From 00af39a1528d2735f648d0a8bea8ff108d2b3988 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 11 Apr 2023 11:36:23 -0400 Subject: [PATCH] older windows version cleanup --- .openpublishing.redirection.json | 5 + .../appv-deploy-and-config.md | 488 ------------------ ...e-active-directory-integration-with-mdm.md | 2 +- ...ficate-authentication-device-enrollment.md | 4 +- .../certificate-renewal-windows-mdm.md | 3 - .../enable-admx-backed-policies-in-mdm.md | 6 +- ...device-automatically-using-group-policy.md | 8 +- .../enterprise-app-management.md | 6 +- ...rver-side-mobile-application-management.md | 8 +- .../manage-corporate-devices.md | 18 +- ...-in-your-organization-modern-management.md | 4 +- windows/client-management/mdm-collect-logs.md | 14 +- .../mdm-diagnose-enrollment.md | 2 +- .../mdm-enrollment-of-windows-devices.md | 28 +- windows/client-management/mdm-known-issues.md | 14 +- windows/client-management/mdm-overview.md | 8 +- .../mobile-device-enrollment.md | 4 +- ...ew-in-windows-mdm-enrollment-management.md | 10 +- .../oma-dm-protocol-support.md | 8 +- ...remise-authentication-device-enrollment.md | 4 +- .../understanding-admx-backed-policies.md | 103 ++-- ...and-centennial-app-policy-configuration.md | 70 +-- .../wmi-providers-supported-in-windows.md | 244 ++++----- 23 files changed, 285 insertions(+), 776 deletions(-) delete mode 100644 windows/client-management/appv-deploy-and-config.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 74ac00f780..d418d33847 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6700,6 +6700,11 @@ "redirect_url": "/microsoft-365/compliance/use-your-free-azure-ad-subscription-in-office-365", "redirect_document_id": false }, + { + "source_path": "windows/client-management/appv-deploy-and-config.md", + "redirect_url": "/windows/application-management/app-v/appv-for-windows", + "redirect_document_id": false + }, { "source_path": "windows/client-management/diagnose-mdm-failures-in-windows-10.md", "redirect_url": "/windows/client-management/mdm-collect-logs", diff --git a/windows/client-management/appv-deploy-and-config.md b/windows/client-management/appv-deploy-and-config.md deleted file mode 100644 index 6b89d95acc..0000000000 --- a/windows/client-management/appv-deploy-and-config.md +++ /dev/null @@ -1,488 +0,0 @@ ---- -title: Deploy and configure App-V apps using MDM -description: Configure, deploy, and manage Microsoft Application Virtualization (App-V) apps using Microsoft Intune or App-V server. -ms.author: vinpa -ms.topic: article -ms.prod: windows-client -ms.technology: itpro-manage -author: vinaypamnani-msft -ms.date: 06/26/2017 -ms.reviewer: -manager: aaroncz -appliesto: -- ✅ Windows 11 -- ✅ Windows 10 ---- - -# Deploy and configure App-V apps using MDM - -## Executive summary - -

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premises group policies or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premises counterparts.

- -

MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

- -### EnterpriseAppVManagement CSP node structure - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -The following example shows the EnterpriseAppVManagement configuration service provider in tree format. - -```console -./Vendor/MSFT -EnterpriseAppVManagement -----AppVPackageManagement ---------EnterpriseID -------------PackageFamilyName ----------------PackageFullName -------------------Name -------------------Version -------------------Publisher -------------------InstallLocation -------------------InstallDate -------------------Users -------------------AppVPackageID -------------------AppVVersionId -------------------AppVPackageUri -----AppVPublishing ---------LastSync -------------LastError -------------LastErrorDescription -------------SyncStatusDescription -------------SyncProgress ---------Sync -------------PublishXML -----AppVDynamicPolicy ---------ConfigurationId -------------Policy -``` - -

(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following subnodes.

- -

AppVPublishing - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

- -- EnterpriseAppVManagement - - AppVPackageManagement - - **AppVPublishing** - - LastSync - - LastError - - LastErrorDescription - - SyncStatusDescription - - SyncProgress - - Sync - - PublishXML - - AppVDynamicPolicy - -

Sync command:

- -[App-V Sync protocol reference](https://msdn.microsoft.com/enus/library/mt739986.aspx) - -

AppVDynamicPolicy - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

- -- EnterpriseAppVManagement - - AppVPackageManagement - - AppVPublishing - - **AppVDynamicPolicy** - - [ConfigurationId] - - Policy - -

Dynamic policy examples:

- -[Dynamic configuration processing](/windows/application-management/app-v/appv-application-publishing-and-client-interaction#dynamic-configuration-processing) - -

AppVPackageManagement - Primarily read-only App-V package inventory data for MDM servers to query current packages.

- -- EnterpriseAppVManagement - - **AppVPackageManagement** - - [EnterpriseID] - - [PackageFamilyName] - - [PackageFullName] - - Name - - Version - - Publisher - - InstallLocation - - InstallDate - - Users - - AppVPackageID - - AppVVersionId - - AppVPackageUri - - AppVPublishing - - AppVDynamicPolicy - -

The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.

- -## Scenarios addressed in App-V MDM functionality - -

All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premises App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.

- -

A complete list of App-V policies can be found here:

- -[ADMX-backed policy reference](mdm/policy-configuration-service-provider.md) - -[EnterpriseAppVManagement CSP reference](mdm/enterpriseappvmanagement-csp.md) - -### SyncML examples - -

The following SyncML examples address specific App-V client scenarios.

- -#### Enable App-V client - -

This example shows how to enable App-V on the device.

- -```xml - - $CmdID$ - - - chr - text/plain - - - ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient - - - - -``` - -#### Configure App-V client - -

This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts helps package deployments (add and publish of App-V apps).

- -```xml - - $CmdID$ - - - chr - text/plain - - - ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts - - - - -``` - -

Complete list of App-V policies can be found here:

- -[Policy CSP](mdm/policy-configuration-service-provider.md) - -#### SyncML with package published for a device (global to all users for that device) - -

This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - - -``` - -

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

- -#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device) - -

This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy - - - xml - text/plain - - - - - - - - - - - [{ThisPCDesktopFolder}]\Skype_FromMDM.lnk - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico - - [{ProgramFilesX86}]\Skype\ - Skype.Desktop.Application - Launch Skype - 1 - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - - - - - [{Common Desktop}]\Skype_FromMDMAlso.lnk - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico - - [{ProgramFilesX86}]\Skype\ - Skype.Desktop.Application - Launch Skype - 1 - [{ProgramFilesX86}]\Skype\Phone\Skype.exe - - - - - - - - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - - - -``` - -

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

- -#### SyncML with package (using user config deployment) published for a specific user - -

This SyncML example shows how to publish a package for a specific MDM user.

- -```xml - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> - - - xml - text/plain - - - - - - - - - - - - - -``` - -#### SyncML for publishing mixed-mode connection group containing global and user-published packages - -

This SyncML example shows how to publish a connection group, and group applications and plugins together.

- -> [!NOTE] -> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group. - -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L - - - xml - text/plain - - - - - - - - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> - - - xml - text/plain - - - - - - - - - - - - - - - - - - - - -``` - -#### Unpublish example SyncML for all global packages - -

This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync - - - node - - - - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML - - - xml - text/plain - - - - - - - - - -``` - -#### Query packages on a device - -

These SyncML examples return all global, and user-published packages on the device.

