Merge branch 'master' into patch-2

This commit is contained in:
Andrei-George Stoica 2021-12-28 11:47:13 +02:00 committed by GitHub
commit 015b900fc6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
94 changed files with 1094 additions and 5387 deletions


@ -1,4 +1,4 @@
{:allowed-branchname-matches ["master"] {:allowed-branchname-matches ["master" "main"]
:allowed-filename-matches ["windows/"] :allowed-filename-matches ["windows/"]
:targets :targets
@ -47,12 +47,12 @@ For more information about the exception criteria and exception process, see [Mi
Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology: Click the scorecard links for each article to review the Acrolinx feedback on grammar, spelling, punctuation, writing style, and terminology:
| Article | Score | Issues | Scorecard | Processed | | Article | Score | Issues | Spelling<br>issues | Scorecard | Processed |
| ------- | ----- | ------ | --------- | --------- | | ------- | ----- | ------ | ------ | --------- | --------- |
" "
:template-change :template-change
"| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | [link](${acrolinx/scorecard}) | ${s/status} | "| ${s/file} | ${acrolinx/qualityscore} | ${acrolinx/flags/issues} | ${acrolinx/flags/spelling} | [link](${acrolinx/scorecard}) | ${s/status} |
" "
:template-footer :template-footer


@ -1,5 +1,90 @@
{ {
"redirections": [ "redirections": [
{
"source_path": "windows/client-management/mdm/windowssecurityauditing-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/windowssecurityauditing-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/remotelock-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/remotelock-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/registry-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/registry-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/maps-ddf-file.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/maps-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/hotspot-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/filesystem-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/EnterpriseExtFileSystem-ddf.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/EnterpriseExtFileSystem-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseext-ddf.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseext-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseassignedaccess-xsd.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseassignedaccess-ddf.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{
"source_path": "windows/client-management/mdm/enterpriseassignedaccess-csp.md",
"redirect_url": "https://support.microsoft.com/windows/windows-10-mobile-end-of-support-faq-8c2dd1cf-a571-00f0-0881-bb83926d05c5",
"redirect_document_id": false
},
{ {
"source_path": "windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md", "source_path": "windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md",
"redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3", "redirect_url": "https://support.microsoft.com/windows/windows-phone-8-1-end-of-support-faq-7f1ef0aa-0aaf-0747-3724-5c44456778a3",
@ -16411,7 +16496,7 @@
"redirect_document_id": false "redirect_document_id": false
}, },
{ {
"source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md.md", "source_path": "windows/security/threat-protection/microsoft-defender-atp/commercial-gov.md",
"redirect_url": "/microsoft-365/security/defender-endpoint/gov", "redirect_url": "/microsoft-365/security/defender-endpoint/gov",
"redirect_document_id": false "redirect_document_id": false
}, },
@ -19201,7 +19286,11 @@
"source_path": "windows/client-management/mdm/policy-csp-admx-skydrive.md", "source_path": "windows/client-management/mdm/policy-csp-admx-skydrive.md",
"redirect_url": "/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools", "redirect_url": "/windows/client-management/mdm/policy-csp-admx-shellcommandpromptregedittools",
"redirect_document_id": true "redirect_document_id": true
},
{
"source_path": "windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md",
"redirect_url": "/legal/windows/license-terms-windows-diagnostic-data-for-powershell",
"redirect_document_id": false
} }
] ]
} }


@ -2,6 +2,15 @@
## Week of December 13, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 12/13/2021 | [What is Windows 11 SE](/education/windows/windows-11-se-overview) | modified |
| 12/13/2021 | [Windows 11 SE settings list](/education/windows/windows-11-se-settings-list) | modified |
## Week of November 29, 2021 ## Week of November 29, 2021


@ -2,10 +2,9 @@
## Week of October 25, 2021 ## Week of December 13, 2021
| Published On |Topic title | Change | | Published On |Topic title | Change |
|------|------------|--------| |------|------------|--------|
| 10/28/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified | | 12/14/2021 | [Deploy and manage a full cloud IT solution for your business](/windows/smb/cloud-mode-business-setup) | modified |
| 10/28/2021 | [Windows 10/11 for small to midsize businesses](/windows/smb/index) | modified |


@ -2,6 +2,17 @@
## Week of December 13, 2021
| Published On |Topic title | Change |
|------|------------|--------|
| 12/13/2021 | [Microsoft Store for Business and Education release history](/microsoft-store/release-history-microsoft-store-business-education) | modified |
| 12/13/2021 | [Change history for Microsoft Store for Business and Education](/microsoft-store/sfb-change-history) | modified |
| 12/14/2021 | [Manage user accounts in Microsoft Store for Business and Microsoft Store for Education (Windows 10)](/microsoft-store/manage-users-and-groups-microsoft-store-for-business) | modified |
| 12/14/2021 | [Troubleshoot Microsoft Store for Business (Windows 10)](/microsoft-store/troubleshoot-microsoft-store-for-business) | modified |
## Week of November 15, 2021 ## Week of November 15, 2021


@ -150,49 +150,19 @@ If you receive BCD-related errors, follow these steps:
2. Restart the computer to check whether the problem is fixed. 2. Restart the computer to check whether the problem is fixed.
3. If the problem is not fixed, run the following command: 3. If the problem is not fixed, run the following commands:
```console
Bootrec /rebuildbcd
```
4. You might receive one of the following outputs:
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 0
The operation completed successfully.
```
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
D:\Windows
Add installation to boot list? Yes/No/All:
```
If the output shows **windows installation: 0**, run the following commands:
```console ```console
bcdedit /export c:\bcdbackup bcdedit /export c:\bcdbackup
attrib c:\\boot\\bcd -r s -h attrib c:\boot\bcd -r -s -h
ren c:\\boot\\bcd bcd.old ren c:\boot\bcd bcd.old
bootrec /rebuildbcd bootrec /rebuildbcd
``` ```
After you run the command, you receive the following output: 4. Restart the system.
```console
Scanning all disks for Windows installations. Please wait, since this may take a while ...
Successfully scanned Windows installations. Total identified Windows installations: 1
{D}:\Windows
Add installation to boot list? Yes/No/All: Y
```
5. Try restarting the system.
### Method 4: Replace Bootmgr ### Method 4: Replace Bootmgr
@ -206,7 +176,7 @@ If methods 1, 2 and 3 do not fix the problem, replace the Bootmgr file from driv
attrib -r -s -h attrib -r -s -h
``` ```
3. Run the same **attrib** command on the Windows (system drive): 3. Navigate to the system drive and run the same command:
```console ```console
attrib -r -s -h attrib -r -s -h
@ -394,7 +364,7 @@ If the dump file shows an error that is related to a driver (for example, window
- To do this, open WinRE, open a command prompt, and then run the following command: - To do this, open WinRE, open a command prompt, and then run the following command:
```console ```console
SFC /Scannow /OffBootDir=C:\ /OffWinDir=E:\Windows SFC /Scannow /OffBootDir=C:\ /OffWinDir=C:\Windows
``` ```
For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues) For more information, see [Using System File Checker (SFC) To Fix Issues](/archive/blogs/askcore/using-system-file-checker-sfc-to-fix-issues)


@ -77,7 +77,7 @@ For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it r
Supported operation is Get. Supported operation is Get.
<a href="" id="swv"></a>**SwV** <a href="" id="swv"></a>**SwV**
Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the client device. In the future, the build numbers may converge.
Supported operation is Get. Supported operation is Get.
@ -114,6 +114,8 @@ Supported operation is Get.
This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. This value is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length.
<!-- 12.15.2021 (mandia): Based on the description, I'm assuming this ID is specific to Windows 10 Mobile. Commented out as Windows 10 Mobile is past EoL.
<a href="" id="ext-microsoft-mobileid"></a>**Ext/Microsoft/MobileID** <a href="" id="ext-microsoft-mobileid"></a>**Ext/Microsoft/MobileID**
Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support. Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that don't have a cellular network support.
@ -121,6 +123,8 @@ Supported operation is Get.
The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.
-->
<a href="" id="ext-microsoft-radioswv"></a>**Ext/Microsoft/RadioSwV** <a href="" id="ext-microsoft-radioswv"></a>**Ext/Microsoft/RadioSwV**
Required. Returns the radio stack software version number. Required. Returns the radio stack software version number.


@ -14,6 +14,9 @@ ms.date: 06/26/2017
# DeviceLock CSP # DeviceLock CSP
This policy is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows Phone 8.1.
The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server. The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server.
@ -304,7 +307,10 @@ All node values under the **ProviderID** interior node represent the policy valu
The value applied to the device can be queried via the nodes under the **DeviceValue** interior node. The value applied to the device can be queried via the nodes under the **DeviceValue** interior node.
-->
## Related articles ## Related articles
[Policy CSP](policy-configuration-service-provider.md)
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)


@ -14,6 +14,9 @@ ms.date: 06/26/2017
# DeviceLock DDF file # DeviceLock DDF file
This policy is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows Phone 8.1.
This topic shows the OMA DM device description framework (DDF) for the **DeviceLock** configuration service provider. DDF files are used only with OMA DM provisioning XML. This topic shows the OMA DM device description framework (DDF) for the **DeviceLock** configuration service provider. DDF files are used only with OMA DM provisioning XML.
@ -496,18 +499,10 @@ This topic shows the OMA DM device description framework (DDF) for the **DeviceL
</Node> </Node>
</MgmtTree> </MgmtTree>
``` ```
-->
## Related topics ## Related topics
[Policy CSP](policy-configuration-service-provider.md)
[DeviceLock configuration service provider](devicelock-csp.md) [DeviceLock configuration service provider](devicelock-csp.md)
 
 


@ -18,8 +18,7 @@ ms.date: 06/26/2017
The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment. The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment.
> [!NOTE] > [!NOTE]
> The EnterpriseAppManagement CSP is only supported in Windows 10 Mobile. > The EnterpriseAppManagement CSP is only supported in Windows 10 IoT Core.
The following shows the EnterpriseAppManagement configuration service provider in tree format. The following shows the EnterpriseAppManagement configuration service provider in tree format.



@ -1,328 +0,0 @@
---
title: EnterpriseAssignedAccess DDF
description: Utilize the OMA DM device description framework (DDF) for the EnterpriseAssignedAccess configuration service provider.
ms.assetid: 8BD6FB05-E643-4695-99A2-633995884B37
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# EnterpriseAssignedAccess DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseAssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseAssignedAccess</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.1/MDM/EnterpriseAssignedAccess</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>AssignedAccess</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>AssignedAccessXml</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LockScreenWallpaper</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>BGFileName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Theme</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ThemeBackground</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ThemeAccentColorID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ThemeAccentColorValue</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Clock</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>TimeZone</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Locale</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Language</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

View File

@ -1,270 +0,0 @@
---
title: EnterpriseAssignedAccess XSD
description: This XSD can be used to validate that the lockdown XML in the \<Data\> block of the AssignedAccessXML node.
ms.assetid: BB3B633E-E361-4B95-9D4A-CE6E08D67ADA
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# EnterpriseAssignedAccess XSD
This XSD can be used to validate that the lockdown XML in the \<Data\> block of the AssignedAccessXML node.
```xml
<?xml version="1.0" encoding="utf-16LE" ?>
<!--
In-memory format is Little Endian and
hence the encoding of this file has to be little endian
to be in the native format. Make sure that this file's
encoding is Unicode-16 LE (Unicode Codepage 1200)
-->
<xs:schema
xmlns:xs="http://www.w3.org/2001/XMLSchema"
elementFormDefault="qualified"
>
<!-- COMPLEX TYPE: ROLE LIST TYPE -->
<xs:complexType name="role_list_t">
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="Role" type="role_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: START SCREEN SIZE TYPE -->
<xs:simpleType name="startscreen_size_t">
<xs:restriction base="xs:string">
<!-- Small: 4 columns-->
<xs:enumeration value="Small"/>
<!-- Large: 6 columns-->
<xs:enumeration value="Large"/>
</xs:restriction>
</xs:simpleType>
<!-- COMPLEX TYPE: APPLICATION LIST TYPE -->
<xs:complexType name="application_list_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="Application" type="application_t" minOccurs="0" maxOccurs="unbounded" >
<xs:key name="productIdOrfolderId">
<xs:selector xpath="."/>
<xs:field xpath="@productId|@folderId"/>
</xs:key>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: BUTTON LIST TYPE -->
<xs:complexType name="button_list_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="Button" minOccurs="0" maxOccurs="unbounded" type="button_t">
<xs:unique name="ButtonEventUnique">
<xs:selector xpath="ButtonEvent" />
<xs:field xpath="@name" />
</xs:unique>
</xs:element>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: MENU ITEM LIST TYPE -->
<xs:complexType name="menu_item_list_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="DisableMenuItems" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: START SCREEN TILE MANIPULATION TYPE -->
<xs:complexType name="tile_manipulation_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="EnableTileManipulation" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: DEFAULT TYPE -->
<xs:complexType name="default_basic_t">
<xs:sequence minOccurs="1">
<xs:element name="ActionCenter" type="actioncenter_t" minOccurs="1"/>
<xs:element name="WLANSSID" type="wlanssid_t" minOccurs="0"/>
<xs:element name="Apps" type="application_list_t" minOccurs="1">
<xs:unique name="duplicateAppsForbidden">
<xs:selector xpath="Application"/>
<xs:field xpath="@productId"/>
<xs:field xpath="@aumid"/>
</xs:unique>
</xs:element>
<xs:element name="Buttons" minOccurs="1">
<xs:complexType>
<xs:all>
<xs:element name="ButtonLockdownList" type="button_list_t" minOccurs="0">
<xs:unique name="ButtonLockdownUnique">
<xs:selector xpath="Button" />
<xs:field xpath="@name" />
</xs:unique>
</xs:element>
<xs:element name="ButtonRemapList" type="button_list_t" minOccurs="0">
<xs:unique name="ButtonRemapUnique">
<xs:selector xpath="Button" />
<xs:field xpath="@name" />
</xs:unique>
</xs:element>
</xs:all>
</xs:complexType>
</xs:element>
<xs:element name="CSPRunner" minOccurs="0"/>
<xs:element name="MenuItems" type="menu_item_list_t" minOccurs="1"/>
<xs:element name="Settings" minOccurs="1">
<xs:complexType>
<xs:sequence>
<xs:element name="System" type="setting_t" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Application" type="setting_t" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Tiles" type="tile_manipulation_t" minOccurs="0" ></xs:element>
</xs:sequence>
</xs:complexType>
<!-- COMPLEX TYPE: ROLE TYPE -->
<xs:complexType name="role_t">
<xs:complexContent>
<xs:extension base="default_basic_t">
<xs:attribute name="guid" type="guid_t" use="required"/>
<xs:attribute name="name" type="xs:string" use="required"/>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!-- COMPLEX TYPE: DEFAULT ROLE TYPE -->
<xs:complexType name="default_role_t">
<xs:complexContent>
<xs:extension base="default_basic_t">
<xs:sequence minOccurs="1">
<xs:element name="StartScreenSize" type="startscreen_size_t" minOccurs="1"/>
</xs:sequence>
</xs:extension>
</xs:complexContent>
</xs:complexType>
<!-- COMPLEX TYPE: Action Center -->
<xs:complexType name="actioncenter_t">
<xs:attribute type="xs:boolean" name="enabled" use="required"/>
<xs:attribute type="xs:integer" name="actionCenterNotificationEnabled" use="optional"/>
<xs:attribute type="xs:integer" name="aboveLockToastEnabled" use="optional"/>
</xs:complexType>
<!-- COMPLEX TYPE: APPLICATION TYPE -->
<xs:complexType name="application_t">
<xs:all minOccurs="0">
<xs:element name="PinToStart" type="start_tile_t" />
</xs:all>
<xs:attribute name="productId" type="guid_t"/>
<xs:attribute name="aumid" type="xs:string" use="optional"/>
<xs:attribute name="folderName" type="xs:string" use="optional"/>
<xs:attribute name="folderId" type="xs:integer"/>
<xs:attribute name="parameters" type="xs:string" use="optional"/>
<xs:attribute name="autoRun" type="xs:boolean" use="optional"/>
</xs:complexType>
<!-- COMPLEX TYPE: START SCREEN TILE CONFIGURATION TYPE-->
<xs:complexType name="start_tile_t">
<xs:all minOccurs="1" maxOccurs="1">
<xs:element name="Size" type="tile_size_t" minOccurs="1" />
<xs:element name="Location" type="tile_location_t" minOccurs="1" />
<xs:element name="ParentFolderId" type="xs:unsignedLong" minOccurs="0" maxOccurs="1" />
</xs:all>
</xs:complexType>
<!-- COMPLEX TYPE: SETTING TYPE -->
<xs:complexType name="setting_t">
<xs:attribute name="name" type="xs:string" use="required"/>
</xs:complexType>
<!-- COMPLEX TYPE: BUTTON TYPE -->
<xs:complexType name="button_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="ButtonEvent" type="button_event_t" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="name" type="supported_button_t" use="required"/>
</xs:complexType>
<!-- COMPLEX TYPE: BUTTON EVENT TYPE -->
<xs:complexType name="button_event_t">
<xs:all minOccurs="0" maxOccurs="1">
<xs:element name="Application" type="application_t" minOccurs="0" maxOccurs="1" >
<xs:key name="productIdOnly">
<xs:selector xpath="."/>
<xs:field xpath="@productId"/>
</xs:key>
</xs:element>
</xs:all>
<xs:attribute name="name" type="supported_button_event_t" use="required"/>
</xs:complexType>
<!--COMPLEX TYPE: START TILE TYPE-->
<xs:complexType name="tile_location_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="LocationX" type="xs:unsignedLong"/>
<xs:element name="LocationY" type="xs:unsignedLong"/>
</xs:sequence>
</xs:complexType>
<!-- SIMPLE TYPE: SUPPORTED BUTTON TYPE -->
<xs:simpleType name="supported_button_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Back"/>
<xs:enumeration value="Start"/>
<xs:enumeration value="Search"/>
<xs:enumeration value="Camera"/>
<xs:enumeration value="Custom1"/>
<xs:enumeration value="Custom2"/>
<xs:enumeration value="Custom3"/>
</xs:restriction>
</xs:simpleType>
<!-- SIMPLE TYPE: SUPPORTED BUTTON EVENT TYPE -->
<xs:simpleType name="supported_button_event_t">
<xs:restriction base="xs:string">
<xs:enumeration value="All"/>
<xs:enumeration value="Press"/>
<xs:enumeration value="PressAndHold"/>
</xs:restriction>
</xs:simpleType>
<!-- SIMPLE TYPE: GUID -->
<xs:simpleType name="guid_t">
<xs:restriction base="xs:string">
<xs:pattern value="\{[0-9a-fA-F]{8}\-([0-9a-fA-F]{4}\-){3}[0-9a-fA-F]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<!--SIMPLE TYPE: TILE SIZE-->
<xs:simpleType name="tile_size_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Small"/>
<xs:enumeration value="Medium"/>
<xs:enumeration value="Large"/>
</xs:restriction>
</xs:simpleType>
<!-- COMPLEX TYPE: WLANSSID -->
<xs:complexType name="wlanssid_t">
<xs:sequence minOccurs="0" maxOccurs="1">
<xs:element name="Data" type="xs:string"/>
<xs:element name="Exclusive" type="xs:boolean"/>
</xs:sequence>
</xs:complexType>
<!-- SCHEMA -->
<xs:element name="HandheldLockdown">
<xs:complexType>
<xs:all minOccurs="1">
<xs:element name="Default" type="default_role_t"/>
<xs:element name="RoleList" type="role_list_t" minOccurs="0">
<xs:unique name="duplicateRolesForbidden">
<xs:selector xpath="Role"/>
<xs:field xpath="@guid"/>
</xs:unique>
</xs:element>
</xs:all>
<xs:attribute name="version" use="required" type="xs:decimal"/>
</xs:complexType>
</xs:element>
</xs:schema>
```
 
 


@ -38,7 +38,6 @@ EnterpriseDataProtection
--------EDPEnforcementLevel --------EDPEnforcementLevel
--------EnterpriseProtectedDomainNames --------EnterpriseProtectedDomainNames
--------AllowUserDecryption --------AllowUserDecryption
--------RequireProtectionUnderLockConfig
--------DataRecoveryCertificate --------DataRecoveryCertificate
--------RevokeOnUnenroll --------RevokeOnUnenroll
--------RMSTemplateIDForEDP --------RMSTemplateIDForEDP
@ -95,24 +94,6 @@ The following list shows the supported values:
Most restricted value is 0. Most restricted value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-requireprotectionunderlockconfig"></a>**Settings/RequireProtectionUnderLockConfig**
Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy.
The following list shows the supported values:
- 0 (default) Not required.
- 1 Required.
Most restricted value is 1.
The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.
> [!Note]
> This setting is only supported in Windows 10 Mobile.
Supported operations are Add, Get, Replace, and Delete. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-datarecoverycertificate"></a>**Settings/DataRecoveryCertificate** <a href="" id="settings-datarecoverycertificate"></a>**Settings/DataRecoveryCertificate**
@ -250,7 +231,7 @@ For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate
Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate. Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
<a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll** <a href="" id="settings-revokeonunenroll"></a>**Settings/RevokeOnUnenroll**
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don&#39;t revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1.
The following list shows the supported values: The following list shows the supported values:
@ -260,7 +241,7 @@ The following list shows the supported values:
Supported operations are Add, Get, Replace, and Delete. Value type is integer. Supported operations are Add, Get, Replace, and Delete. Value type is integer.
<a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff** <a href="" id="settings-revokeonmdmhandoff"></a>**Settings/RevokeOnMDMHandoff**
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don&#39;t revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.
- 0 - Don't revoke keys - 0 - Don't revoke keys
- 1 (default) - Revoke keys - 1 (default) - Revoke keys


@ -141,29 +141,6 @@ The XML below is the current version for this CSP.
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>RequireProtectionUnderLockConfig</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node> <Node>
<NodeName>DataRecoveryCertificate</NodeName> <NodeName>DataRecoveryCertificate</NodeName>
<DFProperties> <DFProperties>


@ -1,386 +0,0 @@
---
title: EnterpriseExt CSP
description: Learn how the EnterpriseExt CSP allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior.
ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# EnterpriseExt CSP
The EnterpriseExt configuration service provider allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior.
> **Note**   The EnterpriseExt CSP is only supported in Windows 10 Mobile.
 
The following shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
```
./Vendor/MSFT
EnterpriseExt
----DeviceCustomData
--------CustomID
--------CustomString
----Brightness
--------Default
--------MaxAuto
----LedAlertNotification
--------State
--------Intensity
--------Period
--------DutyCycle
--------Cyclecount
```
The following list shows the characteristics and parameters.
<a href="" id="--vendor-msft-enterpriseext"></a>**./Vendor/MSFT/EnterpriseExt**
The root node for the EnterpriseExt configuration service provider. Supported operations is Get.
<a href="" id="devicecustomdata"></a>**DeviceCustomData**
Node for setting the custom device ID and string.
<a href="" id="devicecustomdata-customid"></a>**DeviceCustomData/CustomID**
Any string value as the device ID. This value appears in **Settings** > **About** > **Info**.
Here's an example for getting custom data.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomID</LocURI>
</Target>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomString</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="devicecustomdata-customstring"></a>**DeviceCustomData/CustomString**
Any string value that is associated with the device.
Here's an example for setting custom data.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomID</LocURI>
</Target>
<Data>urn:uuid:130CCE0D-0187-5866-855A-DE7406F76046</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomString</LocURI>
</Target>
<Data>{"firstName":"John","lastName":"Doe"}</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="brightness"></a>**Brightness**
Node for setting device brightness values.
<a href="" id="brightness-default"></a>**Brightness/Default**
Default display brightness value. For example, you can maximize battery life by reducing the default value or set it to medium in a facility that is generally darker.
The valid values are:
- Automatic - the device determines the brightness
- Low
- Medium
- High
The supported operations are Get and Replace.
Here's an example for getting the current default value.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/Brightness/Default</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Here's an example for setting the default value to medium.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/Brightness/Default</LocURI>
</Target>
<Data>medium</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="brightness-maxauto"></a>**Brightness/MaxAuto**
Maximum display brightness value when the device is set to automatic mode. The device brightness will never be higher than the MaxAuto value. The value values are:
- Low
- Medium
- High
The supported operations are Get and Replace.
Here's an example for setting the maximum auto-brightness to medium.
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/Brightness/MaxAuto</LocURI>
</Target>
<Data>medium</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="ledalertnotification"></a>**LedAlertNotification**
Node for setting LED behavior of the device.
<a href="" id="ledalertnotification-state"></a>**LedAlertNotification/State**
LED state. The valid values are:
- 0 - off
- 1 - on
- 2 - blink
Example: LED On
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Intensity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>100</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
Example: LED Off
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="ledalertnotification-intensity"></a>**LedAlertNotification/Intensity**
Intensity of the LED brightness. You can set the value between 1 - 100.
Example: LED blink
```xml
<?xml version="1.0"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Period</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>500</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Dutycycle</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>70</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Intensity</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>100</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Cyclecount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>543210</Data>
</Item>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="ledalertnotification-period"></a>**LedAlertNotification/Period**
Duration of each blink, which is the time of ON + OFF. The value is in milliseconds. This is valid only for blink.
<a href="" id="ledalertnotification-dutycycle"></a>**LedAlertNotification/DutyCycle**
LED ON duration during one blink cycle. You can set the value between 1 - 100. This is valid only for blink.
<a href="" id="ledalertnotification-cyclecount"></a>**LedAlertNotification/Cyclecount**
Number of blink cycles. The data type is a 4-byte signed integer. Any negative value or zero results in an error. This node is only valid for blink.
<a href="" id="devicereboot"></a>**DeviceReboot**
Removed in Windows 10.
<a href="" id="devicereboot-waittime"></a>**DeviceReboot/WaitTime**
Removed in Windows 10.
<a href="" id="maintenancewindow"></a>**MaintenanceWindow**
Removed in Windows 10.
<a href="" id="maintenancewindow-maintenanceallowed"></a>**MaintenanceWindow/MaintenanceAllowed**
Removed in Windows 10.
<a href="" id="maintenancewindow-mwmandatory"></a>**MaintenanceWindow/MWMandatory**
Removed in Windows 10.
<a href="" id="maintenancewindow-schedulexml"></a>**MaintenanceWindow/ScheduleXML**
Removed in Windows 10.
<a href="" id="maintenancewindow-mwnotificationduration"></a>**MaintenanceWindow/MWNotificationDuration**
Removed in Windows 10.
<a href="" id="maintenancewindow-mwminimumduration"></a>**MaintenanceWindow/MWminimumDuration**
Removed in Windows 10.
<a href="" id="deviceupdate"></a>**DeviceUpdate**
Removed in Windows 10.
<a href="" id="deviceupdate-datetimestamp"></a>**DeviceUpdate/DateTimeStamp**
Removed in Windows 10.
<a href="" id="deviceupdate-updateresultxml"></a>**DeviceUpdate/UpdateResultXml**
Removed in Windows 10.
<a href="" id="mdm"></a>**MDM**
Removed in Windows 10.
<a href="" id="mdm-server"></a>**MDM/Server**
Removed in Windows 10.
<a href="" id="mdm-username"></a>**MDM/Username**
Removed in Windows 10.
<a href="" id="mdm-password"></a>**MDM/Password**
Removed in Windows 10.
<a href="" id="mdm-enabledeviceenrollment"></a>**MDM/EnableDeviceEnrollment**
Removed in Windows 10.
<a href="" id="pfx"></a>**Pfx**
Removed in Windows 10.
<a href="" id="disableenterprisevalidation"></a>**DisableEnterpriseValidation**
Removed in Windows 10.
 
 
10/10/2016


@ -1,320 +0,0 @@
---
title: EnterpriseExt DDF
description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExt configuration service provider (CSP).
ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# EnterpriseExt DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseExt** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseExt</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>DeviceCustomData</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CustomID</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CustomString</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Brightness</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Default</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxAuto</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>LedAlertNotification</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>State</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Intensity</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Period</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>DutyCycle</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Cyclecount</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 


@ -1,140 +0,0 @@
---
title: EnterpriseExtFileSystem CSP
description: Add, retrieve, or change files through the Mobile Device Management (MDM) service using the EnterpriseExtFileSystem CSP.
ms.assetid: F773AD72-A800-481A-A9E2-899BA56F4426
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# EnterpriseExtFileSystem CSP
The EnterpriseExtFileSystem configuration service provider (CSP) allows IT administrators to add, retrieve, or change files in the file system through the Mobile Device Management (MDM) service. For example, you can use this configuration service provider to push a provisioning XML file or a new lock screen background image file to a device through the MDM service, and also retrieve logs from the device in the enterprise environment.
> **Note**  The EnterpriseExtFileSystem CSP is only supported in Windows 10 Mobile.
File contents are embedded directly into the syncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 0x100000 (1 MB). You can configure this limit by using the following registry key: **Software\\Microsoft\\Provisioning\\CSPs\\.\\Vendor\\MSFT\\EnterpriseExtFileSystem\\MaxFileReadSize**.
The following shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
```
./Vendor/MSFT
EnterpriseExtFileSystem
----Persistent
--------Files_abc1
--------Directory_abc2
----NonPersistent
--------Files_abc3
--------Directory_abc4
----OemProfile
--------Directory_abc5
--------Files_abc6
```
The following list describes the characteristics and parameters.
<a href="" id="--vendor-msft-enterpriseextfilesystem"></a>**./Vendor/MSFT/EnterpriseExtFileSystem**
<p>The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.</p>
<a href="" id="persistent"></a>**Persistent**
<p>The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.</p>
> **Important**  There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer.
>
>
>
> **Note**   When the IT admin triggers a **doWipePersistProvisionedData** action using [RemoteWipe CSP](remotewipe-csp.md), items stored in the Persistent folder are persisted over wipe and restored when the device boots again. The contents are not persisted if a **doWipe** action is triggered.
<a href="" id="nonpersistent"></a>**NonPersistent**
<p>The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.</p>
<p>When the device is wiped, any data stored in the NonPersistent folder is deleted.</p>
<a href="" id="oemprofile"></a>**OemProfile**
<p>Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.</p>
<a href="" id="directory"></a>***Directory***
<p>The name of a directory in the device file system. Any <em>Directory</em> node can have directories and files as child nodes.</p>
<p>Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.</p>
<p>Use the Get command to return the list of child node names under <em>Directory</em>.</p>
<p>Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under <em>Directory</em>.</p>
<a href="" id="filename"></a>***Filename***
<p>The name of a file in the device file system.</p>
Supported operations is Get.
## OMA DM examples
The following example shows how to retrieve a file from the device.
```xml
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/file.txt</LocURI>
</Target>
</Item>
</Get>
```
The following example shows the file name that is returned in the body of the response syncML code. In this example, the full path of the file on the device is C:/data/test/bin/filename.txt.
```xml
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Item>
<Source>
<LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/filename.txt</LocURI>
</Source>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
<Type xmlns="syncml:metinf">application/octet-stream</Type>
</Meta>
<Data>aGVsbG8gd29ybGQ=</Data>
</Item>
</Results>
```
The following example shows how to push a file to the device.
```xml
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/new.txt</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
<Type xmlns="syncml:metinf">application/octet-stream</Type>
</Meta>
<Data>aGVsbG8gd29ybGQ=</Data>
</Item>
</Add>
```


@ -1,273 +0,0 @@
---
title: EnterpriseExtFileSystem DDF
description: Learn about the OMA DM device description framework (DDF) for the EnterpriseExtFileSystem configuration service provider (CSP).
ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# EnterpriseExtFileSystem DDF
This topic shows the OMA DM device description framework (DDF) for the **EnterpriseExtFileSystem** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>EnterpriseExtFileSystem</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Persistent</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Files_abc1</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Files</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Directory_abc2</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Directory</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>NonPersistent</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Files_abc3</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Files</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Directory_abc4</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Directory</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>OemProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Directory_abc5</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Directory</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Files_abc6</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Files</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[EnterpriseExtFileSystem configuration service provider](enterpriseextfilessystem-csp.md)
 
 


@ -20,7 +20,8 @@ The EnterpriseModernAppManagement configuration service provider (CSP) is used f
> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. > Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
The following shows the EnterpriseModernAppManagement configuration service provider in tree format. The following shows the EnterpriseModernAppManagement configuration service provider in tree format.
```
```console
./Vendor/MSFT ./Vendor/MSFT
EnterpriseModernAppManagement EnterpriseModernAppManagement
----AppManagement ----AppManagement
@ -68,7 +69,7 @@ EnterpriseModernAppManagement
For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path.
> [!Note] > [!Note]
> Windows Holographic and Windows 10 Mobile only support per-user configuration of the EnterpriseModernAppManagement CSP. > Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
<a href="" id="appmanagement"></a>**AppManagement** <a href="" id="appmanagement"></a>**AppManagement**
Required. Used for inventory and app management (post-install). Required. Used for inventory and app management (post-install).
@ -120,7 +121,7 @@ Query parameters:
- Bundle - returns installed bundle packages. - Bundle - returns installed bundle packages.
- Framework - returns installed framework packages. - Framework - returns installed framework packages.
- Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle. - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle.
- XAP - returns XAP package types. This filter is not supported on devices other than Windows Mobile. - XAP - returns XAP package types. This filter is only supported on Windows Mobile.
- All - returns all package types. - All - returns all package types.
If no value is specified, the combination of Main, Bundle, and Framework are returned. If no value is specified, the combination of Main, Bundle, and Framework are returned.
@ -451,7 +452,8 @@ Valid values:
**Examples:** **Examples:**
Add an app to the nonremovable app policy list Add an app to the nonremovable app policy list
```
```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Add> <Add>
@ -472,7 +474,8 @@ Add an app to the nonremovable app policy list
``` ```
Get the status for a particular app Get the status for a particular app
```
```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Get> <Get>
@ -491,7 +494,8 @@ Get the status for a particular app
Replace an app in the nonremovable app policy list Replace an app in the nonremovable app policy list
Data 0 = app is not in the app policy list Data 0 = app is not in the app policy list
Data 1 = app is in the app policy list Data 1 = app is in the app policy list
```
```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Replace> <Replace>
@ -678,13 +682,3 @@ Subsequent query for a specific app for its properties.
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)


@ -1,107 +0,0 @@
---
title: FileSystem CSP
description: Learn how the FileSystem CSP is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device.
ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# FileSystem CSP
The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user.
> [!NOTE]
> FileSystem CSP is only supported in Windows 10 Mobile.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
The following shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
```console
./Vendor/MSFT
FileSystem
----file name
----file directory
--------file name
--------file directory
```
<a href="" id="filesystem"></a>**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path.
The following properties are supported for the root node:
- `Name`: The root node name. The Get command is the only supported command.
- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command.
- `Format`: The format, which is `node`. The Get command is the only supported command.
- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
- `Size`: Not supported.
- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
<a href="" id="file-directory"></a>***file directory***
Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements.
The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code.
The Add command is used to create a new directory. Adding a new directory under the file system root is not supported and returns a 405 error code.
The Replace command is not supported.
The Delete command is used to delete all files and subfolders under this *file directory*.
The following properties are supported for file directories:
- `Name`: The file directory name. The Get command is the only supported command.
- `Type`: The MIME type of the file, which is an empty string for directories that are not the root node. The Get command is the only supported command.
- `Format`: The format, which is `node`. The Get command is the only supported command.
- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
- `Size`: Not supported.
- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file `winnt.h`. This supports the Get command and the Replace command.
<a href="" id="file-name"></a>***file name***
Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead.
The Delete command deletes the file.
The Replace command updates an entire file with new file contents.
The Add command adds the file to the file directory
The Get command is not supported on a *file name* element, only on the properties of the element.
The following properties are supported for files:
- `Name`: The file name. The Get command is the only supported command.
- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command.
- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over WBXML. The Get command is the only supported command.
- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
- `Size`: The unencoded file content size in bytes. The Get command is the only supported command.
- `msft:SystemAttributes`: A custom property that contains file attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

@ -1075,7 +1075,7 @@ If a device is expected to use a third-party antivirus program, ignore the repor
If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access. If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device: If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow all access
- Disallow access to HBI assets - Disallow access to HBI assets

@ -1,200 +0,0 @@
---
title: HotSpot CSP
description: Learn how HotSpot configuration service provider (CSP) is used to configure and enable Internet sharing on a device.
ms.assetid: ec49dec1-fa79-420a-a9a7-e86668b3eebf
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# HotSpot CSP
The HotSpot configuration service provider is used to configure and enable Internet sharing on the device, in which the device can be configured to share its cellular connection over Wi-Fi with up to eight client devices or computers.
> [!Note]
> HotSpot CSP is only supported in Windows 10 Mobile.
>
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application.
The following shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
```console
./Vendor/MSFT
HotSpot
-------Enabled
-------DedicatedConnections
-------TetheringNAIConnection
-------MaxUsers
-------MaxBluetoothUsers
-------MOHelpNumber
-------MOInfoLink
-------MOAppLink
-------MOHelpMessage
-------EntitlementRequired
-------EntitlementDll
-------EntitlementInterval
-------PeerlessTimeout
-------PublicConnectionTimeout
```
<a href="" id="enabled"></a>**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.
If this is initially set to false, the feature is turned off and the Internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible.
When this is set to true, the Internet sharing screen is added to Settings, though sharing is turned off by default until the user turns it on.
This setting can be provisioned over the air, but it may require a reboot if Settings was open when this was enabled for the first time.
<a href="" id="dedicatedconnections"></a>**DedicatedConnections**
Optional. Specifies the semicolon separated list of Connection Manager cellular connections that Internet sharing will use as the public connections.
By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections.
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
> [!Note]
> The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted.
<a href="" id="tetheringnaiconnection"></a>**TetheringNAIConnection**
Optional. Specifies the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection.
If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must use the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) to provision a TetheringNAI connection and then specify the provisioned connection in this node.
Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections.
> [!Note]
> The mapping policy will also include the connections specified in the **DedicatedConnections** as well.
If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share
If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted.
<a href="" id="maxusers"></a>**MaxUsers**
Optional. Specifies the maximum number of simultaneous users that can be connected to a device while in a sharing state. The value must be between 1 and 8 inclusive. The default value is 5.
If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted.
<a href="" id="maxbluetoothusers"></a>**MaxBluetoothUsers**
Optional. Specifies the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. The value must be between 1 and 7 inclusive. The default value is 7.
<a href="" id="mohelpnumber"></a>**MOHelpNumber**
Optional. A mobile operatorspecified device number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help.
<a href="" id="moinfolink"></a>**MOInfoLink**
Optional. A mobile operatorspecified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature.
<a href="" id="moapplink"></a>**MOAppLink**
Optional. A Windows device application link that points to a preinstalled application, provided by the mobile operator, that will help a user to subscribe to the mobile operators Internet sharing service when Internet sharing is not provisioned or entitlement fails. The general format for the link is `app://MOapp`.
<a href="" id="mohelpmessage"></a>**MOHelpMessage**
Optional. Reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form:
`@<path_to_res_dll>,-<str_id>`
Where `<path_to_res_dll>` is the path to the resource dll that contains the string and `<str_id>` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](/windows/win32/intl/using-registry-string-redirection) on MSDN.
> [!Note]
> MOAppLink is required to use the MOHelpMessage setting.
<a href="" id="entitlementrequired"></a>**EntitlementRequired**
Optional. Specifies whether the device requires an entitlement check to determine if Internet sharing should be enabled. This node is set to a Boolean value. The default value is **True**.
By default the Internet sharing service will check entitlement every time an attempt is made to enable Internet sharing. Internet sharing should be set to **False** for carrier-unlocked devices.
<a href="" id="entitlementdll"></a>**EntitlementDll**
Required if `EntitlementRequired` is set to true. The path to the entitlement DLL used to make entitlement checks that verify that the device is entitled to use the Internet sharing service on a mobile operators network. The value is a string that represents a valid file system path to the entitlement DLL. By default, the Internet sharing service fails entitlement checks if this setting is missing or empty. For more information, see [Creating an Entitlement DLL](#creating-entitlement-dll) later in this topic.
<a href="" id="entitlementinterval"></a>**EntitlementInterval**
Optional. The time interval, in seconds, between entitlement checks. The default value is 86,400 seconds (24 hours).
If a periodic entitlement check fails, Internet sharing is automatically disabled.
<a href="" id="peerlesstimeout"></a>**PeerlessTimeout**
Optional. The time-out period, in minutes, after which Internet sharing should automatically turn off if there are no longer any active clients. This node can be set to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes.
A reboot may be required before changes to this node take effect.
<a href="" id="publicconnectiontimeout"></a>**PublicConnectionTimeout**
Optional. The time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available. This node can be set to any value between 1 and 60 inclusive. The default value is 20 minutes. A time-out is required, so a value of 0 is not supported.
Changes to this node require a reboot.
<a href="" id="minwifikeylength"></a>**MinWifiKeyLength**
> [!Important]
> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
<a href="" id="minwifissidlength"></a>**MinWifiSSIDLength**
> [!Important]
> This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
## Additional requirements for CDMA networks
For CDMA networks that use a separate Network Access Identity (NAI) for Internet sharing, a new parm, TetheringNAI, has been added in the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) configuration service provider. The following sample demonstrates how to specify the connection.
```xml
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="TetheringNAIConn">
<parm name="Version" value="1"/>
<parm name="UserName" value=""/>
<parm name="Password" value=""/>
<parm name="TetheringNAI" value="1"/>
</characteristic>
</characteristic>
<characteristic type="HotSpot">
<parm name="Enabled" value="true" datatype="boolean"/>
<parm name="EntitlementRequired" value="false" datatype="boolean"/>
<parm name="TetheringNAIConnection" value="TetheringNAIConn" datatype="string"/>
</characteristic>
</wap-provisioningdoc>
```
> [!Note]
> CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on.
## <a href="" id="creating-entitlement-dll"></a>Creating an Entitlement DLL
For mobile operator networks that require an entitlement check, the OEM must provide a DLL in the device image that implements a function with the following signature:
`ICS_ENTITLEMENT_RESULT IsEntitled(void);`
The `EntitlementDll` parm of the HotSpot configuration service provider must be set to a string that is the path to this DLL.
The DLL must be code signed in a specific way, see [Sign binaries and packages](/previous-versions/windows/hardware/code-signing/dn789217(v=vs.85)).
During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values.
|Value|Description|
|--- |--- |
|**ENTITLEMENT_SUCCESS**|The device is allowed to connect to the server.|
|**ENTITLEMENT_FAILED**|The device is not allowed to connect to the server|
|**ENTITLEMENT_UNAVAILABLE**|The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.|
The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)

@ -21,49 +21,52 @@ The Microsoft Store for Business has a new web service designed for the enterpri
Here's the list of the available capabilities: Here's the list of the available capabilities:
- Support for enterprise identities Enables end users within an organization to use the identity that has been provided to them within the organization. This enables an organization to retain control of the application and eliminates the need for an organization to maintain another set of identities for their users. - Support for enterprise identities Enables end users within an organization to use the identity that has been provided to them within the organization. This feature enables an organization to keep control of the application and eliminates the need for an organization to maintain another set of identities for their users.
- Bulk acquisition support of applications Enables an IT administrator to acquire applications in bulk. IT departments can now take control over the procurement and distribution of applications. Previously, users acquire applications manually. - Bulk acquisition support of applications Enables an IT administrator to acquire applications in bulk. IT departments can now take control over the procurement and distribution of applications. Previously, users acquire applications manually.
- License reclaim and re-use Enables an enterprise to retain value in their purchases by allowing the ability to un-assign access to an application, and then reassign the application to another user. In Microsoft Store today, when a user with a Microsoft account leaves the organization he retains ownership of the application. - License reclaim and reuse Enables an enterprise to keep value in their purchases by allowing the ability to unassign access to an application, and then reassign the application to another user. In Microsoft Store today, when a user with a Microsoft account leaves the organization, they keep ownership of the application.
- Flexible distribution models for Microsoft Store apps Allows the enterprise to integrate with an organization's infrastructure the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services. - Flexible distribution models for Microsoft Store apps Allows enterprises to integrate with an organization's infrastructure. It also allows the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services.
- Custom Line of Business app support Enables management and distribution of enterprise applications through the Store for Business. - Custom Line of Business app support Enables management and distribution of enterprise applications through the Store for Business.
- Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices. - Support for Windows client devices - The Store for Business supports client devices.
For additional information about Store for Business, see the TechNet topics in [Microsoft Store for Business](/microsoft-store/). For more information, see [Microsoft Store for Business and Education](/microsoft-store/).
## Management services ## Management services
The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages. The Store for Business provides services that enable a management tool to synchronize new and updated applications for an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provide several features, including providing application data, can assign and reclaim applications, and can download offline-licensed application packages.
- **Application data**: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications. - **Application data**: The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This metadata includes:
- The application identifier that's used to deploy online license applications
- Artwork for an application that's used to create a company portal
- Localized descriptions for applications
- **Licensing models**: - **Licensing models**:
- **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services. - **Online-licensed** applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity, and rely on the store services on the device to get an application from the store. It's similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
- **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store. - **Offline-licensed** applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed applications don't require connectivity to the store. It can be updated directly from the store if the device has connectivity, and the app update policies allow updates to be distributed using the store.
### Offline-licensed application distribution ### Offline-licensed application distribution
The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. The following diagram is an overview of app distribution, from getting an offline-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices.
![business store offline app distribution.](images/businessstoreportalservices2.png) ![business store offline app distribution.](images/businessstoreportalservices2.png)
### Online-licensed application distribution ### Online-licensed application distribution
The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application. The following diagram is an overview of app distribution, from getting an online-licensed application to distributing to clients. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application before issuing the policy to install the application.
![business store online app distribution.](images/businessstoreportalservices3.png) ![business store online app distribution.](images/businessstoreportalservices3.png)
## Integrate with Azure Active Directory ## Integrate with Azure Active Directory
The Store for Business services rely on Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business. The Store for Business services use Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business.
To learn more about Azure AD and how to register your application within Azure AD, here are some topics to get you started: The following articles have more information about Azure AD, and how to register your application within Azure AD:
- Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) - Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](/azure/active-directory/develop/quickstart-register-app) - Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](/azure/active-directory/develop/quickstart-register-app)
- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](/azure/active-directory/develop/authentication-vs-authorization) - Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](/azure/active-directory/develop/authentication-vs-authorization)
For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are very similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026). For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026).
## Configure your Azure AD application ## Configure your Azure AD application
@ -76,9 +79,9 @@ MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The
Here are the details for requesting an authorization token: Here are the details for requesting an authorization token:
- Login Authority = `https://login.windows.net/<TargetTenantId>` - Login Authority = `https://login.windows.net/<TargetTenantId>`
- Resource/audience = `https://onestore.microsoft.com`: The token audience URI is meant as an identifier of the application for which the token is being generated, and it is not a URL for a service endpoint or a web-page. - Resource/audience = `https://onestore.microsoft.com`: The token audience URI is an application identifier for which the token is being generated. It's not a URL for a service endpoint or a web page.
- ClientId = your AAD application client id - ClientId = your Azure AD application client ID
- ClientSecret = your AAD application client secret/key - ClientSecret = your Azure AD application client secret/key
## Using the management tool ## Using the management tool

@ -1,175 +0,0 @@
---
title: Maps CSP
description: The Maps configuration service provider (CSP) is used to configure the maps to download to the device. This CSP was added in Windows 10, version 1511.
ms.assetid: E5157296-7C31-4B08-8877-15304C9F6F26
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# Maps CSP
The Maps configuration service provider (CSP) is used to configure the maps to download to the device. This CSP was added in Windows 10, version 1511.
> **Note**  The Maps CSP is only supported in Windows 10 Mobile.
The following shows the Maps configuration service provider in tree format.
```
./Vendor/MSFT
Maps
----Packages
--------Package
------------Status
```
<a href="" id="maps"></a>**Maps**
Root node.
<a href="" id="packages"></a>**Packages**
Represents the map packages installed on the device.
<a href="" id="packages-package"></a>**Packages/**<strong>*Package*</strong>
A GUID that represents a map package. When you add a *Package* node, Windows adds it to the queue for download to the device. See the table below for the list of various maps and corresponding GUIDS.
<a href="" id="packages-package-status"></a>**Packages/*Package*/Status**
Represents the stat of the package installed on the device.
Valid values:
- 1 - the specified map package is queued for download.
- 2 - the specified map package is downloading or installed.
Supported operation is Get. If the map is neither queued, downloading, or installed, then you will get a 404 from a Get request.
## Examples
Here is a list of GUIDs of the most downloaded reqions.
| Region | GUID |
|-------------------------------|--------------------------------------|
| **Germany** | |
| Baden-Wuerttemberg | bab02b93-31c4-413a-b0fe-95a43e186d8c |
| Bavaria | dceea482-12e9-458e-9f0f-21def9a70ed7 |
| Berlin/Brandenburg | d8a80d64-07ef-4145-82e5-97910f1012df |
| Hesse | b28e2071-678b-4671-8eff-97e1c124f2fb |
| Lower Saxony/Bremen | e3ac0f21-7209-4f42-93bf-a0d12c7df2e5 |
| Mecklenburg-Western Pomerania | 75760c3d-e651-4b4a-abfb-c22e2bf1ed93 |
| North Rhine-Westphalia | 3846905a-891e-46a9-bc6a-53ec43edcab0 |
| Rhineland-Palatinate/Saarland | b4c18bb5-1bfe-4da8-a951-833046e37c90 |
| Saxony | 8899e1a8-fc79-4f3a-a591-85f15dfb1adb |
| Saxony-Anhalt | fdd9a3eb-4253-4c4b-b34d-66265775518d |
| Schleswig-Holstein/Hamburg | 74d868dd-99a7-492f-93ee-2b9c0a6b7ebc |
| Thuringia | 399a3387-a545-4249-9925-04660426ef1c |
| **United Kingdom** | |
| England | bf612bb8-4094-4158-ac06-96171fa7ffdf |
| Northern Ireland | 07f1d10f-cd72-4801-912a-7ba75ef5a627 |
| Scotland | cade44ea-4421-4023-9498-bf1f92025c9e |
| Wales | 869f9131-e3c7-41df-b106-9d787c633a10 |
| **USA** | |
| Alabama | 4fdaabf4-0160-4075-b7ad-7a8a71e69e7e |
| Alaska | f691e35f-a6b9-4d6c-b657-0f092d5f2f0e |
| Arizona | 4a179b8e-c993-4c4b-a242-51f69068d73b |
| Arkansas | 4d152d48-92aa-4696-b8b2-c0bbacd421b6 |
| California | 1859bd60-854a-40e3-9216-6e9cf1fcfdce |
| Colorado | d7b4de3d-370c-44dc-8dc7-dcafe676d5ff |
| Connecticut | 47fbdbe0-6c4d-4966-9a02-8decc94a5a1c |
| Delaware | b2882156-e75c-4bdf-8f9f-45cbfac6b915 |
| Florida | 1769c37c-f22a-4212-bd4b-47036693b034 |
| Georgia | ad34ec5d-d84c-42fa-bec1-fe6143d2e68d |
| Hawaii | 4019c8a1-0d8f-43c6-baa6-7ff5a7888f21 |
| Idaho | 008d318b-5004-4e13-a4a4-f520e7969026 |
| Illinois | a2c35505-daf5-432d-a4df-544a5c2987c2 |
| Indiana | 4c3b6963-e380-45a9-8b25-2bdc4ce1ab26 |
| Iowa | e07df1bc-01e6-4ffb-9a20-a142a6d38218 |
| Kansas | 3397467d-3fb9-4ded-b6ad-3ab7313f8ff1 |
| Kentucky | bc751324-a591-4ecd-b27a-af15b5518051 |
| Louisiana | d11a119c-9e25-40d9-aef9-ed2f161113b0 |
| Maine | db5e6077-f4dd-4548-b50e-ebd147d20c37 |
| Maryland | 17739d09-a70a-4a23-859c-eabc57418d2f |
| Massachusetts | d168d0d5-7683-45a4-afd4-767fd1359ad8 |
| Michigan | 0abd961b-9602-4a2e-b093-c43a2a80aab5 |
| Minnesota | 2946ed46-b171-4e38-9278-e33a6967f143 |
| Mississippi | 78a38671-a8e8-48f1-a23b-3576df370437 |
| Missouri | 5c885acb-5fdc-4305-84f1-e18d3163724b |
| Montana | baf84353-89cf-4abd-9226-b932fd2294a4 |
| Nebraska | e389c2f8-41a0-4121-a654-77c52fbd61ed |
| Nevada | 8c321bdc-8e37-4be6-96e0-1d85c77c89f0 |
| New Hampshire | 38c35895-98ce-4ee4-bb47-7291b5e8543a |
| New Jersey | 70b1d647-ff93-415f-b2be-da06ee800516 |
| New Mexico | b434ea36-03ca-405c-8332-044b602e7b49 |
| New York | 93f2ba61-e03d-4b30-9be3-6e10728302d4 |
| North Carolina | d07208ed-50da-42f2-bade-cb26f283e113 |
| North Dakota | 8c6f0ebb-f282-431e-b4be-8faca5f12be0 |
| Ohio | 36553594-8197-497f-911e-f1cd976c2e00 |
| Oklahoma | 4e3a77ff-9dca-4add-93e9-2a9d6bc244a6 |
| Oregon | cf99c8ce-1b11-4972-9e12-f8c2717ade98 |
| Pennsylvania | cb7c0dea-1f9d-41ae-b81c-e683488d260c |
| Rhode Island | 737c2fca-efd3-4f5a-9359-0c301ecc0813 |
| South Carolina | c0a5542f-5efb-49ae-9d80-3914faa4cf77 |
| South Dakota | dbd8268b-7502-4f71-ba1c-2d452d496b18 |
| Tennessee | b51f7ae4-9eac-4a2b-b605-c2f9736b3481 |
| Texas | 4cc26a23-596f-4164-b9c2-ce0267b1ada7 |
| Utah | 50b2e947-e7b3-41b2-b595-8446f3f425ca |
| Vermont | a888d9cc-9f2a-4f18-a00a-15fa860d355d |
| Virginia | bfb4cce0-8fa5-4e70-a3c7-a69adce17fc9 |
| Washington | 1734acf4-3f87-47db-aec2-2b24c08f5a60 |
| Washington D.C. | 271328d6-8409-4975-ba8c-ba44e02fd3e0 |
| West Virginia | 638b6499-749b-4908-bfe6-1b9dcf5eb675 |
| Wisconsin | 0b5a98f7-489d-4a07-859b-4e01fe9e1b32 |
| Wyoming | 360e0c25-a3bb-4e29-939a-3631eae46e9a |
Here is an example queuing a map package of New York for download.
```xml
<SyncML>
<SyncBody>
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Maps/Packages/93f2ba61-e03d-4b30-9be3-6e10728302d4</LocURI>
</Target>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
Here is an example that gets the status of the New York map package on the device.
```xml
<SyncML>
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/Maps/Packages/93f2ba61-e03d-4b30-9be3-6e10728302d4/Status</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```

@ -1,125 +0,0 @@
---
title: Maps DDF file
description: This topic shows the OMA DM device description framework (DDF) for the Maps configuration service provider. This CSP was added in Windows 10, version 1511.
ms.assetid: EF22DBB6-0578-4FD0-B8A6-19DC03288FAF
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# Maps DDF file
This topic shows the OMA DM device description framework (DDF) for the Maps configuration service provider. This CSP was added in Windows 10, version 1511.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Maps</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Packages</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Package</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Status</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 

@ -15,21 +15,16 @@ manager: dansimp
The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703. The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703.
> [!NOTE]
> In Windows 10 Mobile, the NetworkProxy CSP only works in ethernet connections. Use the WiFi CSP to configure per-network proxy for Wi-Fi connections in mobile devices.
How the settings work: How the settings work:
<ol> - If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it.
<li>If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it.</li> - If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script.
<li>If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script.</li> - If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server.
<li>If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server.</li> - Otherwise, the system tries to reach the site directly.
<li>Otherwise, the system tries to reach the site directly.</li>
</ol>
The following shows the NetworkProxy configuration service provider in tree format. The following shows the NetworkProxy configuration service provider in tree format.
```
```console
./Vendor/MSFT ./Vendor/MSFT
NetworkProxy NetworkProxy
----ProxySettingsPerUser ----ProxySettingsPerUser
@ -40,8 +35,9 @@ NetworkProxy
--------Exceptions --------Exceptions
--------UseProxyForLocalAddresses --------UseProxyForLocalAddresses
``` ```
<a href="" id="networkproxy"></a>**./Vendor/MSFT/NetworkProxy** <a href="" id="networkproxy"></a>**./Vendor/MSFT/NetworkProxy**
The root node for the NetworkProxy configuration service provider.. The root node for the NetworkProxy configuration service provider.
<a href="" id="proxysettingsperuser"></a>**ProxySettingsPerUser** <a href="" id="proxysettingsperuser"></a>**ProxySettingsPerUser**
Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide. Added in Windows 10, version 1803. When set to 0, it enables proxy configuration as global, machine wide.
@ -55,10 +51,9 @@ Supported operations are Add, Get, Replace, and Delete.
Automatically detect settings. If enabled, the system tries to find the path to a PAC script. Automatically detect settings. If enabled, the system tries to find the path to a PAC script.
Valid values: Valid values:
<ul>
<li>0 - Disabled</li> - 0 - Disabled
<li>1 (default) - Enabled</li> - 1 (default) - Enabled
</ul>
The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
@ -84,17 +79,18 @@ The data type is string. Supported operations are Get and Replace. Starting in W
<a href="" id="useproxyforlocaladdresses"></a>**UseProxyForLocalAddresses** <a href="" id="useproxyforlocaladdresses"></a>**UseProxyForLocalAddresses**
Specifies whether the proxy server should be used for local (intranet) addresses.  Specifies whether the proxy server should be used for local (intranet) addresses. 
Valid values: Valid values:
<ul>
<li>0 (default) - Use proxy server for local addresses</li> - 0 (default) - Use proxy server for local addresses
<li>1 - Do not use proxy server for local addresses</li> - 1 - Do not use proxy server for local addresses
</ul>
The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. The data type is integer. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported.
## Configuration Example ## Configuration Example
These generic code portions for the options **ProxySettingsPerUser**, **Autodetect**, and **SetupScriptURL** can be used for a specific operation, for example Replace. Only enter the portion of code needed in the **Replace** section. These generic code portions for the options **ProxySettingsPerUser**, **Autodetect**, and **SetupScriptURL** can be used for a specific operation, for example Replace. Only enter the portion of code needed in the **Replace** section.
```xml ```xml
<Replace> <Replace>
<CmdID>1</CmdID> <CmdID>1</CmdID>
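Review bot: The "How the settings work" list in the first hunk is converted from an ordered `<ol>` to `-` bullets, but the second and third items still say `If #1 fails` and `If #2 fails`, so the cross-references now point at unnumbered bullets. Keeping the list ordered in markdown (`1. If auto-detect is enabled, ...`, `2. If #1 fails and a setup script is specified, ...`, and so on) preserves the fallback order the references depend on. Since that order means an auto-detected PAC script is tried before the configured one, a sentence such as `Because auto-detect is attempted first, an auto-detected PAC script takes precedence over SetupScriptURL; set Autodetect to 0 to force the configured script or proxy server.` would make the precedence explicit for readers pinning proxy configuration. The new `console` language tag on the tree-format fence labels a CSP node tree as console output; the Maps page deleted in this same commit used a bare fence for the same kind of listing.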

@ -52,7 +52,7 @@ Common elements are used by other OMA DM element types. The following table list
|MsgID|Specifies a unique identifier for an OMA DM session message.| |MsgID|Specifies a unique identifier for an OMA DM session message.|
|MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.| |MsgRef|Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.|
|RespURI|Specifies the URI that the recipient must use when sending a response to this message.| |RespURI|Specifies the URI that the recipient must use when sending a response to this message.|
|SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.</div>| |SessionID|Specifies the identifier of the OMA DM session associated with the containing message.<div class="alert">**Note**<br> If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the client returns the SessionID in integer in decimal format. If the server supports DM session sync version 2.0, which is used in Windows 10, the device client returns 2 bytes.</div>|
|Source|Specifies the message source address.| |Source|Specifies the message source address.|
|SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.| |SourceRef|Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.|
|Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.| |Target|Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.|
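Review bot: The rewritten SessionID note still reads `the client returns the SessionID in integer in decimal format`; removing the desktop/mobile split left the original phrasing problem in place. `the client returns the SessionID as an integer in decimal format` reads cleanly and says the same thing. The trailing `the device client returns 2 bytes` is also easier to follow as `the client returns a 2-byte value`, if that matches the intended meaning.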

@ -96,7 +96,7 @@ Node for defining the Windows Hello for Business policy settings.
<a href="" id="tenantid-policies-usepassportforwork"></a>***TenantId*/Policies/UsePassportForWork** <a href="" id="tenantid-policies-usepassportforwork"></a>***TenantId*/Policies/UsePassportForWork**
Boolean value that sets Windows Hello for Business as a method for signing into Windows. Boolean value that sets Windows Hello for Business as a method for signing into Windows.
Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required. Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business.
Supported operations are Add, Get, Delete, and Replace. Supported operations are Add, Get, Delete, and Replace.

@ -47,8 +47,6 @@ manager: dansimp
|Pro|Yes|Yes| |Pro|Yes|Yes|
|Enterprise|Yes|Yes| |Enterprise|Yes|Yes|
|Education|Yes|Yes| |Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs--> <!--/SupportedSKUs-->
<hr/> <hr/>
@ -94,8 +92,6 @@ The following list shows the supported values:
|Business|Yes|Yes| |Business|Yes|Yes|
|Enterprise|Yes|Yes| |Enterprise|Yes|Yes|
|Education|Yes|Yes| |Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs--> <!--/SupportedSKUs-->
<hr/> <hr/>
@ -138,8 +134,6 @@ The following list shows the supported values:
|Business|Yes|Yes| |Business|Yes|Yes|
|Enterprise|Yes|Yes| |Enterprise|Yes|Yes|
|Education|Yes|Yes| |Education|Yes|Yes|
|Mobile|Yes|Yes|
|Mobile Enterprise|Yes|Yes|
<!--/SupportedSKUs--> <!--/SupportedSKUs-->
<hr/> <hr/>

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: dansimp author: dansimp
ms.date: 09/23/2020 ms.date: 12/21/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -78,7 +78,7 @@ Time zone redirection is possible only when connecting to at least a Microsoft W
<!--ADMXBacked--> <!--ADMXBacked-->
ADMX Info: ADMX Info:
- GP Friendly name: *Allow time zone redirection* - GP Friendly name: *Allow time zone redirection*
- GP name: *TS_GATEWAY_POLICY_ENABLE* - GP name: *TS_TIME_ZONE*
- GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection* - GP path: *Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection*
- GP ADMX file name: *TerminalServer.admx* - GP ADMX file name: *TerminalServer.admx*

@ -415,7 +415,7 @@ Most restricted value: 0
<!--Validation--> <!--Validation-->
To verify AllowCookies is set to 0 (not allowed): To verify AllowCookies is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. 1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**. 2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Cookies** is disabled. 4. Verify the setting **Cookies** is disabled.
@ -453,8 +453,6 @@ To verify AllowCookies is set to 0 (not allowed):
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
[!INCLUDE [allow-developer-tools-shortdesc](../includes/allow-developer-tools-shortdesc.md)] [!INCLUDE [allow-developer-tools-shortdesc](../includes/allow-developer-tools-shortdesc.md)]
@ -530,7 +528,7 @@ Most restricted value: 1
<!--Validation--> <!--Validation-->
To verify AllowDoNotTrack is set to 0 (not allowed): To verify AllowDoNotTrack is set to 0 (not allowed):
1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. 1. Open Microsoft Edge.
2. In the upper-right corner of the browser, click **…**. 2. In the upper-right corner of the browser, click **…**.
3. Click **Settings** in the drop down list, and select **View Advanced Settings**. 3. Click **Settings** in the drop down list, and select **View Advanced Settings**.
4. Verify the setting **Send Do Not Track requests** is grayed out. 4. Verify the setting **Send Do Not Track requests** is grayed out.
@ -2223,11 +2221,6 @@ Most restricted value: 0
[!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../includes/configure-enterprise-mode-site-list-shortdesc.md)] [!INCLUDE [configure-enterprise-mode-site-list-shortdesc](../includes/configure-enterprise-mode-site-list-shortdesc.md)]
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -2314,9 +2307,6 @@ Supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only available for Windows for desktop and not supported in Windows Mobile.
[!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)] [!INCLUDE [configure-start-pages-shortdesc](../includes/configure-start-pages-shortdesc.md)]
@ -2813,8 +2803,6 @@ Supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
[!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)] [!INCLUDE [prevent-using-localhost-ip-address-for-webrtc-shortdesc](../includes/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md)]
@ -2931,10 +2919,6 @@ ADMX Info:
[!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)] [!INCLUDE [send-all-intranet-sites-to-ie-shortdesc](../includes/send-all-intranet-sites-to-ie-shortdesc.md)]
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -3163,10 +3147,6 @@ Supported values:
<!--Description--> <!--Description-->
[!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../includes/show-message-when-opening-sites-in-ie-shortdesc.md)] [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../includes/show-message-when-opening-sites-in-ie-shortdesc.md)]
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -3221,9 +3201,6 @@ This policy allows Enterprise Admins to turn off the notification for company de
By default, a notification will be presented to the user informing them of this upon application startup. By default, a notification will be presented to the user informing them of this upon application startup.
With this policy, you can either allow (default) or suppress this notification. With this policy, you can either allow (default) or suppress this notification.
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:
@ -3273,9 +3250,6 @@ Supported values:
[!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)] [!INCLUDE [keep-favorites-in-sync-between-ie-and-edge-shortdesc](../includes/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md)]
> [!NOTE]
> This policy is only enforced in Windows for desktop and not supported in Windows Mobile.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
ADMX Info: ADMX Info:

@ -105,7 +105,7 @@ manager: dansimp
Allows the user to enable Bluetooth or restrict access. Allows the user to enable Bluetooth or restrict access.
> [!NOTE] > [!NOTE]
>  This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. >  This value is not supported in Windows 10.
If this is not set or it is deleted, the default value of 2 (Allow) is used. If this is not set or it is deleted, the default value of 2 (Allow) is used.
@ -217,7 +217,7 @@ The following list shows the supported values:
<!--Validation--> <!--Validation-->
To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy.
To validate on mobile devices, do the following: To validate on devices, do the following:
1. Go to Cellular & SIM. 1. Go to Cellular & SIM.
2. Click on the SIM (next to the signal strength icon) and select **Properties**. 2. Click on the SIM (next to the signal strength icon) and select **Properties**.
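Review bot: The heading `To validate on devices, do the following:` now introduces steps (`Go to Cellular & SIM`, click the SIM next to the signal strength icon) that describe the Windows 10 Mobile settings UI, so dropping "mobile" makes them read as generic Windows 10 guidance that desktop presumably does not expose in this form. Either the steps should go with the rest of the Mobile content removed in this commit, or the heading should keep naming the devices the steps apply to. The rewritten note `This value is not supported in Windows 10.` leaves a documented value with no listed platform where it works; if that is accurate, saying the value is retained only for compatibility would tell readers why it is still listed, though I cannot confirm that from this hunk. The enclosing policy section continues outside the hunk.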

@ -152,7 +152,7 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space.
@ -201,7 +201,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network.
@ -585,7 +585,7 @@ The following list shows the supported values as number of seconds:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates.
@ -607,8 +607,8 @@ The following list shows the supported values:
- 1 (default) HTTP blended with peering behind the same NAT. - 1 (default) HTTP blended with peering behind the same NAT.
- 2 HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. - 2 HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
- 3 HTTP blended with Internet peering. - 3 HTTP blended with Internet peering.
- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. - 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release. - 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. Note that this value is deprecated and will be removed in a future release.
<!--/SupportedValues--> <!--/SupportedValues-->
<!--/Policy--> <!--/Policy-->
@ -642,13 +642,13 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity. This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity.
> [!NOTE] > [!NOTE]
> You must use a GUID as the group ID. > You must use a GUID as the group ID.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -799,10 +799,10 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607.
The default value is 259200 seconds (3 days). The default value is 259200 seconds (3 days).
@ -848,7 +848,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100).
@ -984,7 +984,7 @@ This policy is deprecated because it only applies to uploads to Internet peers (
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set.
@ -1033,7 +1033,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery.
@ -1081,7 +1081,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. Recommended values: 64 GB to 256 GB.
@ -1133,7 +1133,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB. Specifies the minimum content file size in MB enabled to use Peer Caching. Recommended values: 1 MB to 100,000 MB.
@ -1182,7 +1182,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions.
Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. Specifies the minimum RAM size in GB required to use Peer Caching. For example, if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB.
@ -1231,7 +1231,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path.
@ -1280,7 +1280,7 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. > This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions.
Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.


@ -146,7 +146,7 @@ The following list shows the supported values:
Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords.
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
@ -194,14 +194,14 @@ The following list shows the supported values:
Determines the type of PIN required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). Determines the type of PIN required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required).
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
> >
> Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education). > Always use the Replace command instead of Add for this policy in Windows for desktop editions (Home, Pro, Enterprise, and Education).
> [!NOTE] > [!NOTE]
> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. > If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1.
> >
> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. > If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2.
@ -248,7 +248,7 @@ The following list shows the supported values:
Specifies whether device lock is enabled. Specifies whether device lock is enabled.
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
> >
> Always use the Replace command instead of Add for this policy in Windows for desktop editions. > Always use the Replace command instead of Add for this policy in Windows for desktop editions.
@ -277,12 +277,12 @@ Specifies whether device lock is enabled.
> - MinDevicePasswordComplexCharacters > - MinDevicePasswordComplexCharacters
> [!Important] > [!Important]
> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: > **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:
> - **DevicePasswordEnabled** is the parent policy of the following: > - **DevicePasswordEnabled** is the parent policy of the following:
> - AllowSimpleDevicePassword > - AllowSimpleDevicePassword
> - MinDevicePasswordLength > - MinDevicePasswordLength
> - AlphanumericDevicePasswordRequired > - AlphanumericDevicePasswordRequired
> - MinDevicePasswordComplexCharacters  > - MinDevicePasswordComplexCharacters
> - DevicePasswordExpiration > - DevicePasswordExpiration
> - DevicePasswordHistory > - DevicePasswordHistory
> - MaxDevicePasswordFailedAttempts > - MaxDevicePasswordFailedAttempts
@ -330,7 +330,7 @@ The following list shows the supported values:
Specifies when the password expires (in days). Specifies when the password expires (in days).
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
@ -380,7 +380,7 @@ The following list shows the supported values:
Specifies how many passwords can be stored in the history that cant be used. Specifies how many passwords can be stored in the history that cant be used.
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords.
@ -430,7 +430,7 @@ The following list shows the supported values:
Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image.
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. > This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro.
Value type is a string, which is the full image filepath and filename. Value type is a string, which is the full image filepath and filename.
@ -470,13 +470,10 @@ Value type is a string, which is the full image filepath and filename.
The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality.
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
This policy has different behaviors on the mobile device and desktop. On a client device, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
- On a mobile device, when the user reaches the value set by this policy, then the device is wiped.
- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced.
Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key.
@ -489,7 +486,7 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
<!--SupportedValues--> <!--SupportedValues-->
The following list shows the supported values: The following list shows the supported values:
- An integer X where 4 &lt;= X &lt;= 16 for desktop and 0 &lt;= X &lt;= 999 for mobile devices. - An integer X where 4 &lt;= X &lt;= 16 for client devices.
- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. - 0 (default) - The device is never wiped after an incorrect PIN or password is entered.
<!--/SupportedValues--> <!--/SupportedValues-->
@ -526,11 +523,10 @@ The following list shows the supported values:
<!--Description--> <!--Description-->
Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app.
* On Mobile, the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
* On HoloLens, this timeout is controlled by the device's system sleep timeout, regardless of the value set by this policy.
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
@ -578,11 +574,11 @@ The following list shows the supported values:
The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
> >
> Always use the Replace command instead of Add for this policy in Windows for desktop editions. > Always use the Replace command instead of Add for this policy in Windows for desktop editions.
PIN enforces the following behavior for desktop and mobile devices: PIN enforces the following behavior for client devices:
- 1 - Digits only - 1 - Digits only
- 2 - Digits and lowercase letters are required - 2 - Digits and lowercase letters are required
@ -593,10 +589,9 @@ The default value is 1. The following list shows the supported values and actual
|Account Type|Supported Values|Actual Enforced Values| |Account Type|Supported Values|Actual Enforced Values|
|--- |--- |--- | |--- |--- |--- |
|Mobile|1,2,3,4|Same as the value set| |Local Accounts|1,2,3|3|
|Desktop Local Accounts|1,2,3|3| |Microsoft Accounts|1,2|&lt;p2|
|Desktop Microsoft Accounts|1,2|&lt;p2| |Domain Accounts|Not supported|Not supported|
|Desktop Domain Accounts|Not supported|Not supported|
Enforced values for Local and Microsoft Accounts: Enforced values for Local and Microsoft Accounts:
@ -652,7 +647,7 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
Specifies the minimum number or characters required in the PIN or password. Specifies the minimum number or characters required in the PIN or password.
> [!NOTE] > [!NOTE]
> This policy must be wrapped in an Atomic command. > This policy must be wrapped in an Atomic command.
> >
> Always use the Replace command instead of Add for this policy in Windows for desktop editions. > Always use the Replace command instead of Add for this policy in Windows for desktop editions.
@ -666,9 +661,9 @@ For additional information about this policy, see [Exchange ActiveSync Policy En
<!--SupportedValues--> <!--SupportedValues-->
The following list shows the supported values: The following list shows the supported values:
- An integer X where 4 &lt;= X &lt;= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6. - An integer X where 4 &lt;= X &lt;= 16 for client devices. However, local accounts will always enforce a minimum password length of 6.
- Not enforced. - Not enforced.
- The default value is 4 for mobile devices and desktop devices. - The default value is 4 for client devices.
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
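Review bot: In the `@@ -489,7 +486,7 @@` hunk the MaxDevicePasswordFailedAttempts range now reads `- An integer X where 4 &lt;= X &lt;= 16 for client devices.` while the next bullet still lists 0 as the default and the description above says 0 disables device wipe, so the documented default falls outside the documented range once the mobile range is dropped. Suggest `- An integer X where 4 &lt;= X &lt;= 16 for client devices, or 0 to disable device wipe.` so the two bullets agree. The rewritten paragraph in the `@@ -470,13 +470,10 @@` hunk says the policy cannot be enforced if BitLocker is not enabled; since the BitLocker recovery path is now the only enforcement described, it may be worth repeating that dependency next to the supported values, where admins look first.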


@ -1,6 +1,6 @@
--- ---
title: Policy CSP - Experience title: Policy CSP - Experience
description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory. description: Learn how to use the Policy CSP - Experience setting to allow history of clipboard items to be stored in memory.
ms.author: dansimp ms.author: dansimp
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10
@ -332,7 +332,7 @@ The following list shows the supported values:
Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g., auto-enrolled), then disabling the MDM unenrollment has no effect. Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g., auto-enrolled), then disabling the MDM unenrollment has no effect.
> [!NOTE] > [!NOTE]
> The MDM server can always remotely delete the account. > The MDM server can always remotely delete the account.
Most restricted value is 0. Most restricted value is 0.
@ -439,8 +439,6 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them.
@ -498,7 +496,7 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. > This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services.
@ -550,8 +548,7 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. > Prior to Windows 10, version 1803, this policy had User scope.
> Prior to Windows 10, version 1803, this policy had User scope.
This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles.
@ -605,7 +602,7 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education. > This policy is only available for Windows 10 Enterprise and Windows 10 Education.
Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings.
@ -658,8 +655,6 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows.
@ -763,8 +758,6 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
@ -909,7 +902,7 @@ The values for this policy are 0, 1, 2, and 3. This policy defaults to 0 if not
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy is only available for Windows 10 Enterprise and Windows 10 Education. > This policy is only available for Windows 10 Enterprise and Windows 10 Education.
Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1.


@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows ms.technology: windows
author: dansimp author: dansimp
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 09/29/2021 ms.date: 12/16/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -23,6 +23,9 @@ manager: dansimp
<dd> <dd>
<a href="#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a> <a href="#localpoliciessecurityoptions-accounts-blockmicrosoftaccounts">LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</a>
</dd> </dd>
<dd>
<a href="#localpoliciessecurityoptions-accounts-enableadministratoraccountstatus">LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</a>
</dd>
<dd> <dd>
<a href="#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a> <a href="#localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly">LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</a>
</dd> </dd>
@ -222,6 +225,54 @@ The following list shows the supported values:
<hr/> <hr/>
<!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-enableadministratoraccountstatus"></a>**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This setting allows the administrator to enable the local Administrator account.
Value type is integer. Supported operations are Add, Get, Replace, and Delete.
<!--/Description-->
<!--RegistryMapped-->
GP Info:
- GP Friendly name: *Accounts: Enable Administrator Account Status*
- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
<!--/RegistryMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 0 - disabled (local Administrator account is disabled).
- 1 - enabled (local Administrator account is enabled).
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--Policy--> <!--Policy-->
<a href="" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly"></a>**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly** <a href="" id="localpoliciessecurityoptions-accounts-limitlocalaccountuseofblankpasswordstoconsolelogononly"></a>**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**


@ -1,13 +1,13 @@
--- ---
title: Policy CSP - NetworkListManager title: Policy CSP - NetworkListManager
description: The Policy CSP - NetworkListManager setting creates a new MDM policy that allows admins to configure a list of URIs of HTTPS endpoints that are considered secure. description: Policy CSP - NetworkListManager is a setting creates a new MDM policy. This setting allows admins to configure a list of URIs of HTTPS endpoints that are considered secure.
ms.author: v-nsatapathy ms.author: v-nsatapathy
ms.topic: article ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: nimishasatapathy author: nimishasatapathy
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 7/10/2021 ms.date: 12/16/2021
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -60,7 +60,17 @@ manager: dansimp
<!--Description--> <!--Description-->
This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated. This policy setting provides the list of URLs (separated by Unicode character 0xF000) to endpoints accessible only within an enterprise's network. If any of the URLs can be resolved over HTTPS, the network would be considered authenticated.
<hr/> When entering a list of TLS endpoints in Microsoft Endpoint Manager, you must follow this format, even in the UI:
`<![CDATA[https://nls.corp.contoso.com&#xF000;https://nls.corp.fabricam.com]]>`
- The HTTPS endpoint must not have any more authentication checks, such as login or multi-factor authentication.
- The HTTPS endpoint must be an internal address not accessible from outside the corporate network.
- The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store.
- A certificate should not be a public certificate.
<hr/> <hr/>
@ -91,7 +101,7 @@ This policy setting provides the list of URLs (separated by Unicode character 0x
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
This policy setting provides the string to be used to name the network authenticated against one of the endpoints listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. This policy setting provides the string that is to be used to name a network. That network is authenticated against one of the endpoints that are listed in NetworkListManager/AllowedTlsAuthenticationEndpoints policy. If this setting is used for Trusted Network Detection in an _Always On_ VPN profile, it must be the DNS suffix that is configured in the TrustedNetworkDetection attribute.
<hr/> <hr/>
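Review bot: The certificate requirements added in the `@@ -60,7 +60,17 @@` hunk are the security-critical part of this policy, because a network is treated as authenticated whenever one of the listed endpoints validates over HTTPS, and two of the bullets are ambiguous. `The client must trust the server certificate. So the CA certificate that the HTTPS server certificate chains to must be present in the client machine's root certificate store.` can be read as requiring the issuing CA itself in the Trusted Root store; if the intent is that the chain must terminate in a trusted root with any intermediates available to the client, say that instead. `A certificate should not be a public certificate.` does not say whether "public" means issued by a public CA or something else, nor why it matters, so a one-clause reason would let admins apply it correctly. The front-matter change in the `@@ -1,13 +1,13 @@` hunk, `Policy CSP - NetworkListManager is a setting creates a new MDM policy.`, is also missing a word ("a setting that creates").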


@ -102,8 +102,7 @@ The following list shows the supported values:
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> >
> - This policy is deprecated in Windows 10, version 1607.<br/> > - This policy is deprecated in Windows 10, version 1607.
> - This policy is only enforced in Windows 10 for desktop.
Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
@ -185,8 +184,6 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart. Admin access is required. The prompt will appear on first admin logon after a reboot when the TPM is in a non-ready state that can be remediated with a TPM Clear. The prompt will have a description of what clearing the TPM does and that it requires a reboot. The user can dismiss it, but it will appear on next admin logon after restart.
@ -280,11 +277,8 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**.
Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. Specifies whether to allow automatic [device encryption](/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined.
@ -492,8 +486,8 @@ Setting this policy to 1 (Required):
- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. - Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification.
> [!NOTE] > [!NOTE]
> We recommend that this policy is set to Required after MDM enrollment. > We recommend that this policy is set to Required after MDM enrollment.
 
Most restricted value is 1. Most restricted value is 1.


@ -90,14 +90,11 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change Auto Play settings. Allows the user to change Auto Play settings.
> [!NOTE] > [!NOTE]
> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. > Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected.
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->
@ -140,7 +137,7 @@ The following list shows the supported values:
Allows the user to change Data Sense settings. Allows the user to change Data Sense settings.
> [!NOTE] > [!NOTE]
> The **AllowDataSense** policy is not supported on Windows 10, version 2004 and later. > The **AllowDataSense** policy is not supported on Windows 10, version 2004 and later.
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->
@ -220,9 +217,6 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change the language settings. Allows the user to change the language settings.
@ -266,7 +260,7 @@ The following list shows the supported values:
<!--Description--> <!--Description-->
Enables or disables the retrieval of online tips and help for the Settings app. Enables or disables the retrieval of online tips and help for the Settings app.
If disabled, Settings will not contact Microsoft content services to retrieve tips and help content. If disabled, Settings won't contact Microsoft content services to retrieve tips and help content.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -308,9 +302,6 @@ ADMX Info:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change power and sleep settings. Allows the user to change power and sleep settings.
@ -352,9 +343,6 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change the region settings. Allows the user to change the region settings.
@ -396,11 +384,8 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows the user to change sign in options.
Allows the user to change sign-in options.
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->
@ -480,9 +465,6 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Allows user to change workplace settings. Allows user to change workplace settings.
@ -564,7 +546,7 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. Allows IT Admins to configure the default setting for showing more calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. Other supported calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale.
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->
@ -615,31 +597,41 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For additional information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference). Allows IT Admins to either:
The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: - Prevent specific pages in the System Settings app from being visible or accessible
showonly:about;bluetooth OR
If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (that is, treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. - To do so for all pages except the pages you enter
The mode will be specified by the policy string beginning with either the string `showonly:` or `hide:`. Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix.
For example, if the URI for a settings page is "ms-settings:bluetooth", the page identifier used in the policy will be just "bluetooth". Multiple page identifiers are separated by semicolons. For more information on the URI reference scheme used for the various pages of the System Settings app, see [ms-settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference).
The following example shows a policy that allows access only to the **about** and **bluetooth** pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively:
`showonly:about;bluetooth`
If the policy isn't specified, then the behavior is that no pages are affected. If the policy string is formatted incorrectly, then it's ignored (that is, treated as not set). It's ignored to prevent the machine from becoming unserviceable if data corruption occurs. If a page is already hidden for another reason, then it stays hidden, even if the page is in a `showonly:` list.
The format of the PageVisibilityList value is as follows: The format of the PageVisibilityList value is as follows:
- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. - The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity.
- There are two variants: one that shows only the given pages and one that hides the given pages. - There are two variants: one that shows only the given pages and one that hides the given pages.
- The first variant starts with the string "showonly:" and the second with the string "hide:". - The first variant starts with the string `showonly:` and the second with the string "hide:".
- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. - Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace.
- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi". - Each page identifier is the `ms-settings:xyz` URI for the page, minus the `ms-settings:` prefix. So the identifier for the page with the `ms-settings:network-wifi` URI would be `network-wifi`.
The default value for this setting is an empty string, which is interpreted as show everything. The default value for this setting is an empty string, which is interpreted as show everything.
Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:network-wifi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: **Example 1**: Only the wifi and bluetooth pages should be shown. They have URIs `ms-settings:network-wifi` and `ms-settings:bluetooth`. All other pages (and the categories they're in) will be hidden:
showonly:network-wifi;bluetooth `showonly:network-wifi;bluetooth`
Example 2, specifies that the wifi page should not be shown: **Example 2**: The wifi page shouldn't be shown:
hide:network-wifi `hide:network-wifi`
<!--/Description--> <!--/Description-->
<!--ADMXMapped--> <!--ADMXMapped-->


@ -608,9 +608,6 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Forces the start screen size. Forces the start screen size.
@ -658,7 +655,7 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy requires reboot to take effect. > This policy requires reboot to take effect.
Allows IT Admins to configure Start by collapsing or removing the all apps list. Allows IT Admins to configure Start by collapsing or removing the all apps list.
@ -762,7 +759,7 @@ To validate on Desktop, do the following:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy requires reboot to take effect. > This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding most used apps. Allows IT Admins to configure Start by hiding most used apps.
@ -819,7 +816,7 @@ Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the
> [!NOTE] > [!NOTE]
> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. > This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's.
<!--/Description--> <!--/Description-->
<!--SupportedValues--> <!--SupportedValues-->
@ -964,7 +961,7 @@ The following list shows the supported values:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy requires reboot to take effect. > This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding the Power button from appearing. Allows IT Admins to configure Start by hiding the Power button from appearing.
@ -1014,7 +1011,7 @@ To validate on Desktop, do the following:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy requires reboot to take effect. > This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding recently opened items in the jump lists from appearing. Allows IT Admins to configure Start by hiding recently opened items in the jump lists from appearing.
@ -1072,7 +1069,7 @@ To validate on Desktop, do the following:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy requires reboot to take effect. > This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding recently added apps. Allows IT Admins to configure Start by hiding recently added apps.
@ -1369,7 +1366,7 @@ To validate on Desktop, do the following:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy requires reboot to take effect. > This policy requires reboot to take effect.
Allows IT Admins to configure Start by hiding the user tile. Allows IT Admins to configure Start by hiding the user tile.
@ -1420,7 +1417,7 @@ To validate on Desktop, do the following:
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
> [!NOTE] > [!NOTE]
> This policy requires reboot to take effect. > This policy requires reboot to take effect.
Here is additional SKU support information: Here is additional SKU support information:
@ -1433,7 +1430,7 @@ Here is additional SKU support information:
This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files.
> [!IMPORTANT] > [!IMPORTANT]
> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. > Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy.
The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles). The value set for this policy is an XML string containing Edge assets. For an example XML string, see [Add image for secondary Microsoft Edge tiles](/windows/configuration/start-secondary-tiles).


@ -14,14 +14,16 @@ ms.date: 06/28/2017
# PolicyManager CSP # PolicyManager CSP
PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead. PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile and Windows Phone 8.1
> **Note**   The PolicyManager CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. > **Note**   The PolicyManager CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices.
-->
## Related articles
[Policy CSP](policy-configuration-service-provider.md)
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -1,77 +0,0 @@
---
title: Registry CSP
description: In this article, learn how to use the Registry configuration service provider (CSP) to update registry settings.
ms.assetid: 2307e3fd-7b61-4f00-94e1-a639571f2c9d
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# Registry CSP
The Registry configuration service provider is used to update registry settings. However, if there is configuration service provider that is specific to the settings that need to be updated, use the specific configuration service provider.
> [!NOTE]
> The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management.
For Windows 10 Mobile only, this configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
 
For the Registry CSP, you cannot use the Replace command unless the node already exists.
The Registry configuration service provider can be managed over both the OMA Client Provisioning and the OMA DM protocol. When using OMA DM to add a registry key, a child registry value must also be added in the XML code.
For OMA Client Provisioning, the follows notes apply:
- Querying the registry at the top level is not allowed. All parameters must be queried individually. The underlying data store of the Registry is typed. Be sure to use the **datatype** attribute of the *&lt;parm&gt;* tag.
- This documentation describes the default characteristics. Additional characteristics may be added.
- Because the **Registry** configuration service provider uses the backslash (\\) character as a separator between key names, backslashes, which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\\).
The default security role maps to each subnode unless specific permission is granted to the subnode. The security role for subnodes is implementation specific, and can be changed by OEMs and mobile operators.
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
|Elements|Available|
|--- |--- |
|Parm-query|Yes|
|Noparm|Yes|
|Uncharacteristic|Yes|
|Characteristic-query|Yes<br/><br/>Recursive query: Yes<br/><br/>Top-level query: No|
 
Use these elements to build standard OMA Client Provisioning configuration XML. For information about specific elements, see MSPROV DTD elements.
## Supported Data Types
The following table shows the data types this configuration service provider supports.
|XML Data Type|Native Registry Type|XML Format|
|--- |--- |--- |
|Integer|REG_DWORD|Integer. A query of this parameter returns an integer type.|
|Boolean|REG_DWORD|Integer value of 1 or 0. A query of this parameter returns an integer type.|
|Float|REG_SZ|Float. A query of this parameter returns a string type.|
|String|REG_SZ|String. A query of this parameter returns a string type.|
|multiple string|REG_MULTI_SZ|Multiple strings are separated by **&#xF000** and ended with two **&#xF000** - A query of this parameter returns a multi-string type.|
|Binary|REG_BINARY|Base64 encoded. A query of this parameter returns a binary type.|
|Time|FILETIME in REG_BINARY|The time format conforms to the ISO8601 standard, with the date portion optional. If the date portion is omitted, also omit the "T" delimiter. A query of this parameter returns a binary type.|
|Date|FILETIME in REG_BINARY|The date format conforms to the ISO8601 standard, with the time portion optional. If the time portion is omitted, also omit the "T" delimiter. A query of this parameter returns a binary type.|
 
It is not possible to access registry keys nested under the current path by using the Registry configuration service provider. Instead, the values of the subkey must be accessed separately by using a new characteristic.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -1,130 +0,0 @@
---
title: Registry DDF file
description: Learn about the OMA DM device description framework (DDF) for the Registry configuration service provider (CSP).
ms.assetid: 29b5cc07-f349-4567-8a77-387d816a9d15
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# Registry DDF file
This topic shows the OMA DM device description framework (DDF) for the **Registry** configuration service provider. DDF files are used only with OMA DM provisioning XML.
```xml
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Registry</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>The root node of registry</Description>
</DFProperties>
<Node>
<NodeName>HKCR</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>HK_CLASSES_ROOT portion of device registry.</Description>
</DFProperties>
</Node>
<Node>
<NodeName>HKCU</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>HK_CURRENT_USER portion of device registry.</Description>
</DFProperties>
</Node>
<Node>
<NodeName>HKLM</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>HK_LOCAL_MACHINE portion of device registry.</Description>
</DFProperties>
</Node>
<Node>
<NodeName>HKU</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<Description>HK_USERS portion of device registry.</Description>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[Registry configuration service provider](registry-csp.md)
 
 


@ -1,108 +0,0 @@
---
title: RemoteLock CSP
description: Learn how RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
ms.assetid: c7889331-5aa3-4efe-9a7e-20d3f433659b
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# RemoteLock CSP
The RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
> [!Note]
> The RemoteLock CSP is only supported in Windows 10 Mobile.
<a href="" id="--vendor-msft-remotelock"></a>**./Vendor/MSFT/RemoteLock**
<p>Defines the root node for the RemoteLock configuration service provider.</p>
<a href="" id="lock"></a>**Lock**
Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed [here](https://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification. The supported operations are Get and Exec.
|Status|Description|Meaning [Standard]|
|--- |--- |--- |
|(200) OK|The device was successfully locked.|The command and the associated Alert action are completed successfully.|
|(405)|The device could not be locked because there is no PIN currently set on the device.|The requested command is not allowed on the target.|
|(500) Command failed|The device was not locked for some unknown reason.|Non-specific errors were created by the recipient while attempting to complete the command.|
<a href="" id="lockandresetpin"></a>**LockAndResetPIN**
This setting can be used to lock and reset the PIN on the device. It is used in conjunction with the NewPINValue node. After the **Exec** operation is called successfully on this node, the previous PIN will no longer work and cannot be recovered. The supported operation is Exec.
This node will return the following status. All OMA DM errors are listed [here](https://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification.
|Status|Description|Meaning|
|--- |--- |--- |
|(200) OK|The device has been locked with a new password which has been reset.|The command and the associated Alert action are completed successfully.|
|(500) Command failed|N/A|Non-specific errors were created by the recipient while attempting to complete the command.|
<a href="" id="lockandrecoverpin"></a>**LockAndRecoverPIN**
Added in Windows 10, version 1703. This setting performs a similar function to the LockAndResetPIN node. With LockAndResetPIN any Windows Hello keys associated with the PIN gets deleted, but with LockAndRecoverPIN those keys are saved. After the Exec operation is called successfully on this setting, the new PIN can be retrieved from the NewPINValue setting. The previous PIN will no longer work.
Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the [EnablePinRecovery](./passportforwork-csp.md#tenantid-policies-enablepinrecovery) policy is set on the client.
<a href="" id="newpinvalue"></a>**NewPINValue**
This setting contains the PIN after Exec has been called on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin. If LockAndResetPIN or LockAndResetPIN has never been called, the value will be null. If Get is called on this node after a successful Exec call on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin, then the new PIN will be provided. If another Get command is called on this node, the value will be null. If you need to reset the PIN again, then another LockAndResetPIN Exec can be communicated to the device to generate a new PIN. The PIN value will conform to the minimum PIN complexity requirements of the merged policies that are set on the device. If no PIN policy has been set on the device, the generated PIN will conform to the default policy of the device.
The data type returned is a string.
The supported operation is Get.
A Get operation on this node must follow an Exec operation on the /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin node in the proper order and in the same SyncML message. The Sequence tag can be used to guarantee the order in which commands are processed.
## Examples
Initiate a remote lock of the device.
```xml
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/Lock </LocURI>
</Target>
</Item>
</Exec>
```
Initiate a remote lock and PIN reset of the device. To successfully retrieve the new device-generated PIN, the commands must be executed together and in the proper sequence as shown below.
```xml
<Sequence>
<CmdID>1</CmdID>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/LockAndResetPIN </LocURI>
</Target>
</Item>
</Exec>
<Get>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/NewPINValue </LocURI>
</Target>
</Item>
</Get>
</Sequence>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -1,153 +0,0 @@
---
title: RemoteLock DDF file
description: Learn about the OMA DM device description framework (DDF) for the RemoteLock configuration service provider (CSP).
ms.assetid: A301AE26-1BF1-4328-99AB-1ABBA4960797
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# RemoteLock DDF file
This topic shows the OMA DM device description framework (DDF) for the **RemoteLock** configuration service provider. DDF files are used only with OMA DM provisioning XML.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC "-//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[
<?oma-dm-ddf-ver supported-versions="1.2"?>
]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>RemoteLock</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Lock</NodeName>
<DFProperties>
<AccessType>
<Get />
<Exec />
</AccessType>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LockAndResetPIN</NodeName>
<DFProperties>
<AccessType>
<Get />
<Exec />
</AccessType>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>LockAndRecoverPIN</NodeName>
<DFProperties>
<AccessType>
<Get />
<Exec />
</AccessType>
<DFFormat>
<null />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NewPINValue</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[RemoteLock configuration service provider](remotelock-csp.md)
 
 


@ -15,10 +15,11 @@ ms.date: 06/26/2017
# Reporting CSP # Reporting CSP
The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. This CSP was added in Windows 10, version 1511. The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. This CSP was added in Windows 10, version 1511.
The following DDF format shows the Reporting configuration service provider in tree format. The following DDF format shows the Reporting configuration service provider in tree format.
```
```console
./Vendor/MSFT ./Vendor/MSFT
Reporting Reporting
----EnterpriseDataProtection ----EnterpriseDataProtection
@ -33,14 +34,18 @@ Reporting
------------StartTime ------------StartTime
------------Type ------------Type
``` ```
<a href="" id="reporting"></a>**Reporting** <a href="" id="reporting"></a>**Reporting**
Root node. Root node.
<a href="" id="reporting-enterprisedataprotection"></a>**Reporting/EnterpriseDataProtection** <a href="" id="reporting-enterprisedataprotection"></a>**Reporting/EnterpriseDataProtection**
Interior node for retrieving the Windows Information Protection (formerly known as Enterprise Data Protection) logs. Interior node for retrieving the Windows Information Protection (formerly known as Enterprise Data Protection) logs.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile.
<a href="" id="reporting-securityauditing--for-mobile-only-"></a>**Reporting/SecurityAuditing** (for mobile only) <a href="" id="reporting-securityauditing--for-mobile-only-"></a>**Reporting/SecurityAuditing** (for mobile only)
Interior node for retrieving the security auditing logs. This node is only for mobile devices. Interior node for retrieving the security auditing logs. This node is only for mobile devices.
-->
<a href="" id="retrievebytimerange"></a>**RetrieveByTimeRange** <a href="" id="retrievebytimerange"></a>**RetrieveByTimeRange**
Returns the logs that exist within the StartTime and StopTime. The StartTime and StopTime are expressed in ISO 8601 format. If the StartTime and StopTime are not specified, then the values are interpreted as either first existing or last existing time. Returns the logs that exist within the StartTime and StopTime. The StartTime and StopTime are expressed in ISO 8601 format. If the StartTime and StopTime are not specified, then the values are interpreted as either first existing or last existing time.
@ -89,7 +94,7 @@ Value type is int.
Supported operations are Get and Replace. Supported operations are Get and Replace.
## Examples ## Example
Retrieve all available Windows Information Protection (formerly known as Enterprise Data Protection) logs starting from the specified StartTime. Retrieve all available Windows Information Protection (formerly known as Enterprise Data Protection) logs starting from the specified StartTime.
@ -114,6 +119,8 @@ Retrieve all available Windows Information Protection (formerly known as Enterpr
</SyncML> </SyncML>
``` ```
<!-- 12.16.2021 mandia: Commenting out, as this CSP example is specific to Windows 10 Mobile.
Retrieve a specified number of security auditing logs starting from the specified StartTime. Retrieve a specified number of security auditing logs starting from the specified StartTime.
```xml ```xml
@ -163,13 +170,4 @@ Retrieve a specified number of security auditing logs starting from the specifie
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
-->
 
 

@ -14,6 +14,9 @@ ms.date: 06/26/2017
# Storage CSP # Storage CSP
Storage CSP is deprecated. Use System/AllowStorageCard in [Policy CSP](policy-configuration-service-provider.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile.
The Storage enterprise configuration service provider is used to configure the storage card settings. Currently, the only setting that needs to be configured is to enable or disable storage cards. The Storage enterprise configuration service provider is used to configure the storage card settings. Currently, the only setting that needs to be configured is to enable or disable storage cards.
@ -34,19 +37,10 @@ The supported operations are Get and Replace.
> **Note**   If the device returns a 404 error code when the server applies the Get command to ./Vendor/MSFT/Storage/Disable, it means that the device does not have an SD card. > **Note**   If the device returns a 404 error code when the server applies the Get command to ./Vendor/MSFT/Storage/Disable, it means that the device does not have an SD card.
  -->
## Related topics ## Related topics
System/AllowStorageCard in [Policy CSP](policy-configuration-service-provider.md)
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)
 
 

@ -14,6 +14,9 @@ ms.date: 12/05/2017
# Storage DDF file # Storage DDF file
Storage CSP is deprecated. Use System/AllowStorageCard in [Policy CSP](policy-configuration-service-provider.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile.
This topic shows the OMA DM device description framework (DDF) for the **Storage** configuration service provider. DDF files are used only with OMA DM provisioning XML. This topic shows the OMA DM device description framework (DDF) for the **Storage** configuration service provider. DDF files are used only with OMA DM provisioning XML.
@ -77,12 +80,12 @@ The XML below is the current version for this CSP.
</MgmtTree> </MgmtTree>
``` ```
  -->
 
## Related topics
System/AllowStorageCard in [Policy CSP](policy-configuration-service-provider.md)
[Storage CSP (deprecated)](storage-csp.md)
[Configuration service provider reference](configuration-service-provider-reference.md)

@ -264,13 +264,6 @@ items:
items: items:
- name: EnterpriseAppVManagement DDF file - name: EnterpriseAppVManagement DDF file
href: enterpriseappvmanagement-ddf.md href: enterpriseappvmanagement-ddf.md
- name: EnterpriseAssignedAccess CSP
href: enterpriseassignedaccess-csp.md
items:
- name: EnterpriseAssignedAccess DDF file
href: enterpriseassignedaccess-ddf.md
- name: EnterpriseAssignedAccess XSD
href: enterpriseassignedaccess-xsd.md
- name: EnterpriseDataProtection CSP - name: EnterpriseDataProtection CSP
href: enterprisedataprotection-csp.md href: enterprisedataprotection-csp.md
items: items:
@ -283,16 +276,6 @@ items:
href: enterprisedesktopappmanagement-ddf-file.md href: enterprisedesktopappmanagement-ddf-file.md
- name: EnterpriseDesktopAppManagement XSD - name: EnterpriseDesktopAppManagement XSD
href: enterprisedesktopappmanagement2-xsd.md href: enterprisedesktopappmanagement2-xsd.md
- name: EnterpriseExt CSP
href: enterpriseext-csp.md
items:
- name: EnterpriseExt DDF file
href: enterpriseext-ddf.md
- name: EnterpriseExtFileSystem CSP
href: enterpriseextfilessystem-csp.md
items:
- name: EnterpriseExtFileSystem DDF file
href: enterpriseextfilesystem-ddf.md
- name: EnterpriseModernAppManagement CSP - name: EnterpriseModernAppManagement CSP
href: enterprisemodernappmanagement-csp.md href: enterprisemodernappmanagement-csp.md
items: items:
@ -305,8 +288,6 @@ items:
items: items:
- name: eUICCs DDF file - name: eUICCs DDF file
href: euiccs-ddf-file.md href: euiccs-ddf-file.md
- name: FileSystem CSP
href: filesystem-csp.md
- name: Firewall CSP - name: Firewall CSP
href: firewall-csp.md href: firewall-csp.md
items: items:
@ -317,13 +298,6 @@ items:
items: items:
- name: HealthAttestation DDF - name: HealthAttestation DDF
href: healthattestation-ddf.md href: healthattestation-ddf.md
- name: HotSpot CSP
href: hotspot-csp.md
- name: Maps CSP
href: maps-csp.md
items:
- name: Maps DDF
href: maps-ddf-file.md
- name: Messaging CSP - name: Messaging CSP
href: messaging-csp.md href: messaging-csp.md
items: items:
@ -866,21 +840,11 @@ items:
items: items:
- name: Reboot DDF file - name: Reboot DDF file
href: reboot-ddf-file.md href: reboot-ddf-file.md
- name: Registry CSP
href: registry-csp.md
items:
- name: Registry DDF file
href: registry-ddf-file.md
- name: RemoteFind CSP - name: RemoteFind CSP
href: remotefind-csp.md href: remotefind-csp.md
items: items:
- name: RemoteFind DDF file - name: RemoteFind DDF file
href: remotefind-ddf-file.md href: remotefind-ddf-file.md
- name: RemoteLock CSP
href: remotelock-csp.md
items:
- name: RemoteLock DDF file
href: remotelock-ddf-file.md
- name: RemoteRing CSP - name: RemoteRing CSP
href: remotering-csp.md href: remotering-csp.md
items: items:
@ -1001,11 +965,6 @@ items:
items: items:
- name: WindowsLicensing DDF file - name: WindowsLicensing DDF file
href: windowslicensing-ddf-file.md href: windowslicensing-ddf-file.md
- name: WindowsSecurityAuditing CSP
href: windowssecurityauditing-csp.md
items:
- name: WindowsSecurityAuditing DDF file
href: windowssecurityauditing-ddf-file.md
- name: WiredNetwork CSP - name: WiredNetwork CSP
href: wirednetwork-csp.md href: wirednetwork-csp.md
items: items:

@ -14,6 +14,9 @@ ms.date: 04/02/2017
# VPN CSP # VPN CSP
The VPN CSP is deprecated. Use [VPNv2 CSP](vpnv2-csp.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile.
The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see [Configure IKEv2-based Remote Access](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)). The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see [Configure IKEv2-based Remote Access](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)).
@ -339,11 +342,10 @@ Value type is chr.
An example is corp.contoso.com. An example is corp.contoso.com.
-->
## Related topics ## Related topics
[VPNv2 CSP](vpnv2-csp.md)
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)
 
 

@ -14,6 +14,9 @@ ms.date: 06/26/2017
# VPN DDF file # VPN DDF file
The VPN CSP is deprecated. Use [VPNv2 CSP](vpnv2-csp.md) instead.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile.
This topic shows the OMA DM device description framework (DDF) for the **VPN** configuration service provider. DDF files are used only with OMA DM provisioning XML. This topic shows the OMA DM device description framework (DDF) for the **VPN** configuration service provider. DDF files are used only with OMA DM provisioning XML.
@ -1383,17 +1386,12 @@ This topic shows the OMA DM device description framework (DDF) for the **VPN** c
</MgmtTree> </MgmtTree>
``` ```
-->
## Related topics ## Related topics
[VPNv2 CSP](vpnv2-csp.md)
[VPN configuration service provider](vpn-csp.md) [VPN configuration service provider (deprecated)](vpn-csp.md)
 
 
[Configuration service provider reference](configuration-service-provider-reference.md)

@ -22,12 +22,11 @@ The WiFi configuration service provider provides the functionality to add or del
Programming considerations: Programming considerations:
- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS. - If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS.
- Because the Windows 10 Mobile emulator does not support Wi-Fi, you cannot test the Wi-Fi configuration with an emulator. You can still provision a Wi-Fi network using the WiFi CSP, then check it in the Wi-Fi settings page, but you cannot test the network connectivity in the emulator.
- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device. - For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device.
- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported. - The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. Unicode characters without the necessary escaping are not supported.
- The \<name>*name\_goes\_here*\</name>\<SSIDConfig> must match \<SSID>\<name> *name\_goes\_here*\</name>\</SSID>. - The \<name>*name\_goes\_here*\</name>\<SSIDConfig> must match \<SSID>\<name> *name\_goes\_here*\</name>\</SSID>.
- For the WiFi CSP, you cannot use the Replace command unless the node already exists. - For the WiFi CSP, you cannot use the Replace command unless the node already exists.
- Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure. - Using Proxyis in Windows 10 client editions (Home, Pro, Enterprise, and Education) will result in failure.
The following shows the WiFi configuration service provider in tree format. The following shows the WiFi configuration service provider in tree format.
@ -39,9 +38,6 @@ WiFi
---Profile ---Profile
------SSID ------SSID
---------WlanXML ---------WlanXML
---------Proxy
---------ProxyPacUrl
---------ProxyWPAD
---------WiFiCost ---------WiFiCost
``` ```
@ -74,11 +70,16 @@ The profile XML must be escaped, as shown in the examples below.
If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample). If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](/windows/win32/nativewifi/wpa2-personal-profile-sample).
> **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md). > [!NOTE]
> If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](./eap-configuration.md).
The supported operations are Add, Get, Delete, and Replace. The supported operations are Add, Get, Delete, and Replace.
<a href="" id="proxy"></a>**Proxy** <a href="" id="proxy"></a>**Proxy**
Don't use. Using this configuration in Windows 10 client editions will result in failure.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile.
Optional. Specifies the configuration of the network proxy. A proxy server host and port can be specified per connection for Windows 10 Mobile. This proxy configuration is only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions will result in failure. Optional. Specifies the configuration of the network proxy. A proxy server host and port can be specified per connection for Windows 10 Mobile. This proxy configuration is only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions will result in failure.
The format is *host:port*, where host can be one of the following: The format is *host:port*, where host can be one of the following:
@ -90,12 +91,13 @@ The format is *host:port*, where host can be one of the following:
If it is an IPvFuture address, then it must be specified as an IP literal as "\[" (IP v6 address / IPvFuture ) "\]", such as "\[2441:4880:28:3:204:76ff:f43f:6eb\]:8080". If it is an IPvFuture address, then it must be specified as an IP literal as "\[" (IP v6 address / IPvFuture ) "\]", such as "\[2441:4880:28:3:204:76ff:f43f:6eb\]:8080".
Supported operations are Get, Add, Delete, and Replace. Supported operations are Get, Add, Delete, and Replace.
-->
<a href="" id="disableinternetconnectivitychecks"></a>**DisableInternetConnectivityChecks** <a href="" id="disableinternetconnectivitychecks"></a>**DisableInternetConnectivityChecks**
> [!Note] > [!Note]
> This node has been deprecated since Windows 10, version 1607. > This node has been deprecated since Windows 10, version 1607.
Added in Windows 10, version 1511. Optional. Disable the internet connectivity check for the profile. Added in Windows 10, version 1511. Optional. Disable the internet connectivity check for the profile.
Value type is chr. Value type is chr.
@ -105,14 +107,24 @@ Value type is chr.
Supported operations are Get, Add, Delete, and Replace. Supported operations are Get, Add, Delete, and Replace.
<a href="" id="proxypacurl"></a>**ProxyPacUrl** <a href="" id="proxypacurl"></a>**ProxyPacUrl**
Don't use. Using this configuration in Windows 10 client editions will result in failure.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile.
Added in Windows 10, version 1607. Optional. Specifies the value of the URL to the Proxy auto-config (PAC) file location. This proxy configuration is only supported in Windows 10 Mobile. Added in Windows 10, version 1607. Optional. Specifies the value of the URL to the Proxy auto-config (PAC) file location. This proxy configuration is only supported in Windows 10 Mobile.
Value type is chr, e.g. http://www.contoso.com/wpad.dat. Value type is chr, e.g. http://www.contoso.com/wpad.dat.
-->
<a href="" id="proxywpad"></a>**ProxyWPAD** <a href="" id="proxywpad"></a>**ProxyWPAD**
Added in Windows 10, version 1607. Optional. When set to true it enables Web Proxy Auto-Discovery Protocol (WPAD) for proxy lookup.This proxy configuration is only supported in Windows 10 Mobile. Don't use. Using this configuration in Windows 10 client editions will result in failure.
<!-- 12.16.2021 mandia: Commenting out, as this CSP is specific to Windows 10 Mobile.
Added in Windows 10, version 1607. Optional. When set to true it enables Web Proxy Auto-Discovery Protocol (WPAD) for proxy lookup.This proxy configuration is only supported in Windows 10 Mobile.
Value type is bool. Value type is bool.
-->
<a href="" id="wificost"></a>**WiFiCost** <a href="" id="wificost"></a>**WiFiCost**
Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behavior: Unrestricted. Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behavior: Unrestricted.
@ -132,7 +144,7 @@ These XML examples show how to perform various tasks using OMA DM.
### Add a network ### Add a network
The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork,' a proxy URL 'testproxy,' and port 80. The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork,'.
```xml ```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
@ -151,18 +163,6 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor
<Data><?xml version="1.0"?><WLANProfile xmlns="http://contoso.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><hex>412D4D534654574C414E</hex><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://contoso.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://contoso.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://contoso.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://contoso.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://contoso.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://contoso.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://contoso.com/provisioning/EapHostConfig"><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://contoso.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName 
xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> </Data> <Data><?xml version="1.0"?><WLANProfile xmlns="http://contoso.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><hex>412D4D534654574C414E</hex><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://contoso.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://contoso.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://contoso.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://contoso.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://contoso.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://contoso.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://contoso.com/provisioning/EapHostConfig"><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://contoso.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation 
xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> </Data>
</Item> </Item>
</Add> </Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/WiFi/Profile/MyNetwork/Proxy</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>testproxy:80</Data>
</Item>
</Add>
</Atomic> </Atomic>
<Final/> <Final/>
</SyncBody> </SyncBody>

@ -120,84 +120,6 @@ The XML below is for Windows 10, version 1809.
</DFType> </DFType>
</DFProperties> </DFProperties>
</Node> </Node>
<Node>
<NodeName>Proxy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Optional node. The format is url:port. Configuration of the network proxy (if any).</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProxyPacUrl</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Optional node. URL to the PAC file location.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ProxyWPAD</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Delete />
<Replace />
</AccessType>
<Description>Optional node: The presence of the field enables WPAD for proxy lookup.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node> </Node>
</Node> </Node>
</Node> </Node>
@ -206,15 +128,4 @@ The XML below is for Windows 10, version 1809.
## Related topics ## Related topics
[WiFi configuration service provider](wifi-csp.md) [WiFi configuration service provider](wifi-csp.md)
 
 

@ -17,17 +17,17 @@ ms.date: 08/15/2018
> [!WARNING] > [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 desktop and mobile devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 desktop devices. The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 client devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 client devices.
The following shows the WindowsLicensing configuration service provider in tree format. The following shows the WindowsLicensing configuration service provider in tree format.
```
```console
./Vendor/MSFT ./Vendor/MSFT
WindowsLicensing WindowsLicensing
----UpgradeEditionWithProductKey ----UpgradeEditionWithProductKey
----ChangeProductKey ----ChangeProductKey
----Edition ----Edition
----Status ----Status
----UpgradeEditionWithLicense
----LicenseKeyType ----LicenseKeyType
----CheckApplicability ----CheckApplicability
----ChangeProductKey (Added in Windows 10, version 1703) ----ChangeProductKey (Added in Windows 10, version 1703)
@ -92,14 +92,14 @@ Activation or changing a product key can be carried out on the following edition
- Windows 10 Pro - Windows 10 Pro
<a href="" id="edition"></a>**Edition** <a href="" id="edition"></a>**Edition**
Returns a value that maps to the Windows 10 edition running on desktop or mobile devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. Returns a value that maps to the Windows 10 edition. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.
The data type is an Int. The data type is an Int.
The supported operation is Get. The supported operation is Get.
<a href="" id="status"></a>**Status** <a href="" id="status"></a>**Status**
Returns the status of an edition upgrade on Windows 10 desktop or mobile devices. The status corresponds to one of the following values: Returns the status of an edition upgrade on Windows devices. The status corresponds to one of the following values:
- 0 = Failed - 0 = Failed
- 1 = Pending - 1 = Pending
@ -111,14 +111,14 @@ The data type is an Int.
The supported operation is Get. The supported operation is Get.
<!-- 12.16.2021 mandia: Commenting out this section, as it appears specific to Windows 10 Mobile.
<a href="" id="upgradeeditionwithlicense"></a>**UpgradeEditionWithLicense** <a href="" id="upgradeeditionwithlicense"></a>**UpgradeEditionWithLicense**
Provides a license for an edition upgrade of Windows 10 mobile devices. Provides a license for an edition upgrade of Windows 10 devices.
> [!NOTE] > [!NOTE]
> This upgrade process does not require a system restart. > This upgrade process does not require a system restart.
The date type is XML. The date type is XML.
The supported operation is Execute. The supported operation is Execute.
@ -126,8 +126,6 @@ The supported operation is Execute.
> [!IMPORTANT] > [!IMPORTANT]
> The XML license file contents must be properly escaped (that is, it should not simply be a copied XML), otherwise the edition upgrade on Windows 10 mobile devices will fail. For more information on proper escaping of the XML license file, see Section 2.4 of the [W3C XML spec](http://www.w3.org/TR/xml/) . The XML license file is acquired from the Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. > The XML license file contents must be properly escaped (that is, it should not simply be a copied XML), otherwise the edition upgrade on Windows 10 mobile devices will fail. For more information on proper escaping of the XML license file, see Section 2.4 of the [W3C XML spec](http://www.w3.org/TR/xml/) . The XML license file is acquired from the Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal.
The following are valid edition upgrade paths when using this node through an MDM or provisioning package: The following are valid edition upgrade paths when using this node through an MDM or provisioning package:
- Windows 10 Mobile to Windows 10 Mobile Enterprise - Windows 10 Mobile to Windows 10 Mobile Enterprise
@ -135,11 +133,12 @@ The following are valid edition upgrade paths when using this node through an MD
> [!Warning] > [!Warning]
> Edition upgrades do not support Volume Licence (VL) keys. > Edition upgrades do not support Volume Licence (VL) keys.
-->
<a href="" id="licensekeytype"></a>**LicenseKeyType** <a href="" id="licensekeytype"></a>**LicenseKeyType**
Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change. Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change.
- Windows 10 for desktop devices require a product key. - Windows 10 client devices require a product key.
- Windows 10 Mobile devices require a XML license file for an edition upgrade.
The data type is a chr. The data type is a chr.
@ -317,7 +316,7 @@ Values:
> [!NOTE] > [!NOTE]
> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. > `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key.
<!-- 12.16.2021 mandia: Commenting out this section, as it appears specific to Windows 10 Mobile.
**UpgradeEditionWithLicense** **UpgradeEditionWithLicense**
@ -333,17 +332,18 @@ Values:
<Meta> <Meta>
<Format xmlns="syncml:metinf">chr</Format> <Format xmlns="syncml:metinf">chr</Format>
</Meta> </Meta>
<Data><!-- XML ENCODED LICENSE GOES HERE --></Data> <Data>YOUR XML ENCODED LICENSE GOES HERE</Data>
</Item> </Item>
</Exec> </Exec>
<Final/> <Final/>
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
-->
<a href="" id="smode-status-example"></a>**Get S mode status** <a href="" id="smode-status-example"></a>**Get S mode status**
``` ```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Get> <Get>
@ -363,7 +363,7 @@ Values:
<a href="" id="smode-switchfromsmode-execute"></a>**Execute SwitchFromSMode** <a href="" id="smode-switchfromsmode-execute"></a>**Execute SwitchFromSMode**
``` ```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Exec> <Exec>
@ -388,7 +388,7 @@ Values:
<a href="" id="smode-switchingpolicy-add"></a>**Add S mode SwitchingPolicy** <a href="" id="smode-switchingpolicy-add"></a>**Add S mode SwitchingPolicy**
``` ```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Add> <Add>
@ -413,7 +413,7 @@ Values:
<a href="" id="smode-switchingpolicy-get"></a>**Get S mode SwitchingPolicy** <a href="" id="smode-switchingpolicy-get"></a>**Get S mode SwitchingPolicy**
``` ```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Get> <Get>
@ -433,7 +433,7 @@ Values:
<a href="" id="smode-switchingpolicy-replace"></a>**Replace S mode SwitchingPolicy** <a href="" id="smode-switchingpolicy-replace"></a>**Replace S mode SwitchingPolicy**
``` ```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Replace> <Replace>
@ -458,7 +458,7 @@ Values:
<a href="" id="smode-switchingpolicy-delete"></a>**Delete S mode SwitchingPolicy** <a href="" id="smode-switchingpolicy-delete"></a>**Delete S mode SwitchingPolicy**
``` ```xml
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody> <SyncBody>
<Delete> <Delete>
@ -475,17 +475,7 @@ Values:
</SyncBody> </SyncBody>
</SyncML> </SyncML>
``` ```
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)
@ -104,7 +104,7 @@ The XML below is for Windows 10, version 1809.
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Returns a value that maps to the Windows 10 edition running on desktop or mobile devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.</Description> <Description>Returns a value that maps to the Windows 10 edition running on devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information.</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -128,7 +128,7 @@ The XML below is for Windows 10, version 1809.
<AccessType> <AccessType>
<Get /> <Get />
</AccessType> </AccessType>
<Description>Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown</Description> <Description>Returns the status of an edition upgrade on Windows 10 client devices. Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown</Description>
<DFFormat> <DFFormat>
<int /> <int />
</DFFormat> </DFFormat>
@ -1,72 +0,0 @@
---
title: WindowsSecurityAuditing CSP
description: The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511.
ms.assetid: 611DF7FF-21CE-476C-AAB5-3D09C1CDF08A
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 06/26/2017
---
# WindowsSecurityAuditing CSP
The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511 for Mobile and Mobile Enterprise. Make sure to consult the [Configuration service provider reference](./configuration-service-provider-reference.md) to see if this CSP and others are supported on your Windows installation.
The following shows the WindowsSecurityAuditing configuration service provider in tree format.
```
./Vendor/MSFT
WindowsSecurityAuditing
----ConfigurationSettings
--------EnableSecurityAuditing
```
<a href="" id="windowssecurityauditing"></a>**WindowsSecurityAuditing**
Root node.
<a href="" id="configurationsettings"></a>**ConfigurationSettings**
Interior node for handling all the audit configuration settings. Do not use the Get operation in this node. It is only used of grouping configuration settings.
<a href="" id="configurationsettings-enablesecurityauditing"></a>**ConfigurationSettings/EnableSecurityAuditing**
Specifies whether to enable or disable auditing for the device.
Value type is boolean. If true, a default set of audit events will be captured to a log file for upload; if false, auditing is disabled and events are not logged. Default value is false.
Supported operations are Get and Replace.
## Examples
Enable logging of audit events.
```xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/WindowsSecurityAuditing/ConfigurationSettings/EnableSecurityAuditing
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
<Type>text/plain</Type>
</Meta>
<Data>true</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
For more information about Windows security auditing, see [What's new in security auditing](/windows/whats-new/whats-new-windows-10-version-1507-and-1511).
 
 
@ -1,109 +0,0 @@
---
title: WindowsSecurityAuditing DDF file
description: View the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider.
ms.assetid: B1F9A5FA-185B-48C6-A7F4-0F0F23B971F0
ms.reviewer:
manager: dansimp
ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: dansimp
ms.date: 12/05/2017
---
# WindowsSecurityAuditing DDF file
This topic shows the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider. This CSP was added in Windows 10, version 1511.
Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
The XML below is the current version for this CSP.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>WindowsSecurityAuditing</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/WindowsSecurityAuditing</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>ConfigurationSettings</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This branch handles all the audit configuration settings for the device. This node should not be used for a get/set but is simply a grouping interior node for all configuration functionality.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Configuration Settings</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EnableSecurityAuditing</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DefaultValue>false</DefaultValue>
<Description>Specifies whether to enable or disable auditing for the device. If the value is true, a default set of audit events will be captured to a log file for upload. If the value is false, auditing will be disabled and events will no longer be logged. </Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFTitle>Enable Security Auditing</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
 
 
@ -198,7 +198,7 @@ Enter a SSID, click **Add**, and then configure the following settings for the S
| Settings | Description | | Settings | Description |
| --- | --- | | --- | --- |
| ProxyServerPort | (Optional) Specify the configuration of the network proxy as **host:port**. A proxy server host and port can be specified per connection for Windows 10 for mobile devices. The host can be server name, FQDN, or SLN or IPv4 or IPv6 address. This proxy configuration is only supported in Windows 10 for mobile devices. Using this configuration in Windows 10 for desktop editions will result in failure. | | ProxyServerPort | (Optional) Don't use. Using this configuration in Windows 10 client editions will result in failure. |
| AutoConnect | (Optional) Select **True** or **false** to specify whether to automatically connect to WLAN. | | AutoConnect | (Optional) Select **True** or **false** to specify whether to automatically connect to WLAN. |
| HiddenNetwork | (Optional) Select **True** or **false** to specify whether the network is hidden. | | HiddenNetwork | (Optional) Select **True** or **false** to specify whether the network is hidden. |
| SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**. </br></br>If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. | | SecurityType | Choose between **Open**, **WEP**, and **WPA2-Personal**. </br></br>If you select **WEP** or **WPA2-Personal**, enter the **SecurityKey** required by the WLAN. |
@ -28,5 +28,5 @@ Use Start settings to apply a customized Start screen to devices.
## StartLayout ## StartLayout
Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen to a mobile device. Use StartLayout to select the `LayoutModification.xml` file that applies a customized Start screen.
@ -92,7 +92,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
- Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy. - Intune console updates: target version is now available allowing you to specify which version of Windows 10 you want devices to move to. Additionally, this capability enables you to keep devices on their current version until they reach end of service. Check it out in Intune, also available as a Group Policy and Configuration Service Provider (CSP) policy.
- Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds. - Validation improvements: To ensure devices and end users stay productive and protected, Microsoft uses safeguard holds to block devices from updating when there are known issues that would impact that device. Also, to better enable IT administrators to validate on the latest release, we have created a new policy that enables admins to opt devices out of the built-in safeguard holds.
- [**Automatic Restart Sign-on (ARSO)**](/windows-insider/at-work-pro/wip-4-biz-whats-new#automatic-restart-and-sign-on-arso-for-enterprises-build-18305): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed. - [**Automatic Restart Sign-on (ARSO)**](/windows-server/identity/ad-ds/manage/component-updates/winlogon-automatic-restart-sign-on--arso-): Windows will automatically log on as the user and lock their device in order to complete the update, ensuring that when the user returns and unlocks the device, the update will be completed.
- [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period. - [**Windows Update for Business**](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523): There will now be a single, common start date for phased deployments (no more SAC-T designation). In addition, there will be a new notification and reboot scheduling experience for end users, the ability to enforce update installation and reboot deadlines, and the ability to provide end user control over reboots for a specific time period.
- **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally. - **Update rollback improvements**: You can now automatically recover from startup failures by removing updates if the startup failure was introduced after the installation of recent driver or quality updates. When a device is unable to start up properly after the recent installation of Quality of driver updates, Windows will now automatically uninstall the updates to get the device back up and running normally.
- **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again. - **Pause updates**: We have extended the ability to pause updates for both feature and monthly updates. This extension ability is for all editions of Windows 10, including Home. You can pause both feature and monthly updates for up to 35 days (seven days at a time, up to five times). Once the 35-day pause period is reached, you will need to update your device before pausing again.
@ -33,30 +33,29 @@ Update Compliance:
- Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities. - Provides all of the above data in [Log Analytics](#using-log-analytics), which affords additional querying and export capabilities.
## The Update Compliance tile ## The Update Compliance tile
After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you'll see this tile: After Update Compliance is successfully [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you can navigate to your log analytics workspace, select your Update Compliance deployment in the **Solutions** section, and then select **Summary** to see this tile:
![Update Compliance tile no data.](images/UC_tile_assessing.png) :::image type="content" alt-text="Update Compliance tile no data." source="images/UC_tile_assessing.png":::
When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary: When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
![Update Compliance tile with data.](images/UC_tile_filled.png) :::image type="content" alt-text="Update Compliance tile with data." source="images/UC_tile_filled.png":::
The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed. The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed.
## The Update Compliance workspace ## The Update Compliance workspace
![Update Compliance workspace view.](images/UC_workspace_needs_attention.png) :::image type="content" alt-text="Update Compliance workspace view." source="images/UC_workspace_needs_attention.png" lightbox="images/UC_workspace_needs_attention.png":::
When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data.
### Overview blade ### Overview blade
![The Overview blade.](images/UC_workspace_overview_blade.png) ![The Overview blade.](images/uc-workspace-overview-blade.png)
Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items: Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
* Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client. * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows client.
* Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability. * Feature updates: A device is up to date on feature updates whenever it has the latest applicable feature update installed. Update Compliance considers [Servicing Channel](waas-overview.md#servicing-channels) when determining update applicability.
* AV Signature: A device is up to date on Antivirus Signature when the latest Windows Defender Signatures have been downloaded. This distribution only considers devices that are running Microsoft Defender Antivirus.
The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency). The blade also provides the time at which your Update Compliance workspace was [refreshed](#update-compliance-data-latency).
@ -66,7 +65,6 @@ The following is a breakdown of the different sections available in Update Compl
* [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows client in your environment. * [Feature Update Status](update-compliance-feature-update-status.md) - This section lists the percentage of devices that are on the latest feature update that is applicable to a given device. Selecting this section provides blades that summarize the overall feature update status across all devices and a summary of deployment status for different versions of Windows client in your environment.
* [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types. * [Delivery Optimization Status](update-compliance-delivery-optimization.md) - This section summarizes bandwidth savings incurred by utilizing Delivery Optimization in your environment. It provides a breakdown of Delivery Optimization configuration across devices, and summarizes bandwidth savings and utilization across multiple content types.
## Update Compliance data latency ## Update Compliance data latency
Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear. Update Compliance uses Windows client diagnostic data as its data source. After you add Update Compliance and appropriately configure your devices, it could take 48-72 hours before they first appear.
@ -17,7 +17,7 @@ ms.topic: article
>Applies to: Windows 10 >Applies to: Windows 10
With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates. With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, client devices for all Windows-based operating systems, for everything from monthly quality updates to new feature updates.
Use the following information to get started with Windows Update: Use the following information to get started with Windows Update:
@ -1,5 +1,5 @@
--- ---
description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. description: Learn more about the Windows 10, version 1703 diagnostic data gathered at the basic level.
title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10) title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry keywords: privacy, telemetry
ms.prod: m365-security ms.prod: m365-security
@ -2134,7 +2134,7 @@ This event sends basic metadata about the starting point of uninstalling a featu
### Microsoft.Windows.HangReporting.AppHangEvent ### Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
The following fields are available: The following fields are available:
@ -4511,7 +4511,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_FellBackToCanonical ### Update360Telemetry.UpdateAgent_FellBackToCanonical
This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4609,7 +4609,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit ### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4625,7 +4625,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest ### Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4656,7 +4656,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand ### Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4676,7 +4676,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize ### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4742,7 +4742,7 @@ This event sends a summary of all the update agent mitigations available for an
### Update360Telemetry.UpdateAgentModeStart ### Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4758,13 +4758,13 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings ### Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
### Update360Telemetry.UpdateAgentSetupBoxLaunch ### Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5006,7 +5006,7 @@ This event sends a summary of all the setup mitigations available for this updat
### Setup360Telemetry.Setup360OneSettings ### Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.


@ -1,5 +1,5 @@
--- ---
description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. description: Learn more about the Windows 10, version 1709 diagnostic data gathered at the basic level.
title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry keywords: privacy, telemetry
ms.prod: m365-security ms.prod: m365-security
@ -2217,7 +2217,7 @@ This event sends basic metadata about the starting point of uninstalling a featu
### Microsoft.Windows.HangReporting.AppHangEvent ### Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
The following fields are available: The following fields are available:
@ -4358,7 +4358,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgent_FellBackToCanonical ### Update360Telemetry.UpdateAgent_FellBackToCanonical
This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information when Express could not be used, and the update had to fall back to “canonical” during the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4456,7 +4456,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit ### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4472,7 +4472,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest ### Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4504,7 +4504,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand ### Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4524,7 +4524,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentFellBackToCanonical ### Update360Telemetry.UpdateAgentFellBackToCanonical
This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4540,7 +4540,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize ### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4636,7 +4636,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentModeStart ### Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4652,7 +4652,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings ### Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4670,7 +4670,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentPostRebootResult ### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -4687,7 +4687,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentSetupBoxLaunch ### Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5061,7 +5061,7 @@ This event sends a summary of all the setup mitigations available for this updat
### Setup360Telemetry.Setup360OneSettings ### Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:


@ -1,5 +1,5 @@
--- ---
description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. description: Learn more about the Windows 10, version 1803 diagnostic data gathered at the basic level.
title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10) title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry keywords: privacy, telemetry
ms.prod: m365-security ms.prod: m365-security
@ -3169,7 +3169,7 @@ This event sends basic metadata about the starting point of uninstalling a featu
### Microsoft.Windows.HangReporting.AppHangEvent ### Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
The following fields are available: The following fields are available:
@ -5581,7 +5581,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit ### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5597,7 +5597,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest ### Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5629,7 +5629,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand ### Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5649,7 +5649,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentFellBackToCanonical ### Update360Telemetry.UpdateAgentFellBackToCanonical
This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5665,7 +5665,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize ### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5763,7 +5763,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentModeStart ### Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5779,7 +5779,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings ### Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5797,7 +5797,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentPostRebootResult ### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5819,7 +5819,7 @@ This event sends information indicating that a request has been sent to suspend
### Update360Telemetry.UpdateAgentSetupBoxLaunch ### Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6263,7 +6263,7 @@ The following fields are available:
### Setup360Telemetry.Setup360OneSettings ### Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:


@ -1,5 +1,5 @@
--- ---
description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. description: Learn more about the Windows 10, version 1809 diagnostic data gathered at the basic level.
title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10) title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10)
keywords: privacy, telemetry keywords: privacy, telemetry
ms.prod: m365-security ms.prod: m365-security
@ -4451,7 +4451,7 @@ This event sends basic metadata about the starting point of uninstalling a featu
### Microsoft.Windows.HangReporting.AppHangEvent ### Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
The following fields are available: The following fields are available:
@ -7066,7 +7066,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit ### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7082,7 +7082,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest ### Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7119,7 +7119,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand ### Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7139,7 +7139,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentFellBackToCanonical ### Update360Telemetry.UpdateAgentFellBackToCanonical
This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7155,7 +7155,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize ### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7254,7 +7254,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentModeStart ### Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7270,7 +7270,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings ### Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7288,7 +7288,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentPostRebootResult ### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7691,7 +7691,7 @@ The following fields are available:
### Setup360Telemetry.Setup360OneSettings ### Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:


@ -1,5 +1,5 @@
--- ---
description: Use this article to learn more about what required Windows diagnostic data is gathered. description: Learn more about the Windows 10, version 1903 diagnostic data gathered at the basic level.
title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10) title: Windows 10, version 1909 and Windows 10, version 1903 required diagnostic events and fields (Windows 10)
keywords: privacy, telemetry keywords: privacy, telemetry
ms.prod: m365-security ms.prod: m365-security
@ -4553,7 +4553,7 @@ This event indicates that the uninstall was properly configured and that a syste
### Microsoft.Windows.HangReporting.AppHangEvent ### Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
The following fields are available: The following fields are available:
@ -7271,7 +7271,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit ### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7288,7 +7288,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest ### Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7333,7 +7333,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand ### Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7355,7 +7355,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize ### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7456,7 +7456,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentModeStart ### Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7472,7 +7472,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings ### Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7490,7 +7490,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentPostRebootResult ### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7527,7 +7527,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentSetupBoxLaunch ### Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -7859,7 +7859,7 @@ The following fields are available:
### Setup360Telemetry.Setup360OneSettings ### Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -1,100 +0,0 @@
---
title: MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
description: MICROSOFT SOFTWARE LICENSE TERMS
keywords: privacy, license, terms
ms.prod: m365-security
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: high
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 11/29/2021
ms.reviewer:
robots: noindex,nofollow
ms.technology: privacy
---
# Microsoft Windows diagnostic data for PowerShell license terms
MICROSOFT SOFTWARE LICENSE TERMS
MICROSOFT WINDOWS DIAGNOSTIC DATA FOR POWERSHELL
These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or another terms, in which case those different terms apply prospectively and don't alter your or Microsofts rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW. BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.
1. INSTALLATION AND USE RIGHTS.
a) General. You may install and use any number of copies of the software.
b) Third-Party Software. The software may include third-party applications that Microsoft, not the third party, licenses to you under this agreement. Any included notices for third-party applications are for your information only.
2. DATA COLLECTION. The software may collect information about you and your use of the software and send that to Microsoft. Microsoft may use this information to provide services and improve Microsofts products and services. Your opt-out rights, if any, are described in the product documentation. Some features in the software may enable collection of data from users of your applications that access or use the software. If you use these features to enable data collection in your applications, you must comply with applicable law, including getting any required user consent, and maintain a prominent privacy policy that accurately informs users about how you use, collect, and share their data. You can learn more about Microsofts data collection and use in the product documentation and the Microsoft Privacy Statement at https://go.microsoft.com/fwlink/?LinkId=512132. You agree to comply with all applicable provisions of the Microsoft Privacy Statement.
3. SCOPE OF LICENSE. The software is licensed, not sold. Microsoft reserves all other rights. Unless applicable law gives you more rights despite this limitation, you will not (and have no right to):
a) work around any technical limitations in the software that only allow you to use it in certain ways;
b) reverse engineer, decompile, or disassemble the software;
c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software;
d) use the software in any way that is against the law or to create or propagate malware; or
e) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted solution for others to use, or transfer the software or this agreement to any third party.
4. EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use.
For further information on export restrictions, visit https://aka.ms/exporting.
5. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services for the software. Any support provided is “as is”, “with all faults”, and without warranty of any kind.
6. ENTIRE AGREEMENT. This agreement, and any other terms Microsoft may provide for supplements, updates, or third-party applications, is the entire agreement for the software.
7. APPLICABLE LAW AND PLACE TO RESOLVE DISPUTES. If you acquired the software in the United States or Canada, the laws of the state or province where you live (or, if a business, where your principal place of business is located) govern the interpretation of this agreement, claims for its breach, and all other claims (including consumer protection, unfair competition, and tort claims), regardless of conflict of laws principles. If you acquired the software in any other country, its laws apply. If U.S. federal jurisdiction exists, you and Microsoft consent to exclusive jurisdiction and venue in the federal court in King County, Washington for all disputes heard in court. If not, you and Microsoft consent to exclusive jurisdiction and venue in the Superior Court of King County, Washington for all disputes heard in court.
8. CONSUMER RIGHTS; REGIONAL VARIATIONS. This agreement describes certain legal rights. You may have other rights, including consumer rights, under the laws of your state, province, or country. Separate and apart from your relationship with Microsoft, you may also have rights with respect to the party from which you acquired the software. This agreement does not change those other rights if the laws of your state, province, or country do not permit it to do so. For example, if you acquired the software in one of the below regions, or mandatory country law applies, then the following provisions apply to you:
a) Australia. You have statutory guarantees under the Australian Consumer Law and nothing in this agreement is intended to affect those rights.
b) Canada. If you acquired this software in Canada, you may stop receiving updates by turning off the automatic update feature, disconnecting your device from the Internet (if and when you reconnect to the Internet, however, the software will resume checking for and installing updates), or uninstalling the software. The product documentation, if any, may also specify how to turn off updates for your specific device or software.
c) Germany and Austria.
i. Warranty. The properly licensed software will perform substantially as described in any Microsoft materials that accompany the software. However, Microsoft gives no contractual guarantee in relation to the licensed software.
ii. Limitation of Liability. In case of intentional conduct, gross negligence, claims based on the Product Liability Act, and, in case of death or personal or physical injury, Microsoft is liable according to the statutory law.
Subject to the foregoing clause ii., Microsoft will only be liable for slight negligence if Microsoft is in breach of such material contractual obligations, the fulfillment of which facilitate the due performance of this agreement, the breach of which would endanger the purpose of this agreement and the compliance with which a party may constantly trust in (so-called "cardinal obligations"). In other cases of slight negligence, Microsoft will not be liable for slight negligence.
9. DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED “AS IS.” YOU BEAR THE RISK OF USING IT. MICROSOFT GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS, MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
10. LIMITATION ON AND EXCLUSION OF DAMAGES. IF YOU HAVE ANY BASIS FOR RECOVERING DAMAGES DESPITE THE PRECEDING DISCLAIMER OF WARRANTY, YOU CAN RECOVER FROM MICROSOFT AND ITS SUPPLIERS ONLY DIRECT DAMAGES UP TO U.S. $5.00. YOU CANNOT RECOVER ANY OTHER DAMAGES, INCLUDING CONSEQUENTIAL, LOST PROFITS, SPECIAL, INDIRECT OR INCIDENTAL DAMAGES.
This limitation applies to (a) anything related to the software, services, content (including code) on third-party Internet sites, or third-party applications; and (b) claims for breach of contract, warranty, guarantee, or condition; strict liability, negligence, or other tort; or any other claim; in each case to the extent permitted by applicable law.
It also applies even if Microsoft knew or should have known about the possibility of the damages. The above limitation or exclusion may not apply to you because your state, province, or country may not allow the exclusion or limitation of incidental, consequential, or other damages.
Note that as this software is distributed in Canada, some of the clauses in this agreement are provided below in French.
Remarque: Ce logiciel étant distribué au Canada, certaines des clauses dans ce contrat sont fournies ci-dessous en français.
EXONÉRATION DE GARANTIE. Le logiciel visé par une licence est offert « tel quel ». Toute utilisation de ce logiciel est à votre seule risque et péril. Microsoft naccorde aucune autre garantie expresse. Vous pouvez bénéficier de droits additionnels en vertu du droit local sur la protection des consommateurs, que ce contrat ne peut modifier. La ou elles sont permises par le droit locale, les garanties implicites de qualité marchande, dadéquation à un usage particulier et dabsence de contrefaçon sont exclues.
LIMITATION DES DOMMAGES-INTÉRÊTS ET EXCLUSION DE RESPONSABILITÉ POUR LES DOMMAGES. Vous pouvez obtenir de Microsoft et de ses fournisseurs une indemnisation en cas de dommages directs uniquement à hauteur de 5,00 $ US. Vous ne pouvez prétendre à aucune indemnisation pour les autres dommages, y compris les dommages spéciaux, indirects ou accessoires et pertes de bénéfices.
Cette limitation concerne:
• tout ce qui est relié au logiciel, aux services ou au contenu (y compris le code) figurant sur des sites Internet tiers ou dans des programmes tiers; et
• les réclamations au titre de violation de contrat ou de garantie, ou au titre de responsabilité stricte, de négligence ou dune autre faute dans la limite autorisée par la loi en vigueur.
Elle sapplique également, même si Microsoft connaissait ou devrait connaître léventualité dun tel dommage. Si votre pays nautorise pas lexclusion ou la limitation de responsabilité pour les dommages indirects, accessoires ou de quelque nature que ce soit, il se peut que la limitation ou lexclusion ci-dessus ne sappliquera pas à votre égard.
EFFET JURIDIQUE. Le présent contrat décrit certains droits juridiques. Vous pourriez avoir dautres droits prévus par les lois de votre pays. Le présent contrat ne modifie pas les droits que vous confèrent les lois de votre pays si celles-ci ne le permettent pas.
@ -277,7 +277,7 @@ Use Group Policies to manage settings for Cortana. For more info, see [Cortana,
### <a href="" id="bkmk-cortana-gp"></a>2.1 Cortana and Search Group Policies ### <a href="" id="bkmk-cortana-gp"></a>2.1 Cortana and Search Group Policies
Find the Cortana Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Search**. Find the Cortana Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Search**.
| Policy | Description | | Policy | Description |
|------------------------------------------------------|---------------------------------------------------------------------------------------| |------------------------------------------------------|---------------------------------------------------------------------------------------|
@ -299,7 +299,7 @@ You can also apply the Group Policies using the following registry keys:
> [!IMPORTANT] > [!IMPORTANT]
> Using the Group Policy editor these steps are required for all supported versions of Windows 10 and Windows 11, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. > Using the Group Policy editor these steps are required for all supported versions of Windows 10 and Windows 11, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016.
1. Expand **Computer Configuration** &gt; **Windows Settings** &gt; **Security Settings** &gt; **Windows Defender Firewall with Advanced Security** &gt; **Windows Defender Firewall with Advanced Security - &lt;LDAP name&gt;**, and then click **Outbound Rules**. 1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - `LDAP name`**, and then click **Outbound Rules**.
2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. 2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts.
@ -334,7 +334,7 @@ If your organization tests network traffic, do not use a network proxy as Window
You can prevent Windows from setting the time automatically. You can prevent Windows from setting the time automatically.
- To turn off the feature in the UI: **Settings** &gt; **Time & language** &gt; **Date & time** &gt; **Set time automatically** - To turn off the feature in the UI: **Settings** > **Time & language** > **Date & time** > **Set time automatically**
-or- -or-
@ -342,7 +342,7 @@ You can prevent Windows from setting the time automatically.
After that, configure the following: After that, configure the following:
- **Disable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Windows Time Service** &gt; **Time Providers** &gt; **Enable Windows NTP Client** - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Windows Time Service** > **Time Providers** > **Enable Windows NTP Client**
-or- -or-
@ -353,7 +353,7 @@ After that, configure the following:
To prevent Windows from retrieving device metadata from the Internet: To prevent Windows from retrieving device metadata from the Internet:
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Device Installation** &gt; **Prevent device metadata retrieval from the Internet**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Device Installation** > **Prevent device metadata retrieval from the Internet**.
-or - -or -
@ -402,7 +402,7 @@ Windows Insider Preview builds only apply to Windows 10 and Windows 11 and are n
To turn off Insider Preview builds for a released version of Windows 10 or Windows 11: To turn off Insider Preview builds for a released version of Windows 10 or Windows 11:
- **Disable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds** &gt; **Toggle user control over Insider builds**. - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Toggle user control over Insider builds**.
To turn off Insider Preview builds for Windows 10 and Windows 11: To turn off Insider Preview builds for Windows 10 and Windows 11:
@ -413,7 +413,7 @@ To turn off Insider Preview builds for Windows 10 and Windows 11:
-or- -or-
- **Enable** the Group Policy **Toggle user control over Insider builds** under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds** - **Enable** the Group Policy **Toggle user control over Insider builds** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds**
-or- -or-
@ -427,9 +427,9 @@ To turn off Insider Preview builds for Windows 10 and Windows 11:
| Policy | Description | | Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| |------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
| Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites. <br /> **Set Value to: Disabled** <br /> You can also turn this off in the UI by clearing the **Internet Options** &gt; **Advanced** &gt; **Enable Suggested Sites** check box.| | Turn on Suggested Sites| Choose whether an employee can configure Suggested Sites. <br /> **Set Value to: Disabled** <br /> You can also turn this off in the UI by clearing the **Internet Options** > **Advanced** > **Enable Suggested Sites** check box.|
| Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar. <br /> **Set Value to: Disabled**| | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar. <br /> **Set Value to: Disabled**|
| Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar. <br /> **Set Value to: Enabled** </br> You can also turn this off in the UI by clearing the <strong>Internet Options</strong> &gt; **Advanced** &gt; **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar. <br /> **Set Value to: Enabled** </br> You can also turn this off in the UI by clearing the <strong>Internet Options</strong> > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.|
| Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> **Set Value to: Enabled**| | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer. <br /> **Set Value to: Enabled**|
| Prevent managing Microsoft Defender SmartScreen | Choose whether employees can manage the Microsoft Defender SmartScreen in Internet Explorer. <br /> **Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.| | Prevent managing Microsoft Defender SmartScreen | Choose whether employees can manage the Microsoft Defender SmartScreen in Internet Explorer. <br /> **Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.|
@ -533,13 +533,11 @@ To turn off Live Tiles:
- Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)** - Create a REG_DWORD registry setting named **NoCloudApplicationNotification** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\PushNotifications** with a **value of 1 (one)**
In Windows 10 or Windows 11 Mobile, you must also unpin all tiles that are pinned to Start.
### <a href="" id="bkmk-mailsync"></a>11. Mail synchronization ### <a href="" id="bkmk-mailsync"></a>11. Mail synchronization
To turn off mail synchronization for Microsoft Accounts that are configured on a device: To turn off mail synchronization for Microsoft Accounts that are configured on a device:
- In **Settings** &gt; **Accounts** &gt; **Your email and accounts**, remove any connected Microsoft Accounts. - In **Settings** > **Accounts** > **Your email and accounts**, remove any connected Microsoft Accounts.
-or- -or-
@ -567,7 +565,7 @@ For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile
### <a href="" id="bkmk-edgegp"></a>13.1 Microsoft Edge Group Policies ### <a href="" id="bkmk-edgegp"></a>13.1 Microsoft Edge Group Policies
Find the Microsoft Edge Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Edge**. Find the Microsoft Edge Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Edge**.
| Policy | Description | | Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------| |------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@ -636,7 +634,7 @@ In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL
You can turn off NCSI by doing one of the following: You can turn off NCSI by doing one of the following:
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Internet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off Windows Network Connectivity Status Indicator active tests** - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off Windows Network Connectivity Status Indicator active tests**
> [!NOTE] > [!NOTE]
> After you apply this policy, you must restart the device for the policy setting to take effect. > After you apply this policy, you must restart the device for the policy setting to take effect.
@ -653,7 +651,7 @@ You can turn off the ability to download and update offline maps.
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Maps** &gt; **Turn off Automatic Download and Update of Map Data** - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Maps** > **Turn off Automatic Download and Update of Map Data**
-or- -or-
@ -671,7 +669,7 @@ You can turn off the ability to download and update offline maps.
To turn off OneDrive in your organization: To turn off OneDrive in your organization:
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **OneDrive** &gt; **Prevent the usage of OneDrive for file storage** - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent the usage of OneDrive for file storage**
-or- -or-
@ -679,7 +677,7 @@ To turn off OneDrive in your organization:
-and- -and-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **OneDrive** &gt; **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)** - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **OneDrive** > **Prevent OneDrive from generating network traffic until the user signs in to OneDrive (Enable)**
-or- -or-
@ -809,9 +807,9 @@ To remove the Sticky notes app:
- Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage** - Remove the app for the current user. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxPackage Microsoft.MicrosoftStickyNotes | Remove-AppxPackage**
### <a href="" id="bkmk-settingssection"></a>18. Settings &gt; Privacy & security ### <a href="" id="bkmk-settingssection"></a>18. Settings > Privacy & security
Use Settings &gt; Privacy & security to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC. Use Settings > Privacy & security to configure some settings that may be important to your organization. Except for the Feedback & Diagnostics page, these settings must be configured for every user account that signs into the PC.
- [18.1 General](#bkmk-general) - [18.1 General](#bkmk-general)
@ -874,7 +872,7 @@ To turn off **Let apps use advertising ID to make ads more interesting to you ba
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **User Profiles** &gt; **Turn off the advertising ID**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
-or- -or-
@ -911,7 +909,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **User Profiles** &gt; **Turn off the advertising ID**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **User Profiles** > **Turn off the advertising ID**.
-or- -or-
@ -950,7 +948,7 @@ To turn off **Let apps on my other devices open apps and continue experiences on
-or- -or-
- Disable the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Group Policy** &gt; **Continue experiences on this device**. - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Group Policy** > **Continue experiences on this device**.
-or- -or-
@ -970,7 +968,7 @@ To turn off **Location for this device**:
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Location and Sensors** &gt; **Turn off location**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
-or- -or-
@ -982,7 +980,7 @@ To turn off **Allow apps to access your location**:
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**.
-or- -or-
@ -1007,7 +1005,7 @@ To turn off **Let apps use my camera**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access the camera** - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the camera**
- Set the **Select a setting** box to **Force Deny**. - Set the **Select a setting** box to **Force Deny**.
@ -1030,7 +1028,7 @@ To turn off **Let apps use my microphone**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access the microphone** - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the microphone**
- Set the **Select a setting** box to **Force Deny**. - Set the **Select a setting** box to **Force Deny**.
@ -1105,7 +1103,7 @@ To turn off **Let apps access my name, picture, and other account info**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access account information** - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access account information**
- Set the **Select a setting** box to **Force Deny**. - Set the **Select a setting** box to **Force Deny**.
@ -1128,7 +1126,7 @@ To turn off **Choose apps that can access contacts**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access contacts** - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts**
- Set the **Select a setting** box to **Force Deny**. - Set the **Select a setting** box to **Force Deny**.
@ -1146,7 +1144,7 @@ To turn off **Let apps access my calendar**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access the calendar**. Set the **Select a setting** box to **Force Deny**. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access the calendar**. Set the **Select a setting** box to **Force Deny**.
-or- -or-
@ -1166,7 +1164,7 @@ To turn off **Let apps access my call history**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access call history** - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access call history**
- Set the **Select a setting** box to **Force Deny**. - Set the **Select a setting** box to **Force Deny**.
@ -1184,7 +1182,7 @@ To turn off **Let apps access and send email**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access email** - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access email**
- Set the **Select a setting** box to **Force Deny**. - Set the **Select a setting** box to **Force Deny**.
@ -1202,7 +1200,7 @@ To turn off **Let apps read or send messages (text or MMS)**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access messaging** - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access messaging**
- Set the **Select a setting** box to **Force Deny**. - Set the **Select a setting** box to **Force Deny**.
@ -1220,7 +1218,7 @@ To turn off **Choose apps that can read or send messages**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Messaging** - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Messaging**
- Set the **Allow Message Service Cloud Sync** to **Disable**. - Set the **Allow Message Service Cloud Sync** to **Disable**.
@ -1234,7 +1232,7 @@ To turn off **Let apps make phone calls**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps make phone calls** and set the **Select a setting** box to **Force Deny**. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps make phone calls** and set the **Select a setting** box to **Force Deny**.
-or- -or-
@ -1255,7 +1253,7 @@ To turn off **Let apps control radios**:
-or- -or-
- Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps control radios** and set the **Select a setting** box to **Force Deny**. - Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps control radios** and set the **Select a setting** box to **Force Deny**.
-or- -or-
@ -1276,7 +1274,7 @@ To turn off **Let apps automatically share and sync info with wireless devices t
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps communicate with unpaired devices** and set the **Select a setting** box to **Force Deny**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps communicate with unpaired devices** and set the **Select a setting** box to **Force Deny**.
-or- -or-
@ -1288,7 +1286,7 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **App Privacy** &gt; **Let Windows apps access trusted devices** and set the **Select a setting** box to **Force Deny**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access trusted devices** and set the **Select a setting** box to **Force Deny**.
-or- -or-
@ -1308,7 +1306,7 @@ To change how frequently **Windows should ask for my feedback**:
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Data Collection and Preview Builds** &gt; **Do not show feedback notifications** - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Do not show feedback notifications**
-or- -or-
@ -1533,7 +1531,7 @@ Enterprise customers can manage their Windows activation status with volume lice
**For Windows 10 and Windows 11:** **For Windows 10 and Windows 11:**
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Software Protection Platform** &gt; **Turn off KMS Client Online AVS Validation** - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or- -or-
@ -1541,7 +1539,7 @@ Enterprise customers can manage their Windows activation status with volume lice
**For Windows Server 2019 or later:** **For Windows Server 2019 or later:**
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Software Protection Platform** &gt; **Turn off KMS Client Online AVS Validation** - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation**
-or- -or-
@ -1560,7 +1558,7 @@ Enterprise customers can manage their Windows activation status with volume lice
Enterprise customers can manage updates to the Disk Failure Prediction Model. Enterprise customers can manage updates to the Disk Failure Prediction Model.
For Windows 10 and Windows 11: For Windows 10 and Windows 11:
- **Disable** this Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Storage Health** &gt; **Allow downloading updates to the Disk Failure Prediction Model** - **Disable** this Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Storage Health** > **Allow downloading updates to the Disk Failure Prediction Model**
-or- -or-
@ -1570,11 +1568,11 @@ For Windows 10 and Windows 11:
You can control if your settings are synchronized: You can control if your settings are synchronized:
- In the UI: **Settings** &gt; **Accounts** &gt; **Sync your settings** - In the UI: **Settings** > **Accounts** > **Sync your settings**
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Sync your settings** &gt; **Do not sync**. Leave the "Allow users to turn syncing on" checkbox **unchecked**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Sync your settings** > **Do not sync**. Leave the "Allow users to turn syncing on" checkbox **unchecked**.
-or- -or-
@ -1594,7 +1592,7 @@ You can disable Teredo by using Group Policy or by using the netsh.exe command.
> [!NOTE] > [!NOTE]
> If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work. > If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** &gt; **TCPIP Settings** &gt; **IPv6 Transition Technologies** &gt; **Set Teredo State** and set it to **Disabled State**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
-or- -or-
@ -1614,7 +1612,7 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha
-or- -or-
- **Disable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Network** &gt; **WLAN Service** &gt; **WLAN Settings** &gt; **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**. - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **WLAN Service** > **WLAN Settings** > **Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services**.
-or- -or-
@ -1632,7 +1630,7 @@ You can disconnect from the Microsoft Antimalware Protection Service.
> 1. Ensure Windows and Microsoft Defender Antivirus are fully up to date. > 1. Ensure Windows and Microsoft Defender Antivirus are fully up to date.
> 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**. > 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**.
- **Enable** the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Defender Antivirus** &gt; **MAPS** &gt; **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
-OR- -OR-
@ -1645,7 +1643,7 @@ You can disconnect from the Microsoft Antimalware Protection Service.
You can stop sending file samples back to Microsoft. You can stop sending file samples back to Microsoft.
- **Enable** the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Defender Antivirus** &gt; **MAPS** &gt; **Send file samples when further analysis is required** to **Never Send**. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Send file samples when further analysis is required** to **Never Send**.
-or- -or-
@ -1655,14 +1653,14 @@ You can stop sending file samples back to Microsoft.
You can stop downloading **Definition Updates**: You can stop downloading **Definition Updates**:
> [!NOTE] > [!NOTE]
> The Group Policy path for 1809 and earlier builds is **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Defender Antivirus** &gt; **Signature Updates** > The Group Policy path for 1809 and earlier builds is **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates**
- **Enable** the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Defender Antivirus** &gt; **Security Intelligence Updates** &gt; **Define the order of sources for downloading definition updates** and set it to **FileShares**. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-and- -and-
- **Disable** the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Defender Antivirus** &gt; **Security Intelligence Updates** &gt; **Define file shares for downloading definition updates** and set it to **Nothing**. - **Disable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define file shares for downloading definition updates** and set it to **Nothing**.
-or- -or-
@ -1687,7 +1685,7 @@ You can turn off **Enhanced Notifications** as follows:
-or- -or-
- **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Microsoft Defender Antivirus** &gt; **Reporting**. - **Enable** the Group Policy **Turn off enhanced notifications** under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Reporting**.
-or- -or-
@ -1759,7 +1757,7 @@ This will also turn off automatic app updates, and the Microsoft Store will be d
In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**. In addition, new email accounts cannot be created by clicking **Settings** > **Accounts** > **Email & app accounts** > **Add an account**.
On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps. On Windows Server 2016, this will block Microsoft Store calls from Universal Windows Apps.
- **Disable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Store** &gt; **Disable all apps from Microsoft Store**. - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Disable all apps from Microsoft Store**.
-or- -or-
@ -1767,7 +1765,7 @@ On Windows Server 2016, this will block Microsoft Store calls from Universal Win
-AND- -AND-
- **Enable** the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Store** &gt; **Turn off Automatic Download and Install of updates**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Store** > **Turn off Automatic Download and Install of updates**.
-or- -or-
@ -1793,15 +1791,15 @@ Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization.
In Windows 10, version 1607 and above, and Windows 11 you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below. In Windows 10, version 1607 and above, and Windows 11 you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below.
### <a href="" id="bkmk-wudo-ui"></a>28.1 Settings &gt; Update & security ### <a href="" id="bkmk-wudo-ui"></a>28.1 Settings > Update & security
You can set up Delivery Optimization Peer-to-Peer from the **Settings** UI. You can set up Delivery Optimization Peer-to-Peer from the **Settings** UI.
- Go to **Settings** &gt; **Update & security** &gt; **Windows Update** &gt; **Advanced options** &gt; **Choose how updates are delivered**. - Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
### <a href="" id="bkmk-wudo-gp"></a>28.2 Delivery Optimization Group Policies ### <a href="" id="bkmk-wudo-gp"></a>28.2 Delivery Optimization Group Policies
You can find the Delivery Optimization Group Policy objects under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Delivery Optimization**. You can find the Delivery Optimization Group Policy objects under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization**.
| Policy | Description | | Policy | Description |
|---------------------------|-----------------------------------------------------------------------------------------------------| |---------------------------|-----------------------------------------------------------------------------------------------------|
@ -1816,7 +1814,7 @@ For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimi
### <a href="" id="bkmk-wudo-mdm"></a>28.3 Delivery Optimization ### <a href="" id="bkmk-wudo-mdm"></a>28.3 Delivery Optimization
- **Enable** the **Download Mode** Group Policy under **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Delivery Optimization** and set the **Download Mode** to **"Simple Mode (99)"** to prevent traffic between peers as well as traffic back to the Delivery Optimization Cloud Service. - **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Simple Mode (99)"** to prevent traffic between peers as well as traffic back to the Delivery Optimization Cloud Service.
-or- -or-
@ -1854,19 +1852,19 @@ You can turn off Windows Update by setting the following registry entries:
-OR- -OR-
- Set the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Update** &gt; **Do not connect to any Windows Update Internet locations** to **Enabled** - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Do not connect to any Windows Update Internet locations** to **Enabled**
-and- -and-
- Set the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **Internet Communication Management** &gt; **Internet Communication Settings** &gt; **Turn off access to all Windows Update features** to **Enabled** - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **System** > **Internet Communication Management** > **Internet Communication Settings** > **Turn off access to all Windows Update features** to **Enabled**
-and- -and-
- Set the Group Policy **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Update** &gt; **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "** - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Specify intranet Microsoft update service location** to **Enabled** and ensure all Option settings (Intranet Update Service, Intranet Statistics Server, Alternate Download Server) are set to **" "**
-and- -and-
- Set the Group Policy **User Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Update** &gt; **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**. - Set the Group Policy **User Configuration** > **Administrative Templates** > **Windows Components** > **Windows Update** > **Remove access to use all Windows Update features** to **Enabled** and then set **Computer Configurations** to **0 (zero)**.
You can turn off automatic updates by doing the following. This is not recommended. You can turn off automatic updates by doing the following. This is not recommended.


@ -1,5 +1,5 @@
--- ---
description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. description: Learn more about the Windows 11 diagnostic data gathered at the basic level.
title: Required Windows 11 diagnostic events and fields title: Required Windows 11 diagnostic events and fields
keywords: privacy, telemetry keywords: privacy, telemetry
ms.prod: m365-security ms.prod: m365-security
@ -3347,7 +3347,7 @@ This event indicates that the uninstall was properly configured and that a syste
### Microsoft.Windows.HangReporting.AppHangEvent ### Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
The following fields are available: The following fields are available:
@ -5608,7 +5608,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit ### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5625,7 +5625,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest ### Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5670,7 +5670,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand ### Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5692,7 +5692,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize ### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5775,7 +5775,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentModeStart ### Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5791,7 +5791,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings ### Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5809,7 +5809,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentPostRebootResult ### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -5845,7 +5845,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentSetupBoxLaunch ### Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6159,7 +6159,7 @@ The following fields are available:
### Setup360Telemetry.Setup360OneSettings ### Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -1,5 +1,5 @@
--- ---
description: Use this article to learn more about what required Windows diagnostic data is gathered. description: Learn more about the required Windows 10 diagnostic data gathered.
title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10) title: Windows 10, version 21H2, Windows 10, version 21H1, Windows 10, version 20H2 and Windows 10, version 2004 required diagnostic events and fields (Windows 10)
keywords: privacy, telemetry keywords: privacy, telemetry
ms.prod: m365-security ms.prod: m365-security
@ -3300,7 +3300,7 @@ The following fields are available:
### Microsoft.Windows.HangReporting.AppHangEvent ### Microsoft.Windows.HangReporting.AppHangEvent
This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events. This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on client devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
The following fields are available: The following fields are available:
@ -6047,7 +6047,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentCommit ### Update360Telemetry.UpdateAgentCommit
This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6064,7 +6064,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentDownloadRequest ### Update360Telemetry.UpdateAgentDownloadRequest
This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6109,7 +6109,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentExpand ### Update360Telemetry.UpdateAgentExpand
This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6131,7 +6131,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentInitialize ### Update360Telemetry.UpdateAgentInitialize
This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6232,7 +6232,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentModeStart ### Update360Telemetry.UpdateAgentModeStart
This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The data collected with this event is used to help keep Windows secure and up to date. This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6248,7 +6248,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentOneSettings ### Update360Telemetry.UpdateAgentOneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6266,7 +6266,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentPostRebootResult ### Update360Telemetry.UpdateAgentPostRebootResult
This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6303,7 +6303,7 @@ The following fields are available:
### Update360Telemetry.UpdateAgentSetupBoxLaunch ### Update360Telemetry.UpdateAgentSetupBoxLaunch
The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. The data collected with this event is used to help keep Windows secure and up to date. The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -6635,7 +6635,7 @@ The following fields are available:
### Setup360Telemetry.Setup360OneSettings ### Setup360Telemetry.Setup360OneSettings
This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. The data collected with this event is used to help keep Windows secure and up to date. This event collects information regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario. The data collected with this event is used to help keep Windows secure and up to date.
The following fields are available: The following fields are available:
@ -95,17 +95,29 @@ This type of data includes software installation and update information on the d
## Browsing History data ## Browsing History data
This type of data includes details about web browsing in the Microsoft browsers. **Microsoft browser data**: This type of data includes details about web browsing, the address bar, and search box performance on the device in the Microsoft browsers, such as:
| Category Name | Description and Examples |
| - | - |
| Microsoft browser data | Information about Address bar and search box performance on the device such as:<ul><li>Text typed in address bar and search box</li><li>Text selected for Ask Cortana search</li><li>Service response time </li><li>Autocompleted text if there was an autocomplete</li><li>Navigation suggestions provided based on local history and favorites</li><li>Browser ID</li><li>URLs (which may include search terms)</li><li>Page title</li></ul>|
- Text typed in address bar and search box
- Text selected for Ask Cortana search
- Service response time
- Autocompleted text if there was an autocomplete
- Navigation suggestions provided based on local history and favorites
- Browser ID
- URLs (which may include search terms)
- Page title
## Inking Typing and Speech Utterance data ## Inking Typing and Speech Utterance data
This type of data gathers details about the voice, inking, and typing input features on the device. **Voice, inking, and typing**: This type of data gathers details about the voice, inking, and typing input features on the device, such as:
| Category Name | Description and Examples | - Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used
| - | - | - Pen gestures (click, double-click, pan, zoom, rotate)
| Voice, inking, and typing | Information about voice, inking, and typing features such as:<br><ul><li>Type of pen used (highlighter, ball point, pencil), pen color, stroke height and width, and how long it is used</li><li>Pen gestures (click, double-click, pan, zoom, rotate)</li><li>Palm Touch x,y coordinates</li><li>Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate</li><li>Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text input from Windows Mobile on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.</li><li>Text of speech recognition results - result codes and recognized text</li><li>Language and model of the recognizer, System Speech language</li><li>App ID using speech features</li><li>Whether user is known to be a child</li><li>Confidence and Success/Failure of speech recognition</li></ul> | - Palm Touch x,y coordinates
- Input latency, missed pen signals, number of frames, strokes, first frame commit time, sample rate
- Ink strokes written, text before and after the ink insertion point, recognized text entered, Input language - processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text input from Windows on-screen keyboards except from password fields and private sessions - processed to remove identifiers, sequencing information, and other data (such as email addresses, and numeric values) which could be used to reconstruct the original content or associate the input to the user.
- Text of speech recognition results - result codes and recognized text
- Language and model of the recognizer, System Speech language
- App ID using speech features
- Whether user is known to be a child
- Confidence and Success/Failure of speech recognition
@ -20,6 +20,7 @@ ms.date: 02/28/2019
# Local Accounts # Local Accounts
**Applies to** **Applies to**
- Windows 11
- Windows 10 - Windows 10
- Windows Server 2019 - Windows Server 2019
- Windows Server 2016 - Windows Server 2016
@ -74,7 +75,7 @@ The Administrator account has full control of the files, directories, services,
The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled. The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.
In Windows 10 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation. From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation.
**Account group membership** **Account group membership**
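Review bot: The rewritten sentence in the Administrator-account paragraph, `From Windows 10, Windows 11 and Windows Server 2016, Windows setup disables the built-in Administrator account ...`, reads as if the three products were a range and is grammatically awkward; the original "In Windows 10 and Windows Server 2016" was clearer. Suggest `Starting with Windows 10 and Windows Server 2016, and continuing in Windows 11, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group.` The rest of the paragraph (elevation and Fast User Switching) is unchanged by the commit.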
@ -166,7 +166,7 @@ The following table lists the universal well-known SIDs.
| S-1-5 | NT Authority | A SID that represents an identifier authority. | | S-1-5 | NT Authority | A SID that represents an identifier authority. |
| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| | S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.|
The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the last value is used with well-known SIDs in Windows operating systems designated in the **Applies To** list. The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list.
| Identifier Authority | Value | SID String Prefix | | Identifier Authority | Value | SID String Prefix |
| - | - | - | | - | - | - |
@ -174,6 +174,8 @@ The following table lists the predefined identifier authority constants. The fir
| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 | | SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 |
| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 | | SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 |
| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 | | SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 |
| SECURITY_NT_AUTHORITY | 5 | S-1-5 |
| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 |
The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID. The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID.
@ -256,14 +258,6 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| | S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.|
| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| | S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.|
| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). | | S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). |
| S-1-16-0| Untrusted Mandatory Level| A SID that represents an untrusted integrity level.|
| S-1-16-4096 | Low Mandatory Level| A SID that represents a low integrity level.|
| S-1-16-8192 | Medium Mandatory Level| This SID represents a medium integrity level.|
| S-1-16-8448 | Medium Plus Mandatory Level| A SID that represents a medium plus integrity level.|
| S-1-16-12288 | High Mandatory Level| A SID that represents a high integrity level.|
| S-1-16-16384 | System Mandatory Level| A SID that represents a system integrity level.|
| S-1-16-20480 | Protected Process Mandatory Level| A SID that represents a protected-process integrity level.|
| S-1-16-28672 | Secure Process Mandatory Level| A SID that represents a secure process integrity level.|
The following RIDs are relative to each domain. The following RIDs are relative to each domain.
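Review bot: The eight S-1-16 Mandatory Level rows (Untrusted through Secure Process) are deleted from the end of the S-1-5 table, and nothing in the visible hunks re-adds them elsewhere, so the integrity-level SIDs disappear from the page entirely. If they were removed because they did not belong under the SECURITY_NT_AUTHORITY (S-1-5) heading, they should be relocated rather than dropped: integrity levels are part of how Windows constrains lower-privilege processes, and this is the reference readers use to decode them. The identifier-authority table in the earlier hunk also gains SECURITY_NT_AUTHORITY (5) and SECURITY_AUTHENTICATION_AUTHORITY (18) but not the authority those rows use; suggest adding `| SECURITY_MANDATORY_LABEL_AUTHORITY | 16 | S-1-16 |` there and moving the deleted rows under their own heading, unless a later hunk of this commit already does so.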
@ -2,6 +2,7 @@
title: Special Identities (Windows 10) title: Special Identities (Windows 10)
description: Special Identities description: Special Identities
ms.prod: m365-security ms.prod: m365-security
ms.technology: windows-sec
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.pagetype: security ms.pagetype: security
@ -12,14 +13,14 @@ manager: dansimp
ms.collection: M365-identity-device-management ms.collection: M365-identity-device-management
ms.topic: article ms.topic: article
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 10/12/2021 ms.date: 12/21/2021
ms.reviewer: ms.reviewer:
--- ---
# Special Identities # Special Identities
**Applies to** **Applies to**
- Windows Server 2016 - Windows Server 2016 or later
This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control. This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control.
@ -97,6 +98,18 @@ Any user who accesses the system through an anonymous logon has the Anonymous Lo
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None| |Default User Rights|None|
## Attested Key Property
A SID that means the key trust object had the attestation property.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-6 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Authenticated Users ## Authenticated Users
@ -109,6 +122,18 @@ Any user who accesses the system through a sign-in process has the Authenticated
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight<br> [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege<br> [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight<br> [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege<br> [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
## Authentication Authority Asserted Identity
A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-1 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Batch ## Batch
@ -121,6 +146,18 @@ Any user or process that accesses the system as a batch job (or through the batc
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| none| |Default User Rights| none|
## Console Logon
A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-2-1 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Creator Group ## Creator Group
@ -197,6 +234,18 @@ Membership is controlled by the operating system.
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</br> [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege</br> [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| |Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight</br> [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege</br> [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
## Fresh Public Key Identity
A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-3 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Interactive ## Interactive
@ -209,6 +258,30 @@ Any user who is logged on to the local system has the Interactive identity. This
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| None| |Default User Rights| None|
## IUSR
Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-17 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Key Trust
A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-4 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Local Service ## Local Service
@ -234,6 +307,18 @@ This is a service account that is used by the operating system. The LocalSystem
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None| |Default User Rights|None|
## MFA Key Property
A SID that means the key trust object had the multifactor authentication (MFA) property.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-5 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Network ## Network
This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
@ -279,6 +364,18 @@ This group implicitly includes all users who are logged on to the system through
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| None | |Default User Rights| None |
## Owner Rights
A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-3-4 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Principal Self ## Principal Self
@ -291,6 +388,18 @@ This identity is a placeholder in an ACE on a user, group, or computer object in
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| None | |Default User Rights| None |
## Proxy
Identifies a SECURITY_NT_AUTHORITY Proxy.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-5-8 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Remote Interactive Logon ## Remote Interactive Logon
@ -338,6 +447,18 @@ Any service that accesses the system has the Service identity. This identity gro
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege<br> [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege<br>| |Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege<br> [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege<br>|
## Service Asserted Identity
A SID that means the client's identity is asserted by a service.
| Attribute | Value |
| :--: | :--: |
| Well-Known SID/RID | S-1-18-2 |
|Object Class| Foreign Security Principal|
|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\<forestRootDomain\>|
|Default User Rights|None|
## Terminal Server User ## Terminal Server User
@ -14,17 +14,17 @@ ms.collection:
- M365-identity-device-management - M365-identity-device-management
- highpri - highpri
ms.topic: article ms.topic: article
ms.date: 09/30/2020 ms.date: 12/27/2021
--- ---
# Windows Defender Credential Guard: Requirements # Windows Defender Credential Guard: Requirements
## Applies to ## Applies to
- Windows 10
- Windows 11 - Windows 11
- Windows Server 2016 - Windows 10
- Windows Server 2019 - Windows Server 2019
- Windows Server 2016
For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations). For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
@ -105,7 +105,7 @@ The following tables describe baseline protections, plus protections for improve
|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.| |Hardware: **Trusted Platform Module (TPM)**|**Requirement**: </br> - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.| |Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: </br> - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
|Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.| |Firmware: **Secure firmware update process**|**Requirements**: </br> - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
|Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.| |Software: Qualified **Windows operating system**|**Requirement**: </br> - At least Windows 10 Enterprise or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
> [!IMPORTANT] > [!IMPORTANT]
> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. > Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.

@ -51,11 +51,11 @@ If you use this Supports MFA switch with value **True**, you must verify that yo
## Use Intune to disable Windows Hello for Business enrollment ## Use Intune to disable Windows Hello for Business enrollment
We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy using the steps in [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello). We recommend that you disable or manage Windows Hello for Business provisioning behavior through an Intune policy. For more specific information, see [Integrate Windows Hello for Business with Microsoft Intune](/mem/intune/protect/windows-hello).
However, not everyone uses Intune. The following method explains how to disable Windows Hello for Business enrollment without Intune, or through a third-party mobile device management (MDM). If you aren't using Intune in your organization, you can disable Windows Hello for Business via the registry. We have provided the underlying registry subkeys for disabling Windows Hello for Business. ### Disable Windows Hello for Business using Intune Enrollment policy
## Disable Windows Hello for Business using Intune Enrollment policy The following method explains how to disable Windows Hello for Business enrollment without Intune.
1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 1. Sign into the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center.
2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens. 2. Go to **Devices** > **Enrollment** > **Enroll devices** > **Windows enrollment** > **Windows Hello for Business**. The Windows Hello for Business pane opens.
@ -68,23 +68,19 @@ However, not everyone uses Intune. The following method explains how to disable
## Disable Windows Hello for Business enrollment without Intune ## Disable Windows Hello for Business enrollment without Intune
The information below can be pushed out to the devices through a third-party MDM, or some other method that you use to manage these devices, if you don't manage them with Intune. This push can also be set manually on the specific device(s). If you don't use Intune in your organization, then you can disable Windows Hello for Business using the registry. You can use a third-party MDM, or some other method that you use to manage these devices. Because these systems are Azure AD Joined only, and not domain joined, these settings can also be made manually in the registry.
Because these systems are Azure AD Joined only, and not domain joined, these settings could be made in the registry on the device(s) when Intune isn't used. Intune uses the following registry keys: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
Here are the registry settings an Intune policy would set.
Intune Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies`**
To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant) To look up your Tenant ID, see [How to find your Azure Active Directory tenant ID](/azure/active-directory/fundamentals/active-directory-how-to-find-tenant)
These registry settings are pushed from Intune for user policies for your reference. These registry settings are pushed from Intune for user policies:
- Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\UserSid\Policies`** - Intune User Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\UserSid\Policies`**
- DWORD: **UsePassportForWork** - DWORD: **UsePassportForWork**
- Value = **0** for Disable, or Value = **1** for Enable - Value = **0** for Disable, or Value = **1** for Enable
For your reference, these registry settings can be applied from Local or Group Policies. These registry settings can be applied from Local or Group Policies:
- Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`** - Local/GPO User Policy: **`HKEY_USERS\UserSID\SOFTWARE\Policies\Microsoft\PassportForWork`**
- Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`** - Local/GPO Device Policy: **`HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\PassportForWork`**

@ -1,6 +1,6 @@
--- ---
title: Windows Hello errors during PIN creation (Windows) title: Windows Hello errors during PIN creation (Windows)
description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step. description: When you set up Windows Hello in Windows 10/11, you may get an error during the Create a work PIN step.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: PIN, error, create a work PIN keywords: PIN, error, create a work PIN
ms.prod: m365-security ms.prod: m365-security
@ -26,7 +26,7 @@ ms.date: 05/05/2018
- Windows 10 - Windows 10
- Windows 11 - Windows 11
When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. When you set up Windows Hello in Windows client, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support.
## Where is the error code? ## Where is the error code?
@ -37,11 +37,12 @@ The following image shows an example of an error during **Create a PIN**.
## Error mitigations ## Error mitigations
When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps. When a user encounters an error when creating the work PIN, advise the user to try the following steps. Many errors can be mitigated by one of these steps.
1. Try to create the PIN again. Some errors are transient and resolve themselves. 1. Try to create the PIN again. Some errors are transient and resolve themselves.
2. Sign out, sign in, and try to create the PIN again. 2. Sign out, sign in, and try to create the PIN again.
3. Reboot the device and then try to create the PIN again. 3. Reboot the device and then try to create the PIN again.
4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a desktop PC, go to **Settings** &gt; **System** &gt; **About** and select **Disconnect from organization**. To unjoin a device running Windows 10 Mobile, you must [reset the device](/windows/client-management/reset-a-windows-10-mobile-device). 4. Unjoin the device from Azure Active Directory (Azure AD), rejoin, and then try to create the PIN again. To unjoin a device, go to **Settings** > **System** > **About** > select **Disconnect from organization**.
5. On mobile devices, if you are unable to setup a PIN after multiple attempts, reset your device and start over. For help on how to reset your phone go to [Reset my phone](/windows/client-management/reset-a-windows-10-mobile-device).
If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance. If the error occurs again, check the error code against the following table to see if there is another mitigation for that error. When no mitigation is listed in the table, contact Microsoft Support for assistance.
| Hex | Cause | Mitigation | | Hex | Cause | Mitigation |

@ -24,7 +24,7 @@ localizationpriority: medium
- Windows 10 - Windows 10
- Windows 11 - Windows 11
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN. In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
>[!NOTE] >[!NOTE]
> When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics. > When Windows 10 first shipped, it included Microsoft Passport and Windows Hello, which worked together to provide multi-factor authentication. To simplify deployment and improve supportability, Microsoft has combined these technologies into a single solution under the Windows Hello name. Customers who have already deployed these technologies will not experience any change in functionality. Customers who have yet to evaluate Windows Hello will find it easier to deploy due to simplified policies, documentation, and semantics.

View File

@ -49,7 +49,7 @@ When the PIN is created, it establishes a trusted relationship with the identity
   
## PIN is backed by hardware ## PIN is backed by hardware
The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. All Windows 10 Mobile phones and many modern laptops have TPM. The Hello PIN is backed by a Trusted Platform Module (TPM) chip, which is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Many modern devices have TPM.
User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised. User key material is generated and available within the Trusted Platform Module (TPM) of the user device, which protects it from attackers who want to capture the key material and reuse it. Because Hello uses asymmetric key pairs, users credentials can't be stolen in cases where the identity provider or websites the user accesses have been compromised.
@ -64,7 +64,7 @@ The Windows Hello for Business PIN is subject to the same set of IT management p
To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device. To compromise a Windows Hello credential that TPM protects, an attacker must have access to the physical device, and then must find a way to spoof the user's biometrics or guess his or her PIN—and all of this must be done before [TPM anti-hammering](/windows/device-security/tpm/tpm-fundamentals#anti-hammering) protection locks the device.
You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins. You can provide additional protection for laptops that don't have TPM by enabling BitLocker and setting a policy to limit failed sign-ins.
**Configure BitLocker without TPM** ### Configure BitLocker without TPM
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: 1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
@ -72,7 +72,9 @@ You can provide additional protection for laptops that don't have TPM by enablin
2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.** 2. In the policy option, select **Allow BitLocker without a compatible TPM**, and then click **OK.**
3. Go to Control Panel > **System and Security > BitLocker Drive Encryption** and select the operating system drive to protect. 3. Go to Control Panel > **System and Security > BitLocker Drive Encryption** and select the operating system drive to protect.
**Set account lockout threshold**
### Set account lockout threshold
1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy: 1. Use the Local Group Policy Editor (gpedit.msc) to enable the following policy:
**Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold** **Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy > Account lockout threshold**

@ -17,9 +17,8 @@ ms.topic: article
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
- Windows 10 Mobile
Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
@ -63,6 +62,7 @@ Containers can contain several types of key material:
- An authentication key, which is always an asymmetric publicprivate key pair. This key pair is generated during registration. It must be unlocked each time its accessed, by using either the users PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. - An authentication key, which is always an asymmetric publicprivate key pair. This key pair is generated during registration. It must be unlocked each time its accessed, by using either the users PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. Theyre available whenever the users container is unlocked. - Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. Theyre available whenever the users container is unlocked.
- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: - The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
- The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831498(v=ws.11)). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
- The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that dont have or need a PKI. - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that dont have or need a PKI.
@ -102,19 +102,6 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ
- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. - Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document.
## Related topics ## Related topics
- [Windows Hello for Business](../hello-identity-verification.md) - [Windows Hello for Business](../hello-identity-verification.md)

@ -22,6 +22,6 @@ Malicious actors launch millions of password attacks every day. Weak passwords,
| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | | Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) |
| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| | Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)|
| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | | FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). |
| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | | Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone). |
| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| | Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).|
| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| | Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).|

@ -15,7 +15,7 @@ ms.collection:
- M365-security-compliance - M365-security-compliance
- highpri - highpri
ms.topic: conceptual ms.topic: conceptual
ms.date: 09/06/2021 ms.date: 12/27/2021
--- ---
# TPM fundamentals # TPM fundamentals
@ -23,7 +23,7 @@ ms.date: 09/06/2021
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11 - Windows 11
- Windows Server 2016 and above - Windows Server 2016 and later
This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks. This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
@ -106,11 +106,11 @@ Because many entities can use the TPM, a single authorization success cannot res
TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry. TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry.
For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts. For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every 10 minutes. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
Attempts to use a key with an authorization value for the next two hours would not return success or failure; instead the response indicates that the TPM is locked. After two hours, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next two hours. If a period of 64 hours elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again. Attempts to use a key with an authorization value for the next 10 minutes would not return success or failure; instead the response indicates that the TPM is locked. After 10 minutes, one authorization failure is forgotten and the number of authorization failures remembered by the TPM drops to 31, so the TPM leaves the locked state and returns to normal operation. With the correct authorization value, keys could be used normally if no authorization failures occur during the next 10 minutes. If a period of 320 minutes elapses with no authorization failures, the TPM does not remember any authorization failures, and 32 failed attempts could occur again.
Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for two hours. Windows 8 Certification does not require TPM 2.0 systems to forget about authorization failures when the system is fully powered off or when the system has hibernated. Windows does require that authorization failures are forgotten when the system is running normally, in a sleep mode, or in low power states other than off. If a Windows system with TPM 2.0 is locked, the TPM leaves lockout mode if the system is left on for 10 minutes.
The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators. The anti-hammering protection for TPM 2.0 can be fully reset immediately by sending a reset lockout command to the TPM and providing the TPM owner password. By default, Windows automatically provisions TPM 2.0 and stores the TPM owner password for use by system administrators.
@ -124,20 +124,9 @@ Originally, BitLocker allowed from 4 to 20 characters for a PIN.
Windows Hello has its own PIN for logon, which can be 4 to 127 characters. Windows Hello has its own PIN for logon, which can be 4 to 127 characters.
Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks. Both BitLocker and Windows Hello use the TPM to prevent PIN brute-force attacks.
The TPM can be configured to use Dictionary Attack Prevention parameters ([lockout threshold and lockout duration](trusted-platform-module-services-group-policy-settings.md)) to control how many failed authorizations attempts are allowed before the TPM is locked out, and how much time must elapse before another attempt can be made. Windows 10, version 1607 and earlier used Dictionary Attack Prevention parameters. The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time. A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours. This totals a maximum of about 4415 guesses per year. If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
The Dictionary Attack Prevention Parameters provide a way to balance security needs with usability. Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello. Increasing the PIN length requires a greater number of guesses for an attacker. Therefore, the lockout duration between each guess was shortened to allow legitimate users to retry a failed attempt sooner while maintaining a similar level of protection. In case the legacy parameters for lockout threshold and recovery time need to be used, make sure that GPO is enabled and [configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0](/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings#configure-the-system-to-use-legacy-dictionary-attack-prevention-parameters-setting-for-tpm-20).
For example, when BitLocker is used with a TPM + PIN configuration, the number of PIN guesses is limited over time.
A TPM 2.0 in this example could be configured to allow only 32 PIN guesses immediately, and then only one more guess every two hours.
This totals a maximum of about 4415 guesses per year.
If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in a little over two years.
Increasing the PIN length requires a greater number of guesses for an attacker.
In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
To help organizations with the transition, with Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, Windows 10, version 1709 and higher, and Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### TPM-based smart cards ### TPM-based smart cards
@ -147,7 +136,7 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
- Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements. - Hardware manufacturers and software developers have the option to use the security features of the TPM to meet their requirements.
- The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait two hours or use some other credential to sign in, such as a user name and password. - The intent of selecting 32 failures as the lock-out threshold is so users rarely lock the TPM (even when learning to type new passwords or if they frequently lock and unlock their computers). If users lock the TPM, they must to wait 10 minutes or use some other credential to sign in, such as a user name and password.
## Related topics ## Related topics


@ -35,8 +35,8 @@ The following Group Policy settings were introduced in Windows.
## Configure the level of TPM owner authorization information available to the operating system ## Configure the level of TPM owner authorization information available to the operating system
>[!IMPORTANT] > [!IMPORTANT]
>Beginning with Windows 10 version 1607 and Windows Server 2016, this policy setting is no longer used by Windows, but it continues to appear in GPEdit.msc for compatibility with previous versions. Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization. > Beginning with Windows 10 version 1703, the default value is 5. This value is implemented during provisioning so that another Windows component can either delete it or take ownership of it, depending on the system configuration. For TPM 2.0, a value of 5 means keep the lockout authorization. For TPM 1.2, it means discard the Full TPM owner authorization and retain only the Delegated authorization.
This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions. This policy setting configured which TPM authorization values are stored in the registry of the local computer. Certain authorization values are required in order to allow Windows to perform certain actions.


@ -11,7 +11,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
ms.localizationpriority: none ms.localizationpriority: none
author: dansimp author: dansimp
ms.date: 09/06/2021 ms.date: 12/16/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
@ -46,6 +46,8 @@ If success auditing is enabled, an audit entry is generated each time any accoun
- [4670](event-4670.md)(S): Permissions on an object were changed. - [4670](event-4670.md)(S): Permissions on an object were changed.
> [!NOTE]
> On creating a subkey for a parent, the expectation is to see a 4656 event for the newly created subkey. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using advanced audit policy configurations for registry specific events, such as using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable". While using regedit.exe for creating subkeys you will see an additional 4663 event because you perform NtEnumerateKeys on the newly created subkey. You might additionally see a 4663 event on the newly created key if you try to rename the subkey. While using reg.exe for creating subkeys you'll see an additional 4663 event because you perform NtSetValueKey on the newly created subkey. We recommend not relying on 4663 events for subkey creation as they are dependent on the type of permissions enabled on the parent and are not consistent across regedit.exe and reg.exe.
> [!NOTE]
> On creating a subkey for a parent (RegCreateKey), the expectation is to see an event for opening a handle for the newly created object (event 4656) issued by the object manager. You will see this event only when "Audit Object Access" is enabled under **Local Policies** > **Audit Policy** in Local Security Policy. This event is not generated while using precisely defined settings for seeing only registry-related events under **Advanced Audit Policy Configurations** > **Object Access** > **Audit Registry** in Local Security Policy. For example, you will not see this event with the setting to just see the registry-related auditing events using "auditpol.exe /set /subcategory:{0CCE921E-69AE-11D9-BED3-505054503030} /success:enable".
Calls to Registry APIs to access an open key object to perform an operation such as RegSetValue, RegEnumValue, and RegRenameKey would trigger an event to access the object (event 4663). For example, creating a subkey using regedit.exe would not trigger a 4663 event, but renaming it would.


@ -150,11 +150,11 @@ This event generates every time a new process starts.
- **Token Elevation Type** \[Type = UnicodeString\]**:** - **Token Elevation Type** \[Type = UnicodeString\]**:**
- **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. - **%%1936:** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC is disabled by default), service account, or local system account.
- **TokenElevationTypeFull (2):** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group. - **%%1937:** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- **TokenElevationTypeLimited (3):** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator. - **%%1938:** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](/windows/win32/secauthz/mandatory-integrity-control) which was assigned to the new process. Can have one of the following values: - **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](/windows/win32/secauthz/mandatory-integrity-control) which was assigned to the new process. Can have one of the following values:
@ -203,10 +203,10 @@ For 4688(S): A new process has been created.
- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**. - It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**.
- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason. - Monitor for **Token Elevation Type** with value **%%1936** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. Typically this means that UAC is disabled for this account for some reason.
- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges. - Monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesn't contain the $ symbol. This means that a user ran a program using administrative privileges.
- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs. - You can also monitor for **Token Elevation Type** with value **%%1937** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs.
- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event. - If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the "**Mandatory Label**" in this event.


@ -10,7 +10,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 11/29/2021 ms.date: 12/16/2021
ms.reviewer: ms.reviewer:
ms.technology: windows-sec ms.technology: windows-sec
--- ---
@ -19,8 +19,9 @@ ms.technology: windows-sec
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10 and Windows 11.
Some applications, including device drivers, may be incompatible with HVCI. Some applications, including device drivers, may be incompatible with HVCI.
This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
@ -34,9 +35,9 @@ If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.
* HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate. * HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate.
* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI. * Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
## How to turn on HVCI in Windows 10 ## How to turn on HVCI in Windows 10 and Windows 11
To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options: To enable HVCI on Windows 10 and Windows 11 devices with supporting hardware throughout an enterprise, use any of these options:
- [Windows Security app](#windows-security-app) - [Windows Security app](#windows-security-app)
- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune) - [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
- [Group Policy](#enable-hvci-using-group-policy) - [Group Policy](#enable-hvci-using-group-policy)
@ -80,7 +81,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
> >
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
#### For Windows 10 version 1607 and later #### For Windows 10 version 1607 and later and for Windows 11 version 21H2
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
@ -194,17 +195,17 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG
### Validate enabled Windows Defender Device Guard hardware-based security features ### Validate enabled Windows Defender Device Guard hardware-based security features
Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
```powershell ```powershell
Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windows\DeviceGuard Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windows\DeviceGuard
``` ```
> [!NOTE] > [!NOTE]
> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. > The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10 and Windows 11.
> [!NOTE] > [!NOTE]
> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803. > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2.
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.


@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/19/2017 ms.date: 12/16/2021
ms.technology: windows-sec ms.technology: windows-sec
--- ---
@ -22,6 +22,7 @@ ms.technology: windows-sec
**Applies to** **Applies to**
- Windows 10 - Windows 10
- Windows 11
Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows. Provides an overview and links to information about the User Rights Assignment security policy settings user rights that are available in Windows.
User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item. User rights govern the methods by which a user can log on to a system. User rights are applied at the local device level, and they allow users to perform tasks on a device or in a domain. User rights include logon rights and permissions. Logon rights control who is authorized to log on to a device and how they can log on. User rights permissions control access to computer and domain resources, and they can override permissions that have been set on specific objects. User rights are managed in Group Policy under the **User Rights Assignment** item.


@ -103,6 +103,9 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS
<ThresholdExtensions> <ThresholdExtensions>
<Services EnforcementMode="Enabled" /> <Services EnforcementMode="Enabled" />
</ThresholdExtensions> </ThresholdExtensions>
<RedstoneExtensions>
<SystemApps Allow="Enabled"/>
</RedstoneExtensions>
</RuleCollectionExtensions> </RuleCollectionExtensions>
</RuleCollection> </RuleCollection>
<RuleCollection Type="Exe" EnforcementMode="AuditOnly"> <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
@ -115,6 +118,9 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS
<ThresholdExtensions> <ThresholdExtensions>
<Services EnforcementMode="Enabled" /> <Services EnforcementMode="Enabled" />
</ThresholdExtensions> </ThresholdExtensions>
<RedstoneExtensions>
<SystemApps Allow="Enabled"/>
</RedstoneExtensions>
</RuleCollectionExtensions> </RuleCollectionExtensions>
</RuleCollection> </RuleCollection>
``` ```
@ -133,6 +139,9 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS
<ThresholdExtensions> <ThresholdExtensions>
<Services EnforcementMode="Enabled" /> <Services EnforcementMode="Enabled" />
</ThresholdExtensions> </ThresholdExtensions>
<RedstoneExtensions>
<SystemApps Allow="Enabled"/>
</RedstoneExtensions>
</RuleCollectionExtensions> </RuleCollectionExtensions>
</RuleCollection> </RuleCollection>
<RuleCollection Type="Exe" EnforcementMode="AuditOnly"> <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
@ -145,6 +154,9 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS
<ThresholdExtensions> <ThresholdExtensions>
<Services EnforcementMode="Enabled" /> <Services EnforcementMode="Enabled" />
</ThresholdExtensions> </ThresholdExtensions>
<RedstoneExtensions>
<SystemApps Allow="Enabled"/>
</RedstoneExtensions>
</RuleCollectionExtensions> </RuleCollectionExtensions>
</RuleCollection> </RuleCollection>
<RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly"> <RuleCollection Type="ManagedInstaller" EnforcementMode="AuditOnly">