or *Bad Disk Error*, the system displays a black screen.
```cmd
bcdedit.exe -set {bootmgr} noerrordisplay on
```
## Configure Unbranded Boot using Unattend
You can also configure the Unattend settings in the [Microsoft-Windows-Embedded-BootExp](/windows-hardware/customize/desktop/unattend/microsoft-windows-embedded-bootexp) component to add Unbranded Boot features to your image during the design or imaging phase. You can manually create an Unattend answer file or use Windows System Image Manager (Windows SIM) to add the appropriate settings to your answer file. For more information about the Unbranded Boot settings and XML examples, see the settings in Microsoft-Windows-Embedded-BootExp.
### Unbranded Boot settings
The following table shows Unbranded Boot settings and their values.
| Setting | Description | Value |
|---------|-------------|-------|
| DisableBootMenu | Contains an integer that disables the F8 and F10 keys during startup to prevent access to the Advanced startup options menu. | Set to 1 to disable the menu; otherwise; set to 0 (zero). The default value is 0. |
| DisplayDisabled | Contains an integer that configures the device to display a blank screen when Windows encounters an error that it can't recover from. | Set to 1 to display a blank screen on error; otherwise; set to 0 (zero). The default value is 0. |
| HideAllBootUI | Contains an integer that suppresses all Windows UI elements (logo, status indicator, and status message) during startup. | Set to 1 to suppress all Windows UI elements during startup; otherwise; set to 0 (zero). The default value is 0. |
| HideBootLogo | Contains an integer that suppresses the default Windows logo that displays during the OS loading phase. | Set to 1 to suppress the default Windows logo; otherwise; set to 0 (zero). The default value is 0. |
| HideBootStatusIndicator | Contains an integer that suppresses the status indicator that displays during the OS loading phase. | Set to 1 to suppress the status indicator; otherwise; set to 0 (zero). The default value is 0. |
| HideBootStatusMessage | Contains an integer that suppresses the startup status text that displays during the OS loading phase. | Set to 1 to suppress the startup status text; otherwise; set to 0 (zero). The default value is 0. |
## Customize the boot screen using Windows Configuration Designer and Deployment Image Servicing and Management (DISM)
You must enable Unbranded boot on the installation media with DISM before you can apply settings for Unbranded boot using either Windows Configuration Designer or applying a provisioning package during setup.
1. Create a provisioning package or create a new Windows image in Windows Configuration Designer by following the instructions in [Create a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package).
1. In the Available customizations page, select **Runtime settings** &gt; **SMISettings** and then set the value for the boot screen settings. The following values are just examples.
- **HideAllBootUI**=FALSE
- **HideBootLogo**=FALSE
- **HideBootStatusIndicator**=TRUE
- **HideBootStatusMessage**=TRUE
- **CrashDumpEnabled**=Full dump
> [!TIP]
> For more information, see [SMISettings](/windows/configuration/wcd/wcd-smisettings) in the Windows Configuration Designer reference.
1. Once you have finished configuring the settings and building the package or image, you use DISM to apply the settings.
1. Open a command prompt with administrator privileges.
1. Copy install.wim to a temporary folder on hard drive (in the following steps, it assumes it's called c:\\wim).
1. Create a new directory.
```cmd
md c:\wim
```
1. Mount the image.
```cmd
dism /mount-wim /wimfile:c:\bootmedia\sources\install.wim /index:1 /MountDir:c:\wim
```
1. Enable the feature.
```cmd
dism /image:c:\wim /enable-feature /featureName:Client-EmbeddedBootExp
```
1. Commit the change.
```cmd
dism /unmount-wim /MountDir:c:\wim /Commit
```
In the following image, the BootLogo is outlined in green, the BootStatusIndicator is outlined in red, and the BootStatusMessage is outlined in blue.
![unbranded boot screen](images/boot.jpg)
## Replace the startup logo
The only supported way to replace the startup logo with a custom logo is to modify the Boot Graphics Resource Table (BGRT) on a device that uses UEFI as the firmware interface. If your device uses the BGRT to include a custom logo, it's always displayed and you can't suppress the custom logo.
## Suppress Errors During Boot
Errors that occur during early Windows Boot are typically a sign of bad device configuration or failing hardware and require user intervention to recover. You can suppress all error screens during early boot by enabling the **noerrordisplay** BCD setting.
1. Open a command prompt as an administrator.
1. Run the following command to suppress error screens during boot.
```cmd
bcdedit.exe -set {bootmgr} noerrordisplay on
```
## Related articles
- [Custom Logon](../custom-logon/index.md)
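Review bot: The DISM steps contradict each other: the text says to copy install.wim to a temporary folder called c:\wim, the next step creates that folder with `md c:\wim`, and the mount command then reads the image from `c:\bootmedia\sources\install.wim` and uses `c:\wim` as the mount directory. Pick one layout (c:\wim as the empty mount directory appears to be what the commands intend) and fix the prose and step order to match. Smaller points: "BDCEdit" and "Unbranded boot" under "Turn on Unbranded Boot settings" should be "BCDEdit" and "Unbranded Boot"; the F10 step repeats the F8 step's "Advanced startup options" wording for a different setting (`optionsedit`); the settings table uses "otherwise; set to 0" where a comma is meant; and "Suppress Errors During Boot" duplicates the `noerrordisplay` step already given in the BCDEdit procedure.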


@ -0,0 +1,165 @@
---
title: Hibernate Once/Resume Many (HORM)
description: Hibernate Once/Resume Many (HORM)
ms.date: 04/12/2018
ms.topic: concept-article
---
# Hibernate Once/Resume Many (HORM)
You can use the Hibernate Once/Resume Many (HORM) feature with Unified Write Filter (UWF) to start your device in a preconfigured state. When HORM is enabled, your system always resumes and restarts from the last saved hibernation file (hiberfil.sys).
A device with HORM enabled can quickly be turned off or shut down, and then restarted into the preconfigured state, even if a sudden power loss.
> [!NOTE]
> HORM can be used on Unified Extensible Firmware Interface (UEFI) devices running Windows 10, version 1709, or newer versions of Windows, only. In previous Windows versions, the installation procedure for UEFI creates a hidden system partition. Because UWF can't protect hidden partitions, HORM can't be used on any devices that contain a hidden partition, including UEFI-capable devices on older versions of Windows.
## Requirements
Windows 10 Enterprise, Windows 10 Education, or Windows IoT Core (IoT Core). Supported on x86-based and x64-based devices.
On Windows 10, version 21H2 or newer versions of Windows, Read-Only Media mode must be implemented to enable HORM.
## UWF configuration
UWF must be enabled before you can enable or disable HORM. UWF must be configured in the following ways to protect the hibernation file from becoming invalid:
- All fixed volumes that are mounted on the system are protected by UWF.
- Your system must not have any file, folder, or registry exclusions configured for UWF.
- The UWF overlay must be configured to use RAM mode. HORM doesn't support disk-backed overlays.
UWF doesn't filter hibernation files from being written to disk. If you want to protect the preconfigured state of your device, lock down any functionality that can modify the hibernation file. For example, disable hibernation, hybrid sleep, and fast startup for standard user accounts to prevent the saved hibernation file from being overwritten when entering sleep, hibernate, or shutdown state.
To disable hybrid sleep and fast startup on your device, follow these steps.
### How to disable hybrid sleep
1. Open the Local Group Policy Editor (gpedit.msc) and navigate to the following path.
Computer Configuration\Administrative Templates\System\Power Management\Sleep settings
1. Enable the following two settings under the path:
Turn off hybrid sleep (plugged in)
Turn off hybrid sleep (on battery)
### How to disable fast startup
To disable fast startup, set the following registry value:
> [!IMPORTANT]
> Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, [back up the registry for restoration](https://support.microsoft.com/help/322756) in case problems occur.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Power
Name: HiberbootEnabled
Type: DWORD
Value: 0 (0 = Disabled、1 = Enabled)
### How to prevent Windows from entering hibernation due to the system idle time-out or user operations
Configure the following two policies in Local Group Policy Editor (gpedit.msc):
Policy to prevent Windows from entering hibernation by the system idle time:
1. Under the following path:
Computer Configuration\Administrative Templates\System\Power Management\Sleep settings
1. Enable these two settings and set the value to 0.
Specify the system hibernate timeout (plugged in)
Specify the system hibernate timeout (on battery)
Disable the policy to show "Hibernation" in the power options menu:
1. Under the following path:
Computer Configuration\Windows Components\File Explorer
1. Disable the following setting:
Show hibernate in the power options menu
> [!NOTE]
>
> - Don't disable hibernate (i.e. powercfg /h off) because it deletes the hiberfil.sys which HORM requires.
> - Even after you set all these settings, the timestamp of hiberfil.sys is updated after the system reboot. This is because UWF can't filter the hiberfil.sys file, and the file needs to be compressed and decompressed during the system reboot. However, this doesn't change the content of hiberfil.sys so the preconfigured state of the device is protected.
## Configure HORM
1. On the device, open a command prompt as an administrator.
1. To enable hibernation on the device, type the following command:
`powercfg /h on`
1. To enable UWF on your device, type the following command:
`uwfmgr.exe filter enable`
1. To protect all volumes on your device, type the following command:
`uwfmgr.exe volume protect all`
> [!Note]
> DVD RW and floppy drives throw an expected error that can be safely ignored.
1. To restart your device to enable UWF, type the following command:
`uwfmgr.exe filter restart`
1. After the device restarts, to verify the UWF changes that you made on your device, type the following command:
`uwfmgr.exe get-config`
1. To enable HORM on your device, type the following command:
`uwfmgr.exe filter enable-horm`
> [!Note]
> Remove all file and registry exclusions before you enable HORM.
1. (Optional) In Control Panel, set the Power Option **When I press the power button** to avoid displaying the command prompt when resuming from hibernation, or use a script to close the command prompt on startup.
1. To hibernate the system one time to create an initial hibernation file, at the command prompt, type the following command:
`shutdown /h`
1. Press the power button to wake the system from hibernation.
1. After the system starts from hibernation to create an initial hibernation file, to shut down and restart the system, type the following command:
`uwfmgr.exe restart`
1. When HORM is enabled, you can't change the UWF configuration. To make changes, you must first disable HORM. To disable HORM, type the following command:
`uwfmgr.exe filter disable-horm`
1. To restart the system to finish disabling HORM, type the following command:
`uwfmgr.exe restart`
The system restarts normally with HORM disabled.
> [!WARNING]
> Don't uninstall UWF when the filter is enabled or when HORM is enabled, either online or offline by using Windows PE.
## Fix an issue when you can't disable HORM
In rare circumstances, your device can enter a state where you can't disable HORM normally.
If you can't disable HORM on your device, use following procedure to resolve this issue:
1. Start your device in Windows PE.
1. Type the following command:
`bcdedit.exe /set {bootmgr} custom:26000024 0`
1. Restart the device:
`shutdown /r/t 0`
1. Disable HORM:
`uwfmgr.exe filter disable-horm`
1. Enable HORM:
`uwfmgr.exe filter enable-horm`
1. Hibernate the device:
`shutdown /h`
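Review bot: In "Fix an issue when you can't disable HORM", `shutdown /r/t 0` is missing the space between `/r` and `/t`, and the procedure ends by enabling HORM again and hibernating without saying why a fix for being unable to disable HORM finishes that way, or which steps run in Windows PE and which in the restarted OS. Other points: the File Explorer policy path omits "Administrative Templates", unlike the other policy paths in the file; the registry value line uses a fullwidth comma in "(0 = Disabled、1 = Enabled)"; "even if a sudden power loss" is missing a verb; and Requirements lists Windows IoT Core, while the UWF overview in this commit lists Windows IoT Enterprise.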

Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.


Binary file not shown.



@ -0,0 +1,124 @@
---
title: Unified Write Filter (UWF) feature (unified-write-filter)
description: Unified Write Filter (UWF) feature (unified-write-filter)
ms.date: 10/02/2018
ms.topic: overview
---
# Unified Write Filter (UWF) feature
Unified Write Filter (UWF) is an optional Windows 10 feature that helps to protect your drives by intercepting and redirecting any writes to the drive (app installations, settings changes, saved data) to a virtual overlay. The virtual overlay is a temporary location that is cleared during a reboot or when a guest user logs off.
## Benefits
- Provides a clean experience for thin clients and workspaces that have frequent guests, like school, library or hotel computers. Guests can work, change settings, and install software. After the device reboots, the next guest receives a clean experience.
- Increases security and reliability where new apps aren't frequently added.
- Can be used to reduce wear on solid-state drives and other write-sensitive media.
- Optimizing Application load timing on boot it can be faster to resume from a HORM file on every boot rather than reloading the system on each boot
UWF replaces the Windows 7 Enhanced Write Filter (EWF) and the File Based Write Filter (FBWF).
## Features
- UWF can protect most supported writable storage types, including physical hard disks, solid-state drives, internal USB devices, and external SATA devices. You can't use UWF to protect external removable drives, USB devices or flash drives. Supports both master boot record (MBR) and GUID partition table (GPT) volumes.
- You can use UWF to make read-only media appear to the OS as a writable volume.
- You can manage UWF directly on a Windows 10 device using [uwfmgr.exe](uwfmgrexe.md), or remotely using MDM tools with the [UnifiedWriteFilter CSP](/windows/client-management/mdm/unifiedwritefilter-csp) or the [UWF WMI](uwf-wmi-provider-reference.md).
- You can [update and service UWF-protected devices](service-uwf-protected-devices.md) by using UWF servicing mode or adding file and registry exclusions to specific system areas.
- On Windows 10, version 1803, you can use a [persistent overlay](uwfoverlay.md#persistent-overlay) to allow data saved in the virtual overlay to remain even after a reboot.
- On devices with a disk overlay, you can use [free space passthrough)](uwfoverlay.md#freespace-passthrough-recommended) to access your drive's free space.
- UWF supports paging to increase virtual memory, if the page file exists on an unprotected volume. When paging is used together with a RAM-based overlay, the uptime of the system can be increased.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Limitations
- File systems:
- FAT: fully supported.
- NTFS: fully supported. However, during device startup, NTFS file system journal files can write to a protected volume before UWF has started protecting the volume.
- Other file systems (example: exFAT): You can protect the volume, but can't create file exclusions or do file commit operations on the volume. Writes to excluded files still influence the growth of the Overlay.
- The overlay doesn't mirror the entire volume, but dynamically grows to keep track of redirected writes.
- UWF supports up to 16 terabytes of protected volumes.
- UWF doesn't support the use of fast startup when shutting down your device. If fast startup is turned on, shutting down the device doesn't clear the overlay. You can disable fast startup in Control Panel by navigating to **Control Panel** &gt; **All Control Panel Items** &gt; **Power Options** &gt; **System Settings** and clearing the checkbox next to **Turn on fast startup (recommended)**.
- UWF doesn't support [Storage Spaces](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831739(v=ws.11)).
- On a computer on which [UWF is enabled and used to protect drive C](./uwf-turnonuwf.md#turn-on-uwf-on-a-running-pc), you can't permanently set the date and time to a past time. If you make such a change, the original date and time settings will be restored after the computer restarts.
To work around this issue, you must disable UWF before you change the date and time with th the following command.
```cmd
uwfmgr.exe filter disable
```
> [!NOTE]
> Do not add the file that retains date and time settings ("%windir%\bootstat.dat") to the [write filter exclusions](./uwfexclusions.md) to work around this issue. Doing this causes Stop error 0x7E (SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) to occur.
## Turn on and configure UWF
UWF is an optional component and isn't enabled by default in Windows 10. You must [turn on UWF](uwf-turnonuwf.md) before you can configure it.
## UWF overlay
You can choose the type of overlay, reserved space and persistence after a reboot.
To increase uptime, set up monitoring to check if your overlay is filling up. At certain levels, your device can warn users and/or reboot the device.
To learn more, see [UWF Overlay location and size](uwfoverlay.md).
## Volumes
A volume is a logical unit that represents an area of persistent storage to the file system that is used by the OS such as:
- A single physical storage device, such as a hard disk
- A single partition on a physical storage device with multiple partitions
- Span across multiple physical storage devices
For example, a collection of hard disks in a RAID array can be represented as a single volume to the OS.
When you configure UWF to protect a volume, you can specify the volume by using either a drive letter or the volume device identifier. To determine the device identifier for a volume, query the **DeviceID** property in the **Win32_Volume** WMI class.
If you specify a volume using a drive letter, UWF uses *loose binding* to recognize the volume. With *loose binding*, drive letters are assigned dynamically as the volume configuration changes.
If you specify a volume using the volume device identifier, UWF uses *tight binding* to recognize the volume. With *tight binding*, the device identifier is unique to the storage volume and is independent from the drive letter assigned to the volume by the file system.
## Exclusions
You can add specific files, folders, and registry keys to the [write filter exclusion](uwfexclusions.md) list to prevent them from being filtered.
## UWF servicing mode
When a device is protected with UWF, you must use UWF servicing mode commands to service the device and apply updates to an image. You can use UWF servicing mode to apply Windows updates, antimalware signature file updates, and custom software or third-party software updates.
For more information about how to use UWF servicing mode to apply software updates to your device, see [Service UWF-protected devices](service-uwf-protected-devices.md).
## Troubleshooting UWF
UWF uses Windows Event Log to log events, errors and messages related to overlay consumption, configuration changes, and servicing.
For more information about how to find event log information for troubleshooting problems with Unified Write Filter (UWF), see [Troubleshooting Unified Write Filter (UWF)](uwftroubleshooting.md).
## Related articles
- [Unbranded Boot](../unbranded-boot/index.md)
- [Custom Logon](../custom-logon/index.md)
- [Shell Launcher](../shell-launcher/index.md)
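Review bot: The workaround sentence under Limitations reads "with th the following command" (a misspelled, duplicated word), and the feature list's link text carries a stray closing parenthesis in "[free space passthrough)]". Both show up in the rendered article; suggest "with the following command" and "[free space passthrough]". In the Volumes list, "Span across multiple physical storage devices" is not parallel with the two noun-phrase items before it; "A single volume that spans multiple physical storage devices" would read consistently.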

View File

@ -0,0 +1,35 @@
---
title: Service UWF-protected devices
description: Service UWF-protected devices
ms.date: 10/02/2018
ms.topic: reference
---
# Service UWF-protected devices
To update your devices, use UWF servicing mode. UWF servicing mode allows you to apply Windows updates, anti-malware signature file updates, and custom software or third-party software updates.
Normally, when the Unified Write Filter (UWF) is active, system updates are disabled, as they would be erased when the overlay is cleared.
When UWF servicing mode is triggered, Windows does the following:
1. Clears the UWF overlay
1. Reboots the devices
1. Triggers a system maintenance hour
1. Disables the UWF filter
1. Scans for and applies Windows updates
1. Scans for and applies app updates from the Microsoft store
1. After servicing is complete, it re-enables the UWF filter and resumes UWF protection
>[!NOTE]
> Servicing mode requires that all user accounts on the system have a password. If there's a user account that doesn't include a password, UWF servicing fails.
## In this section
| Article | Description |
|:------------------------------------------|:-----------------------------------------------------------------------------------|
| [Anti-malware support on UWF-protected devices](uwf-antimalware-support.md) |Describes the procedures to add support for Microsoft Defender and System Center Endpoint Protection (SCEP/Forefront) anti-malware to your UWF-protected devices. |
| [Apply OEM updates to UWF-protected devices](uwf-apply-windows-updates.md) |Provides information about how to apply OEM updates to a UWF-protected device. |
| [Apply Windows updates to UWF-protected devices](uwf-apply-windows-updates.md) | Describes the procedures to apply Windows updates to your UWF-protected devices. |
| [UWF master servicing script](uwf-master-servicing-script.md) | Provides information about the UWF master servicing script (UwfServicingMasterScript.cmd). |
| [UWF servicing screen saver](uwf-servicing-screen-saver.md) | Provides information about how to modify the default UWF servicing screen saver. |
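Review bot: In the "In this section" table, the "Apply OEM updates to UWF-protected devices" row links to uwf-apply-windows-updates.md, the same target as the Windows updates row below it. The table of contents added in this commit points OEM Updates at uwf-apply-oem-updates.md, so this row should use that file. Minor: step 2 of the servicing sequence says "Reboots the devices" where the rest of the list describes a single device, and "Microsoft store" should be "Microsoft Store".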

View File

@ -0,0 +1,126 @@
items:
- name: Unified Write Filter
items:
- name: Overview
href: index.md
- name: Hibernate Once/Resume Many (HORM)
href: hibernate-once-resume-many-horm.md
- name: Exclusions
href: uwfexclusions.md
- name: Overlay
href: uwfoverlay.md
- name: Enable
href: uwf-turnonuwf.md
- name: Command Line Utility (uwfmgr.exe)
href: uwfmgrexe.md
- name: Servicing
items:
- name: Servicing protected devices
href: service-uwf-protected-devices.md
- name: Antimalware support
href: uwf-antimalware-support.md
- name: Windows Updates
href: uwf-apply-windows-updates.md
- name: OEM Updates
href: uwf-apply-oem-updates.md
- name: Servicing master script
href: uwf-master-servicing-script.md
- name: Servicing screen saver
href: uwf-servicing-screen-saver.md
- name: Troubleshooting
href: uwftroubleshooting.md
- name: WMI Provider Reference
items:
- name: Overview
href: uwf-wmi-provider-reference.md
- name: Class UWF_ExcludedFile
href: uwf-excludedfile.md
- name: Class UWF_ExcludedRegistryKey
href: uwf-excludedregistrykey.md
- name: Class UWF_Filter
items:
- name: Overview
href: uwf-filter.md
- name: Disable
href: uwf-filterdisable.md
- name: Enable
href: uwf-filterdisable.md
- name: ResetSettings
href: uwf-filterresetsettings.md
- name: RestartSystem
href: uwf-filterrestartsystem.md
- name: ShutdownSystem
href: uwf-filtershutdownsystem.md
- name: Class UWF_Overlay
items:
- name: Overview
href: uwf-overlay.md
- name: GetOverlayFiles
href: uwf-overlaygetoverlayfiles.md
- name: OverlayFile
href: uwf-overlayfile.md
- name: SetCriticalThreshold
href: uwf-overlaysetcriticalthreshold.md
- name: SetWarningThreshold
href: uwf-overlaysetwarningthreshold.md
- name: Class UWF_OverlayConfig
items:
- name: Overview
href: uwf-overlayconfig.md
- name: SetMaximumSize
href: uwf-overlayconfigsetmaximumsize.md
- name: SetType
href: uwf-overlayconfigsettype.md
- name: Class UWF_RegistryFilter
items:
- name: Overview
href: uwf-registryfilter.md
- name: AddExclusion
href: uwf-registryfilteraddexclusion.md
- name: CommitRegistry
href: uwf-registryfiltercommitregistry.md
- name: CommitRegistryDeletion
href: uwf-registryfiltercommitregistrydeletion.md
- name: FindExclusion
href: uwf-registryfilterfindexclusion.md
- name: GetExclusions
href: uwf-registryfiltergetexclusions.md
- name: RemoveExclusion
href: uwf-registryfilterremoveexclusion.md
- name: Class UWF_Servicing
items:
- name: Overview
href: uwf-servicing.md
- name: Disable
href: uwf-servicingdisable.md
- name: Enable
href: uwf-servicingenable.md
- name: UpdateWindows
href: uwf-servicingupdatewindows.md
- name: Class UWF_Volume
items:
- name: Overview
href: uwf-volume.md
- name: AddExclusion
href: uwf-volumeaddexclusion.md
- name: CommitFile
href: uwf-volumecommitfile.md
- name: CommitFileDeletion
href: uwf-volumecommitfiledeletion.md
- name: FindExclusion
href: uwf-volumefindexclusion.md
- name: GetExclusions
href: uwf-volumegetexclusions.md
- name: protect
href: uwf-volumeprotect.md
- name: RemoveAllExclusions
href: uwf-volumeremoveallexclusions.md
- name: RemoveExclusion
href: uwf-volumeremoveexclusion.md
- name: SetBindByDriveLetter
href: uwf-volumesetbindbydriveletter.md
- name: Unprotect
href: uwf-volumeunprotect.md
- name: Migration from Enhanced Write Filter
href: uwf-wes7-ewf-to-win10-uwf.md
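Review bot: Under Class UWF_Filter, the Enable entry has "href: uwf-filterdisable.md", identical to the Disable entry above it, so the Enable node opens the Disable reference. The UWF_Filter methods table in this commit links Enable to uwf-filterenable.md; use that here. Under Class UWF_Volume, the entry name "protect" is lowercase while its sibling is "Unprotect" and every other method name is capitalized; "Protect" would match.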

View File

@ -0,0 +1,73 @@
---
title: Antimalware support on UWF-protected devices
description: Antimalware support on UWF-protected devices
ms.date: 05/02/2017
ms.topic: reference
---
# Antimalware support on UWF-protected devices
Learn how to enable antimalware support on your USB Filter-enabled Windows 10 Enterprise device.
When using antimalware software on your Unified Write Filter (UWF)-protected device, you must add the required file and registry exclusions that enable the software to apply updates to signature files and persist changes to the device after a system restart.
## Add support for Microsoft Defender on UWF-protected devices
Add these exclusions to UWF:
1. File exclusions
```text
C:\Program Files\Windows Defender
C:\ProgramData\Microsoft\Windows Defender
C:\Windows\WindowsUpdate.log
C:\Windows\Temp\MpCmdRun.log
```
1. Registry exclusions
```reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdBoot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdFilter
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WdNisDrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
```
> [!NOTE]
> If a Windows IoT Enterprise computer stops responding during Windows startup, see [Windows doesn't start after you exclude UWF from Microsoft Defender](/troubleshoot/windows-client/performance/windows-hangs-on-startup-after-excluding-uwf-from-microsoft-defender) for a workaround. This issue impacts:
>
> - Windows 10 IoT Enterprise, version 21H1
> - Windows 10 IoT Enterprise, version 21H2
> - Windows 10 IoT Enterprise, version 22H1
> - Windows 10 IoT Enterprise LTSC 2016
> - Windows 10 IoT Enterprise LTSC 2019
> - Windows 10 IoT Enterprise LTSC 2021
> - Windows 11 IoT Enterprise
## Add support for System Center Endpoint Protection on UWF-protected devices
Add these exclusions to UWF:
1. File exclusions
```txt
C:\Program Files\Microsoft Security Client
C:\Windows\Windowsupdate.log
C:\Windows\Temp\Mpcmdrun.log
C:\ProgramData\Microsoft\Microsoft Antimalware
```
1. Registry exclusions
```reg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware
```
> [!NOTE]
> Windows 10 Enterprise doesn't include System Center Endpoint Protection. You can purchase licenses and install System Center Endpoint Protection independently.
## Related articles
- [Service UWF-protected devices](service-uwf-protected-devices.md)
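Review bot: The intro line says "USB Filter-enabled Windows 10 Enterprise device", but the article and every exclusion in it concern Unified Write Filter; suggest "UWF-enabled". The two file-exclusion blocks use different fence tags (text for Defender, txt for System Center Endpoint Protection) and spell the same log paths with different casing (WindowsUpdate.log and MpCmdRun.log versus Windowsupdate.log and Mpcmdrun.log); pick one form for both. Each exclusion is a location where writes persist across restarts on an otherwise protected volume, yet the procedure lists the paths without saying how to add them; a pointer to the uwfmgr.exe or exclusions reference would complete it.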

View File

@ -0,0 +1,42 @@
---
title: Apply OEM updates to UWF-protected devices
description: Apply OEM updates to UWF-protected devices
ms.date: 05/02/2017
ms.topic: reference
---
# Apply OEM updates to UWF-protected devices
To apply OEM updates on a Unified Write Filter (UWF)-protected Windows 10 device, you can modify the UPDATE\_SUCCESS block of UWF master servicing script (UwfServicingMasterScript.cmd) to call a custom OEM script that applies any required OEM updates. The OEM script should return control back to the UWF Master Servicing Script when finished.
The UWF Master Servicing Script (UwfServicingMasterScript.cmd) is located in the \Windows\System32 folder.
## UPDATE_SUCCESS (UwfServicingMasterScript.cmd)
The UPDATE_SUCCESS block of the UWF master servicing script follows:
```powershell
:UPDATE_SUCCESS
echo UpdateAgent returned success.
REM
REM echo UpdateAgent executing OEM script
REM OEM can call their custom scripts
REM at this point through a "call".
REM
REM The OEM script should hand control
REM back to this script once complete.
REM
REM Any error recovery for OEM script
REM should be handled outside of this script
REM post a reboot.
REM
uwfmgr servicing disable
echo Restarting system
goto UPDATE_EXIT
```
## Related articles
- [Service UWF-protected devices](service-uwf-protected-devices.md)
- [UWF master servicing script](uwf-master-servicing-script.md)
- [Unified Write Filter]( index.md)
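Review bot: The UPDATE_SUCCESS block is fenced as powershell, but its content is a cmd batch fragment (a :UPDATE_SUCCESS label, REM comments, goto); the other command blocks in this commit use the cmd tag, which would highlight it correctly. The prose alternates between "UWF master servicing script" and "UWF Master Servicing Script" within two sentences; pick one. In Related articles, the link target "( index.md)" has a leading space inside the parentheses, which can keep the link from resolving; use "(index.md)".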

View File

@ -0,0 +1,69 @@
---
title: Apply Windows updates to UWF-protected devices
description: Apply Windows updates to UWF-protected devices
ms.date: 05/02/2017
ms.topic: reference
---
# Apply Windows updates to UWF-protected devices
When a device is protected with Unified Write Filter (UWF), you must use UWF servicing mode commands to service the device and apply updates to an image.
UWF servicing mode uses the following files to when it applies Windows updates to your device:
- UWFMgr.exe command-line tool
- UwfServicingScr.scr screen saver
- UwfServicingMasterScript.cmd script
> [!NOTE]
> The master servicing script can be modified to service third-party applications, service custom OEM applications, or call custom OEM servicing scripts.
UWF servicing supports the following types of Windows updates:
- Critical updates
- Security updates
- Driver updates
## Enable Servicing Mode
1. To apply Windows updates to your device, at an administrator command prompt, type the following command:
```cmd
uwfmgr.exe servicing enable
```
1. Restart the device. Use either command.
```cmd
uwfmgr.exe filter restart
```
```cmd
shutdown /r /t 0
```
On restart, the device automatically signs in to the servicing account and servicing starts.
> [!IMPORTANT]
> The default servicing account that is automatically created and used for servicing is named **UWF-Servicing**. It's important that you don't have a user account that has that same name on a device before starting UWF servicing.
Once servicing has started, no user interaction is required. The system may restart if it's required by the Windows updates that are installing. If a restart is required, the system reenters servicing mode on restart and continues until all updates are installed.
While servicing is underway, the UwfServicingScr.scr screen saver displays on the device.
> [!NOTE]
> The UwfServicingScr.scr screen saver that is included with Windows 10 Enterprise is a standard Windows screen saver and can be replaced by a custom OEM screen saver if necessary.
When Windows update servicing is finished, the system disables UWF servicing and restarts the system with UWF-protection enabled and all file and registry exclusions restored to their original pre-servicing state.
> [!NOTE]
> During UWF servicing in Windows 10 Enterprise, Windows Update automatically accepts all Microsoft Software License Terms.
> [!NOTE]
> If Windows updates can't be installed or return an error, servicing is disabled and the system restarts with UWF-protection re-enabled and all file and registry exclusions restored to their original pre-servicing state.
## Related articles
- [Unified Write Filter]( index.md)
- [UWF master servicing script](uwf-master-servicing-script.md)
- [UWF servicing screen saver](uwf-servicing-screen-saver.md)
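Review bot: "UWF servicing mode uses the following files to when it applies Windows updates" has a stray "to"; drop it. The IMPORTANT note says not to have an existing account named UWF-Servicing but does not say what happens if one exists; since the device signs in to that account automatically on restart, one sentence on the failure mode would help administrators check before enabling servicing. The Related articles link "( index.md)" has a leading space in the target.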

View File

@ -0,0 +1,51 @@
---
title: UWF_ExcludedFile
description: UWF_ExcludedFile
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_ExcludedFile
Contains the files and folders that are currently in the file exclusion list for a volume protected by Unified Write Filter (UWF).
## Syntax
```powershell
class UWF_ExcludedFile {
[Read] string FileName;
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Properties
| Property | Data&nbsp;type | Qualifier | Description |
|----------|-----------|-----------|-------------|
| FileName | string | [read] | The name of the file or folder path in the file exclusion list, including the full path relative to the volume. |
### Remarks
UWF_ExcludedFile does not represent an actual WMI object, and you cannot use this class to get or set file exclusions.
You must use the [UWF_Volume.GetExclusions](uwf-volumegetexclusions.md) method to retrieve UWF_ExcludedFile objects.
You can use the [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md) and [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md) methods to add or remove file and folder exclusions to a volume.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
- [Unified Write Filter]( index.md)
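Review bot: The Members intro says "The following tables list any methods and properties that belong to this class", but only a Properties table follows and the class declares a single read-only FileName; reword to "The following table lists the properties". The Syntax block is tagged powershell although it holds a MOF-style class declaration, and the qualifier is written [Read] in the declaration and [read] in the table; make the casing match. The Related articles link "( index.md)" has a leading space in the target.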

View File

@ -0,0 +1,51 @@
---
title: UWF_ExcludedRegistryKey
description: UWF_ExcludedRegistryKey
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_ExcludedRegistryKey
Contains the registry keys that are currently in the registry key exclusion list for Unified Write Filter (UWF).
## Syntax
```powershell
class UWF_ExcludedRegistryKey {
[Read] string RegistryKey;
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Properties
| Property | Data&nbsp;type | Qualifier | Description |
|-------------|----------------|-----------|-------------|
| RegistryKey | string | [read] | The full path of the registry key in the registry key exclusion list. |
### Remarks
UWF_ExcludedRegistryKeydoes not represent an actual WMI object, and you cannot use this class to get or set registry key exclusions.
You can use the [UWF_RegistryFilter.GetExclusions](uwf-registryfiltergetexclusions.md) or [UWF_RegistryFilter.FindExclusion](uwf-registryfilterfindexclusion.md) methods to retrieve UWF_ExcludedRegistryKey objects.
You can use the [UWF_Volume.AddExclusion](uwf-volumeaddexclusion.md) and [UWF_Volume.RemoveExclusion](uwf-volumeremoveexclusion.md) methods to add or remove registry keys to the UWF registry key exclusion list.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
- [Unified Write Filter]( index.md)
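Review bot: The last Remarks sentence sends readers to UWF_Volume.AddExclusion and UWF_Volume.RemoveExclusion (uwf-volumeaddexclusion.md, uwf-volumeremoveexclusion.md) to manage registry key exclusions, while the sentence before it uses UWF_RegistryFilter for retrieval and the table of contents in this commit lists uwf-registryfilteraddexclusion.md and uwf-registryfilterremoveexclusion.md. This looks copied from the UWF_ExcludedFile page; point both links at the UWF_RegistryFilter methods. Also, "UWF_ExcludedRegistryKeydoes" is missing a space.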

View File

@ -0,0 +1,169 @@
---
title: UWF_Filter
description: UWF_Filter
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Filter
Enables or disables Unified Write Filter (UWF), resets configuration settings for UWF, and shuts down or restarts your device.
## Syntax
```powershell
class UWF_Filter{
[key] string Id;
[read] boolean CurrentEnabled;
[read] boolean NextEnabled;
UInt32 Enable();
UInt32 Disable();
UInt32 ResetSettings();
UInt32 ShutdownSystem();
UInt32 RestartSystem();
};
```
## Members
The following tables list any methods and properties that belong to this class.
### Methods
| Methods | Description |
|----------|-------------|
| [UWF_Filter.Enable](uwf-filterenable.md) | Enables UWF on the next restart. |
| [UWF_Filter.Disable](uwf-filterdisable.md) | Disables UWF on the next restart. |
| [UWF_Filter.ResetSettings](uwf-filterresetsettings.md) | Restores UWF settings to the original state that was captured at install time. |
| [UWF_Filter.ShutdownSystem](uwf-filtershutdownsystem.md) |Safely shuts down a system protected by UWF, even if the overlay is full. |
| [UWF_Filter.RestartSystem](uwf-filterrestartsystem.md) | Safely restarts a system protected by UWF, even if the overlay is full. |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| **Id** | string | [key] | A unique ID. This is always set to **UWF_Filter** |
| **CurrentEnabled** | Boolean | [read] | Indicates if UWF is enabled for the current session. |
| **NextEnabled** | Boolean | [read] | Indicates if UWF is enabled after the next restart. |
### Remarks
You must use an administrator account to make any changes to the configuration settings for UWF. Users with any kind of account can read the current configuration settings.
## Example
The following example demonstrates how to enable or disable UWF by using the WMI provider in a PowerShell script.
The PowerShell script creates three functions to help enable or disable UWF. It then demonstrates how to use each function.
The first function, `Disable-UWF`, retrieves a WMI object for **UWF_Filter**, and calls the **Disable()** method to disable UWF after the next device restart.
The second function, `Enable-UWF`, retrieves a WMI object for **UWF_Filter**, and calls the **Enable()** method to enable UWF after the next device restart.
The third function, `Display-UWFState`, examines the properties of the **UWF_Filter** object, and prints out the current settings for **UWF_Filter**.
```powershell
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Create a function to disable the Unified Write Filter driver after the next restart.
function Disable-UWF() {
# Retrieve the UWF_Filter settings.
$objUWFInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Filter;
if(!$objUWFInstance) {
"Unable to retrieve Unified Write Filter settings."
return;
}
# Call the method to disable UWF after the next restart. This sets the NextEnabled property to false.
$retval = $objUWFInstance.Disable();
# Check the return value to verify that the disable is successful
if ($retval.ReturnValue -eq 0) {
"Unified Write Filter will be disabled after the next system restart."
} else {
"Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
}
}
# Create a function to enable the Unified Write Filter driver after the next restart.
function Enable-UWF() {
# Retrieve the UWF_Filter settings.
$objUWFInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Filter;
if(!$objUWFInstance) {
"Unable to retrieve Unified Write Filter settings."
return;
}
# Call the method to enable UWF after the next restart. This sets the NextEnabled property to false.
$retval = $objUWFInstance.Enable();
# Check the return value to verify that the enable is successful
if ($retval.ReturnValue -eq 0) {
"Unified Write Filter will be enabled after the next system restart."
} else {
"Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
}
}
# Create a function to display the current settings of the Unified Write Filter driver.
function Display-UWFState() {
# Retrieve the UWF_Filter object
$objUWFInstance = Get-WmiObject -Namespace $NAMESPACE -Class UWF_Filter;
if(!$objUWFInstance) {
"Unable to retrieve Unified Write Filter settings."
return;
}
# Check the CurrentEnabled property to see if UWF is enabled in the current session.
if($objUWFInstance.CurrentEnabled) {
$CurrentStatus = "enabled";
} else {
$CurrentStatus = "disabled";
}
# Check the NextEnabled property to see if UWF is enabled or disabled after the next system restart.
if($objUWFInstance.NextEnabled) {
$NextStatus = "enabled";
} else {
$NextStatus = "disabled";
}
}
# Some examples of how to call the functions
Display-UWFState
"Enabling Unified Write Filter"
Enable-UWF
Display-UWFState
"Disabling Unified Write Filter"
Disable-UWF
Display-UWFState
```
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
- [Unified Write Filter]( index.md)
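Review bot: In the example, Display-UWFState assigns $CurrentStatus and $NextStatus and then ends without writing them, so the three Display-UWFState calls at the bottom print nothing, contrary to the description that the function "prints out the current settings". Add output lines for both values before the closing brace. In Enable-UWF, the comment above $objUWFInstance.Enable() says "This sets the NextEnabled property to false", copied from Disable-UWF; it should say true. $COMPUTER is assigned and never used.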

View File

@ -0,0 +1,43 @@
---
title: UWF_Filter.Disable
description: UWF_Filter.Disable
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Filter.Disable
Disables Unified Write Filter (UWF) on the next restart.
## Syntax
```powershell
UInt32 Disable();
```
## Parameters
None.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must use an administrator account to disable UWF.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_Filter](uwf-filter.md)
- [Unified Write Filter]( index.md)
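Review bot: Remarks states only the administrator requirement. The UWF_Filter.Enable page in this commit says "You must restart your device after you enable or disable UWF before the change takes effect"; repeat that here, since a reader who calls Disable() and sees a success code may assume writes already persist in the current session. The Related articles link "( index.md)" has a leading space in the target.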

View File

@ -0,0 +1,66 @@
---
title: UWF_Filter.Enable
description: UWF_Filter.Enable
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Filter.Enable
Enables Unified Write Filter (UWF) on the next restart.
## Syntax
```powershell
UInt32 Enable();
```
## Parameters
None.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must use an administrator account to enable UWF.
You must restart your device after you enable or disable UWF before the change takes effect.
The first time you enable UWF on your device, UWF makes the following changes to your system to improve the performance of UWF:
- Paging files are disabled.
- System restore is disabled.
- SuperFetch is disabled.
- File indexing service is turned off.
- Defragmentation service is turned off.
- Fast boot is disabled.
- BCD setting **bootstatuspolicy** is set to **ignoreallfailures**.
You can change these settings after you enable UWF if you want to. For example, you can move the page file location to an unprotected volume and re-enable paging files.
Additionally, after you run `uwfmgr filter enable`, restart the computer and exit the servicing mode, the following things are disabled:
- Windows Update by setting `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate`
- Windows Store Update by setting `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsStore\AutoDownload`
- Registry Reorganization by setting `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Configuration Manager\RegistryReorganizationLimitDays`
- Maintenance Hour by setting `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\Maintenance\MaintenanceDisabled`
After you run `uwfmgr filter disable`, restart the computer and enter the serving mode, the changes are reverted.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_Filter](uwf-filter.md)
- [Unified Write Filter]( index.md)
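Review bot: The closing Remarks sentence says "enter the serving mode", which should be "servicing mode" to match the sentence above the list. The four bullets name registry values (NoAutoUpdate, AutoDownload, RegistryReorganizationLimitDays, MaintenanceDisabled) as being set but never give the data written, so an administrator auditing why Windows Update is off on a protected device cannot confirm the expected state from this page; add the value each one receives. The first list says "Fast boot is disabled" while the overview article in this commit calls the feature "fast startup"; use one term.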

View File

@ -0,0 +1,47 @@
---
title: UWF_Filter.ResetSettings
description: UWF_Filter.ResetSettings
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Filter.ResetSettings
Restores UWF settings to the original configuration settings.
## Syntax
```powershell
UInt32 ResetSettings();
```
## Parameters
None.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must use an administrator account to reset UWF settings.
The original configuration settings are captured the first time that you enable UWF after you add UWF to your device by using **Turn Windows features on or off**. You can change the original configuration settings by using **Turn Windows features on or off** to remove and then add UWF, and then modifying the configuration to the desired state before you enable UWF.
If you added UWF to your device by using SMI settings in an unattend.xml file, the original configuration settings are captured when Windows 10 Enterprise is installed on your device.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_Filter](uwf-filter.md)
- [Unified Write Filter]( index.md)
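Review bot: Remarks says the original settings are captured "the first time that you enable UWF" when the feature was added through Turn Windows features on or off, and at Windows installation only in the unattend.xml case, but the UWF_Filter methods table in this commit describes ResetSettings as restoring "the original state that was captured at install time". Align that one-line description with these Remarks, or state both capture points there. The sentence on changing the original configuration packs remove, add, modify and enable into one clause; a numbered list would make the required order explicit.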

View File

@ -0,0 +1,48 @@
---
title: UWF_Filter.RestartSystem
description: UWF_Filter.RestartSystem
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Filter.RestartSystem
Safely restarts a system protected by UWF, even if the overlay is full.
## Syntax
```powershell
UInt32 RestartSystem();
```
## Parameters
None.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must use an administrator account to call this method.
You can't run on WMI providers; it's only available from Intune/CSP.
If the overlay is full, or near full, shutting down or restarting the system normally can cause the system to take a long time to shut down. This occurs when the system repeatedly tries to write files during shutdown, which constantly fail due to the overlay being full. You can call this method to safely restart a system by avoiding this scenario.
If the overlay becomes full while the system is performing a large number of writes, such as copying a large group of files, calling this method can still result in a long shutdown time.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_Filter](uwf-filter.md)
- [Unified Write Filter]( index.md)
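Review bot: The Remarks sentence "You can't run on WMI providers; it's only available from Intune/CSP." has no object for "run" and, read literally, says this WMI method cannot be called through WMI, on a page whose Syntax section documents it as a UWF_Filter method. State what exactly is unavailable and on which management path, or remove the sentence; the UWF_Filter.ShutdownSystem page in this commit carries no such restriction. The overlay paragraph here says "a long time" where the ShutdownSystem page says "an extremely long time" in otherwise identical text.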

View File

@ -0,0 +1,47 @@
---
title: UWF_Filter.ShutdownSystem
description: UWF_Filter.ShutdownSystem
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Filter.ShutdownSystem
Safely shuts down a system protected by UWF, even if the overlay is full.
## Syntax
```powershell
UInt32 ShutdownSystem();
```
## Parameters
None.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must use an administrator account to call this method.
If the overlay is full, or near full, shutting down or restarting the system normally can cause the system to take an extremely long time to shut down. This occurs when the system repeatedly tries to write files during shutdown, which constantly fail due to the overlay being full. You can call this method to safely shut down a system by avoiding this scenario.
If the overlay becomes full while the system is performing a large number of writes, such as copying a large group of files, calling this method can still result in a long shutdown time.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_Filter](uwf-filter.md)
- [Unified Write Filter]( index.md)

View File

@ -0,0 +1,88 @@
---
title: UWF master servicing script
description: UWF master servicing script
ms.date: 05/02/2017
ms.topic: reference
---
# UWF master servicing script
The UWF master servicing script (UwfServicingMasterScript.cmd) is located in the \\Windows\\System32 folder.
## UwfServicingMasterScript.cmd
The full UWF master servicing script follows:
```powershell
REM servicing of the device with UWF installed. The script will
REM call UWF manager application to update the system with the
REM latest available updates.
REM The script will detect whether the update operation
REM ended successfully or requires a reboot.
REM
REM The script will change the "SERVICING" state of the device
REM only when the update operation results in a "SUCCESS".
REM A state change of the device requires a reboot.
REM
REM If the update operation requires a "REBOOT" the script will
REM reboot device without changing the "SERVICING" state. The
REM Will then run again on the following reboot until
REM the update operation either return a "SUCCESS" or a "ERROR"
REM
REM Any third-party script that needs to run before the state
REM change should run in the UPDATE_SUCCESS block
REM
REM Environment :
REM It is expected that UWF is turned "OFF", "SERVICING" mode
REM enabled and all other preconditions
REM for servicing are in place.
REM
REM
REM
echo UpdateAgent starting.
uwfmgr servicing update-windows
if ERRORLEVEL 3010 goto UPDATE_REBOOT
if ERRORLEVEL 0 goto UPDATE_SUCCESS
echo UpdateAgent returned error =%ERRORLEVEL%
:UPDATE_ERROR
uwfmgr servicing disable
echo Restarting system
goto UPDATE_EXIT
:UPDATE_REBOOT
echo UpdateAgent requires a reboot.
echo UpdateAgent restarting system
goto UPDATE_EXIT
:UPDATE_SUCCESS
echo UpdateAgent returned success.
REM
REM echo UpdateAgent executing OEM script
REM OEM can call their custom scripts
REM at this point through a "call".
REM
REM The OEM script should hand control
REM back to this script once it is done.
REM
REM Any error recovery for OEM script
REM should be handled outside of this script
REM post a reboot.
REM
uwfmgr servicing disable
echo Restarting system
goto UPDATE_EXIT
:UPDATE_EXIT
echo UpdateAgent exiting.
shutdown -r -t 5
EXIT /B
```
## Related articles
[Service UWF-protected devices](service-uwf-protected-devices.md)
[Unified Write Filter]( index.md)
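
Review bot: In the two `if ERRORLEVEL` lines, `if ERRORLEVEL n` is true for any exit code greater than or equal to n, so every non-negative code below 3010 (non-zero failures included) jumps to UPDATE_SUCCESS and every code above 3010 jumps to UPDATE_REBOOT; the `echo UpdateAgent returned error` line and the UPDATE_ERROR block are reached only for negative codes. If the listing has to match the shipped file verbatim, say so and describe this behaviour in the text; otherwise compare exactly with `if %ERRORLEVEL% EQU 3010` and `if %ERRORLEVEL% EQU 0`. The fence is also tagged `powershell` for a .cmd script, and the header comment "The Will then run again" is missing its subject.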

View File

@ -0,0 +1,164 @@
---
title: UWF_Overlay
description: UWF_Overlay
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Overlay
Contains the current size of the Unified Write Filter (UWF) overlay and manages the critical and warning thresholds for the overlay size.
## Syntax
```powershell
class UWF_Overlay {
[key] string Id;
[read] UInt32 OverlayConsumption;
[read] UInt32 AvailableSpace;
[read] UInt32 CriticalOverlayThreshold;
[read] UInt32 WarningOverlayThreshold;
UInt32 GetOverlayFiles(
[in] string Volume,
[out, EmbeddedInstance("UWF_OverlayFile")] string OverlayFiles[]
);
UInt32 SetWarningThreshold(
UInt32 size
);
UInt32 SetCriticalThreshold(
UInt32 size
);
};
```
## Members
The following tables list any methods and properties that belong to this class.
| Methods | Description |
|---------|-------------|
| [UWF_Overlay.GetOverlayFiles](uwf-overlaygetoverlayfiles.md) | Returns a list of files of a volume that were cached in the UWF overlay. |
| [UWF_Overlay.SetWarningThreshold](uwf-overlaysetwarningthreshold.md) | Sets the warning threshold for monitoring the size of the UWF overlay. |
| [UWF_Overlay.SetCriticalThreshold](uwf-overlaysetcriticalthreshold.md) | Sets the critical warning threshold for monitoring the size of the UWF overlay. |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| ID | string | [key] | A unique ID. This is always set to **UWF_Overlay**. |
| OverlayConsumption | Uint32 | [read] | The current size, in megabytes, of the UWF overlay. |
| AvailableSpace | Uint32 | [read] | The amount of free space, in megabytes, available to the UWF overlay. |
| CriticalOverlayThreshold | Uint32 | [read] | The critical threshold size, in megabytes. UWF sends a critical threshold notification event when the UWF overlay size reaches or exceeds this value. |
| WarningOverlayThreshold | Uint32 | [read] | The warning threshold size, in megabytes. UWF sends a warning threshold notification event when the UWF overlay size reaches or exceeds this value. |
### Examples
The following example demonstrates how to use the UWF overlay by using the WMI provider in a PowerShell script.
```powershell
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Function to set the Unified Write Filter overlay warning threshold
function Set-OverlayWarningThreshold($ThresholdSize) {
# Retrieve the overlay WMI object
$OverlayInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Overlay;
if(!$OverlayInstance) {
"Unable to get handle to an instance of the UWF_Overlay class"
return;
}
# Call the instance method to set the warning threshold value
$retval = $OverlayInstance.SetWarningThreshold($ThresholdSize);
# Check the return value to verify that setting the warning threshold is successful
if ($retval.ReturnValue -eq 0) {
"Overlay warning threshold has been set to " + $ThresholdSize + " MB"
} else {
"Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
}
}
# Function to set the Unified Write Filter overlay critical threshold
function Set-OverlayCriticalThreshold($ThresholdSize) {
# Retrieve the overlay WMI object
$OverlayInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Overlay;
if(!$OverlayInstance) {
"Unable to get handle to an instance of the UWF_Overlay class"
return;
}
# Call the instance method to set the warning threshold value
$retval = $OverlayInstance.SetCriticalThreshold($ThresholdSize);
# Check the return value to verify that setting the critical threshold is successful
if ($retval.ReturnValue -eq 0) {
"Overlay critical threshold has been set to " + $ThresholdSize + " MB"
} else {
"Unknown Error: " + "{0:x0}" -f $retval.ReturnValue
}
}
# Function to print the current overlay information
function Get-OverlayInformation() {
# Retrieve the Overlay WMI object
$OverlayInstance = Get-WMIObject -namespace $NAMESPACE -class UWF_Overlay;
if(!$OverlayInstance) {
"Unable to get handle to an instance of the UWF_Overlay class"
return;
}
# Display the current values of the overlay properties
"`nOverlay Consumption: " + $OverlayInstance.OverlayConsumption
"Available Space: " + $OverlayInstance.AvailableSpace
"Critical Overlay Threshold: " + $OverlayInstance.CriticalOverlayThreshold
"Warning Overlay Threshold: " + $OverlayInstance.WarningOverlayThreshold
}
# Examples of using these functions
"`nSetting the warning threshold to 768 MB."
Set-OverlayWarningThreshold( 768 )
"`nSetting the critical threshold to 896 MB."
Set-OverlayCriticalThreshold( 896 )
"`nDisplaying the current state of the overlay."
Get-OverlayInformation
```
### Remarks
Only one **UFW\_Overlay** instance exists for a system protected with UWF.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [Unified Write Filter]( index.md)
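
Review bot: The Remarks line misspells the class name as **UFW\_Overlay**; it should read **UWF\_Overlay**. In `Set-OverlayCriticalThreshold` the comment above `SetCriticalThreshold($ThresholdSize)` still says "set the warning threshold value", the Members section has no `### Methods` heading before the methods table although `### Properties` has one, and `$COMPUTER` is assigned but never passed to `Get-WMIObject`.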

View File

@ -0,0 +1,159 @@
---
title: UWF_OverlayConfig
description: UWF_OverlayConfig
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_OverlayConfig
Displays and configures global settings for the Unified Write Filter (UWF) overlay. You can modify the maximum size and the type of the UWF overlay.
## Syntax
```powershell
class UWF_OverlayConfig{
[key, Read] boolean CurrentSession;
[read] UInt32 Type;
[read] SInt32 MaximumSize;
UInt32 SetType(
UInt32 type
);
UInt32 SetMaximumSize(
UInt32 size
);
};
```
## Members
The following tables list the methods and properties that belong to this class.
### Methods
| Method | Description |
|--------|-------------|
| [UWF_OverlayConfig.SetMaximumSize](uwf-overlayconfigsetmaximumsize.md) | Sets the maximum cache size, in megabytes, of the overlay. |
| [UWF_OverlayConfig.SetType](uwf-overlayconfigsettype.md) | Sets the type of the UWF overlay to either RAM-based or disk-based. |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description |
|----------|----------------|------------|-------------|
| CurrentSession | Boolean | [key, read] | Indicates which session the object contains settings for. </br>- **True** for the current session </br>- **False** for the next session that begins after a restart. |
| Type | UInt32 | [read] | Indicates the type of overlay. </br>- **0** for a RAM-based overlay</br>- **1** for a disk-based overlay. |
| MaximumSize | SInt32 | [read] | Indicates the maximum cache size, in megabytes, of the overlay. |
### Remarks
Changes to the overlay configuration take effect on the next restart in which UWF is enabled.
Before you can change the **Type** or **MaximumSize** properties, UWF must be disabled in the current session.
### Example
The following example demonstrates how to change the maximum size or the storage type of the overlay in UWF by using the Windows Management Instrumentation (WMI) provider in a PowerShell script.
The PowerShell script creates two functions to modify the overlay configuration. It then demonstrates how to use the functions. The first function, **Set-OverlaySize**, sets the maximum size of the overlay. The second function, **Set-OverlayType**, sets the type of the overlay to RAM-based or disk-based.
```powershell
$COMPUTER = "localhost"
$NAMESPACE = "root\standardcimv2\embedded"
# Define common parameters
$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER}
function Set-OverlaySize([UInt32] $size) {
# This function sets the size of the overlay to which file and registry changes are redirected
# Changes take effect after the next restart
# $size is the maximum size in MB of the overlay
# Make sure that UWF is currently disabled
$UWFFilter = Get-WmiObject -class UWF_Filter @commonParams
if ($UWFFilter.CurrentEnabled -eq $false) {
# Get the configuration for the next session after a restart
$nextConfig = Get-WMIObject -class UWF_OverlayConfig -Filter "CurrentSession = false" @CommonParams;
if ($nextConfig) {
# Set the maximum size of the overlay
$nextConfig.SetMaximumSize($size);
write-host "Set overlay max size to $size MB."
}
} else {
write-host "UWF must be disabled in the current session before you can change the overlay size."
}
}
function Set-OverlayType([UInt32] $overlayType) {
# This function sets the type of the overlay to which file and registry changes are redirected
# Changes take effect after the next restart
# $overlayType is the type of storage that UWF uses to maintain the overlay. 0 = RAM-based; 1 = disk-based.
$overlayTypeText = @("RAM-based", "disk-based")
# Make sure that the overlay type is a valid value
if ($overlayType -eq 0 -or $overlayType -eq 1) {
# Make sure that UWF is currently disabled
$UWFFilter = Get-WmiObject -class UWF_Filter @commonParams
if ($UWFFilter.CurrentEnabled -eq $false) {
# Get the configuration for the next session after a restart
$nextConfig = Get-WMIObject -class UWF_OverlayConfig -Filter "CurrentSession = false" @CommonParams;
if ($nextConfig) {
# Set the type of the overlay
$nextConfig.SetType($overlayType);
write-host "Set overlay type to $overlayTypeText[$overlayType]."
}
} else {
write-host "UWF must be disabled in the current session before you can change the overlay type."
}
} else {
write-host "Invalid value for overlay type. Valid values are 0 (RAM-based) or 1 (disk-based)."
}
}
# The following sample commands demonstrate how to use the functions to change the overlay configuration
$RAMMode = 0
$DiskMode = 1
Set-OverlaySize 2048
Set-OverlayType $DiskMode
```
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
[Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
[Unified Write Filter]( index.md)
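
Review bot: In `Set-OverlayType`, the line `write-host "Set overlay type to $overlayTypeText[$overlayType]."` does not index the array: inside a double-quoted string PowerShell expands `$overlayTypeText` as the whole array and prints `[$overlayType]` after it. Wrap the lookup in a subexpression, `$($overlayTypeText[$overlayType])`. Both functions also print their success message without checking the value returned by `SetMaximumSize` or `SetType`, so a rejected change (for example a size below the disk-based minimum) is reported as applied; check `ReturnValue` the way the UWF_Overlay sample does.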

View File

@ -0,0 +1,55 @@
---
title: UWF_OverlayConfig.SetMaximumSize
description: UWF_OverlayConfig.SetMaximumSize
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_OverlayConfig.SetMaximumSize
Sets the maximum cache size of the Unified Write Filter (UWF) overlay.
## Syntax
```powershell
UInt32 SetMaximumSize(
UInt32 size
);
```
## Parameters
**size**</br>An integer that represents the maximum cache size, in megabytes, of the overlay.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
When the size of the overlay reaches the *size* value, UWF returns an error for any attempt to write to a protected volume.
If the overlay type is disk-based, your device must meet the following requirements to change the maximum size of the overlay.
- UWF must be disabled in the current session.
- The *size* value must be at least 1024.
- The system volume on your device must have available free space greater than the new maximum size value.
If the overlay type is RAM-based, your device must meet the following requirement to change the maximum size of the overlay.
- UWF must be disabled in the current session.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_OverlayConfig](uwf-overlayconfig.md)
- [Unified Write Filter]( index.md)
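
Review bot: The disk-based requirement "The *size* value must be at least 1024." gives no unit, while the matching bullet on the SetType page says "at least 1024 MB"; add the unit here so the two pages agree. "UWF must be disabled in the current session" is repeated for both overlay types and could be stated once ahead of the type-specific requirements.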

View File

@ -0,0 +1,58 @@
---
title: UWF_OverlayConfig.SetType
description: UWF_OverlayConfig.SetType
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_OverlayConfig.SetType
Sets the type of the Unified Write Filter (UWF) overlay to either RAM-based or disk-based.
## Syntax
```powershell
UInt32 SetType(
UInt32 type
);
```
## Parameters
**type**</br>The type of overlay. Set to **0** for a RAM-based overlay; set to **1** for a disk-based overlay.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
Changes to the overlay type take effect during the next device restart in which UWF is enabled.
When you change the overlay type from RAM-based to disk-based, UWF creates a file on the system volume. The file has a size equal to the **MaximumSize** property of [UWF_OverlayConfig](uwf-overlayconfig.md).
Before you can change the overlay type to disk-based, your device must meet the following requirements.
- UWF must be disabled in the current session.
- The system volume on your device must have available free space greater than the maximum size of the overlay.
- The maximum size of the overlay must be at least 1024 MB.
Before you can change the overlay type to RAM-based, your device must meet the following requirements.
- UWF must be disabled in the current session.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_OverlayConfig](uwf-overlayconfig.md)
- [Overlay for Unified Write Filter (UWF)](uwfoverlay.md)
- [Unified Write Filter]( index.md)
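
Review bot: The **type** parameter description covers only **0** and **1** and does not say what `SetType` returns for any other value; state the outcome so callers know whether to validate before the call. The RAM-based list also introduces a single bullet with "the following requirements", which should be singular as on the SetMaximumSize page.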

View File

@ -0,0 +1,51 @@
---
title: UWF_OverlayFile
description: UWF_OverlayFile
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_OverlayFile
Contains a file that is currently in the overlay for a volume protected by Unified Write Filter (UWF).
## Syntax
```powershell
class UWF_OverlayFile {
[read] string FileName;
[read] UInt64 FileSize;
};
```
## Members
The following table lists any properties that belong to this class.
### Properties
| Property | Data&nbsp;type | Qualifier | Description |
|----------|----------------|-----------|-------------|
| FileName | string | [read] | The name of the file in the file overlay. |
| FileSize | UInt64 | [read] | The size of the file in the file overlay. |
### Remarks
You cannot use the **UWF_ OverlayFile** class directly to get overlay files. You must use the **UWF_Overlay.GetOverlayFiles** method to retrieve **UWF_ OverlayFile** objects.
For more information about specific limitations and conditions when using the **GetOverlayFiles** method, see the **Remarks** section in the [UWF_Overlay.GetOverlayFiles](uwf-overlaygetoverlayfiles.md) topic in the UWF WMI provider technical reference.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [Unified Write Filter WMI provider reference](uwf-wmi-provider-reference.md)
- [Unified Write Filter]( index.md)
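
Review bot: The first Remarks paragraph writes the class name as **UWF_ OverlayFile**, with a space after the underscore, in both places; it should be **UWF_OverlayFile** to match the title and the syntax block. The **FileSize** row in the Properties table gives no unit, unlike the size properties on the UWF_Overlay page, which state megabytes.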

View File

@ -0,0 +1,67 @@
---
title: UWF_Overlay.GetOverlayFiles
description: UWF_Overlay.GetOverlayFiles
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Overlay.GetOverlayFiles
Returns a list of files of a volume that were cached in the Unified Write Filter (UWF) overlay.
## Syntax
```powershell
UInt32 GetOverlayFiles(
[in] string Volume,
[out, EmbeddedInstance("UWF_OverlayFile")] string OverlayFiles[]
);
```
## Parameters
**Volume**</br>A string that specifies the drive letter or volume name.
**OverlayFiles**</br>An array of **UWF_OverlayFiles** objects embedded as strings.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must use an administrator account to access this method.
The **GetOverlayFiles** method is intended to be used as a diagnostic tool.
Do not base decisions about what to commit based on this methods output.
You should be aware of the following limitations:
- This method is only supported on the NTFS file system.
- This method requires a significant amount of free system memory to succeed (in a linear relationship to overlay usage). The method call fails when there is insufficient memory available to complete the call.
- This method requires significant time to complete (in an exponential relationship to overlay usage).
- This method may show files that are affected by seemingly unrelated operations to both registry and file exclusions and commits.
You should also be aware of the following items when you use the **GetOverlayFiles** method:
- Files that were committed with the `uwfmgr.exe file commit` command are also contained in the overlay files list.
- Excluded files may be contained in the overlay files list.
- Files that are smaller than the cluster size (for example, 4 KB in most cases) will not be listed even if they are cached in overlay.
- Changes and deletions in excluded directories, excluded files, or excluded registry items add to overlay usage.
- File and registry commits add to overlay usage.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_Overlay](uwf-overlay.md)
- [Unified Write Filter]( index.md)
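
Review bot: The **OverlayFiles** parameter description names the embedded class as **UWF_OverlayFiles**, but the syntax block's `EmbeddedInstance("UWF_OverlayFile")` and the class page use the singular; correct the name so readers can find the class. In Remarks, "Do not base decisions about what to commit based on this methods output." repeats "base" and is missing the apostrophe in "method's".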

View File

@ -0,0 +1,51 @@
---
title: UWF_Overlay.SetCriticalThreshold
description: UWF_Overlay.SetCriticalThreshold
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Overlay.SetCriticalThreshold
Sets the critical threshold for monitoring the size of the Unified Write Filter (UWF) overlay.
## Syntax
```powershell
UInt32 SetCriticalThreshold(
UInt32 size
);
```
## Parameters
**size**</br>An integer that represents the size, in megabytes, of the critical threshold level for the overlay. If *size* is 0 (zero), UWF does not raise critical threshold events.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
When the size of the overlay reaches or exceeds the *size* threshold value, UWF writes the following notification event to the event log.
| Message ID | Event code | Message text |
|------------|------------|--------------|
| UWF_OVERLAY_REACHED_CRITICAL_LEVEL | 0x80010002L | The UWF overlay size has reached CRITICAL level. |
The critical threshold must be higher than the warning threshold.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_Overlay](uwf-overlay.md)
- [Unified Write Filter]( index.md)
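
Review bot: The Remarks sentence says UWF writes the notification "to the event log" but names neither the log nor the event source, so a reader cannot build an alert or event subscription from this page; add the log name and source next to the table. The Event code column shows `0x80010002L` with a C-style `L` suffix; say whether that is the event ID as displayed in the log or a header constant. The page also does not say what the method returns when *size* is not higher than the warning threshold.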

View File

@ -0,0 +1,51 @@
---
title: UWF_Overlay.SetWarningThreshold
description: UWF_Overlay.SetWarningThreshold
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_Overlay.SetWarningThreshold
Sets the warning threshold for monitoring the size of the Unified Write Filter (UWF) overlay.
## Syntax
```powershell
UInt32 SetWarningThreshold(
UInt32 size
);
```
## Parameters
**size**</br>An integer that represents the size, in megabytes, of the warning threshold level for the overlay. If *size* is set to 0 (zero), UWF does not raise warning threshold events.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
When the size of the overlay reaches or exceeds the *size* threshold value, UWF writes the following notification event to the event log.
| Message ID | Event code | Message text |
|------------|------------|--------------|
|UWF_OVERLAY_REACHED_WARNING_LEVEL | 0x80010001L | The UWF overlay size has reached WARNING level. |
The warning threshold must be lower than the critical threshold.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_Overlay](uwf-overlay.md)
- [Unified Write Filter]( index.md)
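
Review bot: The Parameters text says a *size* of 0 disables warning events, and the Remarks say the warning threshold must be lower than the critical threshold, but nothing explains how the two interact: whether 0 is always accepted, and what the method returns when *size* is not lower than the critical threshold. Document both cases. The table row `|UWF_OVERLAY_REACHED_WARNING_LEVEL` is also missing the space after the leading pipe that the SetCriticalThreshold page has.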

View File

@ -0,0 +1,269 @@
---
title: UWF_RegistryFilter
description: UWF_RegistryFilter
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_RegistryFilter
Adds or removes registry exclusions from Unified Write Filter (UWF) filtering, and also commits registry changes.
## Syntax
```powershell
class UWF_RegistryFilter{
[key, Read] boolean CurrentSession;
[Read, Write] boolean PersistDomainSecretKey;
[Read, Write] boolean PersistTSCAL;
UInt32 AddExclusion(
string RegistryKey
);
UInt32 RemoveExclusion(
string RegistryKey
);
UInt32 FindExclusion(
[in] string RegistryKey,
[out] boolean bFound
);
UInt32 GetExclusions(
[out, EmbeddedInstance("UWF_ExcludedRegistryKey")] string ExcludedKeys[]
);
UInt32 CommitRegistry(
[in] string RegistryKey,
[in] string ValueName
);
UInt32 CommitRegistryDeletion(
string Registrykey,
string ValueName
);
};
```
## Members
The following tables list the methods and properties that belong to this class.
| Method | Description&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |
|--------|-------------|
| [UWF_RegistryFilter.AddExclusion](uwf-registryfilteraddexclusion.md) | Adds a registry key to the registry exclusion list for UWF. |
| [UWF_RegistryFilter.CommitRegistry](uwf-registryfiltercommitregistry.md) | Commits changes to the specified registry key and value. |
| [UWF_RegistryFilter.CommitRegistryDeletion](uwf-registryfiltercommitregistrydeletion.md) | Deletes the specified registry key or registry value and commits the deletion. |
| [UWF_RegistryFilter.FindExclusion](uwf-registryfilterfindexclusion.md) | Determines whether a specific registry key is excluded from being filtered by UWF. |
| [UWF_RegistryFilter.GetExclusions](uwf-registryfiltergetexclusions.md) | Retrieves all registry key exclusions from a system that is protected by UWF |
| [UWF_RegistryFilter.RemoveExclusion](uwf-registryfilterremoveexclusion.md) | Removes a registry key from the registry exclusion list for Unified Write Filter (UWF). |
### Properties
| Property | Data&nbsp;type | Qualifiers | Description&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |
|----------|----------------|------------|-------------|
| CurrentSession | Boolean | [key, read] | Indicates which session the object contains settings for. </br> - **True** if settings are for the current session </br>- **False** if settings are for the next session that follows a restart. |
| PersistDomainSecretKey | Boolean | [read, write] | Indicates if the domain secret registry key is in the registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart.</br>- **True** to include in the exclusion list </br>- Otherwise **False**. |
| PersistTSCAL | Boolean | [read, write] | Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart. </br>- **True** to include in the exclusion list</br>- Otherwise, set to **False** |
### Remarks
Additions or removals of registry exclusions, including changes to the values of **PersistDomainSecretKey** and **PersistTSCAL**, take effect after the next restart in which UWF is enabled.
You can only add registry keys in the HKLM registry root to the UWF registry exclusion list.
You can also use **UWF_RegistryFilter** to exclude the domain secret registry key and the TSCAL registry key from UWF filtering.
### Example
The following example demonstrates how to manage UWF registry exclusions by using the Windows Management Instrumentation (WMI) provider in a PowerShell script.
The PowerShell script creates four functions, and then demonstrates how to use them.
The first function, **Get-RegistryExclusions**, displays a list of UWF registry exclusions for both the current session and the next session that follows a restart.
The second function, **Add-RegistryExclusion**, adds a registry entry to the UWF registry exclusion list after you restart the device.
The third function, **Remove-RegistryExclusion**, removes a registry entry from the UWF exclusion list after you restart the device.
The fourth function, **Clear-RegistryExclusions**, removes all UWF registry exclusions. You must restart the device before UWF stops filtering the exclusions.
```powershell
$COMPUTER = "EMBEDDEDDEVICE"
$NAMESPACE = "root\standardcimv2\embedded"
# Define common parameters
$CommonParams = @{"namespace"=$NAMESPACE; "computer"=$COMPUTER}
function Get-RegistryExclusions() {
# This function lists the UWF registry exclusions, both
# for the current session as well as the next session after a restart.
# Get the UWF_RegistryFilter configuration for the current session
$currentConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
where {
$_.CurrentSession -eq $true
};
# Get the UWF_RegistryFilter configuration for the next session after a restart
$nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
where {
$_.CurrentSession -eq $false
};
# Display registry exclusions for the current session
if ($currentConfig) {
Write-Host ""
Write-Host "The following registry entries are currently excluded from UWF filtering:";
$currentExcludedList = $currentConfig.GetExclusions()
if ($currentExcludedList.ExcludedKeys) {
foreach ($registryExclusion in $currentExcludedList.ExcludedKeys) {
Write-Host " " $registryExclusion.RegistryKey
}
} else {
Write-Host " None"
}
} else {
Write-Error "Could not retrieve UWF_RegistryFilter.";
}
# Display registry exclusions for the next session after a restart
if ($nextConfig) {
Write-Host ""
Write-Host "The following registry entries will be excluded from UWF filtering after the next restart:";
$nextExcludedList = $nextConfig.GetExclusions()
if ($nextExcludedList.ExcludedKeys) {
foreach ($registryExclusion in $nextExcludedList.ExcludedKeys) {
Write-Host " " $registryExclusion.RegistryKey
}
} else {
Write-Host " None"
}
Write-Host ""
}
}
function Add-RegistryExclusion($exclusion) {
# This function adds a new UWF registry exclusion.
# The new registry exclusion takes effect the next time the device is restarted and UWF is enabled.
# $exclusion is the path of the registry exclusion
# Get the UWF_RegistryFilter configuration for the next session after a restart
$nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
where {
$_.CurrentSession -eq $false
};
# Add the exclusion
if ($nextConfig) {
$nextConfig.AddExclusion($exclusion) | Out-Null;
Write-Host "Added exclusion $exclusion.";
} else {
Write-Error "Could not retrieve UWF_RegistryFilter";
}
}
function Remove-RegistryExclusion($exclusion) {
# This function removes a UWF registry exclusion.
# The registry exclusion is removed the next time the device is restarted
# $exclusion is the path of the registry exclusion
# Get the UWF_RegistryFilter configuration for the next session after a restart
$nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
where {
$_.CurrentSession -eq $false
};
# Try to remove the exclusion
if ($nextConfig) {
try {
$nextConfig.RemoveExclusion($exclusion) | Out-Null;
Write-Host "Removed exclusion $exclusion.";
} catch {
Write-Host "Could not remove exclusion $exclusion."
}
} else {
Write-Error "Could not retrieve UWF_RegistryFilter";
}
}
function Clear-RegistryExclusions() {
# This function removes all UWF registry exclusions
# The registry exclusions are removed the next time the device is restarted
# Get the configuration for the next session
$nextConfig = Get-WMIObject -class UWF_RegistryFilter @CommonParams |
where {
$_.CurrentSession -eq $false
};
# Remove all registry exclusions
if ($nextConfig) {
Write-Host "Removing all registry exclusions:";
$nextExcludedList = $nextConfig.GetExclusions()
if ($nextExcludedList) {
foreach ($registryExclusion in $nextExcludedList.ExcludedKeys) {
Write-Host "Removing:" $registryExclusion.RegistryKey
$nextConfig.RemoveExclusion($registryExclusion.RegistryKey) | Out-Null
}
} else {
Write-Host "No registry exclusions to remove."
}
Write-Host ""
}
}
# Some examples of using the functions
Clear-RegistryExclusions
Get-RegistryExclusions
Add-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
Add-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\DateTime\Servers\(Default)"
Get-RegistryExclusions
Remove-RegistryExclusion "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer"
Get-RegistryExclusions
Clear-RegistryExclusions
```
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [Unified Write Filter]( index.md)
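
Review bot: `Add-RegistryExclusion` and `Remove-RegistryExclusion` pipe the method result to `Out-Null` and then print "Added exclusion" or "Removed exclusion" unconditionally, so a call that returned an error status is reported as successful; capture the result and test `ReturnValue` before printing. `Clear-RegistryExclusions` tests `if ($nextExcludedList)` where `Get-RegistryExclusions` tests `.ExcludedKeys`, so the "No registry exclusions to remove." branch is not reached when the list is empty. The two Description column headers are padded with long runs of `&nbsp;`, and the Members section has no `### Methods` heading before the first table.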

View File

@ -0,0 +1,58 @@
---
title: UWF_RegistryFilter.AddExclusion
description: UWF_RegistryFilter.AddExclusion
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_RegistryFilter.AddExclusion
Adds a registry key to the registry exclusion list for Unified Write Filter (UWF).
> [!IMPORTANT]
> Only registry subkeys under the following registry keys can be added to the exclusion list.
>
> - HKEY_LOCAL_MACHINE\BCD00000000
> - HKEY_LOCAL_MACHINE\SYSTEM
> - HKEY_LOCAL_MACHINE\SOFTWARE
> - HKEY_LOCAL_MACHINE\SAM
> - HKEY_LOCAL_MACHINE\SECURITY
> - HKEY_LOCAL_MACHINE\COMPONENTS
> [!IMPORTANT]
> Excluding a registry key from filtering also excludes all subkeys from filtering.
## Syntax
```powershell
UInt32 AddExclusion(
string RegistryKey
);
```
## Parameters
**RegistryKey**</br>A string that contains the full path of the registry key.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must restart the device before the registry key is excluded from UWF filtering.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_RegistryFilter](uwf-registryfilter.md)
- [Unified Write Filter]( index.md)
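
Review bot: The Remarks section gives only the restart requirement and omits the sentence the CommitRegistry and CommitRegistryDeletion pages in this change carry, "You must use an administrator account to change any properties or call any methods that change the configuration settings." Since this method excludes a key and all of its subkeys from filtering, the privilege requirement belongs here as well. Minor points: `description:` repeats the title instead of summarizing the method, the Syntax block omits the `[in]` qualifier that CommitRegistry and FindExclusion use, and `</br>` in the Parameters line is a closing tag where `<br/>` is meant.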

View File

@ -0,0 +1,50 @@
---
title: UWF_RegistryFilter.CommitRegistry
description: UWF_RegistryFilter.CommitRegistry
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_RegistryFilter.CommitRegistry
Commits changes to the specified registry key and value.
## Syntax
```powershell
UInt32 CommitRegistry(
[in] string RegistryKey,
[in] string ValueName
);
```
## Parameters
**RegistryKey**</br>A string that contains the full path of the registry key to be committed.
**ValueName**</br>A string that contains the name of the value to be committed.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
This method will commit only the value specified by *ValueName* under *RegistryKey* if *ValueName* is specified.
You must use an administrator account to change any properties or call any methods that change the configuration settings.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_RegistryFilter](uwf-registryfilter.md)
- [Unified Write Filter]( index.md)
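
Review bot: The Remarks sentence "This method will commit only the value specified by *ValueName* under *RegistryKey* if *ValueName* is specified" leaves the other case undocumented: the page never says what is committed when *ValueName* is empty. CommitRegistryDeletion in this same change spells out its empty-*ValueName* behavior, so this page should state its own equally explicitly. It would also help to say, as CommitRegistryDeletion does for deletions, where the committed change lands. The `description:` field repeats the title.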

View File

@ -0,0 +1,52 @@
---
title: UWF_RegistryFilter.CommitRegistryDeletion
description: UWF_RegistryFilter.CommitRegistryDeletion
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_RegistryFilter.CommitRegistryDeletion
Deletes the specified registry key or registry value and commits the deletion.
## Syntax
```powershell
UInt32 CommitRegistryDeletion(
string Registrykey,
string ValueName
);
```
## Parameters
**RegistryKey**</br>A string that contains the full path of the registry key that contains the value to be deleted. If *ValueName* is empty, the entire registry key is deleted.
**ValueName**</br>A string that contains the name of the value to be deleted.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
If *ValueName* is specified, this method will delete only the value specified by *ValueName* that is contained by *RegistryKey*. If *ValueName* is empty, the entire *RegistryKey* and all its sub keys are deleted.
This method deletes the registry key or registry value from both the overlay and the persistent storage.
You must use an administrator account to change any properties or call any methods that change the configuration settings.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_RegistryFilter](uwf-registryfilter.md)
- [Unified Write Filter]( index.md)
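
Review bot: The Syntax block declares `string Registrykey` with a lowercase "k" while the Parameters and Remarks sections use *RegistryKey*; align the casing, and add the `[in]` qualifiers used on the CommitRegistry page. Because an empty *ValueName* deletes the entire key and all its subkeys from both the overlay and the persistent storage, that behavior deserves the same `> [!IMPORTANT]` callout style used on the AddExclusion page instead of sitting in a plain Remarks sentence. "sub keys" should be "subkeys" to match the AddExclusion page.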

View File

@ -0,0 +1,44 @@
---
title: UWF_RegistryFilter.FindExclusion
description: UWF_RegistryFilter.FindExclusion
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_RegistryFilter.FindExclusion
Checks if a specific registry key is excluded from being filtered by Unified Write Filter (UWF).
## Syntax
```powershell
UInt32 FindExclusion(
[in] string RegistryKey,
[out] boolean bFound
);
```
## Parameters
**RegistryKey**</br>\[in\] A string that contains the full path of the registry key.
**bFound**</br>\[out\] Indicates if the *RegistryKey* is in the exclusion list of registry keys.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_RegistryFilter](uwf-registryfilter.md)
- [Unified Write Filter]( index.md)
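
Review bot: The page has no Remarks section and the *bFound* description does not say whether the check is an exact match on the exclusion list or also returns true for a subkey of an excluded key. The AddExclusion page in this change states that excluding a key also excludes all subkeys, so a reader auditing whether a given key is filtered cannot tell from this page how to interpret a false result. Suggest a Remarks sentence that states which of the two it is. The `description:` field repeats the title.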

View File

@ -0,0 +1,45 @@
---
title: UWF_RegistryFilter.GetExclusions
description: UWF_RegistryFilter.GetExclusions
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_RegistryFilter.GetExclusions
Retrieves all registry key exclusions from a device that is protected by Unified Write Filter (UWF).
## Syntax
```powershell
UInt32 GetExclusions(
[out, EmbeddedInstance("UWF_ExcludedRegistryKey")] string ExcludedKeys[]
);
```
## Parameters
**ExcludedKeys**</br>\[out\] An array of [UWF_ExcludedRegistryKey](uwf-excludedregistrykey.md) objects that represent the registry keys excluded from UWF filtering.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
If this method does not find any registry keys in the registry key exclusion list, it sets the *ExcludedKeys* parameter to null.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_RegistryFilter](uwf-registryfilter.md)
- [Unified Write Filter]( index.md)
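
Review bot: The Remarks section covers only the null case and does not say which session the returned list describes. The sample script earlier in this change selects the UWF_RegistryFilter instance with `$_.CurrentSession -eq $false`, and AddExclusion and RemoveExclusion both require a restart to take effect, so the result depends on which instance the method is called on. Suggest a sentence that says so, since a reader auditing exclusions on a running device needs to know whether the list reflects the current or the next session. The `description:` field repeats the title.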

View File

@ -0,0 +1,45 @@
---
title: UWF_RegistryFilter.RemoveExclusion
description: UWF_RegistryFilter.RemoveExclusion
ms.date: 05/20/2024
ms.topic: reference
---
# UWF_RegistryFilter.RemoveExclusion
Removes a registry key from the registry exclusion list for Unified Write Filter (UWF).
## Syntax
```powershell
UInt32 RemoveExclusion(
string RegistryKey
);
```
## Parameters
**RegistryKey**</br>A string that contains the full path of the registry key.
## Return Value
Returns an HRESULT value that indicates [WMI status](/windows/win32/wmisdk/wmi-non-error-constants) or a [WMI error](/windows/win32/wmisdk/wmi-error-constants).
## Remarks
You must restart the device before the registry key is excluded from UWF filtering.
## Requirements
| Windows Edition | Supported |
|:-----------------------|:---------:|
| Windows Home | No |
| Windows Pro | No |
| Windows Enterprise | Yes |
| Windows Education | Yes |
| Windows IoT Enterprise | Yes |
## Related articles
- [UWF_RegistryFilter](uwf-registryfilter.md)
- [Unified Write Filter]( index.md)
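
Review bot: The Remarks sentence "You must restart the device before the registry key is excluded from UWF filtering" is carried over unchanged from the AddExclusion page and describes the opposite of what this method does. For RemoveExclusion it should say that the device must be restarted before the registry key is filtered by UWF again. As on the AddExclusion page, the administrator-account sentence from the CommitRegistry page is missing and `description:` repeats the title.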

Some files were not shown because too many files have changed in this diff