- -```xml - - $CmdID$ - - - ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData - - - -``` - -```xml - - $CmdID$ - - - ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData - - - -``` diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index 6eb05d62cb..20a3fc0b42 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -383,7 +383,7 @@ For a sample that illustrates how an MDM can obtain an access token using OAuth The following sample REST API call illustrates how an MDM can use the Microsoft Graph API to report compliance status of a device being managed by it. > [!NOTE] -> This API is only applicable for approved MDM apps on Windows 10 devices. +> This API is only applicable for approved MDM apps on Windows devices. ```console Sample Graph API Request: diff --git a/windows/client-management/certificate-authentication-device-enrollment.md b/windows/client-management/certificate-authentication-device-enrollment.md index bf9d1e373f..6db2ca38a4 100644 --- a/windows/client-management/certificate-authentication-device-enrollment.md +++ b/windows/client-management/certificate-authentication-device-enrollment.md @@ -16,13 +16,13 @@ appliesto: # Certificate authentication device enrollment -This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows devices, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](https://go.microsoft.com/fwlink/p/?LinkId=619347). > [!NOTE] > To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package). > [!NOTE] -> For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery Service diff --git a/windows/client-management/certificate-renewal-windows-mdm.md b/windows/client-management/certificate-renewal-windows-mdm.md index ad7e9b4500..d7c3443131 100644 --- a/windows/client-management/certificate-renewal-windows-mdm.md +++ b/windows/client-management/certificate-renewal-windows-mdm.md @@ -100,9 +100,6 @@ For more information about the parameters, see the CertificateStore configuratio Unlike manual certificate renewal, the device will not do an automatic MDM client certificate renewal if the certificate is already expired. To make sure the device has enough time to automatically renew, we recommend you set a renewal period a couple months (40-60 days) before the certificate expires. And, set the renewal retry interval to every few days, like every 4-5 days instead every 7 days (weekly). This change increases the chance that the device will try to connect at different days of the week. -> [!NOTE] -> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. - ## Certificate renewal response When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): diff --git a/windows/client-management/enable-admx-backed-policies-in-mdm.md b/windows/client-management/enable-admx-backed-policies-in-mdm.md index 553ecce5d4..1983b4f76f 100644 --- a/windows/client-management/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/enable-admx-backed-policies-in-mdm.md @@ -8,7 +8,7 @@ ms.technology: itpro-manage author: vinaypamnani-msft ms.localizationpriority: medium ms.date: 11/01/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 11 @@ -17,9 +17,7 @@ appliesto: # Enable ADMX policies in MDM -Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). - -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. +Starting in Windows 10, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 70ee1d76b6..a81c66fd6c 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -25,7 +25,7 @@ The enrollment into Intune is triggered by a group policy created on your local **Requirements**: -- The Active Directory joined device must be running Windows 10, version 1709 or later. +- The Active Directory joined device must be running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). - The enterprise has configured a Mobile Device Management (MDM) service. - The on-premises Active Directory must be [integrated with Azure AD (via Azure AD Connect)](/azure/architecture/reference-architectures/identity/azure-ad). - The device shouldn't already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`). @@ -38,7 +38,7 @@ The enrollment into Intune is triggered by a group policy created on your local > - [How to plan your hybrid Azure Active Directory join implementation](/azure/active-directory/devices/hybrid-azuread-join-plan) > - [Azure Active Directory integration with MDM](./azure-active-directory-integration-with-mdm.md) -The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Starting in Windows 10, version 1607, once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered. +The auto-enrollment relies on the presence of an MDM service and the Azure Active Directory registration for the PC. Once the enterprise has registered its AD with Azure AD, a Windows PC that is domain joined is automatically Azure AD-registered. > [!NOTE] > In Windows 10, version 1709, the enrollment protocol was updated to check whether the device is domain-joined. For details, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation. @@ -46,7 +46,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page. - Starting in Windows 10, version 1709, when the same policy is configured in Group Policy and MDM, Group Policy policy takes precedence over MDM. -- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). +- Starting in Windows 10, version 1803, a new setting allows you to change precedence to MDM. For more information, see [Windows Group Policy vs. Intune MDM Policy who wins?](/archive/blogs/cbernier/windows-10-group-policy-vs-intune-mdm-policy-who-wins). For this policy to work, you must verify that the MDM service provider allows Group Policy initiated MDM enrollment for domain-joined devices. @@ -99,7 +99,7 @@ This procedure is only for illustration purposes to show how the new auto-enroll :::image type="content" alt-text="MDM autoenrollment policy." source="images/autoenrollment-policy.png" lightbox="images/autoenrollment-policy.png"::: > [!NOTE] - > In Windows 10, version 1903 and later, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. The default behavior for older releases is to revert to **User Credential**. + > In Windows 10, version 1903 and later, the MDM.admx file was updated to include the **Device Credential** option to select which credential is used to enroll the device. The default behavior for older releases is to revert to **User Credential**. > > **Device Credential** is only supported for Microsoft Intune enrollment in scenarios with Co-management or [Azure Virtual Desktop multi-session host pools](/mem/intune/fundamentals/azure-virtual-desktop-multi-session) because the Intune subscription is user centric. User credentials are supported for [Azure Virtual Desktop personal host pools](/mem/intune/fundamentals/azure-virtual-desktop). diff --git a/windows/client-management/enterprise-app-management.md b/windows/client-management/enterprise-app-management.md index bde58f70ff..f21b883f35 100644 --- a/windows/client-management/enterprise-app-management.md +++ b/windows/client-management/enterprise-app-management.md @@ -30,8 +30,8 @@ Windows offers the ability for management servers to: - Inventory all apps for a user (Store and non-Store apps) - Inventory all apps for a device (Store and non-Store apps) - Uninstall all apps for a user (Store and non-Store apps) -- Provision apps so they're installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- Remove the provisioned app on the device running Windows 10 for desktop editions +- Provision apps so they're installed for all users of a device running Windows desktop editions (Home, Pro, Enterprise, and Education) +- Remove the provisioned app on the device running Windows desktop editions ## Inventory apps @@ -545,7 +545,7 @@ The Data field value of 0 (zero) indicates success. Otherwise it's an error code ## Uninstall your apps -You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: +You can uninstall apps from users from Windows devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: - AppStore - These apps are for the Microsoft Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. - nonStore - These apps that weren't acquired from the Microsoft Store. diff --git a/windows/client-management/implement-server-side-mobile-application-management.md b/windows/client-management/implement-server-side-mobile-application-management.md index 12f7e3eb21..01cff16e92 100644 --- a/windows/client-management/implement-server-side-mobile-application-management.md +++ b/windows/client-management/implement-server-side-mobile-application-management.md @@ -16,7 +16,7 @@ appliesto: # Support for mobile application management on Windows -The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703. +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP). [!INCLUDE [Deprecate Windows Information Protection](../security/information-protection/windows-information-protection/includes/wip-deprecation.md)] @@ -46,7 +46,7 @@ MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Windows 10, version 1703 and later, the same cloud-based Management MDM app in Azure AD will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. The same cloud-based Management MDM app in Azure AD will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration. :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: @@ -87,12 +87,12 @@ MAM on Windows supports the following configuration service providers (CSPs). Al - [AppLocker CSP](mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps. - [ClientCertificateInstall CSP](mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs. -- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). +- [DeviceStatus CSP](mdm/devicestatus-csp.md) required for Conditional Access support. - [DevInfo CSP](mdm/devinfo-csp.md). - [DMAcc CSP](mdm/dmacc-csp.md). - [DMClient CSP](mdm/dmclient-csp.md) for polling schedules configuration and MDM discovery URL. - [EnterpriseDataProtection CSP](mdm/enterprisedataprotection-csp.md) has Windows Information Protection policies. -- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703). +- [Health Attestation CSP](mdm/healthattestation-csp.md) required for Conditional Access support. - [PassportForWork CSP](mdm/passportforwork-csp.md) for Windows Hello for Business PIN management. - [Policy CSP](mdm/policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas. - [Reporting CSP](mdm/reporting-csp.md) for retrieving Windows Information Protection logs. diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md index 301ec1a5f7..e40844c3c1 100644 --- a/windows/client-management/manage-corporate-devices.md +++ b/windows/client-management/manage-corporate-devices.md @@ -1,6 +1,6 @@ --- title: Manage corporate devices -description: You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. +description: You can use the same management tools to manage all device types running Windows. ms.reviewer: manager: aaroncz ms.author: vinpa @@ -17,27 +17,27 @@ appliesto: # Manage corporate devices -You can use the same management tools to manage all device types running Windows 10 or Windows 11 desktops, laptops, tablets, and phones. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, System Center tools, and so on, will continue to work for Windows 10 and Windows 11. +You can use the same management tools to manage all Windows devices. And your current management tools, such as Group Policy, Windows Management Instrumentation (WMI), PowerShell scripts, and so on, will continue to work for Windows 10 and Windows 11. ## In this section | Topic | Description | | --- | --- | -| [Manage Windows 10 (and Windows 11) in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows 10 (and Windows 11), including deploying Windows 10 (and Windows 11) in a mixed environment | +| [Manage Windows in your organization - transitioning to modern management](manage-windows-10-in-your-organization-modern-management.md) | Strategies for deploying and managing Windows devices, including deploying Windows in a mixed environment | | [Connect to remote Azure Active Directory-joined PC](client-tools/connect-to-remote-aadj-pc.md) | How to use Remote Desktop Connection to connect to an Azure AD-joined PC | -| [Manage Windows 10 (and Windows 11) and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | -| [New policies for Windows 10 (and Windows 11)](client-tools/new-policies-for-windows-10.md) | New Group Policy settings added in Windows 10 | -| [Group Policies that apply only to Windows Enterprise and Windows Education](client-tools/group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows 10 Enterprise and Windows 10 Education | -| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows 10 (and Windows 11) in their organizations | +| [Manage Windows and Microsoft Store tips, tricks, and suggestions](/windows/configuration/manage-tips-and-suggestions) | Options to manage user experiences to provide a consistent and predictable experience for employees | +| [New policies for Windows](client-tools/new-policies-for-windows-10.md) | New Group Policy settings added in Windows | +| [Group Policies that apply only to Windows Enterprise and Windows Education](client-tools/group-policies-for-enterprise-and-education-editions.md) | Group Policy settings that apply only to Windows Enterprise and Education | +| [Introduction to configuration service providers (CSPs) for IT pros](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) | How IT pros and system administrators can take advantage of many settings available through CSPs to configure devices running Windows in their organizations | ## Learn more [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Configuration Manager](/mem/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm) -[Azure AD, Microsoft Intune and Windows 10 - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) +[Azure AD, Microsoft Intune and Windows - Using the cloud to modernize enterprise mobility](https://blogs.technet.microsoft.com/enterprisemobility/2015/06/12/azure-ad-microsoft-intune-and-windows-10-using-the-cloud-to-modernize-enterprise-mobility/) [Microsoft Intune End User Enrollment Guide](/samples/browse/?redirectedfrom=TechNet-Gallery) -[Windows 10 (and Windows 11) and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) +[Windows and Azure Active Directory: Embracing the Cloud](https://go.microsoft.com/fwlink/p/?LinkId=615768) Microsoft Virtual Academy course: [Configuration Manager & Windows Intune](/training/) diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md index 755bf07aa0..245a61e862 100644 --- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md +++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md @@ -35,7 +35,7 @@ This article offers guidance on strategies for deploying and managing Windows de - [Configuration](#settings-and-configuration) - [Updating and Servicing](#updating-and-servicing) -## Reviewing the management options with Windows 10 +## Reviewing the management options for Windows Windows offers a range of management options, as shown in the following diagram: @@ -115,7 +115,7 @@ There are various steps you can take to begin the process of modernizing device **Take incremental steps.** Moving towards modern device management doesn't have to be an overnight transformation. New operating systems and devices can be brought in while older ones remain. With this "managed diversity," users can benefit from productivity enhancements on modern Windows devices, while you continue to maintain older devices according to your standards for security and manageability. The CSP policy [MDMWinsOverGP](./mdm/policy-csp-controlpolicyconflict.md#mdmwinsovergp) allows MDM policies to take precedence over group policy when both group policy and its equivalent MDM policies are set on the device. You can start implementing MDM policies while keeping your group policy environment. For more information, including the list of MDM policies with equivalent group policies, see [Policies supported by group policy](./mdm/policies-in-policy-csp-supported-by-group-policy.md). -**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. For more information, see the following articles: +**Optimize your existing investments**. On the road from traditional on-premises management to modern cloud-based management, take advantage of the flexible, hybrid architecture of Configuration Manager and Intune. Co-management enables you to concurrently manage Windows devices by using both Configuration Manager and Intune. For more information, see the following articles: - [Co-management for Windows devices](/mem/configmgr/comanage/overview) - [Prepare Windows devices for co-management](/mem/configmgr/comanage/how-to-prepare-Win10) diff --git a/windows/client-management/mdm-collect-logs.md b/windows/client-management/mdm-collect-logs.md index 1d5fa21e4f..df8b03a6cc 100644 --- a/windows/client-management/mdm-collect-logs.md +++ b/windows/client-management/mdm-collect-logs.md @@ -37,7 +37,7 @@ To help diagnose enrollment or device management issues in Windows devices manag 1. In File Explorer, navigate to `C:\Users\Public\Documents\MDMDiagnostics` to see the report. -## Use command to collect logs directly from Windows 10 PCs +## Use command to collect logs directly from Windows devices You can also collect the MDM Diagnostic Information logs using the following command: @@ -60,9 +60,9 @@ The zip file will have logs according to the areas that were used in the command - MdmLogCollectorFootPrint.txt: mdmdiagnosticslog tool logs from running the command - *.evtx: Common event viewer logs microsoft-windows-devicemanagement-enterprise-diagnostics-provider-admin.evtx main one that contains MDM events. -## Collect logs directly from Windows 10 PCs +## Collect logs directly from Windows devices -Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location: +MDM logs are captured in the Event Viewer in the following location: - Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider @@ -92,9 +92,9 @@ For more detailed logging, you can enable **Debug** logs. Right click on the **D 1. Choose **Display information for these languages** and then select **English**. 1. Click **Ok**. -You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update. +You can open the log files (.evtx files) in the Event Viewer on a Windows device. -## Collect logs remotely from Windows 10 PCs +## Collect logs remotely from Windows devices When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](mdm/diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels: @@ -142,7 +142,7 @@ Example: Export the Debug logs ``` -## Collect logs remotely from Windows 10 Holographic +## Collect logs remotely from Windows Holographic For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md). @@ -270,7 +270,7 @@ For best results, ensure that the PC or VM on which you're viewing logs matches ## Collect device state data -Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files. +Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](mdm/diagnosticlog-csp.md). You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files. ```xml diff --git a/windows/client-management/mdm-diagnose-enrollment.md b/windows/client-management/mdm-diagnose-enrollment.md index d7f7ab6de7..c800d8d29d 100644 --- a/windows/client-management/mdm-diagnose-enrollment.md +++ b/windows/client-management/mdm-diagnose-enrollment.md @@ -38,7 +38,7 @@ To ensure that the auto-enrollment feature is working as expected, you must veri > > For corporate-owned devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled. -1. Verify that the device OS version is Windows 10, version 1709 or later. +1. Verify that the device is running a [supported version of Windows](/windows/release-health/supported-versions-windows-client). 1. Auto-enrollment into Intune via Group Policy is valid only for devices that are hybrid Azure AD joined. This condition means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is hybrid Azure AD joined, run `dsregcmd /status` from the command line. diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index 0a0234c873..7974866d71 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -142,7 +142,7 @@ To create a local account and connect the device: If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant isn't configured for auto-enrollment, you'll have to go through the enrollment flow a second time to [connect your device to MDM](#enroll-in-device-management-only). - Starting in Windows 10, version 1709, you'll see the status page that shows the progress of your device being set up. + You'll see the status page that shows the progress of your device being set up. ![corporate sign in - screen and option](images/unifiedenrollment-rs1-26.png) @@ -188,7 +188,7 @@ All Windows devices can be connected to MDM. You can connect to an MDM through t 1. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you'll be presented with a new window that will ask you for more authentication information. - Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you'll see the enrollment progress on screen. + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. You'll see the enrollment progress on screen. ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) @@ -204,16 +204,13 @@ The deep link used for connecting your device to work will always use the follow | Parameter | Description | Supported Value for Windows | |--|--|--| -| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607 | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | -| username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | -| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string | -| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | -| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID | -| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | -| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | - -> [!NOTE] -> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. +| mode | Describes which mode will be executed in the enrollment app. | Mobile Device Management (MDM), Adding Work Account (AWA), and Azure Active Directory-joined. | +| username | Specifies the email address or UPN of the user who should be enrolled into MDM. | string | +| servername | Specifies the MDM server URL that will be used to enroll the device. | string | +| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used as a token to validate the enrollment request. | string | +| deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to pass in a unique device identifier. | GUID | +| tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to identify which tenant the device or user belongs to. | GUID or string | +| ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | ### Connect to MDM using a deep link @@ -266,13 +263,10 @@ The **Info** button can be found on work or school connections involving MDM. Th Selecting the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You'll be able to view your organization's support information (if configured) on this page. You'll also be able to start a sync session that forces your device to communicate to the MDM server and fetch any updates to policies if needed. -Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. +Selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here's an example screenshot. ![work or school info.](images/unifiedenrollment-rs1-35-b.png) -> [!NOTE] -> Starting in Windows 10, version 1709, the **Manage** button is no longer available. - ### Disconnect The **Disconnect** button can be found on all work connections. Generally, selecting the **Disconnect** button will remove the connection from the device. There are a few exceptions to this functionality: @@ -287,6 +281,6 @@ The **Disconnect** button can be found on all work connections. Generally, selec You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and then selecting the **Export your management logs** link under **Related Settings**. Next, select **Export**, and follow the path displayed to retrieve your management log files. -Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report. +You can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you'll see the button to create a report. For more information, see [Collect MDM logs](mdm-collect-logs.md). diff --git a/windows/client-management/mdm-known-issues.md b/windows/client-management/mdm-known-issues.md index 22fe7ba116..c6f5a15905 100644 --- a/windows/client-management/mdm-known-issues.md +++ b/windows/client-management/mdm-known-issues.md @@ -21,7 +21,7 @@ appliesto: ## Get command inside an atomic command isn't supported -In Windows 10 and Windows 11, a Get command inside an atomic command isn't supported. +A Get command inside an atomic command isn't supported. ## Apps installed using WMI classes are not removed @@ -29,11 +29,11 @@ Applications installed using WMI classes aren't removed when the MDM account is ## Passing CDATA in SyncML does not work -Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Windows 10 and Windows 11. +Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work. ## SSL settings in IIS server for SCEP must be set to "Ignore" -The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11. +The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore". ![ssl settings.](images/ssl-settings.png) @@ -49,13 +49,13 @@ Remote server unenrollment is disabled for mobile devices enrolled via Azure Act ## Certificates causing issues with Wi-Fi and VPN -In Windows 10 and Windows 11, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue. +When using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This dual installation may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We're working to fix this issue. ## Version information for Windows 11 The software version information from **DevDetail/Ext/Microsoft/OSPlatform** doesn't match the version in **Settings** under **System/About**. -## Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 and Windows 11 +## Multiple certificates might cause Wi-Fi connection instabilities In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned doesn't have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. @@ -234,9 +234,9 @@ Alternatively you can use the following procedure to create an EAP Configuration After the MDM client automatically renews the WNS channel URI, the MDM client will immediately check in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. -## User provisioning failure in Azure Active Directory-joined Windows 10 and Windows 11 devices +## User provisioning failure in Azure Active Directory-joined devices -In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. +For Azure AD joined devices, provisioning `.\User` resources fails when the user isn't logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, ensure to sign out and sign in with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. ## Requirements to note for VPN certificates also used for Kerberos Authentication diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 7136528023..ecc058a048 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md @@ -26,7 +26,7 @@ There are two parts to the Windows management component: - The enrollment client, which enrolls and configures the device to communicate with the enterprise management server. For more information, see [Enrollment overview](mobile-device-enrollment.md). - The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT. -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows users. MDM servers don't need to create or download a client to manage Windows 10. +Third-party MDM servers can manage Windows devices using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows users. MDM servers don't need to create or download a client to manage Windows. For details about the MDM protocols, see @@ -35,7 +35,7 @@ For details about the MDM protocols, see ## MDM security baseline -Starting with Windows 10, version 1809, Microsoft provides MDM security baselines that function like the Microsoft group policy security baseline. You can easily integrate this baseline into any MDM solution to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices. +Microsoft provides MDM security baselines that function like the Microsoft group policy security baseline. You can easily integrate this baseline into any MDM solution to support IT pros' operational needs, addressing security concerns for modern cloud-managed devices. The MDM security baseline includes policies that cover the following areas: @@ -58,7 +58,7 @@ For information about the MDM policies defined in the Intune security baseline, ## Frequently Asked Questions -### Can there be more than one MDM server to enroll and manage devices in Windows 10 or 11? +### Can there be more than one MDM server to enroll and manage devices in Windows? No. Only one MDM is allowed. @@ -72,6 +72,6 @@ No. Only one MDM is allowed. | Entry | Description | | --------------- | -------------------- | -| What is dmwappushsvc? | It's a Windows service that ships in Windows 10 and Windows 11 operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | +| What is dmwappushsvc? | It's a Windows service that ships in Windows operating system as a part of the windows management platform. It's used internally by the operating system as a queue for categorizing and processing all Wireless Application Protocol (WAP) messages, which include Windows management messages, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. | | What data is handled by dmwappushsvc? | It's a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further. This service doesn't send telemetry. | | How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc) and locating *Device Management Wireless Application Protocol (WAP) Push message Routing Service*. However, since this service is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to disable the service. Disabling this service will cause your management to fail. | diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index cae59a41d2..1b1fb7c688 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md @@ -80,7 +80,7 @@ The following scenarios don't allow MDM enrollments: ## Disable MDM enrollments -In Windows 10 and Windows 11, IT admin can disable MDM enrollments for domain-joined PCs using the **Disable MDM Enrollment** group policy. +IT admin can disable MDM enrollments for domain-joined PCs using the **Disable MDM Enrollment** group policy. Group Policy Path: **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**. Corresponding registry key: `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\DisableRegistration (REG_DWORD)` @@ -126,7 +126,7 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma | a: | InternalServiceFault | MENROLL_E_DEVICE_INTERNALSERVICE_ERROR | There was an unhandled exception on the Mobile Device Management (MDM) server. Try again or contact your system administrator. | 80180006 | | a: | InvalidSecurity | MENROLL_E_DEVICE_INVALIDSECURITY_ERROR | The Mobile Device Management (MDM) server was not able to validate your account. Try again or contact your system administrator. | 80180007 | -In Windows 10, version 1507, `deviceenrollmentserviceerror` element was added. Here's an example: +SOAP format also includes `deviceenrollmentserviceerror` element. Here's an example: ```xml diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md index a948e85150..194c51ac66 100644 --- a/windows/client-management/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md @@ -17,9 +17,9 @@ appliesto: # What's new in mobile device enrollment and management -This article provides information about what's new in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 and Windows 11 devices. This article also provides details about the breaking changes and known issues and frequently asked questions. +This article provides information about what's new in mobile device management (MDM) enrollment and management experience across all Windows devices. This article also provides details about the breaking changes and known issues and frequently asked questions. -For details about Microsoft mobile device management protocols for Windows 10 and Windows 11, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +For details about Microsoft mobile device management protocols for Windows, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). ## What's new in MDM for Windows 11, version 22H2 @@ -52,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | New or updated article | Description | |-----|-----| -| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/BlockNonAdminUserInstall
  • Bluetooth/SetMinimumEncryptionKeySize
  • DeliveryOptimization/DOCacheHostSource
  • DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
  • DeliveryOptimization/DOMaxForegroundDownloadBandwidth
  • Education/AllowGraphingCalculator
  • TextInput/ConfigureJapaneseIMEVersion
  • TextInput/ConfigureSimplifiedChineseIMEVersion
  • TextInput/ConfigureTraditionalChineseIMEVersion

    Updated the following policy in Windows 10, version 2004:
  • DeliveryOptimization/DOCacheHost

    Deprecated the following policies in Windows 10, version 2004:
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMaxUploadBandwidth
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth | +| [Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/BlockNonAdminUserInstall
  • Bluetooth/SetMinimumEncryptionKeySize
  • DeliveryOptimization/DOCacheHostSource
  • DeliveryOptimization/DOMaxBackgroundDownloadBandwidth
  • DeliveryOptimization/DOMaxForegroundDownloadBandwidth
  • Education/AllowGraphingCalculator
  • TextInput/ConfigureJapaneseIMEVersion
  • TextInput/ConfigureSimplifiedChineseIMEVersion
  • TextInput/ConfigureTraditionalChineseIMEVersion

    Updated the following policy:
  • DeliveryOptimization/DOCacheHost

    Deprecated the following policies:
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • DeliveryOptimization/DOMaxUploadBandwidth
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth | | [DevDetail CSP](mdm/devdetail-csp.md) | Added the following new node:
  • Ext/Microsoft/DNSComputerName | | [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added the following node:
  • IsStub | | [SUPL CSP](mdm/supl-csp.md) | Added the following node:
  • FullVersion | @@ -71,7 +71,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | [Policy CSP - Audit](mdm/policy-csp-audit.md) | Added the new Audit policy CSP. | | [ApplicationControl CSP](mdm/applicationcontrol-csp.md) | Added the new CSP. | | [Defender CSP](mdm/defender-csp.md) | Added the following new nodes:
  • Health/TamperProtectionEnabled
  • Health/IsVirtualMachine
  • Configuration
  • Configuration/TamperProtection
  • Configuration/EnableFileHashComputation | -| [DiagnosticLog CSP](mdm/diagnosticlog-csp.md)
    [DiagnosticLog DDF](mdm/diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
  • Policy
  • Policy/Channels
  • Policy/Channels/ChannelName
  • Policy/Channels/ChannelName/MaximumFileSize
  • Policy/Channels/ChannelName/SDDL
  • Policy/Channels/ChannelName/ActionWhenFull
  • Policy/Channels/ChannelName/Enabled
  • DiagnosticArchive
  • DiagnosticArchive/ArchiveDefinition
  • DiagnosticArchive/ArchiveResults | +| [DiagnosticLog CSP](mdm/diagnosticlog-csp.md)
    [DiagnosticLog DDF](mdm/diagnosticlog-ddf.md) | Added version 1.4 of the CSP.
    Added the new 1.4 version of the DDF.
    Added the following new nodes:
  • Policy
  • Policy/Channels
  • Policy/Channels/ChannelName
  • Policy/Channels/ChannelName/MaximumFileSize
  • Policy/Channels/ChannelName/SDDL
  • Policy/Channels/ChannelName/ActionWhenFull
  • Policy/Channels/ChannelName/Enabled
  • DiagnosticArchive
  • DiagnosticArchive/ArchiveDefinition
  • DiagnosticArchive/ArchiveResults | | [EnrollmentStatusTracking CSP](mdm/enrollmentstatustracking-csp.md) | Added the new CSP. | | [PassportForWork CSP](mdm/passportforwork-csp.md) | Added the following new nodes:
  • SecurityKey
  • SecurityKey/UseSecurityKeyForSignin | @@ -80,7 +80,7 @@ For details about Microsoft mobile device management protocols for Windows 10 an | New or updated article | Description | |-----|-----| |[Policy CSP](mdm/policy-configuration-service-provider.md) | Added the following nodes:
  • ApplicationManagement/LaunchAppAfterLogOn
  • ApplicationManagement/ScheduleForceRestartForUpdateFailures
  • Authentication/EnableFastFirstSignIn (Preview mode only
  • Authentication/EnableWebSignIn (Preview mode only
  • Authentication/PreferredAadTenantDomainName
  • Browser/AllowFullScreenMode
  • Browser/AllowPrelaunch
  • Browser/AllowPrinting
  • Browser/AllowSavingHistory
  • Browser/AllowSideloadingOfExtensions
  • Browser/AllowTabPreloading
  • Browser/AllowWebContentOnNewTabPage
  • Browser/ConfigureFavoritesBar
  • Browser/ConfigureHomeButton
  • Browser/ConfigureKioskMode
  • Browser/ConfigureKioskResetAfterIdleTimeout
  • Browser/ConfigureOpenMicrosoftEdgeWith
  • Browser/ConfigureTelemetryForMicrosoft365Analytics
  • Browser/PreventCertErrorOverrides
  • Browser/SetHomeButtonURL
  • Browser/SetNewTabPageURL
  • Browser/UnlockHomeButton
  • Defender/CheckForSignaturesBeforeRunningScan
  • Defender/DisableCatchupFullScan
  • Defender/DisableCatchupQuickScan
  • Defender/EnableLowCPUPriority
  • Defender/SignatureUpdateFallbackOrder
  • Defender/SignatureUpdateFileSharesSources
  • DeviceGuard/ConfigureSystemGuardLaunch
  • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
  • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
  • DeviceInstallation/PreventDeviceMetadataFromNetwork
  • DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
  • DmaGuard/DeviceEnumerationPolicy
  • Experience/AllowClipboardHistory
  • Experience/DoNotSyncBrowserSettings
  • Experience/PreventUsersFromTurningOnBrowserSyncing
  • Kerberos/UPNNameHints
  • Privacy/AllowCrossDeviceClipboard
  • Privacy/DisablePrivacyExperience
  • Privacy/UploadUserActivities
  • Security/RecoveryEnvironmentAuthentication
  • System/AllowDeviceNameInDiagnosticData
  • System/ConfigureMicrosoft365UploadEndpoint
  • System/DisableDeviceDelete
  • System/DisableDiagnosticDataViewer
  • Storage/RemovableDiskDenyWriteAccess
  • TaskManager/AllowEndTask
  • Update/DisableWUfBSafeguards
  • Update/EngagedRestartDeadlineForFeatureUpdates
  • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
  • Update/EngagedRestartTransitionScheduleForFeatureUpdates
  • Update/SetDisablePauseUXAccess
  • Update/SetDisableUXWUAccess
  • WindowsDefenderSecurityCenter/DisableClearTpmButton
  • WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning
  • WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl
  • WindowsLogon/DontDisplayNetworkSelectionUI | -| [BitLocker CSP](mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
  • Added support for Windows 10 Pro. | +| [BitLocker CSP](mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
  • Added support for Pro edition. | | [Defender CSP](mdm/defender-csp.md) | Added a new node Health/ProductStatus. | | [DevDetail CSP](mdm/devdetail-csp.md) | Added a new node SMBIOSSerialNumber. | | [EnterpriseModernAppManagement CSP](mdm/enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. | diff --git a/windows/client-management/oma-dm-protocol-support.md b/windows/client-management/oma-dm-protocol-support.md index 1c8a92786b..521d15c082 100644 --- a/windows/client-management/oma-dm-protocol-support.md +++ b/windows/client-management/oma-dm-protocol-support.md @@ -1,7 +1,7 @@ --- title: OMA DM protocol support description: See how the OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -32,9 +32,8 @@ The following table shows the OMA DM standards that Windows uses. |Nodes|In the OMA DM tree, the following rules apply for the node name:
  • "." can be part of the node name.
  • The node name can't be empty.
  • The node name can't be only the asterisk (`*`) character.| |Provisioning Files|Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf).

    If an XML element that isn't a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
    **Note**
    To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
    | |WBXML support|Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This dual-format support is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://www.openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification.| -|Handling of large objects|In Windows 10, version 1511, client support for uploading large objects to the server was added.| +|Handling of large objects|In Windows 10, client support for uploading large objects to the server was added.| - ## OMA DM protocol common elements Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A) available from the [OMA website](https://www.openmobilealliance.org/release/DM/V1_1_2-20031209-A/). @@ -52,7 +51,7 @@ Common elements are used by other OMA DM element types. The following table list |MsgID|Specifies a unique identifier for an OMA DM session message.| |MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| |RespURI|Specifies the URI that the recipient must use when sending a response to this message.| -|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
    **Note**
    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.
    | +|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.
    **Note**
    If the server doesn't notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows, the device client returns 2 bytes.
    | |Source|Specifies the message source address.| |SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| |Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| @@ -131,7 +130,6 @@ The following LocURL shows a per user CSP node configuration: `./user/vendor/MSF The following LocURL shows a per device CSP node configuration: `./device/vendor/MSFT/RemoteWipe/DoWipe` - ## SyncML response status codes When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you're likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://openmobilealliance.org/release/Common/V1_2_2-20090724-A/OMA-TS-SyncML-RepPro-V1_2_2-20090724-A.pdf) specification. diff --git a/windows/client-management/on-premise-authentication-device-enrollment.md b/windows/client-management/on-premise-authentication-device-enrollment.md index 362b0467bb..8e72627af0 100644 --- a/windows/client-management/on-premise-authentication-device-enrollment.md +++ b/windows/client-management/on-premise-authentication-device-enrollment.md @@ -16,10 +16,10 @@ appliesto: # On-premises authentication device enrollment -This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). +This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347). > [!NOTE] -> For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). +> For the list of enrollment scenarios not supported in Windows, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). ## Discovery service diff --git a/windows/client-management/understanding-admx-backed-policies.md b/windows/client-management/understanding-admx-backed-policies.md index 1dd76ad9e8..dd0861e26c 100644 --- a/windows/client-management/understanding-admx-backed-policies.md +++ b/windows/client-management/understanding-admx-backed-policies.md @@ -7,7 +7,7 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 03/23/2020 -ms.reviewer: +ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 11 @@ -18,9 +18,9 @@ appliesto: Due to increased simplicity and the ease with which devices can be targeted, enterprise businesses are finding it increasingly advantageous to move their PC management to a cloud-based device management solution. Unfortunately, the modern Windows PC device-management solutions lack the critical policy and app settings configuration capabilities that are supported in a traditional PC management solution. -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud. +Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud. -## Background +## Background In addition to standard MDM policies, the Policy CSP can also handle selected set of ADMX policies. In an ADMX policy, an administrative template contains the metadata of a Windows Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753471(v=ws.10)). @@ -39,7 +39,7 @@ Windows maps the name and category path of a Group Policy to an MDM policy area -## ADMX files and the Group Policy Editor +## ADMX files and the Group Policy Editor To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**. @@ -48,16 +48,16 @@ The ADMX file that the MDM ISV uses to determine what UI to display to the IT ad Group Policy option button setting: - If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. - - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition. + - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. + - The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition. - If **Disabled** is selected and you click **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. - - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition. + - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. + - The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition. - If **Not Configured** is selected and you click **Apply**, the following events occur: - - MDM ISV server sets up a Delete SyncML command. - - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition. + - MDM ISV server sets up a Delete SyncML command. + - The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition. The following diagram shows the main display for the Group Policy Editor. @@ -77,23 +77,26 @@ For more information about the Group Policy description format, see [Administrat For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you'll find the following occurrences: Enabling a policy example: + ```XML `` ``` Appv.admx file: + ```XML ``` -## ADMX policy examples +## ADMX policy examples The following SyncML examples describe how to set an MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. The functionality that this Group Policy manages isn't important; it's used to illustrate only how an MDM ISV can set an ADMX policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. The payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). -### Enabling a policy +### Enabling a policy + +**Payload**: -**Payload** ```XML @@ -107,7 +110,9 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Request SyncML** + +**Request SyncML**: + ```XML @@ -141,7 +146,8 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Response SyncML** +**Response SyncML**: + ```XML 2 @@ -152,14 +158,16 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -### Disabling a policy +### Disabling a policy + +**Payload**: -**Payload** ```XML ``` -**Request SyncML** +**Request SyncML**: + ```XML @@ -180,9 +188,10 @@ The following SyncML examples describe how to set an MDM policy that is defined -'''' +``` + +**Response SyncML**: -**Response SyncML** ```XML 2 @@ -193,13 +202,13 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -### Setting a policy to not configured +### Setting a policy to not configured -**Payload** +**Payload**: (None) -**Request SyncML** +**Request SyncML**: ```XML @@ -218,7 +227,7 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -**Response SyncML** +**Response SyncML**: ```XML @@ -230,11 +239,11 @@ The following SyncML examples describe how to set an MDM policy that is defined ``` -## Sample SyncML for various ADMX elements +## Sample SyncML for various ADMX elements This section describes sample SyncML for the various ADMX elements like Text, Multi-Text, Decimal, Boolean, and List. -### How a Group Policy policy category path and name are mapped to an MDM area and policy name +### How a Group Policy policy category path and name are mapped to an MDM area and policy name Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. @@ -242,23 +251,19 @@ Below is the internal OS mapping of a Group Policy to an MDM area and name. This The data payload of the SyncML needs to be encoded so that it doesn't conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and decoding the policy data [Coder's Toolbox](https://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii). -**Snippet of manifest for AppVirtualization area:** +**Snippet of manifest for AppVirtualization area**: ```XML -. -. -. + ... -. -. -. + ... ``` The **LocURI** for the above GP policy is: @@ -267,11 +272,11 @@ The **LocURI** for the above GP policy is: To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. -### Text Element +### Text Element The `text` element simply corresponds to a string and correspondingly to an edit box in a policy panel display by gpedit.msc. The string is stored in the registry of type REG_SZ. -**ADMX file: inetres.admx** +**ADMX file: inetres.admx**: ```XML @@ -283,7 +288,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -307,7 +312,7 @@ The `text` element simply corresponds to a string and correspondingly to an edit ``` -### MultiText Element +### MultiText Element The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. It's expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) @@ -324,7 +329,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -348,7 +353,7 @@ The `multiText` element simply corresponds to a REG_MULTISZ registry string and ``` -### List Element (and its variations) +### List Element (and its variations) The `list` element simply corresponds to a hive of REG_SZ registry strings and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. How this element is represented in SyncML is as a string containing pairs of strings. Each pair is a REG_SZ name/value key. It's best to apply the policy through gpedit.msc (run as Administrator) and go to the registry hive location and see how the list values are stored. This location will give you an idea of the way the name/value pairs are stored to express it through SyncML. @@ -357,7 +362,7 @@ The `list` element simply corresponds to a hive of REG_SZ registry strings and c Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It's expected that the MDM server manages the name/value pairs. See below for a simple write-up of Group Policy List. -**ADMX file: inetres.admx** +**ADMX file: inetres.admx**: ```XML @@ -369,7 +374,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -392,7 +397,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### No Elements +### No Elements ```XML @@ -401,7 +406,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -424,7 +429,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Enum +### Enum ```XML @@ -458,7 +463,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -480,7 +485,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Decimal Element +### Decimal Element ```XML ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML @@ -517,7 +522,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -### Boolean Element +### Boolean Element ```XML @@ -543,7 +548,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar ``` -#### Corresponding SyncML: +**Corresponding SyncML**: ```XML diff --git a/windows/client-management/win32-and-centennial-app-policy-configuration.md b/windows/client-management/win32-and-centennial-app-policy-configuration.md index b07babe5e8..5af3714a87 100644 --- a/windows/client-management/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/win32-and-centennial-app-policy-configuration.md @@ -1,13 +1,13 @@ --- title: Win32 and Desktop Bridge app ADMX policy Ingestion -description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps. +description: Ingest ADMX files and set ADMX policies for Win32 and Desktop Bridge apps. ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 03/23/2020 -ms.reviewer: +ms.reviewer: manager: aaroncz appliesto: - ✅ Windows 11 @@ -16,21 +16,12 @@ appliesto: # Win32 and Desktop Bridge app ADMX policy Ingestion -## In this section +## Overview -- [Overview](#overview) -- [Ingesting an app ADMX file](#ingesting-an-app-admx-file) -- [URI format for configuring an app policy](#uri-format-for-configuring-an-app-policy) -- [ADMX app policy examples](#admx-backed-app-policy-examples) - - [Enabling an app policy](#enabling-an-app-policy) - - [Disabling an app policy](#disabling-an-app-policy) - - [Setting an app policy to not configured](#setting-an-app-policy-to-not-configured) +You can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. -## Overview +NOTE: Starting from the following Windows versions Replace command is supported: -Starting in Windows 10, version 1703, you can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. - -NOTE: Starting from the following Windows 10 version Replace command is supported - Windows 10, version 1903 with KB4512941 and KB4517211 installed - Windows 10, version 1809 with KB4512534 and KB installed - Windows 10, version 1803 with KB4512509 and KB installed @@ -66,11 +57,12 @@ When the ADMX policies are ingested, the registry keys to which each policy is w > [!NOTE] > Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). -## Ingesting an app ADMX file +## Ingesting an app ADMX file The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies. -**Payload** +**Payload**: + ```XML @@ -204,7 +196,7 @@ The following ADMX file example shows how to ingest a Win32 or Desktop Bridge ap ``` -**Request Syncml** +**Request Syncml**: The ADMX file is escaped and sent in SyncML format through the Policy CSP URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}`. When the ADMX file is imported, the policy states for each new policy are the same as those in a regular MDM policy: Enabled, Disabled, or Not Configured. @@ -363,12 +355,13 @@ The following example shows an ADMX file in SyncML format: ``` -**Response Syncml** +**Response Syncml**: + ```XML 21102Add200 ``` -### URI format for configuring an app policy +### URI format for configuring an app policy The following example shows how to derive a Win32 or Desktop Bridge app policy name and policy area name: @@ -397,10 +390,9 @@ The following example shows how to derive a Win32 or Desktop Bridge app policy n ``` -As documented in [Policy CSP](mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is: -'./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}'. +As documented in [Policy CSP](mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is: `./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}`. -**User or device policy** +**User or device policy**: In the policy class, the attribute is defined as "User" and the URI is prefixed with `./user`. If the attribute value is "Machine", the URI is prefixed with `./device`. @@ -418,20 +410,22 @@ Therefore, from the example: - Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 - URI: `./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1` -## ADMX-backed app policy examples +## ADMX-backed app policy examples The following examples describe how to set an ADMX-ingested app policy. -### Enabling an app policy +### Enabling an app policy + +**Payload**: -**Payload** ```XML ``` -**Request Syncml** +**Request Syncml**: + ```XML @@ -453,19 +447,22 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21103Replace200 ``` -### Disabling an app policy +### Disabling an app policy + +**Payload**: -**Payload** ```XML ``` -**Request SyncML** +**Request SyncML**: + ```XML @@ -487,18 +484,20 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21104Replace200 ``` -### Setting an app policy to not configured +### Setting an app policy to not configured -**Payload** +**Payload**: (None) -**Request SyncML** +**Request SyncML**: + ```XML @@ -515,7 +514,8 @@ The following examples describe how to set an ADMX-ingested app policy. ``` -**Response SyncML** +**Response SyncML**: + ```XML 21105Delete200 ``` diff --git a/windows/client-management/wmi-providers-supported-in-windows.md b/windows/client-management/wmi-providers-supported-in-windows.md index 1441ff5fcd..79a3785540 100644 --- a/windows/client-management/wmi-providers-supported-in-windows.md +++ b/windows/client-management/wmi-providers-supported-in-windows.md @@ -1,7 +1,7 @@ --- -title: WMI providers supported in Windows 10 +title: WMI providers supported in Windows description: Manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service with Windows Management Infrastructure (WMI). -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -14,9 +14,9 @@ appliesto: - ✅ Windows 10 --- -# WMI providers supported in Windows 10 +# WMI providers supported in Windows -Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows 10. +Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows. > [!NOTE] > Applications installed using WMI classes are not removed when the MDM account is removed from device. @@ -53,130 +53,130 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw ## MDM WMI classes -|Class|Test completed in Windows 10 for desktop| -|--- |--- | -|[**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob)|Currently testing.| -|[**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application)|Currently testing.| -|[**MDM_ApplicationFramework**](/previous-versions/windows/desktop/mdmappprov/mdm-applicationframework)|Currently testing.| -|[**MDM_ApplicationSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-applicationsetting)|Currently testing.| -|[**MDM_BrowserSecurityZones**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones)|Yes| -|[**MDM_BrowserSettings**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings)|Yes| -|[**MDM_Certificate**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate)|Yes| -|[**MDM_CertificateEnrollment**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment)|Yes| -|[**MDM_Client**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client)|Currently testing.| -|[**MDM_ConfigSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting)|Yes| -|[**MDM_DeviceRegistrationInfo**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo)|| -|[**MDM_EASPolicy**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy)|Yes| -|[**MDM_MgMtAuthority**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority)|Yes| -|**MDM_MsiApplication**|| -|**MDM_MsiInstallJob**|| -|[**MDM_RemoteApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteapplication)|Test not started.| -|[**MDM_RemoteAppUseCookie**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteappusercookie)|Test not started.| -|[**MDM_Restrictions**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions)|Yes| -|[**MDM_RestrictionsUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser)|Test not started.| -|[**MDM_SecurityStatus**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus)|Yes| -|[**MDM_SideLoader**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader)|| -|[**MDM_SecurityStatusUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatususer)|Currently testing.| -|[**MDM_Updates**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates)|Yes| -|[**MDM_VpnApplicationTrigger**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger)|Yes| -|**MDM_VpnConnection**|| -|[**MDM_WebApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-webapplication)|Currently testing.| -|[**MDM_WirelessProfile**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile)|Yes| -|[**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml)|Yes| -|[**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel)|Yes| -|[**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration)|Yes| -|[**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile)|Yes| -|[**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection)|Yes| -|[**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct)|| -|[**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice)|| +| Class | Test completed in Windows 10 | +|-----------------------------------------------------------------------------------------------------------------|------------------------------| +| [**MDM_AppInstallJob**](/previous-versions/windows/desktop/mdmappprov/mdm-appinstalljob) | Currently testing. | +| [**MDM_Application**](/previous-versions/windows/desktop/mdmappprov/mdm-application) | Currently testing. | +| [**MDM_ApplicationFramework**](/previous-versions/windows/desktop/mdmappprov/mdm-applicationframework) | Currently testing. | +| [**MDM_ApplicationSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-applicationsetting) | Currently testing. | +| [**MDM_BrowserSecurityZones**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersecurityzones) | Yes | +| [**MDM_BrowserSettings**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-browsersettings) | Yes | +| [**MDM_Certificate**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificate) | Yes | +| [**MDM_CertificateEnrollment**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-certificateenrollment) | Yes | +| [**MDM_Client**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-client) | Currently testing. | +| [**MDM_ConfigSetting**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-configsetting) | Yes | +| [**MDM_DeviceRegistrationInfo**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-deviceregistrationinfo) | | +| [**MDM_EASPolicy**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-easpolicy) | Yes | +| [**MDM_MgMtAuthority**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-mgmtauthority) | Yes | +| **MDM_MsiApplication** | | +| **MDM_MsiInstallJob** | | +| [**MDM_RemoteApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteapplication) | Test not started. | +| [**MDM_RemoteAppUseCookie**](/previous-versions/windows/desktop/mdmappprov/mdm-remoteappusercookie) | Test not started. | +| [**MDM_Restrictions**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictions) | Yes | +| [**MDM_RestrictionsUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-restrictionsuser) | Test not started. | +| [**MDM_SecurityStatus**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatus) | Yes | +| [**MDM_SideLoader**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-sideloader) | | +| [**MDM_SecurityStatusUser**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-securitystatususer) | Currently testing. | +| [**MDM_Updates**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-updates) | Yes | +| [**MDM_VpnApplicationTrigger**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-vpnapplicationtrigger) | Yes | +| **MDM_VpnConnection** | | +| [**MDM_WebApplication**](/previous-versions/windows/desktop/mdmappprov/mdm-webapplication) | Currently testing. | +| [**MDM_WirelessProfile**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofile) | Yes | +| [**MDM_WirelesssProfileXML**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wirelessprofilexml) | Yes | +| [**MDM_WNSChannel**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnschannel) | Yes | +| [**MDM_WNSConfiguration**](/previous-versions/windows/desktop/mdmsettingsprov/mdm-wnsconfiguration) | Yes | +| [**MSFT_NetFirewallProfile**](/previous-versions/windows/desktop/wfascimprov/msft-netfirewallprofile) | Yes | +| [**MSFT_VpnConnection**](/previous-versions/windows/desktop/vpnclientpsprov/msft-vpnconnection) | Yes | +| [**SoftwareLicensingProduct**](/previous-versions/windows/desktop/sppwmi/softwarelicensingproduct) | | +| [**SoftwareLicensingService**](/previous-versions/windows/desktop/sppwmi/softwarelicensingservice) | | ### Parental control WMI classes -| Class | Test completed in Windows 10 for desktop | -|--------------------------------------------------------------------------|------------------------------------------| -| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | -| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | -| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| Class | Test completed in Windows 10 | +|-----------------------------------------------------------------------------------------|------------------------------| +| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | | +| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | +| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema) | Yes | ### Win32 WMI classes -| Class | Test completed in Windows 10 for desktop | -|--------------------------------------------------------------------------|------------------------------------------| -[**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | -[**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | -[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes -[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes -[**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | -[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes -[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes -[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes -[**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | -[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |Yes -[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes -[**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | -[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes -[**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | -[**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | -[**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | -[**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) | -[**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) | -[**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) | -[**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | -[**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | -[**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | -[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes -[**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | -[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes -[**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | -[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes -[**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | -[**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | -[**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | -[**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | -[**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | -[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes -[**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | -[**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | -[**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | -[**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | -[**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | -[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes -[**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | -[**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | -[**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | -[**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) | -[**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) | -[**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | -[**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | -[**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | -[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes -[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes -[**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | -[**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | -[**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | -[**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | -[**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | -[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes -[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes -[**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | -[**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | -[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes -[**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | -[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes -[**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | -[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes -[**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | -[**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | -[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes -[**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | -**Win32\_WindowsUpdateAgentVersion** | +| Class | Test completed in Windows 10 | +|---------------------------------------------------------------------------------------------------------|------------------------------| +| [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) | +| [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard) | +| [**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery) | Yes | +| [**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios) | Yes | +| [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive) | +| [**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | Yes | +| [**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | Yes | +| [**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime) | Yes | +| [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop) | +| [**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) | Yes | +| [**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive) | Yes | +| [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition) | +| [**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | Yes | +| [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel) | +| [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85)) | +| [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) | +| [**Win32\_Environment**](/windows/win32/cimwin32prov/win32-environment) | +| [**Win32\_IDEController**](/windows/win32/cimwin32prov/win32-idecontroller) | +| [**Win32\_InfraredDevice**](/windows/win32/cimwin32prov/win32-infrareddevice) | +| [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource) | +| [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard) | +| [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) | +| [**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime) | Yes | +| [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser) | +| [**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk) | Yes | +| [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) | +| [**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | Yes | +| [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) | +| [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient) | +| [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) | +| [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) | +| [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85)) | +| [**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | Yes | +| [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) | +| [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) | +| [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) | +| [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) | +| [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia) | +| [**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory) | Yes | +| [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice) | +| [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity) | +| [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice) | +| [**Win32\_PortableBattery**](/windows/win32/cimwin32prov/win32-portablebattery) | +| [**Win32\_PortResource**](/windows/win32/cimwin32prov/win32-portresource) | +| [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem) | +| [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer) | +| [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) | +| [**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor) | Yes | +| [**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | Yes | +| [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry) | +| [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller) | +| [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport) | +| [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) | +| [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature) | +| [**Win32\_Service**](/windows/win32/cimwin32prov/win32-service) | Yes | +| [**Win32\_Share**](/windows/win32/cimwin32prov/win32-share) | Yes | +| [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice) | +| [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount) | +| [**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios) | Yes | +| [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver) | +| [**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure) | Yes | +| [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive) | +| [**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone) | Yes | +| [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) | +| [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller) | +| [**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime) | Yes | +| [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) | +| **Win32\_WindowsUpdateAgentVersion** | ## Related topics