diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 340a768d75..f897a39dbc 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -398,8 +398,7 @@ "branches_to_filter": [ "" ], - "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/windows-itpro-docs", - "git_repository_branch_open_to_public_contributors": "master", + "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/win-cpub-itpro-docs", "skip_source_output_uploading": false, "need_preview_pull_request": true, "dependent_repositories": [ @@ -424,7 +423,12 @@ "master": [ "Publish", "Pdf" + ], + "msesdemo": [ + "Publish", + "Pdf" ] + }, "need_generate_pdf_url_template": true, "Targets": { diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 838a6cc065..d8e96bc586 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -1,6 +1,11 @@ { "redirections": [ { +"source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md", +"redirect_url": "/education/windows/switch-to-pro-education", +"redirect_document_id": true +}, +{ "source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md", "redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune", "redirect_document_id": false 
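Review bot: The first hunk of `.openpublishing.publish.config.json` removes `git_repository_branch_open_to_public_contributors` without a replacement while keeping its sibling `git_repository_url_open_to_public_contributors`, so the branch that public contributions are routed to is now left to the publishing system's default rather than pinned. If that default is not the branch previously pinned here (`master`), external edits to the new `win-cpub-itpro-docs` repository may land on a different branch than intended; I would either confirm the default or keep the key explicitly, `"git_repository_branch_open_to_public_contributors": "master",`. The surrounding object starts and ends outside the hunk.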
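Review bot: In the second hunk of `.openpublishing.publish.config.json` the added `},` closes an object whose opening brace is outside the hunk, and on the old side the context line `]` is followed directly by `"need_generate_pdf_url_template": true,` with no closing brace visible in between, so the brace balance cannot be confirmed from the hunk alone. As this diff is rendered here with lines collapsed, that may be a lost line rather than a defect, but it is also consistent with the old file having been malformed and this change silently repairing it; either way the whole file should be validated with a strict parser (for example `jq . .openpublishing.publish.config.json`) before merge, since a syntax error here breaks the publish configuration for every branch. The new `msesdemo` entry duplicates the `"Publish", "Pdf"` target list of `master`, which is fine if that is intended.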
@@ -61,6 +66,31 @@ "redirect_document_id": true }, { +"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md", +"redirect_url": "/surface-hub/finishing-your-surface-hub-meeting", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md", +"redirect_url": "/surface-hub/provisioning-packages-for-surface-hub", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md", +"redirect_url": "/surface-hub/admin-group-management-for-surface-hub", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/surface-hub-administrators-guide.md", +"redirect_url": "/surface-hub/index", +"redirect_document_id": true +}, +{ +"source_path": "devices/surface-hub/intro-to-surface-hub.md", +"redirect_url": "/surface-hub/index", +"redirect_document_id": false +}, +{ "source_path": "windows/manage/waas-quick-start.md", "redirect_url": "/windows/deployment/update/waas-quick-start", "redirect_document_id": true diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md index f55624a429..5991583d77 100644 --- a/browsers/internet-explorer/TOC.md +++ b/browsers/internet-explorer/TOC.md 
@@ -20,7 +20,7 @@ ###[Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md) ##[Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md) ##[Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md) -###[What is Enterprise Mode?](ie11-deploy-guide/what-is-enterprise-mode.md) +###[Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md) ###[Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md) ###[Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md) ###[Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md) 
@@ -40,6 +40,18 @@ ####[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md) ####[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) ####[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) +###[Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md) +####[Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md) +#####[Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md) +#####[Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md) +####[Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md) +#####[Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md) +#####[Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md) +#####[Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md) +#####[Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md) +#####[Verify the change request update in the production environment using the Enterprise Mode Site List 
Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md) +#####[View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md) +#####[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md) ###[Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md) ###[Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) ###[Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md) diff --git a/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md new file mode 100644 index 0000000000..0f99fc6a7b --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/add-employees-enterprise-mode-portal.md 
@@ -0,0 +1,64 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to add employees to the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Add employees to the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups. + +The available roles are: + +- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests. + +- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests. + +- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. 
The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page. + +**To add an employee to the Enterprise Mode Site List Portal** +1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page. + + The **Employee management** page appears. + +2. Click **Add a new employee**. + + The **Add a new employee** page appears. + +3. Fill out the fields for each employee, including: + + - **Email.** Add the employee's email address. + + - **Name.** This box autofills based on the email address. + + - **Role.** Pick a single role for the employee, based on the list above. + + - **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers. + + - **Comments.** Add optional comments about the employee. + + - **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + +**To export all employees to an Excel spreadsheet** +1. On the **Employee management** page, click **Export to Excel**. + +2. Save the EnterpriseModeUsersList.xlsx file. + + The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md new file mode 100644 index 0000000000..0b6cee7d40 
--- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md 
@@ -0,0 +1,58 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Approve a change request using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes. + +## Approve or reject a change request +The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request. + +**To approve or reject a change request** +1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page. + + The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane. + +2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons. + +3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**. + + An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request. 
+ + +## Send a reminder to the Approver(s) group +If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group. + +- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**. + + An email is sent to the selected Approver(s). + + +## View rejected change requests +The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request. + +**To view the rejected change request** + +- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane. + + All rejected change requests appear, with role assignment determining which ones are visible. + + +## Next steps +After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md index 4ec6a7cc70..aab097bf2f 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/change-history-for-internet-explorer-11.md 
@@ -12,6 +12,11 @@ author: eross-msft # Change history for Internet Explorer 11 This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile. +## April 2017 +|New or changed topic | Description | +|----------------------|-------------| +|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. | + ## March 2017 |New or changed topic | Description | |----------------------|-------------| diff --git a/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md new file mode 100644 index 0000000000..0c2fcabf27 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/configure-settings-enterprise-mode-portal.md 
@@ -0,0 +1,93 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes. +author: eross-msft +ms.prod: ie11 +title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Use the Settings page to finish setting up the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes. + +## Use the Environment settings area +This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications. + +**To add location info** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**. + +3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**. + +## Use the Group and role settings area +After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group. + +**To add a new group and determine the required change request Approvers** +1. 
Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Group and role settings** area of the page, click **Group details**. + + The **Add or edit group names** box appears. + +3. Click the **Add group** tab, and then add the following info: + + - **New group name.** Type name of your new group. + + - **Group head email.** Type the email address for the primary contact for the group. + + - **Group head name.** This box automatically fills, based on the email address. + + - **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box. + +4. Click **Save**. + + +**To set a group's required Approvers** +1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box. + +2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles. + + - **App Manager.** All employees in the selected group must get change request approval by someone assigned this role. + + You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. + + - **Group Head.** All employees in the selected group must get change request approval by someone assigned this role. + + You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box. + + - **Administrator.** All employees in the selected group must get change request approval by someone assigned this role. + +## Use the Freeze production changes area +This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date. 
+ +**To add the start and end dates** +1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page. + + The **Settings** page appears. + +2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time. + +3. Click **Save**. + +## Related topics +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) + +- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md new file mode 100644 index 0000000000..dee66ac9d8 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/create-change-request-enterprise-mode-portal.md 
@@ -0,0 +1,69 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Details about how to create a change request within the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + +# Create a change request using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal. + +>[!Important] +>Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct. + +**To create a new change request** +1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**. + + The **Create new request** page appears. + +2. Fill out the required fields, based on the group and the app, including: + + - **Group name.** Select the name of your group from the dropdown box. + + - **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List. + + - **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list. + + - **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list. + + - **Requested by.** Automatically filled in with your name. 
+ + - **Description.** Add descriptive info about the app. + + - **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**. + + - **Reason for request.** Select the best reason for why you want to update, delete, or add the app. + + - **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change. + + - **App location (URL).** The full URL location to the app, starting with http:// or https://. + + - **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes. + + - **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/en-us/library/cc288325(v=vs.85).aspx). + +4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing. + + A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list. + +5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct. + + - **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**. + + - **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator. + +## Next steps +After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. 
For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic. \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md index 1624192493..1d96ecb7cf 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-overview-for-ie11.md @@ -2,7 +2,7 @@ localizationpriority: low ms.mktglfcycl: deploy ms.pagetype: appcompat -description: Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. +description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company. author: eross-msft ms.prod: ie11 ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e 
@@ -26,7 +26,7 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an ## In this section |Topic |Description | |---------------------------------------------------------------|-----------------------------------------------------------------------------------| -|[What is Enterprise Mode?](what-is-enterprise-mode.md) |Includes descriptions of the features of Enterprise Mode. | +|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. | |[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. | |[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. | |[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. | 
@@ -34,6 +34,7 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an |[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. | |[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.| |[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | +|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. | |[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. | |[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. | |[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. | diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index f26bdcd631..4a37a95e9a 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md 
@@ -33,7 +33,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s |[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. | |[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. | |[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Use IE to collect data on computers running Windows Internet Explorer 8 through IE11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. | -|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. | +|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode, the Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal in your company. | |[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. 
| |[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. | |[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. | diff --git a/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md new file mode 100644 index 0000000000..6d4ae0d626 --- /dev/null +++ b/browsers/internet-explorer/ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md 
@@ -0,0 +1,49 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# Schedule approved change requests for production using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time.
+
+**To schedule an immediate change**
+1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
+
+2. The Requester clicks the **Approved** status for the change request.
+
+ The **Schedule changes** page appears.
+
+3. The Requester clicks **Now**, and then clicks **Save**.
+
+ The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes.
+
+
+**To schedule the change for a different day or time**
+1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
+
+2. The Requester clicks the **Approved** status for the change request.
+
+ The **Schedule changes** page appears.
+
+3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**.
+
+ The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes.
+
+
+## Next steps
+After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic.
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
new file mode 100644
index 0000000000..e23bce2182
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -0,0 +1,231 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
+author: eross-msft
+ms.prod: ie11
+title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# Set up the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment.
+
+## Step 1 - Copy the deployment folder to the web server
+You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server.
+
+**To download the source code**
+1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server.
+
+2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
+
+ >[!Note]
+ >You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
+
+3. Open File Explorer and then open the **EMIEWebPortal/** folder.
+
+4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**.
+
+5. Type _npm i_ into the command prompt, then press **Enter**.
+
+ Installs the npm package manager and bulk adds all the third-party libraries back into your codebase.
+
+6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution.
+
+7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
+
+## Step 2 - Create the Application Pool and website, by using IIS
+Create a new Application Pool and the website, by using the IIS Manager.
+
+**To create a new Application Pool**
+1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**.
+
+ The **Add Application Pool** box appears.
+
+2. In the **Add Application Pool** box, enter the following info:
+
+ - **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_.
+
+ - **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher.
+
+ - **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content.
+
+3. Click **OK**.
+
+4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane.
+
+ The **Advanced Settings** box appears.
+
+5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box.
+
+6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_.
+
+7. Right-click on the directory, click **Properties**, and then click the **Security** tab.
+
+8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer.
+
+9. Add **Everyone** to the list with **Read & execute access**.
+
+**To create the website**
+1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**.
+
+ The **Add Website** box appears.
+
+2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**.
+
+ The **Select Application Pool** box appears.
+
+4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_.
+
+5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_.
+
+6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization.
+
+7. Clear the **Start Website immediately** check box, and then click **OK**.
+
+8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_.
+
+ The **<website_name> Home** pane appears.
+
+9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
+
+ >[!Note]
+ >You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
+
+10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon.
+
+11. Open the **LOBMergedEntities Connection String** to edit:
+
+ - **Data source.** Type the name of your local computer.
+
+ - **Initial catalog.** The name of your database.
+
+ >[!Note]
+ >Step 3 of this topic provides the steps to create your database.
+
+## Step 3 - Create and prep your database
+Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
+
+**To create and prep your database**
+1. Start SQL Server Management Studio.
+
+2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine.
+
+3. Expand the instance, right-click on **Databases**, and then click **New Database**.
+
+4. Type a database name. For example, _EMIEDatabase_.
+
+5. Leave all default values for the database files, and then click **OK**.
+
+6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory.
+
+7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_.
+
+8. Run the query.
+
+## Step 4 - Map your Application Pool to a SQL Server role
+Map your ApplicationPoolIdentity to your database, adding the db_owner role.
+
+**To map your ApplicationPoolIdentity to a SQL Server role**
+1. Start SQL Server Management Studio and connect to your database.
+
+2. Expand the database instance and then open the server-level **Security** folder.
+
+ > [!IMPORTANT]
+ > Make sure you open the **Security** folder at the server level and not for the database.
+
+3. Right-click **Logins**, and then click **New Login**.
+
+ The **Login-New** dialog box appears.
+
+4. Type the following into the **Login name** box, based on your server instance type:
+
+ - **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_.
+
+ - **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`.
+
+ > [!IMPORTANT]
+ > Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID).
+
+5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane.
+
+6. Click **OK**.
+
+## Step 5 - Restart the Application Pool and website
+Using the IIS Manager, you must restart both your Application Pool and your website.
+
+**To restart your Application Pool and website**
+1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane.
+
+2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane.
+
+## Step 6 - Registering as an administrator
+After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal.
+
+**To register as an administrator**
+1. Open Microsoft Edge and type your website URL into the Address bar. For example, http://emieportal:8085.
+
+2. Click **Register now**.
+
+3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box.
+
+4. Click **Administrator** from the **Role** box, and then click **Save**.
+
+5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, http://emieportal:8085/#/EMIEAdminConsole.
+
+ A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit.
+
+6. Select your name from the available list, and then click **Activate**.
+
+7. Go to the Enterprise Mode Site List Portal Home page and sign in.
+
+## Step 7 - Configure the SMTP server and port for email notification
+After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system.
+
+**To set up your SMTP server and port for emails**
+1. Open Visual Studio, and then open the web.config file from your deployment directory.
+
+2. Update the SMTP server and port info with your info, using this format:
+
+ ```
+
+ ```
+3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info.
+
+## Step 8 - Register the scheduler service
+Register the EMIEScheduler tool and service for production site list changes.
+
+**To register the scheduler service**
+
+1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\.
+
+ >[!Important]
+ >If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
+
+2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_.
+
+3. Run the command, `InstallUtil ""`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._
+
+ You'll be asked for your user name and password for the service.
+
+4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service.
+
+## Related topics
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+
+- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
new file mode 100644
index 0000000000..a478fd9557
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/use-the-enterprise-mode-portal.md
@@ -0,0 +1,79 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal.
+ms.prod: ie11
+title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# Use the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
+
+The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
+
+You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users.
+
+## Minimum system requirements for portal and test machines
+Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
+
+|Item |Description |
+|-----|------------|
+|Operating system |Windows 7 or later |
+|Memory |16 GB RAM |
+|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security |
+|Active Directory (AD) |Devices must be domain-joined |
+|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later |
+|Visual Studio |Visual Studio 2015 or later |
+|Node.js® package manager |npm Developer version or higher |
+|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later |
+
+## Role assignments and available actions
+Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table.
+
+|Role assignment |Available actions |
+|----------------|------------------|
+|Requester |
  • Create a change request


  • Validate changes in the pre-production environment


  • Rollback pre-production and production changes in case of failure


  • Send approval requests


  • View own requests


  • Sign off and close own requests
| +|Approver

(includes the App Manager and Group Head roles) |
  • All of the Requester actions, plus:


  • Approve requests
| +|Administrator |
  • All of the Requester and Approver actions, plus:


  • Add employees to the portal


  • Assign employee roles


  • Approve registrations to the portal


  • Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)


  • Use the standalone Enterprise Mode Site List Manager page


  • View reports
|
+
+## Enterprise Mode Site List Portal workflow by employee role
+The following workflow describes how to use the Enterprise Mode Site List Portal.
+
+1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md)
+
+2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md)
+
+3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md)
+
+4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md)
+
+5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md)
+
+
+## Related topics
+- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
+
+- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md)
+
+- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
+
+- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
+
+- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
+ 
+
+ 
+
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
new file mode 100644
index 0000000000..ad7ff7fb3e
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md
@@ -0,0 +1,66 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# Verify your changes using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+>[!Important]
+>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
+
+The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
+
+- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
+
+- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
+
+- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry.
+
+## Verify and send the change request to Approvers
+The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful.
+
+**To verify changes and send to the Approver(s)**
+1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
+
+2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**.
+
+ The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval.
+
+
+**To rollback your pre-production changes**
+1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
+
+2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**.
+
+ The change request and issue info are sent to the Administrators.
+
+3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment.
+
+ After the Requester rolls back the changes, the request can be updated and re-submitted.
+
+
+## View rolled back change requests
+The original Requester and the Administrator(s) group can view the rolled back change requests.
+
+**To view the rolled back change request**
+
+- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane.
+
+ All rolled back change requests appear, with role assignment determining which ones are visible.
+
+## Next steps
+If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
new file mode 100644
index 0000000000..9b17b1c55d
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md
@@ -0,0 +1,41 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+## Verify and sign off on the update in the production environment
+The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful.
+
+**To verify the changes and sign off**
+- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**.
+
+ The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off.
+
+
+**To rollback production changes**
+1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results.
+
+2. Add a description about the issue into the **Change description** box, and then click **Send failure details**.
+
+ The info is sent to the Administrators.
+
+3. The Requester clicks **Roll back** to roll back the changes in the production environment.
+
+ After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
new file mode 100644
index 0000000000..90be9b01af
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-apps-enterprise-mode-site-list.md
@@ -0,0 +1,37 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List.
+
+**To view the active Enterprise Mode Site List**
+1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page.
+
+ The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
+
+2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser.
+
+
+**To export the active Enterprise Mode Site List**
+1. On the **Production sites list** page, click **Export**.
+
+2. Save the ProductionSiteList.xlsx file.
+
+ The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
new file mode 100644
index 0000000000..39742890ba
--- /dev/null
+++ b/browsers/internet-explorer/ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md
@@ -0,0 +1,49 @@
+---
+localizationpriority: low
+ms.mktglfcycl: deploy
+ms.pagetype: appcompat
+description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal.
+author: eross-msft
+ms.prod: ie11
+title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
+ms.sitesec: library
+---
+
+# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
+
+**Applies to:**
+
+- Windows 10
+- Windows 8.1
+- Windows 7
+- Windows Server 2012 R2
+- Windows Server 2008 R2 with Service Pack 1 (SP1)
+
+Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal.
+
+**To view the reports**
+1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page.
+
+ The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
+
+2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers.
+
+3. Click **Apply**.
+
+ The reports all change to reflect the appropriate timeframe and group, including:
+
+ - **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List.
+
+ - **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field.
+
+ - **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**.
+
+ - **All requests by status.** Shows how many change requests exist, based on each status.
+
+ - **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field.
+
+ - **Request status by group.** Shows how many change requests exist, based on both group and status.
+
+ - **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field.
+
+ - **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**.
\ No newline at end of file
diff --git a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
index 44cf261391..f803185980
--- a/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/what-is-enterprise-mode.md
@@ -6,12 +6,12 @@ description: Info about the features included in Enterprise Mode with Internet E
 author: eross-msft
 ms.prod: ie11
 ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa
-title: What is Enterprise Mode (Internet Explorer 11 for IT Pros)
+title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros)
 ms.sitesec: library
 ---
-# What is Enterprise Mode?
+# Enterprise Mode and the Enterprise Mode Site List
 **Applies to:**
@@ -21,28 +21,146 @@ ms.sitesec: library - Windows Server 2012 R2 - Windows Server 2008 R2 with Service Pack 1 (SP1) -Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. +Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal). -Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to the latest version of IE. In particular, IE11 lets customers benefit from modern web standards, increased performance, improved security, and better reliability. +## Available dual-browser experiences +Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment: -## Enterprise Mode features +- Use Microsoft Edge as your primary browser. 
+- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies. + +- Use Microsoft Edge as your primary browser and open all intranet sites in IE11. + +- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies. + +For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog. + +## What is Enterprise Mode? +Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10 devices, lets websites render using a modified browser configuration that’s designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer. + +Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability. + +### Enterprise Mode features Enterprise Mode includes the following features: -- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting a number of site patterns that aren’t currently supported by existing document modes. 
+- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that aren’t currently supported by existing document modes. -- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.

+- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode. Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema. -- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the **Tools** menu and to decide whether the Enterprise browser profile appears on the **Emulation** tab of the F12 developer tools.

**Important**
All centrally-made decisions override any locally-made choices.  +- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools. -- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. + >[!Important] + >All centrally-made decisions override any locally-made choices. -- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. +- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites. -  +- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list. -  +## Enterprise Mode and the Enterprise Mode Site List XML file +The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. 
Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11. +Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge. +### Site list xml file +This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location. +```xml + + + + EnterpriseSiteListManager + 10586 + 20150728.135021 + + + + IE8Enterprise + IE11 + + + default + IE11 + + + IE7Enterprise + IE11 + + + + + IE8Enterprise" + IE11 + + + IE7 + IE11 + + + IE7 + IE11 + + + +``` + +## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools +You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, we’ve also provided a couple tools that can make that process even easier. + +### Enterprise Mode Site List Manager +This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics. 
+ +There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10: + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema. + + We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md). + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema. + + If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). + +If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal. + +### Enterprise Mode Site List Portal +The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. + +In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you: + +- Manage site lists from any device supporting Windows 7 or greater. + +- Submit change requests. + +- Operate offline through an on-premise solution. + +- Provide role-based governance. 
+ +- Test configuration settings before releasing to a live environment. + +Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later. + +Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) topics. + +## Related topics + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie) + +- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501) + +- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974) + +- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) + +- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) + +- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx) + +- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx) + +- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search) \ No newline at end of file diff --git a/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md new file mode 100644 index 0000000000..6c23ee0748 --- /dev/null 
+++ b/browsers/internet-explorer/ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md 
@@ -0,0 +1,42 @@ +--- +localizationpriority: low +ms.mktglfcycl: deploy +ms.pagetype: appcompat +description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal. +author: eross-msft +ms.prod: ie11 +title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros) +ms.sitesec: library +--- + + +# Workflow-based processes for employees using the Enterprise Mode Site List Portal + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 +- Windows Server 2012 R2 +- Windows Server 2008 R2 with Service Pack 1 (SP1) + +Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow. + +## In this section +|Topic |Description | +|---------------------------------------------------------------|-----------------------------------------------------------------------------------| +|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.| +|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.| +|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.| +|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.| +|[Verify the change request update in the 
production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.| +|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.| +|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. | + + +## Related topics +- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md) + +- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) + +- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md) \ No newline at end of file diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md index 8377e9a846..757d5d4376 100644 --- a/devices/hololens/change-history-hololens.md +++ b/devices/hololens/change-history-hololens.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: jdeckerms localizationpriority: medium --- diff --git a/devices/hololens/hololens-enroll-mdm.md b/devices/hololens/hololens-enroll-mdm.md index 813109b1c5..e9b51e6b8d 100644 --- a/devices/hololens/hololens-enroll-mdm.md +++ b/devices/hololens/hololens-enroll-mdm.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: hololens, devices ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: medium --- 
diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md
index 3b340395d8..fa7479c5ef 100644
--- a/devices/hololens/hololens-install-apps.md
+++ b/devices/hololens/hololens-install-apps.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index 4674584a48..42ce78887a 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 149636b0ac..53f90a2f31 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md
index d8a6a6fb4e..d364082e8d 100644
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/devices/hololens/hololens-setup.md b/devices/hololens/hololens-setup.md
index 711052c786..d6ead976b2 100644
--- a/devices/hololens/hololens-setup.md
+++ b/devices/hololens/hololens-setup.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index 8963cea7f3..82583e43cd 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index 15d7cafd87..a340332cc7 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: hololens, devices
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md
index 742423081c..8e368555cc 100644
--- a/devices/surface-hub/TOC.md
+++ b/devices/surface-hub/TOC.md
@@ -1,43 +1,44 @@
 # [Microsoft Surface Hub](index.md)
-## [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md)
-### [Intro to Microsoft Surface Hub](intro-to-surface-hub.md)
-### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
-#### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
-#### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
-##### [Online deployment](online-deployment-surface-hub-device-accounts.md)
-##### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
-##### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
-##### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
-##### [Online or hybrid deployment using Skype Hybrid Voice environment](skype-hybrid-voice.md)
-##### [Create a device account using UI](create-a-device-account-using-office-365.md)
-##### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
-##### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)
-##### [Password management](password-management-for-surface-hub-device-accounts.md)
-#### [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md)
-#### [Admin group management](admin-group-management-for-surface-hub.md)
-### [Set up Microsoft Surface Hub](set-up-your-surface-hub.md)
-#### [Setup worksheet](setup-worksheet-surface-hub.md)
-#### [First-run program](first-run-program-surface-hub.md)
-### [Manage Microsoft Surface Hub](manage-surface-hub.md)
-#### [Remote Surface Hub management](remote-surface-hub-management.md)
-##### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
-##### [Monitor your Surface Hub](monitor-surface-hub.md)
-##### [Windows updates](manage-windows-updates-for-surface-hub.md)
-#### [Manage Surface Hub settings](manage-surface-hub-settings.md)
-##### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
-##### [Accessibility](accessibility-surface-hub.md)
-##### [Change the Surface Hub device account](change-surface-hub-device-account.md)
-##### [Device reset](device-reset-surface-hub.md)
-##### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
-##### [Wireless network management](wireless-network-management-for-surface-hub.md)
-#### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
-#### [End a Surface Hub meeting with I'm Done](i-am-done-finishing-your-surface-hub-meeting.md)
-#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
-#### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
-#### [Using a room control system](use-room-control-system-with-surface-hub.md)
-### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
-### [Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)
-## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
+## [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md)
 ## [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md)
+## [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)
+### [Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)
+### [Create and test a device account](create-and-test-a-device-account-surface-hub.md)
+#### [Online deployment](online-deployment-surface-hub-device-accounts.md)
+#### [On-premises deployment (single forest)](on-premises-deployment-surface-hub-device-accounts.md)
+#### [On-premises deployment (multiple forests)](on-premises-deployment-surface-hub-multi-forest.md)
+#### [Hybrid deployment](hybrid-deployment-surface-hub-device-accounts.md)
+#### [Online or hybrid deployment using Skype Hybrid Voice environment](skype-hybrid-voice.md)
+#### [Create a device account using UI](create-a-device-account-using-office-365.md)
+#### [Microsoft Exchange properties](exchange-properties-for-surface-hub-device-accounts.md)
+#### [Applying ActiveSync policies to device accounts](apply-activesync-policies-for-surface-hub-device-accounts.md)
+#### [Password management](password-management-for-surface-hub-device-accounts.md)
+### [Create provisioning packages](provisioning-packages-for-surface-hub.md)
+### [Admin group management](admin-group-management-for-surface-hub.md)
+## [Set up Microsoft Surface Hub](set-up-your-surface-hub.md)
+### [Setup worksheet](setup-worksheet-surface-hub.md)
+### [First-run program](first-run-program-surface-hub.md)
+## [Manage Microsoft Surface Hub](manage-surface-hub.md)
+### [Remote Surface Hub management](remote-surface-hub-management.md)
+#### [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md)
+#### [Monitor your Surface Hub](monitor-surface-hub.md)
+#### [Windows updates](manage-windows-updates-for-surface-hub.md)
+### [Manage Surface Hub settings](manage-surface-hub-settings.md)
+#### [Local management for Surface Hub settings](local-management-surface-hub-settings.md)
+#### [Accessibility](accessibility-surface-hub.md)
+#### [Change the Surface Hub device account](change-surface-hub-device-account.md)
+#### [Device reset](device-reset-surface-hub.md)
+#### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md)
+#### [Wireless network management](wireless-network-management-for-surface-hub.md)
+### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
+### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md)
+### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
+### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
+### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md)
+### [Using a room control system](use-room-control-system-with-surface-hub.md)
+## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
 ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)
+## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)
+## [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md)
+## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md)
 ## [Change history for Surface Hub](change-history-surface-hub.md)
\ No newline at end of file
diff --git a/devices/surface-hub/accessibility-surface-hub.md b/devices/surface-hub/accessibility-surface-hub.md
index 46348c087d..85230643d9 100644
--- a/devices/surface-hub/accessibility-surface-hub.md
+++ b/devices/surface-hub/accessibility-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surfacehub
 ms.sitesec: library
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
 
@@ -30,7 +30,7 @@ The full list of accessibility settings are available to IT admins in the **Sett
 | Mouse | Defaults selected for **Pointer size**, **Pointer color** and **Mouse keys**. |
 | Other options | Defaults selected for **Visual options** and **Touch feedback**. |
 
-Additionally, these accessibility features and apps are returned to default settings when users press [I'm Done](i-am-done-finishing-your-surface-hub-meeting.md):
+Additionally, these accessibility features and apps are returned to default settings when users press [End session](finishing-your-surface-hub-meeting.md):
 - Narrator
 - Magnifier
 - High contrast
diff --git a/devices/surface-hub/admin-group-management-for-surface-hub.md b/devices/surface-hub/admin-group-management-for-surface-hub.md index 7607199209..1e55a9eb16 100644 --- a/devices/surface-hub/admin-group-management-for-surface-hub.md +++ b/devices/surface-hub/admin-group-management-for-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub, security -author: TrudyHa +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 76275e3ec8..4a098672fb 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -1,5 +1,5 @@ --- -title: Appendix PowerShell (Surface Hub) +title: PowerShell for Surface Hub (Surface Hub) description: PowerShell scripts to help set up and manage your Microsoft Surface Hub . ms.assetid: 3EF48F63-8E4C-4D74-ACD5-461F1C653784 keywords: PowerShell, set up Surface Hub, manage Surface Hub @@ -7,14 +7,14 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- -# Appendix: PowerShell (Surface Hub) +# PowerShell for Surface Hub -PowerShell scripts to help set up and manage your Microsoft Surface Hub . +PowerShell scripts to help set up and manage your Microsoft Surface Hub. - [PowerShell scripts for Surface Hub admins](#scripts-for-admins) - [Create an on-premise account](#create-on-premise-ps-scripts) 
@@ -43,7 +43,8 @@ What do you need in order to run the scripts? - Remote PowerShell access to your organization's domain or tenant, Exchange servers, and Skype for Business servers. - Admin credentials for your organization's domain or tenant, Exchange servers, and Skype for Business servers. ->**Note**  Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub. +>[!NOTE] +>Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.   diff --git a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md index f6cad56654..59d826d7f7 100644 --- a/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/apply-activesync-policies-for-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index fa4ab118de..598c4e9807 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- 
@@ -14,12 +14,25 @@ localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). + + + +## RELEASE: Windows 10, version 1703 + +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: + +- [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) + +>[Looking for the Surface Hub admin guide for Windows 10, version 1607?](http://download.microsoft.com/download/7/2/5/7252051B-7E97-4781-B5DF-58D4B1A4BB88/surface-hub-admin-guide-1607.pdf) + + ## May 2017 | New or changed topic | Description | | --- | --- | | [Online or hybrid deployment using Skype Hybrid Voice environment](skype-hybrid-voice.md) | New | + ## February 2017 | New or changed topic | Description | diff --git a/devices/surface-hub/change-surface-hub-device-account.md b/devices/surface-hub/change-surface-hub-device-account.md index 6dc6bf7016..a0b6b56c7e 100644 --- a/devices/surface-hub/change-surface-hub-device-account.md +++ b/devices/surface-hub/change-surface-hub-device-account.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/connect-and-display-with-surface-hub.md b/devices/surface-hub/connect-and-display-with-surface-hub.md index 3febb60ff6..284bc892cf 100644 --- a/devices/surface-hub/connect-and-display-with-surface-hub.md +++ b/devices/surface-hub/connect-and-display-with-surface-hub.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md index 914b6136e6..292db720ca 100644 
--- a/devices/surface-hub/create-a-device-account-using-office-365.md +++ b/devices/surface-hub/create-a-device-account-using-office-365.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md index 3223d5d81b..e4e0e5ed95 100644 --- a/devices/surface-hub/create-and-test-a-device-account-surface-hub.md +++ b/devices/surface-hub/create-and-test-a-device-account-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md index f2cb38c5f2..59d90772cc 100644 --- a/devices/surface-hub/device-reset-surface-hub.md +++ b/devices/surface-hub/device-reset-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- 
@@ -49,21 +49,49 @@ If you see a blank screen for long periods of time during the **Reset device** p ![Image showing Update & Security group in Settings app for Surface Hub.](images/sh-settings-update-security.png) -3. Click **Recovery**, and then click **Get started**. +3. Click **Recovery**, and then, under **Reset device**, click **Get started**. ![Image showing Reset device option in Settings app for Surface Hub.](images/sh-settings-reset-device.png) -## Reset a Surface Hub from Windows Recovery Environment + +## Recover a Surface Hub from the cloud -On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset the device from [Windows Recovery Environment](https://technet.microsoft.com/library/cc765966.aspx) (Windows RE). +In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support. -**To reset a Surface Hub from Windows Recovery Environment** +### Recover a Surface Hub in a bad state + +If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem. + +1. On your Surface Hub, go to **Settings** > **Update & security** > **Recovery**. + +2. Under **Recover from the cloud**, click **Restart now**. + + ![recover from the cloud](images/recover-from-the-cloud.png) + +### Recover a locked Surface Hub + +On rare occasions, a Surface Hub may encounter an error while cleaning up user and app data at the end of a session. 
When this happens, the device will automatically reboot and try again. But if this operation fails repeatedly, the device will be automatically locked to protect user data. To unlock it, you must reset or recover the device from [Windows RE](https://technet.microsoft.com/library/cc765966.aspx). 1. From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. -2. The device should automatically boot into Windows RE. Select **Advanced Repair**. -3. Select **Reset**. -4. If prompted, enter your device's BitLocker key. +2. The device should automatically boot into Windows RE. +3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.) + >[!NOTE] + >When using **Recover from the cloud**, an ethernet connection is recommended. + + ![Recover from the cloud](images/recover-from-cloud.png) + +4. Enter the Bitlocker key (if prompted). +5. When prompted, select **Reinstall**. + ![Reinstall](images/reinstall.png) + +6. Select **Yes** to repartition the disk. + + ![Repartition](images/repartition.png) + +Reset will begin after the image is downloaded from the cloud. You will see progress indicators. + +![downloading 97&](images/recover-progress.png) ## Related topics diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md index 73557c1f2c..e6d812ea78 100644 --- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md +++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md 
@@ -33,7 +33,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without logging on. The system always runs as a local, auto logged-in, low-privilege user. It doesn't support logging in any additional users - including admin users. > [!NOTE] -> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **I'm done**. +> Surface Hub supports signing in to Microsoft Edge and other apps. However, these credentials are deleted when users press **End session**. *Organization policies that this may affect:*
Generally, Surface Hub uses lockdown features rather than user access control to enforce security. Policies related to password requirements, interactive logon, user accounts, and access control don't apply for Surface Hub. @@ -46,7 +46,7 @@ Users have access to a limited set of directories on the Surface Hub: - Pictures - Downloads -Files saved locally in these directories are deleted when users press **I'm done**. To save content created during a meeting, users should save files to a USB drive or to OneDrive. +Files saved locally in these directories are deleted when users press **End session**. To save content created during a meeting, users should save files to a USB drive or to OneDrive. *Organization policies that this may affect:*
Policies related to access permissions and ownership of files and folders don't apply for Surface Hub. Users can't browse and save files to system directories and network folders. diff --git a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md index 3e9df023a1..2aa8921e31 100644 --- a/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md +++ b/devices/surface-hub/exchange-properties-for-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/finishing-your-surface-hub-meeting.md b/devices/surface-hub/finishing-your-surface-hub-meeting.md new file mode 100644 index 0000000000..1761472886 --- /dev/null +++ b/devices/surface-hub/finishing-your-surface-hub-meeting.md 
@@ -0,0 +1,92 @@ +--- +title: End session - ending a Surface Hub meeting +description: To end a Surface Hub meeting, tap End session. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. +keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerms +localizationpriority: medium +--- + +# End a Surface Hub meeting with End session +Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states: +- Applications +- Operating system +- User interface + +This topic explains what **End session** resets for each of these states. + +## Applications +When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **End session** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs. + +### Close applications +Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**. + +### Delete browser history +Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. 
This is similar to how a user can clear out their browser history manually, but **End session** also ensures that application states are cleared and data is removed before the next session, or meeting, starts. + +### Reset applications +**End session** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub. + +### Remove Skype logs +Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **End session** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs. + +## Operating System +The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. + +### File System +Meeting attendees have access to a limited set of directories on the Surface Hub. When **End session** is selected, Surface Hub clears these directories:
+- Music +- Videos +- Documents +- Pictures +- Downloads + +Surface Hub also clears these directories, since many applications often write to them: +- Desktop +- Favorites +- Recent +- Public Documents +- Public Music +- Public Videos +- Public Downloads + +### Credentials +User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **End session**. + +## User interface +User interface (UI) settings are returned to their default values when **End session** is selected. + +### UI items +- Reset Quick Actions to default state +- Clear Toast notifications +- Reset volume levels +- Reset sidebar width +- Reset tablet mode layout +- Sign user out of Office 365 meetings and files + +### Accessibility +Accessibility features and apps are returned to default settings when **End session** is selected. +- Filter keys +- High contrast +- Sticky keys +- Toggle keys +- Mouse keys +- Magnifier +- Narrator + +### Clipboard +The clipboard is cleared to remove data that was copied to the clipboard during the session. + +## Frequently asked questions +**What happens if I forget to tap End session at the end of a meeting, and someone else uses the Surface Hub later?**
+Surface Hub only cleans up meeting content when users tap **End session**. If you leave the meeting without tapping **End session**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. You can also disable the ability to resume a session if **End session** is not pressed. + +**Are documents recoverable?**
+Removing files from the hard drive when **End session** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting. + +**Do the clean-up actions from End session comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
+No. Currently, the clean-up actions from **End session** do not comply with this standard. + diff --git a/devices/surface-hub/first-run-program-surface-hub.md b/devices/surface-hub/first-run-program-surface-hub.md index 6ee36023cc..996a6eb1fd 100644 --- a/devices/surface-hub/first-run-program-surface-hub.md +++ b/devices/surface-hub/first-run-program-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- @@ -34,7 +34,8 @@ The normal procedure goes through six steps: Each of these sections also contains information about paths you might take when something is different. For example, most Surface Hubs will use a wired network connection, but some of them will be set up with wireless instead. Details are described where appropriate. ->**Note**  You should have the separate keyboard that came with your Surface Hub set up and ready before beginning. See the Surface Hub Setup Guide for details. +>[!NOTE] +>You should have the separate keyboard that came with your Surface Hub set up and ready before beginning. See the Surface Hub Setup Guide for details.   
@@ -43,9 +44,10 @@ Each of these sections also contains information about paths you might take when This is the first screen you'll see when you power up the Surface Hub for the first time. It's where you input localization information for your device. ->**Note**  This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. +>[!NOTE] +>This is also where you begin the optional process of deploying a provisioning package. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) if that's what you're doing. -  + Select a language and the initial setup options are displayed. ![Image showing ICD options checklist.](images/setuplocale.png) @@ -82,7 +84,8 @@ This screen is shown only if the device fails to detect a wired network. If you - You can select one of the wireless networks shown. If the network is secured, you'll be taken to a login page. See [Wireless network setup](#wireless) for details. - Click **Skip this step** to skip connecting to a network. You'll be taken to the [Set up for you page](#set-up-for-you). - **Note**  If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including system updates and email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)). + >[!NOTE] + >If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including system updates and email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)).   
@@ -142,7 +145,8 @@ When you click **Next**, the device will attempt to connect to the proxy server. You can skip connecting to a network by selecting **Skip this step**. You'll be taken to the [Set up for you page](#set-up-for-you). ->**Note**  If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including things like email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)). +>[!NOTE] +>If you skip this, the device will not have a network connection, and nothing that requires a network connection will work on your Surface Hub, including things like email and calendar synchronization. You can connect to a wireless network later using Settings (see [Wireless network managment](wireless-network-management-for-surface-hub.md)).   @@ -168,7 +172,8 @@ The settings shown on the page have already been made, and can't be changed unti On this page, the Surface Hub will ask for credentials for the device account that you previously configured. (See [Create and test a device account](create-and-test-a-device-account-surface-hub.md).) The Surface Hub will attempt to discover various properties of the account, and may ask for more information on another page if it does not succeed. ->**Note**  This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors. +>[!NOTE] +>This section does not cover specific errors that can happen during first run. See [Troubleshoot Surface Hub](troubleshoot-surface-hub.md) for more information on errors. ![Image showing Enter device account info page.](images/setupdeviceacct.png) 
@@ -298,6 +303,9 @@ While either of the names can be changed later, keep in mind that: - The friendly name should be recognizable and different so that people can distinguish one Surface Hub from another when trying to wirelessly connect. - If you decide to domain join the device, the device name must not be the same as any other device on the account’s Active Directory domain. The device can't join the domain if it is using the same name as another domain-joined device. +>[!NOTE] +>If you want to enable [Miracast over Infrastructure](miracast-over-infrastructure.md), the device name needs to be discoverable via DNS. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's device name. + ## Set up admins for this device page @@ -305,7 +313,8 @@ On this page, you will choose from several options for how you want to set up ad Because every Surface Hub can be used by any number of authenticated employees, settings are locked down so that they can't change from session to session. Only admins can configure the settings on the device, and on this page, you’ll choose which type of admins have that privilege. ->**Note**  The purpose of this page is primarily to determine who can configure the device from the device’s UI; that is, who can actually visit a device, log in, open up the Settings app, and make changes to the Settings. +>[!NOTE] +>The purpose of this page is primarily to determine who can configure the device from the device’s UI; that is, who can actually visit a device, log in, open up the Settings app, and make changes to the Settings.   
@@ -326,6 +335,9 @@ This is what happens when you choose an option. - **Use Microsoft Azure Active Directory** Clicking this option allows you to join the device to Azure AD. Once you click **Next**, the device will restart to apply some settings, and then you’ll be taken to the [Use Microsoft Azure Active Directory](#use-microsoft-azure) page and asked to enter credentials that can allow you to join Azure AD. After joining, admins from the joined organization will be able to use the Settings app. The specific people that will be allowed depends on your Azure AD subscription and how you’ve configured the settings for your Azure AD organization. + + >[!IMPORTANT] + >If you join Surface Hub to Azure AD during first-run setup, single sign-on (SSO) for Office apps will not work properly. Users will have to sign in to each Office app individually. - **Use Active Directory Domain Services** @@ -337,7 +349,8 @@ This is what happens when you choose an option. Note that a local admin must have physical access to the Surface Hub to log in. ->**Note**  After you finish this process, you won't be able to change the device's admin option unless you reset the device. +>[!NOTE] +>After you finish this process, you won't be able to change the device's admin option unless you reset the device.   
@@ -382,7 +395,7 @@ Once the device has been domain joined, you must specify a security group from t The following input is required: - **Domain:** This is the fully qualified domain name (FQDN) of the domain that you want to join. A security group from this domain can be used to manage the device. -- **User name:** The user name of an account that has sufficient permission to join the specified domain. +- **User name:** The user name of an account that has sufficient permission to join the specified domain. This account must be a computer object. - **Password:** The password for the account. After the credentials are verified, you will be asked to type a security group name. This input is required. @@ -395,7 +408,8 @@ Using the provided domain, account credentials from the [Use Active Directory Do If the join is successful, you'll see the **Enter a security group** page. When you click the **Select** button on this page, the device will search for the specified security group on your domain. If found, the group will be verified. Click **Finish** to complete the first run process. ->**Note**  If you domain join the Surface Hub, you can't unjoin the device without resetting it. +>[!NOTE] +>If you domain join the Surface Hub, you can't unjoin the device without resetting it.   @@ -420,7 +434,8 @@ This page will attempt to create a new admin account using the credentials that ## Update the Surface Hub ->**Important**  Before you do the updates, make sure you read [Save your BitLocker key](save-bitlocker-key-surface-hub.md) in order to make sure you have a backup of the key. +>[!IMPORTANT] +>Before you do the updates, make sure you read [Save your BitLocker key](save-bitlocker-key-surface-hub.md) in order to make sure you have a backup of the key.   diff --git a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md index f7ae7893c5..296d5c330d 100644 
--- a/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/hybrid-deployment-surface-hub-device-accounts.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md b/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md deleted file mode 100644 index ccf99db112..0000000000 --- a/devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md +++ /dev/null 
@@ -1,91 +0,0 @@ ---- -title: I am done - ending a Surface Hub meeting -description: To end a Surface Hub meeting, tap I am Done. Surface Hub cleans up the application state, operating system state, and the user interface so that Surface Hub is ready for the next meeting. -keywords: I am Done, end Surface Hub meeting, finish Surface Hub meeting, clean up Surface Hub meeting -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# End a Surface Hub meeting with I'm Done -Surface Hub is a collaboration device designed to be used in meeting spaces by different groups of people. At the end of a meeting, users can tap **I'm Done** to clean up any sensitive data and prepare the device for the next meeting. Surface Hub will clean up, or reset, the following states: -- Applications -- Operating system -- User interface - -This topic explains what **I'm Done** resets for each of these states. - -## Applications -When you start apps on Surface Hub, they are stored in memory and data is stored at the application level. Data is available to all users during that session (or meeting) until date is removed or overwritten. When **I'm done** is selected, Surface Hub application state is cleared out by closing applications, deleting browser history, resetting applications, and removing Skype logs. - -### Close applications -Surface Hub closes all visible windows, including Win32 and Universal Windows Platform (UWP) applications. The application close stage uses the multitasking view to query the visible windows. Win32 windows that do not close within a certain timeframe are closed using **TerminateProcess**. - -### Delete browser history -Surface Hub uses Delete Browser History (DBH) in Edge to clear Edge history and cached data. 
This is similar to how a user can clear out their browser history manually, but **I'm Done** also ensures that application states are cleared and data is removed before the next session, or meeting, starts. - -### Reset applications -**I'm Done** resets the state of each application that is installed on the Surface Hub. Resetting an application clears all background tasks, application data, notifications, and user consent dialogs. Applications are returned to their first-run state for the next people that use Surface Hub. - -### Remove Skype logs -Skype does not store personally-identifiable information on Surface Hub. Information is stored in the Skype service to meet existing Skype for Business guidance. Local Skype logging information is the only data removed when **I'm Done** is selected. This includes Unified Communications Client Platform (UCCP) logs and media logs. - -## Operating System -The operating system hosts a variety of information about the state of the sessions that needs to be cleared after each Surface Hub meeting. - -### File System -Meeting attendees have access to a limited set of directories on the Surface Hub. When **I'm Done** is selected, Surface Hub clears these directories:
-- Music -- Videos -- Documents -- Pictures -- Downloads - -Surface Hub also clears these directories, since many applications often write to them: -- Desktop -- Favorites -- Recent -- Public Documents -- Public Music -- Public Videos -- Public Downloads - -### Credentials -User credentials that are stored in **TokenBroker**, **PasswordVault**, or **Credential Manager** are cleared when you tap **I’m done**. - -## User interface -User interface (UI) settings are returned to their default values when **I'm Done** is selected. - -### UI items -- Reset Quick Actions to default state -- Clear Toast notifications -- Reset volume levels -- Reset sidebar width -- Reset tablet mode layout - -### Accessibility -Accessibility features and apps are returned to default settings when **I'm Done** is selected. -- Filter keys -- High contrast -- Sticky keys -- Toggle keys -- Mouse keys -- Magnifier -- Narrator - -### Clipboard -The clipboard is cleared to remove data that was copied to the clipboard during the session. - -## Frequently asked questions -**What happens if I forget to tap I'm Done at the end of a meeting, and someone else uses the Surface Hub later?**
-Surface Hub only cleans up meeting content when users tap **I'm Done**. If you leave the meeting without tapping **I'm Done**, the device will return to the welcome screen after some time. From the welcome screen, users have the option to resume the previous session or start a new one. - -**Are documents recoverable?**
-Removing files from the hard drive when **I'm Done** is selected is just like any other file deletion from a hard disk drive. Third-party software might be able to recover data from the hard disk drive, but file recovery is not a supported feature on Surface Hub. To prevent data loss, always save the data you need before leaving a meeting. - -**Do the clean-up actions from I'm Done comply with the US Department of Defense clearing and sanitizing standard: DoD 5220.22-M?**
-No. Currently, the clean-up actions from **I'm Done** do not comply with this standard.
-
diff --git a/devices/surface-hub/images/OOBE-2.jpg b/devices/surface-hub/images/OOBE-2.jpg
new file mode 100644
index 0000000000..0c615a2ec4
Binary files /dev/null and b/devices/surface-hub/images/OOBE-2.jpg differ
diff --git a/devices/surface-hub/images/account-management-details.PNG b/devices/surface-hub/images/account-management-details.PNG
new file mode 100644
index 0000000000..66712394ec
Binary files /dev/null and b/devices/surface-hub/images/account-management-details.PNG differ
diff --git a/devices/surface-hub/images/account-management.PNG b/devices/surface-hub/images/account-management.PNG
new file mode 100644
index 0000000000..34165dfcd6
Binary files /dev/null and b/devices/surface-hub/images/account-management.PNG differ
diff --git a/devices/surface-hub/images/add-applications-details.PNG b/devices/surface-hub/images/add-applications-details.PNG
new file mode 100644
index 0000000000..2efd3483ae
Binary files /dev/null and b/devices/surface-hub/images/add-applications-details.PNG differ
diff --git a/devices/surface-hub/images/add-applications.PNG b/devices/surface-hub/images/add-applications.PNG
new file mode 100644
index 0000000000..2316deb2fd
Binary files /dev/null and b/devices/surface-hub/images/add-applications.PNG differ
diff --git a/devices/surface-hub/images/add-certificates-details.PNG b/devices/surface-hub/images/add-certificates-details.PNG
new file mode 100644
index 0000000000..78cd783282
Binary files /dev/null and b/devices/surface-hub/images/add-certificates-details.PNG differ
diff --git a/devices/surface-hub/images/add-certificates.PNG b/devices/surface-hub/images/add-certificates.PNG
new file mode 100644
index 0000000000..24cb605d1c
Binary files /dev/null and b/devices/surface-hub/images/add-certificates.PNG differ
diff --git a/devices/surface-hub/images/add-config-file-details.PNG b/devices/surface-hub/images/add-config-file-details.PNG
new file mode 100644
index 0000000000..c7b4db97e6
Binary files /dev/null and b/devices/surface-hub/images/add-config-file-details.PNG differ
diff --git a/devices/surface-hub/images/add-config-file.PNG b/devices/surface-hub/images/add-config-file.PNG
new file mode 100644
index 0000000000..5b779509d9
Binary files /dev/null and b/devices/surface-hub/images/add-config-file.PNG differ
diff --git a/devices/surface-hub/images/apps.png b/devices/surface-hub/images/apps.png
new file mode 100644
index 0000000000..5cb3b7ec8f
Binary files /dev/null and b/devices/surface-hub/images/apps.png differ
diff --git a/devices/surface-hub/images/developer-setup.PNG b/devices/surface-hub/images/developer-setup.PNG
new file mode 100644
index 0000000000..8c93d5ed91
Binary files /dev/null and b/devices/surface-hub/images/developer-setup.PNG differ
diff --git a/devices/surface-hub/images/end-session.png b/devices/surface-hub/images/end-session.png
new file mode 100644
index 0000000000..4b28583af4
Binary files /dev/null and b/devices/surface-hub/images/end-session.png differ
diff --git a/devices/surface-hub/images/enroll-mdm-details.PNG b/devices/surface-hub/images/enroll-mdm-details.PNG
new file mode 100644
index 0000000000..f3a7fea8da
Binary files /dev/null and b/devices/surface-hub/images/enroll-mdm-details.PNG differ
diff --git a/devices/surface-hub/images/enroll-mdm.PNG b/devices/surface-hub/images/enroll-mdm.PNG
new file mode 100644
index 0000000000..b7cfdbc767
Binary files /dev/null and b/devices/surface-hub/images/enroll-mdm.PNG differ
diff --git a/devices/surface-hub/images/finish-details.png b/devices/surface-hub/images/finish-details.png
new file mode 100644
index 0000000000..727efac696
Binary files /dev/null and b/devices/surface-hub/images/finish-details.png differ
diff --git a/devices/surface-hub/images/finish.PNG b/devices/surface-hub/images/finish.PNG
new file mode 100644
index 0000000000..7c65da1799
Binary files /dev/null and b/devices/surface-hub/images/finish.PNG differ
diff --git a/devices/surface-hub/images/five.png b/devices/surface-hub/images/five.png
new file mode 100644
index 0000000000..961f0e15b7
Binary files /dev/null and b/devices/surface-hub/images/five.png differ
diff --git a/devices/surface-hub/images/four.png b/devices/surface-hub/images/four.png
new file mode 100644
index 0000000000..0fef213b37
Binary files /dev/null and b/devices/surface-hub/images/four.png differ
diff --git a/devices/surface-hub/images/icd-simple-edit.png b/devices/surface-hub/images/icd-simple-edit.png
new file mode 100644
index 0000000000..aea2e24c8a
Binary files /dev/null and b/devices/surface-hub/images/icd-simple-edit.png differ
diff --git a/devices/surface-hub/images/one.png b/devices/surface-hub/images/one.png
new file mode 100644
index 0000000000..42b4742c49
Binary files /dev/null and b/devices/surface-hub/images/one.png differ
diff --git a/devices/surface-hub/images/ppkg-config.png b/devices/surface-hub/images/ppkg-config.png
new file mode 100644
index 0000000000..10a2b7de58
Binary files /dev/null and b/devices/surface-hub/images/ppkg-config.png differ
diff --git a/devices/surface-hub/images/ppkg-csv.png b/devices/surface-hub/images/ppkg-csv.png
new file mode 100644
index 0000000000..0648f555e1
Binary files /dev/null and b/devices/surface-hub/images/ppkg-csv.png differ
diff --git a/devices/surface-hub/images/proxy-details.PNG b/devices/surface-hub/images/proxy-details.PNG
new file mode 100644
index 0000000000..fcc7b06a41
Binary files /dev/null and b/devices/surface-hub/images/proxy-details.PNG differ
diff --git a/devices/surface-hub/images/proxy.PNG b/devices/surface-hub/images/proxy.PNG
new file mode 100644
index 0000000000..cdfc02c454
Binary files /dev/null and b/devices/surface-hub/images/proxy.PNG differ
diff --git a/devices/surface-hub/images/recover-from-cloud.png b/devices/surface-hub/images/recover-from-cloud.png
new file mode 100644
index 0000000000..7d409edc5f
Binary files /dev/null and b/devices/surface-hub/images/recover-from-cloud.png differ
diff --git a/devices/surface-hub/images/recover-from-the-cloud.png b/devices/surface-hub/images/recover-from-the-cloud.png
new file mode 100644
index 0000000000..07c1e22851
Binary files /dev/null and b/devices/surface-hub/images/recover-from-the-cloud.png differ
diff --git a/devices/surface-hub/images/recover-progress.png b/devices/surface-hub/images/recover-progress.png
new file mode 100644
index 0000000000..316d830a57
Binary files /dev/null and b/devices/surface-hub/images/recover-progress.png differ
diff --git a/devices/surface-hub/images/reinstall.png b/devices/surface-hub/images/reinstall.png
new file mode 100644
index 0000000000..2f307841aa
Binary files /dev/null and b/devices/surface-hub/images/reinstall.png differ
diff --git a/devices/surface-hub/images/repartition.png b/devices/surface-hub/images/repartition.png
new file mode 100644
index 0000000000..26725a8c54
Binary files /dev/null and b/devices/surface-hub/images/repartition.png differ
diff --git a/devices/surface-hub/images/set-up-device-admins-details.PNG b/devices/surface-hub/images/set-up-device-admins-details.PNG
new file mode 100644
index 0000000000..42c04b4b3b
Binary files /dev/null and b/devices/surface-hub/images/set-up-device-admins-details.PNG differ
diff --git a/devices/surface-hub/images/set-up-device-admins.PNG b/devices/surface-hub/images/set-up-device-admins.PNG
new file mode 100644
index 0000000000..e0e037903c
Binary files /dev/null and b/devices/surface-hub/images/set-up-device-admins.PNG differ
diff --git a/devices/surface-hub/images/set-up-device-details.PNG b/devices/surface-hub/images/set-up-device-details.PNG
new file mode 100644
index 0000000000..be565ac8d9
Binary files /dev/null and b/devices/surface-hub/images/set-up-device-details.PNG differ
diff --git a/devices/surface-hub/images/set-up-device.PNG b/devices/surface-hub/images/set-up-device.PNG
new file mode 100644
index 0000000000..0c9eb0e3ff
Binary files /dev/null and b/devices/surface-hub/images/set-up-device.PNG differ
diff --git a/devices/surface-hub/images/set-up-network-details.PNG b/devices/surface-hub/images/set-up-network-details.PNG
new file mode 100644
index 0000000000..7e1391326c
Binary files /dev/null and b/devices/surface-hub/images/set-up-network-details.PNG differ
diff --git a/devices/surface-hub/images/set-up-network.PNG b/devices/surface-hub/images/set-up-network.PNG
new file mode 100644
index 0000000000..a0e856c103
Binary files /dev/null and b/devices/surface-hub/images/set-up-network.PNG differ
diff --git a/devices/surface-hub/images/sh-quick-action.png b/devices/surface-hub/images/sh-quick-action.png
index cb072a9793..3003e464b3 100644
Binary files a/devices/surface-hub/images/sh-quick-action.png and b/devices/surface-hub/images/sh-quick-action.png differ
diff --git a/devices/surface-hub/images/sh-settings-reset-device.png b/devices/surface-hub/images/sh-settings-reset-device.png
index b3e35bb385..f3a9a6dc5c 100644
Binary files a/devices/surface-hub/images/sh-settings-reset-device.png and b/devices/surface-hub/images/sh-settings-reset-device.png differ
diff --git a/devices/surface-hub/images/sh-settings-update-security.png b/devices/surface-hub/images/sh-settings-update-security.png
index a10d4ffb51..59212d1805 100644
Binary files a/devices/surface-hub/images/sh-settings-update-security.png and b/devices/surface-hub/images/sh-settings-update-security.png differ
diff --git a/devices/surface-hub/images/sh-settings.png b/devices/surface-hub/images/sh-settings.png
index 03125b3419..0134fda740 100644
Binary files a/devices/surface-hub/images/sh-settings.png and b/devices/surface-hub/images/sh-settings.png differ
diff --git a/devices/surface-hub/images/six.png b/devices/surface-hub/images/six.png
new file mode 100644
index 0000000000..2816328ec3
Binary files /dev/null and b/devices/surface-hub/images/six.png differ
diff --git a/devices/surface-hub/images/surfacehub.png b/devices/surface-hub/images/surfacehub.png
new file mode 100644
index 0000000000..1b9b484ab8
Binary files /dev/null and b/devices/surface-hub/images/surfacehub.png differ
diff --git a/devices/surface-hub/images/three.png b/devices/surface-hub/images/three.png
new file mode 100644
index 0000000000..887fa270d7
Binary files /dev/null and b/devices/surface-hub/images/three.png differ
diff --git a/devices/surface-hub/images/two.png b/devices/surface-hub/images/two.png
new file mode 100644
index 0000000000..b8c2d52eaf
Binary files /dev/null and b/devices/surface-hub/images/two.png differ
diff --git a/devices/surface-hub/images/wcd-wizard.PNG b/devices/surface-hub/images/wcd-wizard.PNG
new file mode 100644
index 0000000000..706771f756
Binary files /dev/null and b/devices/surface-hub/images/wcd-wizard.PNG differ
diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md
index 22e94d2746..31928b1a07 100644
--- a/devices/surface-hub/index.md
+++ b/devices/surface-hub/index.md
@@ -1,30 +1,51 @@ ---
-title: Microsoft Surface Hub
+title: Microsoft Surface Hub admin guide
description: Documents related to the Microsoft Surface Hub.
ms.assetid: 69C99E91-1441-4318-BCAF-FE8207420555
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: surfacehub
-author: jdeckerMS
+author: jdeckerms
localizationpriority: medium ---
-# Microsoft Surface Hub
+# Microsoft Surface Hub admin guide
+
+>[Looking for the Surface Hub admin guide for Windows 10, version 1607?](http://download.microsoft.com/download/7/2/5/7252051B-7E97-4781-B5DF-58D4B1A4BB88/surface-hub-admin-guide-1607.pdf)
+
+>[Looking for the user's guide for Surface Hub?](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf)
-Documents related to deploying and managing the Microsoft Surface Hub in your organization.
+
Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. The documentation in this library describes what needs to be done both before and during setup in order to help you optimize your use of the device.![image of a Surface Hub](images/surfacehub.png)
+ 
+
+## Surface Hub setup process
+
+In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need:
+
+1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md)
+2. [Gather the information listed in the Setup worksheet](setup-worksheet-surface-hub.md)
+2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md)
+3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md)
+
->[Looking for the user's guide for Surface Hub?](https://www.microsoft.com/surface/support/surface-hub)
## In this section
| Topic | Description |
| --- | --- |
-| [Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) | This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers.|
+| [What's new in Windows 10, version 1703 for Surface Hub?](surfacehub-whats-new-1703.md) | Discover the changes and improvements for Microsoft Surface Hub in the Windows 10, version 1703 release (also known as Creators Update). |
| [Differences between Surface Hub and Windows 10 Enterprise](differences-between-surface-hub-and-windows-10-enterprise.md) | This topic explains the differences between the operating system on Surface Hub and Windows 10 Enterprise. |
-| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. 
|
+| [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) | This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment. |
+| [Set up Microsoft Surface Hub](set-up-your-surface-hub.md) | Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program. |
+| [Manage Microsoft Surface Hub](manage-surface-hub.md) | How to manage your Surface Hub after finishing the first-run program. |
+| [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) |
+| [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) | This topic provides guidance on Wi-Fi Direct security risks, how the Surface Hub has addressed those risks, and how Surface Hub administrators can configure the device for the highest level of security. | PowerShell scripts to help set up and manage your Surface Hub. |
+| [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) | Troubleshoot common problems, including setup issues, Exchange ActiveSync errors. |
+| [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) | Learn how to resolve Miracast issues. |
| [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) | This topic provides links to useful Surface Hub documents, such as product datasheets, the site readiness guide, and user's guide. |
-| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation. |
+| [Change history for Surface Hub](change-history-surface-hub.md) | This topic lists new and updated topics in the Surface Hub documentation library. |
+
diff --git a/devices/surface-hub/install-apps-on-surface-hub.md b/devices/surface-hub/install-apps-on-surface-hub.md
index 6ad60e6f25..f38f6f73a7 100644
--- a/devices/surface-hub/install-apps-on-surface-hub.md
+++ b/devices/surface-hub/install-apps-on-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: surfacehub, store
-author: TrudyHa
+author: jdeckerms
localizationpriority: medium ---
@@ -16,7 +16,7 @@ localizationpriority: medium
You can install additional apps on your Surface Hub to fit your team or organization's needs. There are different methods for installing apps depending on whether you are developing and testing an app, or deploying a released app. This topic describes methods for installing apps for either scenario. A few things to know about apps on Surface Hub:
-- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps).
+- Surface Hub only runs [Universal Windows Platform (UWP) apps](https://msdn.microsoft.com/windows/uwp/get-started/whats-a-uwp). Apps created using the [Desktop App Converter](https://docs.microsoft.com/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) will not run on Surface Hub. See a [list of apps that work with Surface Hub](https://www.microsoft.com/surface/support/surface-hub/surface-hub-apps). - Apps must be targeted for the [Universal device family](https://msdn.microsoft.com/library/windows/apps/dn894631). - By default, apps must be Store-signed to be installed. During testing and development, you can also choose to run developer-signed UWP apps by placing the device in developer mode.- When submitting an app to the Microsoft Store, developers need to set Device family availability and Organizational licensing options to make sure an app will be available to run on Surface Hub. - You need admin credentials to install apps on your Surface Hub. Since the device is designed to be used in communal spaces like meeting rooms, people can't access the Microsoft Store to download and install apps.
diff --git a/devices/surface-hub/intro-to-surface-hub.md b/devices/surface-hub/intro-to-surface-hub.md
deleted file mode 100644
index eb48a1fb78..0000000000
--- a/devices/surface-hub/intro-to-surface-hub.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: Intro to Microsoft Surface Hub
-description: Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations.
-ms.assetid: 5DAD4489-81CF-47ED-9567-A798B90C7E76
-keywords: Surface Hub, productivity, collaboration, presentations, setup
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: TrudyHa
-localizationpriority: medium
----
-
-# Intro to Microsoft Surface Hub
-
-
-Microsoft Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.
- 
-You’ll need to understand how each of these services interacts with Surface Hub. See [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md) for details.
-
-## Surface Hub setup process
-
-In some ways, adding your new Surface Hub is just like adding any other Microsoft Windows-based device to your network. However, in order to get your Surface Hub up and running at its full capacity, there are some very specific requirements. Here are the next topics you'll need:
-
-1. [Prepare your environment for Surface Hub](prepare-your-environment-for-surface-hub.md)
-2. [Physically install your Surface Hub device](physically-install-your-surface-hub-device.md)
-3. [Run the Surface Hub first-run setup program (OOBE)](first-run-program-surface-hub.md)
-
diff --git a/devices/surface-hub/local-management-surface-hub-settings.md b/devices/surface-hub/local-management-surface-hub-settings.md
index bf717480b2..fec4a3e0b9 100644
--- a/devices/surface-hub/local-management-surface-hub-settings.md
+++ b/devices/surface-hub/local-management-surface-hub-settings.md
@@ -6,7 +6,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerms
localizationpriority: medium ---
@@ -16,29 +16,38 @@ After initial setup of Microsoft Surface Hub, the device’s settings can be loc
## Surface Hub settings
-Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only cofigurable on Surface Hubs.
+Surface Hubs have many settings that are common to other Windows devices, but also have settings which are only configurable on Surface Hubs. This table lists settings only configurable on Surface Hubs.
| Setting | Location | Description |
| ------- | -------- | ----------- |
-| Device account | This device > Accounts | Set or change the Surface Hub's device account. |
-| Device account sync status | This device > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. |
-| Password rotation | This device > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password. |
-| Change admin account password | This device > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. |
-| Configure Operations Management Suite (OMS) | This device > Device management | Set up monitoring for your Surface Hub using OMS. |
-| Open the Microsoft Store app | This device > Apps & features | The Microsoft Store app is only available to admins through the Settings app. |
-| Skype for Business domain name | This device > Calling | Configure a domain name for your Skype for Business server. |
-| Default microphone and speaker settings | This device > Calling | Configure a default microphone and speaker for calls, and a default speaker for media playback. |
-| Turn off wireless projection using Miracast | This device > Wireless projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. 
|
-| Require a PIN for wireless projection | This device > Wireless projection | Choose whether people are required to enter a PIN before they use wireless projection. |
-| Wireless projection (Miracast) channel | This device > Wireless projection | Set the channel for Miracast projection. |
-| Meeting info shown on the welcome screen | This device > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
-| Welcome screen background | This device > Welcome screen | Choose a background image for the welcome screen. |
-| Turn on screen with motion sensors | This device > Session & clean up | Choose whether the screen turns on when motion is detected. |
-| Session time out | This device > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
-| Sleep time out | This device > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
-| Friendly name | This device > About | Set the Surface Hub name that people will see when connecting wirelessly. |
+| Device account | Surface Hub > Accounts | Set or change the Surface Hub's device account. |
+| Device account sync status | Surface Hub > Accounts | Check the sync status of the device account’s mail and calendar on the Surface Hub. |
+| Password rotation | Surface Hub > Accounts | Choose whether to let the Surface Hub automatically rotate the device account's password.|
+| Change admin account password | Surface Hub > Accounts | Change the password for the local admin account. This is only available if you configured the device to use a local admin during first run. |
+| Device Management | Surface Hub > Device management | Manage policies and business applications using mobile device management (MDM). |
+| Provisioning packages | Surface Hub > Device management | Set or change provisioning packages installed on the Surface Hub. 
|
+| Configure Operations Management Suite (OMS) | Surface Hub > Device management | Set up monitoring for your Surface Hub using OMS. |
+| Open the Microsoft Store app | Surface Hub > Apps & features | The Microsoft Store app is only available to admins through the Settings app. |
+| Skype for Business domain name | Surface Hub > Calling & Audio | Configure a domain name for your Skype for Business server. |
+| Default Speaker volume | Surface Hub > Calling & Audio | Configure the default speaker volume for the Surface Hub when it starts a session. |
+| Default microphone and speaker settings | Surface Hub > Calling & Audio | Configure a default microphone and speaker for calls, and a default speaker for media playback. |
+| Enable Dolby Audio X2 | Surface Hub > Calling & Audio | Configure the Dolby Audio X2 speaker enhancements. |
+| Open Connect App automatically | Surface Hub > Projection | Choose whether projection will automatically open the Connect app or wait for user input before opening. |
+| Turn off wireless projection using Miracast | Surface Hub > Projection | Choose whether presenters can wirelessly project to the Surface Hub using Miracast. |
+| Require a PIN for wireless projection | Surface Hub > Projection | Choose whether people are required to enter a PIN before they use wireless projection. |
+| Wireless projection (Miracast) channel | Surface Hub > Projection | Set the channel for Miracast projection. |
+| Meeting info shown on the welcome screen | Surface Hub > Welcome screen | Choose whether meeting organizer, time, and subject show up on the welcome screen. |
+| Welcome screen background | Surface Hub > Welcome screen | Choose a background image for the welcome screen. |
+| Idle timeout to Welcome screen | Surface Hub > Session & Power | Choose how long until the Surface Hub returns to the welcome screen after no motion is detected. 
|
+| Resume session | Surface Hub > Session & Power | Choose to allow users to resume a session after no motion is detected or to automatically clean up a session. |
+| Access to Office 365 meetings and files | Surface Hub > Session & Power | Choose whether a user can sign in to Office 365 to get access to their meetings and files. |
+| Turn on screen with motion sensors | Surface Hub > Session & clean up | Choose whether the screen turns on when motion is detected. |
+| Session time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before returning to the welcome screen. |
+| Sleep time out | Surface Hub > Session & clean up | Choose how long the device needs to be inactive before going to sleep mode. |
+| Friendly name | Surface Hub > About | Set the Surface Hub name that people will see when connecting wirelessly. |
| Maintenance hours | Update & security > Windows Update > Advanced options | Configure when updates can be installed. |
| Configure Windows Server Update Services (WSUS) server | Update & security > Windows Update > Advanced options | Change whether Surface Hub receives updates from a WSUS server instead of Windows Update. |
+| Recover from the cloud | Update & security > Recovery | Reinstall the operating system on Surface Hub to a manufacturer build from the cloud. |
| Save BitLocker key | Update & security > Recovery | Backup your Surface Hub's BitLocker key to a USB drive. |
| Collect logs | Update & security > Recovery | Save logs to a USB drive to send to Microsoft later. |
diff --git a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md b/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md
deleted file mode 100644
index db9230f9ad..0000000000
--- a/devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: Manage settings with a local admin account (Surface Hub)
-description: A local admin account will be set up on every Microsoft Surface Hub as part of the first run program. The only way to change the local admin options that you chose at that time is to reset the device.
-ms.assetid: B4B3668B-985D-427E-8495-E30ABEECA679
-redirect_url: https://technet.microsoft.com/itpro/surface-hub/admin-group-management-for-surface-hub
-keywords: local admin account, Surface Hub, change local admin options
-ms.prod: w10
-ms.mktglfcycl: manage
-ms.sitesec: library
-ms.pagetype: surfacehub
-author: TrudyHa
-localizationpriority: medium
----
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
index 8cadcb7309..d50f750484 100644
--- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
+++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub, mobility
-author: jdeckerMS
+author: jdeckerms
localizationpriority: medium ---
@@ -59,19 +59,29 @@ You can configure the Surface Hub settings in the following table using MDM. The
For more information, see [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323).
-| Setting | Node in the SurfaceHub CSP | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | -| -------------------- | ---------------------------------- | ------------------------- | ---------------------------------------- | ------------------------- | +| Setting | Node in the SurfaceHub CSP | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | +| ---- | --- | --- | --- | --- | | Maintenance hours | MaintenanceHoursSimple/Hours/StartTime
MaintenanceHoursSimple/Hours/Duration | Yes | Yes | Yes | | Automatically turn on the screen using motion sensors | InBoxApps/Welcome/AutoWakeScreen | Yes | Yes | Yes | | Require a pin for wireless projection | InBoxApps/WirelessProjection/PINRequired | Yes | Yes | Yes | | Enable wireless projection | InBoxApps/WirelessProjection/Enabled | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
Use a custom setting. | Yes | +| Miracast channel to use for wireless projection | InBoxApps/WirelessProjection/Channel | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Connect to your Operations Management Suite workspace | MOMAgent/WorkspaceID
MOMAgent/WorkspaceKey | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Welcome screen background image | InBoxApps/Welcome/CurrentBackgroundPath | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Meeting information displayed on the welcome screen | InBoxApps/Welcome/MeetingInfoOption | Yes | Yes.
[Use a custom setting.](#example-sccm) | Yes | -| Friendly name for wireless projection | Properties/FriendlyName | Yes.
[Use a custom policy.](#example-intune)) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Friendly name for wireless projection | Properties/FriendlyName | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Device account, including password rotation | DeviceAccount/*``*
See [SurfaceHub CSP](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). | No | No | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +| Specify Skype domain | InBoxApps/SkypeForBusiness/DomainName | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Auto launch Connect App when projection is initiated | InBoxApps/Connect/AutoLaunch | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set default volume | Properties/DefaultVolume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set screen timeout | Properties/ScreenTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set session timeout | Properties/SessionTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set sleep timeout | Properties/SleepTimeout | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow session to resume after screen is idle | Properties/AllowSessionResume | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow device account to be used for proxy authentication | Properties/AllowAutoProxyAuth | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Supported Windows 10 settings @@ -81,77 +91,92 @@ The following tables include info on Windows 10 settings that have been validate #### Security settings | Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | -| -------- | -------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +| --- | --- | --- |---- | --- | --- | +| Allow Bluetooth | Keep this enabled to support Bluetooth peripherals. | [Connectivity/AllowBluetooth](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Connectivity_AllowBluetooth) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Bluetooth policies | Use to set the Bluetooth device name, and block advertising, discovery, and automatic pairing. | Bluetooth/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow camera | Keep this enabled for Skype for Business. | [Camera/AllowCamera](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Camera_AllowCamera) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow location | Keep this enabled to support apps such as Maps. | [System/AllowLocation](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowLocation) | Yes.
. | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow telemetry | Keep this enabled to help Microsoft improve Surface Hub. | [System/AllowTelemetry](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#System_AllowTelemetry) | Yes.
| Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow USB Drives | Keep this enabled to support USB drives on Surface Hub | [System/AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Browser settings -| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | -| -------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | +| --- | --- | --- |---- | --- | --- | +| Homepages | Use to configure the default homepages in Microsoft Edge. | [Browser/Homepages](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_Homepages) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow cookies | Surface Hub automatically deletes cookies at the end of a session. Use this to block cookies within a session. | [Browser/AllowCookies](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowCookies) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow developer tools | Use to stop users from using F12 Developer Tools. | [Browser/AllowDeveloperTools](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDeveloperTools) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow Do Not Track | Use to enable Do Not Track headers. | [Browser/AllowDoNotTrack](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowDoNotTrack) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow pop-ups | Use to block pop-up browser windows. | [Browser/AllowPopups](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowPopups) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow search suggestions | Use to block search suggestions in the address bar. | [Browser/AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSearchSuggestionsinAddressBar) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Allow SmartScreen | Keep this enabled to turn on SmartScreen. | [Browser/AllowSmartScreen](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_AllowSmartScreen) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Prevent ignoring SmartScreen Filter warnings for websites | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from accessing potentially malicious websites. | [Browser/PreventSmartScreenPromptOverride](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverride) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Prevent ignoring SmartScreen Filter warnings for files | For extra security, use to stop users from ignoring SmartScreen Filter warnings and block them from downloading unverified files from Microsoft Edge. | [Browser/PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Browser_PreventSmartScreenPromptOverrideForFiles) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Update settings -| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | -| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes. Use a custom policy. | Yes. Use a custom setting. | Yes | -| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes| -| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | +| --- | --- | --- |---- | --- | --- | +| Use Current Branch or Current Branch for Business | Use to configure Windows Update for Business – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/BranchReadinessLevel](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_BranchReadinessLevel) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Defer feature updates| See above. | [Update/ DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferFeatureUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Defer quality updates | See above. | [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Pause feature updates | See above. | [Update/PauseFeatureUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Pause quality updates | See above. | [Update/PauseQualityUpdates](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes| +| Configure device to use WSUS| Use to connect your Surface Hub to WSUS instead of Windows Update – see [Windows updates](manage-windows-updates-for-surface-hub.md). | [Update/UpdateServiceUrl](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Delivery optimization | Use peer-to-peer content sharing to reduce bandwidth issues during updates. See [Configure Delivery Optimization for Windows 10](https://technet.microsoft.com/itpro/windows/manage/waas-delivery-optimization) for details. | DeliveryOptimization/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Windows Defender settings -| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | -| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | -| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | +| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | +| --- | --- | --- |---- | --- | --- | +| Defender policies | Use to configure various Defender settings, including a scheduled scan time. | Defender/*``*
See [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | | Defender status | Use to initiate a Defender scan, force a signature update, query any threats detected. | [Defender CSP](https://msdn.microsoft.com/library/windows/hardware/mt187856.aspx) | No. | No. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Remote reboot -| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | -| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | +| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | +| --- | --- | --- |---- | --- | --- | | Reboot the device immediately | Use in conjunction with OMS to minimize support costs – see [Monitor your Microsoft Surface Hub](monitor-surface-hub.md). | ./Vendor/MSFT/Reboot/RebootNow
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | No | No | Yes | -| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes.
Use a custom policy. | Yes.
Use a custom setting. | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +| Reboot the device at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/Single
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Reboot the device daily at a scheduled date and time | See above. | ./Vendor/MSFT/Reboot/Schedule/DailyRecurrent
See [Reboot CSP](https://msdn.microsoft.com/library/windows/hardware/mt720802.aspx) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Install certificates -| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | -| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | +| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML\*? | +| --- | --- | --- |---- | --- | --- | | Install trusted CA certificates | Use to deploy trusted root and intermediate CA certificates. | [RootCATrustedCertificates CSP](https://msdn.microsoft.com/library/windows/hardware/dn904970.aspx) | Yes.
See [Configure Intune certificate profiles](https://docs.microsoft.com/en-us/intune/deploy-use/configure-intune-certificate-profiles). | Yes.
See [How to create certificate profiles in System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-certificate-profiles). | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. #### Collect logs -| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | -| ----------- | ---------------- | ------------- |-------------------------- | ---------------------------------------- | ------------------------- | +| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | +| --- | --- | --- |---- | --- | --- | | Collect ETW logs | Use to remotely collect ETW logs from Surface Hub. | [DiagnosticLog CSP](https://msdn.microsoft.com/library/windows/hardware/mt219118.aspx) | No | No | Yes | -\*Settings supported with SyncML can also be configured in a Windows Imaging and Configuration Designer (Windows ICD) provisioning package. +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. + +#### Set network quality of service (QoS) policy + +| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | +| --- | --- | --- |--- | --- | ---- | +| Set Network QoS Policy | Use to set a QoS policy to perform a set of actions on network traffic. This is useful for prioritizing Skype network packets. | [NetworkQoSPolicy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. + +#### Set network proxy + +| Setting | Details | CSP reference | Supported with
Intune? | Supported with
Configuration Manager? | Supported with
SyncML*? | +| --- | ---- | --- |---- | --- | --- | +| Set Network proxy | Use to configure a proxy server for ethernet and Wi-Fi connections. | [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +\*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. ### Generate OMA URIs for settings You need to use a setting’s OMA URI to create a custom policy in Intune, or a custom setting in System Center Configuration Manager. @@ -252,7 +277,7 @@ For more information, see [Create configuration items for Windows 8.1 and Window [Manage Microsoft Surface Hub](manage-surface-hub.md) -[Microsoft Surface Hub administrator's guide](surface-hub-administrators-guide.md) +   diff --git a/devices/surface-hub/manage-surface-hub-settings.md b/devices/surface-hub/manage-surface-hub-settings.md index 5413d28a30..fe030602b9 100644 --- a/devices/surface-hub/manage-surface-hub-settings.md +++ b/devices/surface-hub/manage-surface-hub-settings.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index def0816f4c..56340d14d0 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- 
@@ -30,8 +30,9 @@ Learn about managing and updating Surface Hub. | [Remote Surface Hub management](remote-surface-hub-management.md) |Topics related to managing your Surface Hub remotely. Include install apps, managing settings with MDM and monitoring with Operations Management Suite. | | [Manage Surface Hub settings](manage-surface-hub-settings.md) |Topics related to managing Surface Hub settings: accessibility, device account, device reset, fully qualified domain name, Windows Update settings, and wireless network | | [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.| -| [End a meeting with I’m done](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap I'm Done to clean up any sensitive data and prepare the device for the next meeting.| +| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.| | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.| +| [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. 
| | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.| diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 659e2a6ae5..f2a401a497 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/miracast-over-infrastructure.md b/devices/surface-hub/miracast-over-infrastructure.md new file mode 100644 index 0000000000..e83c80a62a --- /dev/null +++ b/devices/surface-hub/miracast-over-infrastructure.md 
@@ -0,0 +1,43 @@
+---
+title: Miracast on existing wireless network or LAN
+description: Monitoring for Microsoft Surface Hub devices is enabled through Microsoft Operations Management Suite (OMS).
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: jdeckerms
+localizationpriority: medium
+---
+
+# Miracast on existing wireless network or LAN
+
+In the Windows 10, version 1703, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx).
+
+Miracast over Infrastructure offers a number of benefits:
+
+- Windows automatically detects when sending the video stream over this path is applicable.
+- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network.
+- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections.
+- No changes to current wireless drivers or PC hardware are required.
+- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct.
+- It leverages an existing connection which both reduces the time to connect and provides a very stable stream.
+
+
+## How it works
+
+Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection.
+
+ ## Enabling Miracast over Infrastructure
+
+ If you have a Surface Hub that has been updated to Windows 10, version 1703, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment:
+
+ - The Surface Hub needs to be running Windows 10, version 1703.
+ - The Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself.
+ - The DNS Hostname (device name) of the Surface Hub needs to be resolvable via your DNS servers. You can achieve this by either allowing your Surface Hub to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the Surface Hub's hostname.
+ - Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection.
+ - PCs need to be running Windows 10, version 1703.
+
+ It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method.
+
+ The **InBoxApps/WirelessProjection/PinRequired** setting in the [SurfaceHub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) is not required for Miracast over Infrastructure. This is because Miracast over Infrastructure only works when both devices are connected to the same enterprise network. This removes the security restriction that was previously missing from Miracast.
We recommend that you continue using this setting (if you used it previously) as Miracast will fall back to regular Miracast if the infrastructure connection does not work.
diff --git a/devices/surface-hub/miracast-troubleshooting.md b/devices/surface-hub/miracast-troubleshooting.md
new file mode 100644
index 0000000000..fae1f30463
--- /dev/null
+++ b/devices/surface-hub/miracast-troubleshooting.md
@@ -0,0 +1,78 @@ +--- +title: Troubleshoot Miracast on Surface Hub +description: Learn how to resolve issues with Miracast on Surface Hub. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerms +localizationpriority: medium +--- + +# Troubleshoot Miracast on Surface Hub + +Surface Hub supports wireless projection through the Miracast protocol. Most wireless monitors and adapters available today use the original implementation of Miracast. Surface Hub uses a slightly different version of Miracast known as **Miracast Autonomous Group Owner (AGO)**. A common troubleshooting step when projecting wirelessly to Surface Hub fails is to test projecting to another wireless monitor or adapter. However, in most cases, these devices are not using Miracast AGO and do not handle wireless projection the same way that Surface Hub does. + +In traditional Miracast, the projecting device will connect the access point set up by the Miracast-enabled monitor, and then the monitor will send traffic back to the projecting device using the network channel of the projecting device. Miracast AGO is a two-step connection process: + +- The first step is an initial connection using 2.4GHz. +- After that initial handshake, the projecting device sends traffic to the monitor using the wireless channel settings on the monitor. If Surface Hub is connected to a Wi-Fi network, the access point, it will use the same channel as the connected network, otherwise it will use the Miracast channel from Settings. + +There are generally two types of issues with Miracast to Surface Hub: [connection](#connect-issues) and [performance](#performance-issues). In either case, it is a good idea to get a general picture of wireless network activity in the Surface Hub’s location. Running a network scanning tool will show you the available networks and channel usage in the environment. 
+ +## Connect issues + +Ensure both Wi-Fi and Miracast are both enabled in Settings on Surface Hub. + +If you ran a network scan, you should see Surface Hub Miracast listed as an access point. If Surface Hub’s Miracast network shows up on the scan, but you cannot not see it as an available device, you can try to adjust the Miracast channel used by Surface Hub. + +When Surface Hub is connected to a Wi-Fi network it will use the same channel settings as the Wi-Fi access point for its Miracast access point. For troubleshooting purposes, disconnect Surface Hub from any Wi-Fi networks (but keep Wi-Fi enabled), so you can control the channel used for Miracast. You can manually select the Miracast channel in Settings. You will need to restart Surface Hub after each change. Generally speaking, you will want to use channels that do not show heavy utilization from the network scan. + +It is also possible that the connect issue can be the result of a problem on the connecting device. If the projecting device is running Windows, it should be Windows 8.1 or newer for full Miracast support. Again, for troubleshooting, disconnect the projecting device from any Wi-Fi networks. This will eliminate any channel switching between the access point channel and the Miracast channel set on Surface Hub. Also, some Group Policy and firewall settings may be tied to a Wi-Fi network. + +### Check drivers + +It is also a good idea to ensure the latest drivers and updates are installed on the projecting device. In Device Manager, open the Wi-Fi adapter and video adapter and check for an updated driver version. [Hotfix 3120232](https://support.microsoft.com/help/3120232/poor-wireless-performance-on-5-ghz-connections-on-surface-pro-3-and-surface-3) is highly recommended for Surface Pro 3 and Surface Pro 4 if they are on an older Wi-Fi driver. + +### Check for Miracast support + +Next, ensure Miracast is supported on the device. + +1. Press Windows Key + R and type `dxdiag`. +2. 
Click “Save all information”. +3. Open the saved dxdiag.txt and find **Miracast**. It should say **Available, with HDCP**. + +### Check firewall + +The Windows firewall can block Miracast traffic. The simplest test is to disable the firewall and test projection. If Miracast works with the firewall disabled, add an exception for + + C:\Windows\System32\WUDFHost.exe + Allow In/Out connections for TCP and UDP, Ports: All. + +### Check Group Policy settings + +On domain-joined devices, Group Policy can also block Miracast. + +1. Use the Windows Key + R and type `rsop.msc` to execute the **Resultant Set of Policy** snap-in. This will show the current policies applied to the PC. +2. Review **Computer Configuration** > **Windows Settings** > **Security Settings** > **Wireless Network (IEEE 802.11) Policies**. There should be a setting for wireless policies. +3. Double click the setting for wireless policies and a dialog box will appear. +4. Open the **Network Permissions** tab and select **Allow everyone to create all user profiles**. + +### Check event logs + +The last place to check is in the Event logs. Miracast events will be logged to **Wlanautoconfig**. This is true on both Surface Hub and the projecting device. If you export Surface Hub logs, you can view Surface Hub’s Wlanautoconfig in the **WindowsEventLog** folder. Errors in the event log can provide some additional details on where the connection fails. + +## Performance issues + +After wireless projection is connected, it is possible to see performance issues causing latency. This is generally a result of overall channel saturation or a situation that causes channel switching. + +For channel saturation, refer to the network scan and try to use channels with less traffic. + +Channel switching is caused when the Wi-Fi adapter needs to send traffic to multiple channels. Certain channels support Dynamic Frequency Selection (DFS). DFS is used on channels 49 through 148. 
Some Wi-Fi drivers will show poor performance when connected to a DFS channel. If you are seeing poor Miracast performance while connected to a DFS channel, try the projection on a non-DFS channel. Both Surface Hub and projecting device should use non-DFS channels.
+
+If Surface Hub and the projecting device are both connected to Wi-Fi but using different access points with different channels, this will force Surface Hub and the projecting device to channel switch while Miracast is connected. This will result in both poor wireless project and poor network performance over Wi-Fi. The channel switching will affect the performance of all wireless traffic, not just wireless projection.
+
+Channel switching will also occur if the projecting device is connected to an Wi-Fi network using a different channel than the channel that Surface Hub uses for Miracast. So, a best practice is to set Surface Hub’s Miracast channel to the same channel as the most commonly used access point.
+
+If there are multiple Wi-Fi networks or access points in the environment, some channel switching is unavoidable. This is best addressed by ensuring all Wi-Fi drivers are up to date.
+
diff --git a/devices/surface-hub/monitor-surface-hub.md b/devices/surface-hub/monitor-surface-hub.md
index 4b96956704..93b9b743e0 100644
--- a/devices/surface-hub/monitor-surface-hub.md
+++ b/devices/surface-hub/monitor-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
index 8914899056..40f04195dd 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
index d3d6ab6871..bba5bfaa28 100644
--- a/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
+++ b/devices/surface-hub/on-premises-deployment-surface-hub-multi-forest.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
index 6510d41971..e33fd2889a 100644
--- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
+++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
index c6c3db5d36..87823e452f 100644
--- a/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
+++ b/devices/surface-hub/password-management-for-surface-hub-device-accounts.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/physically-install-your-surface-hub-device.md b/devices/surface-hub/physically-install-your-surface-hub-device.md
index 489e6a03a3..e187e19cb7 100644
--- a/devices/surface-hub/physically-install-your-surface-hub-device.md
+++ b/devices/surface-hub/physically-install-your-surface-hub-device.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, readiness
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
index bacd9b4c7f..36062f36a4 100644
--- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md
+++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
@@ -27,11 +27,12 @@ Review these dependencies to make sure Surface Hub features will work in your IT
 | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access |

In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. | +| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1x Authentication is supported for both wired and wireless connections.

**802.1x authentication:** In Windows 10, version 1703, 802.1x authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1x authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1x authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1x authentication will start working automatically.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 - HTTP: 80 +- NTP: 123 Depending on your environment, access to additional ports may be needed: - For online environments, see [Office 365 IP URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US). @@ -41,6 +42,20 @@ Microsoft collects telemetry to help improve your Surface Hub experience. Add th - Telemetry client endpoint: `https://vortex.data.microsoft.com/` - Telemetry settings endpoint: `https://settings.data.microsoft.com/` +### Proxy configuration + +If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Store for Business. Some of the Store for Business features use Windows Store app and Windows Store services. Devices using Store for Business – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy server to block traffic, your configuration needs to allow these URLs: + +- login.live.com +- login.windows.net +- account.live.com +- clientconfig.passport.net +- windowsphone.com +- *.wns.windows.com +- *.microsoft.com +- www.msftncsi.com (prior to Windows 10, version 1607) +- www.msftconnecttest.com/connecttest.txt (replaces www.msftncsi.com starting with Windows 10, version 1607) + ## Work with other admins 
@@ -49,7 +64,7 @@ Surface Hub interacts with a few different products and services. Depending on t
 ## Create and verify device account
-A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
+A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details.
 After you've created your device account, there are a couple of ways to verify that it's setup correctly.
 - Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
diff --git a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md b/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
deleted file mode 100644
index 7b002d0345..0000000000
--- a/devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md
+++ /dev/null
@@ -1,221 +0,0 @@ ---- -title: Create provisioning packages (Surface Hub) -description: For Windows 10, settings that use the registry or a content services platform (CSP) can be configured using provisioning packages. You can also add certificates during first run using provisioning. -ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345 -keywords: add certificate, provisioning package -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# Create provisioning packages (Surface Hub) - -This topic explains how to create a provisioning package using the Windows Imaging and Configuration Designer (ICD), and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings. - -You can apply a provisioning package using a USB during first run, or through the **Settings** app. - - -## Advantages -- Quickly configure devices without using a MDM provider. - -- No network connectivity required. - -- Simple to apply. - -[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/whats-new/new-provisioning-packages) - - -## Requirements - -To create and apply a provisioning package to a Surface Hub, you'll need the following: - -- Windows Imaging and Configuration Designer (ICD), which is installed as a part of the [Windows 10 Assessment and Deployment Kit (ADK)](http://go.microsoft.com/fwlink/p/?LinkId=526740). -- A PC running Windows 10. -- A USB flash drive. -- If you apply the package using the **Settings** app, you'll need device admin credentials. - -You'll create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub. 
- - -## Supported items for Surface Hub provisioning packages - -Currently, you can add these items to provisioning packages for Surface Hub: -- **Certificates** - You can add certificates, if needed, to authenticate to Microsoft Exchange. -- **Universal Windows Platform (UWP) apps** - You can install UWP apps. This can be an offline-licensed app from the Microsoft Store for Business, or an app created by an in-house dev. -- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. -- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). - - -## Create the provisioning package - -Use the Windows Imaging and Configuration Designer (ICD) tool included in the Windows Assessment and Deployment Kit (ADK) for Windows 10 to create a provisioning package. When you install the ADK, you can choose to install only the Imaging and Configuration Designer (ICD). [Install the ADK.](http://go.microsoft.com/fwlink/p/?LinkId=526740) - -1. Open Windows ICD (by default, `%windir%\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe`). - -2. Click **Advanced provisioning**. - - ![ICD start options](images/ICDstart-option.PNG) - -3. Name your project and click **Next**. - -4. Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**. - - ![ICD new project](images/icd-new-project.png) - -5. In the project, under **Available customizations**, select **Common Team edition settings**. - - ![ICD common settings](images/icd-common-settings.png) - - -### Add a certificate to your package -You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange. 
- -> [!NOTE] -> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. - -2. Enter a **CertificateName** and then click **Add**. - -2. Enter the **CertificatePassword**. - -3. For **CertificatePath**, browse and select the certificate. - -4. Set **ExportCertificate** to **False**. - -5. For **KeyLocation**, select **Software only**. - - -### Add a Universal Windows Platform (UWP) app to your package -Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Microsoft Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Microsoft Store for Business. - -1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**. - -2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. If you acquired the app from the Microsoft Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags. - -3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). - -4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies. 
- -If you acquired the app from the Microsoft Store for Business, you will also need to add the app license to your provisioning package. - -1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license". - -2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**. - -3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute. - -4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1. - - -### Add a policy to your package -Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. - -1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**. - -2. Select one of the available policy areas. - -3. Select and set the policy you want to add to your provisioning package. - - -### Add Surface Hub settings to your package - -You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package. - -1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**. - -2. Select one of the available setting areas. - -3. Select and set the setting you want to add to your provisioning package. - - -## Build your package - -1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. - -2. Read the warning that project files may contain sensitive information, and click **OK**. 
- - > [!IMPORTANT] - > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. - -3. On the **Export** menu, click **Provisioning package**. - -4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. - -5. Set a value for **Package Version**, and then select **Next.** - - > [!TIP] - > You can make changes to existing packages and change the version number to update previously applied packages. - -6. Optional: You can choose to encrypt the package and enable package signing. - - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package. - - > [!IMPORTANT] - > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  - -7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

-Optionally, you can click **Browse** to change the default output location. - -8. Click **Next**. - -9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

-If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. - -10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

-If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. - -11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive. - - -## Apply a provisioning package to Surface Hub - -There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). - - -### Apply a provisioning package during first run - -> [!IMPORTANT] -> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings. - -1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding. - -2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**. - - ![Set up device?](images/provisioningpackageoobe-01.png) - -3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. - - ![Provision this device](images/provisioningpackageoobe-02.png) - -4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run. 
- - ![Choose a package](images/provisioningpackageoobe-03.png) - -5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. The package will be applied, and you'll be taken to the next page in the first-run program. - - ![Do you trust this package?](images/provisioningpackageoobe-04.png) - - -### Apply a package using Settings - -1. Insert the USB flash drive containing the .ppkg file into the Surface Hub. - -2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted. - -3. Navigate to **This device** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**. - -4. Select **Add a package**. - -5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted. - -6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**. diff --git a/devices/surface-hub/provisioning-packages-for-surface-hub.md b/devices/surface-hub/provisioning-packages-for-surface-hub.md new file mode 100644 index 0000000000..5bd004e345 --- /dev/null +++ b/devices/surface-hub/provisioning-packages-for-surface-hub.md 
@@ -0,0 +1,319 @@ +--- +title: Create provisioning packages (Surface Hub) +description: For Windows 10, settings that use the registry or a configuration service provider (CSP) can be configured using provisioning packages. +ms.assetid: 8AA25BD4-8A8F-4B95-9268-504A49BA5345 +keywords: add certificate, provisioning package +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerms +localizationpriority: medium +--- + +# Create provisioning packages (Surface Hub) + +This topic explains how to create a provisioning package using the Windows Configuration Designer, and apply it to Surface Hub devices. For Surface Hub, you can use provisioning packages to add certificates, install Universal Windows Platform (UWP) apps, and customize policies and settings. + +You can apply a provisioning package using a USB stick during first-run setup, or through the **Settings** app. + + +## Advantages +- Quickly configure devices without using a mobile device management (MDM) provider. + +- No network connectivity required. + +- Simple to apply. + +[Learn more about the benefits and uses of provisioning packages.](https://technet.microsoft.com/itpro/windows/configure/provisioning-packages) + + +## Requirements + +To create and apply a provisioning package to a Surface Hub, you'll need the following: + +- Windows Configuration Designer, which can be installed from Microsoft Store or from the Windows 10 Assessment and Deployment Kit (ADK). [Learn how to install Windows Configuration Designer.](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd) +- A USB stick. +- If you apply the package using the **Settings** app, you'll need device admin credentials. + +You create the provisioning package on a PC running Windows 10, save the package to a USB drive, and then deploy it to your Surface Hub. 
+ + +## Supported items for Surface Hub provisioning packages + +Using the **Provision Surface Hub devices** wizard, you can: + +- Enroll in Active Directory, Azure Active Directory, or MDM +- Create an device administrator account +- Add applications and certificates +- Configure proxy settings +- Add a Surface Hub configuration file + +>[!WARNING] +>You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using the wizard. + +Using the advanced provisioning editor, you can add these items to provisioning packages for Surface Hub: + +- **Policies** - Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx#surfacehubpolicies). +- **Settings** - You can configure any setting in the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx). + +>[!TIP] +> Use the wizard to create a package with the common settings, then switch to the advanced editor to add other settings. +> +>![open advanced editor](images/icd-simple-edit.png) + +## Use the Surface Hub provisioning wizard + +After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package. + +### Create the provisioning package + +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + + or + + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + +2. 
Click **Provision Surface Hub devices**. + +3. Name your project and click **Next**. + +### Configure settings + + + + + + + + + +
![step one](images/one.png) ![add certificates](images/add-certificates.png)

To provision the device with a certificate, click **Add a certificate**. Enter a name for the certificate, and then browse to and select the certificate to be used.
![add a certificate](images/add-certificates-details.png)
![step two](images/two.png) ![configure proxy settings](images/proxy.png)

Toggle **Yes** or **No** for proxy settings. The default configuration for Surface Hub is to automatically detect proxy settings, so you can select **No** if that is the setting that you want. However, if your infrastructure previously required using a proxy server and has changed to not require a proxy server, you can use a provisioning package to revert your Surface Hub devices to the default settings by selecting **Yes** and **Automatically detect settings**.

If you toggle **Yes**, you can select to automatically detect proxy settings, or you can manually configure the settings by entering a URL to a setup script, or a static proxy server address. You can also identify whether to use the proxy server for local addresses, and enter exceptions (addresses that Surface Hub should connect to directly without using the proxy server).
![configure proxy settings](images/proxy-details.png)
![step three](images/three.png) ![device admins](images/set-up-device-admins.png)

You can enroll the device in Active Directory and specify a security group to use the Settings app, enroll in Azure Active Directory to allow global admins to use the Settings app, or create a local administrator account on the device.

To enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain, and specify the security group to have admin credentials on Surface Hub. If a provisioning package that enrolls a device in Active Directory is going to be applied to a Surface Hub that was reset, the same domain account can only be used if the account listed is a domain administrator or is the same account that set up the Surface Hub initially. Otherwise, a different domain account must be used in the provisioning package.

Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup). The **maximum number of devices per user** setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 30 days from the date you get the token). Click **Get bulk token**. In the **Let's get you signed in** window, enter an account that has permissions to join a device to Azure AD, and then the password. Click **Accept** to give Windows Configuration Designer the necessary permissions.

To create a local administrator account, select that option and enter a user name and password.

**Important:** If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
![join Active Directory, Azure AD, or create a local admin account](images/set-up-device-admins-details.png)
![step four](images/four.png) ![enroll in device management](images/enroll-mdm.png)

Toggle **Yes** or **No** for enrollment in MDM.

If you toggle **Yes**, you must provide a service account and password or certificate thumbprint that is authorized to enroll the device, and also specify the authentication type. If required by your MDM provider, also enter the URLs for the discovery service, enrollment service, and policy service. [Learn more about managing Surface Hub with MDM.](manage-settings-with-mdm-for-surface-hub.md)
![enroll in mobile device management](images/enroll-mdm-details.png)
![step five](images/five.png) ![add applications](images/add-applications.png)

You can install multiple Universal Windows Platform (UWP) apps in a provisioning package. For help with the settings, see [Provision PCs with apps](https://technet.microsoft.com/itpro/windows/configure/provision-pcs-with-apps).

**Important:** Although the wizard interface allows you to select a Classic Win32 app, only include UWP apps in a provisioning package that will be applied to Surface Hub. If you include a Classic Win32 app, provisioning will fail.
![add an application](images/add-applications-details.png)
![step six](images/six.png) ![Add configuration file](images/add-config-file.png)

You don't configure any settings in this step. It provides instructions for including a configuration file that contains a list of device accounts. The configuration file must not contain column headers. When you apply the provisioning package to Surface Hub, if a Surface Hub configuration file is included on the USB drive, you can select the account and friendly name for the device from the file. See [Sample configuration file](#sample-configuration-file) for an example.

**Important:** The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703.
![Add a Surface Hub configuration file](images/add-config-file-details.png)
![finish](images/finish.png)

You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
![Protect your package](images/finish-details.png)
+ +After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page. + +## Sample configuration file + +A Surface Hub configuration file contains a list of device accounts that your device can use to connect to Exchange and Skype for Business. When you apply a provisioning package to Surface Hub, you can include a configuration file in the root directory of the USB flash drive, and then select the desired account to apply to that device. The configuration file can only be applied during the out-of-box setup experience (OOBE) and can only be used with provisioning packages created using the Windows Configuration Designer released with Windows 10, version 1703. + +Use Microsoft Excel or other CSV editor to create a CSV file named `SurfaceHubConfiguration.csv`. In the file, enter a list of device accounts and friendly names in this format: + +``` +,, +``` +>[!IMPORTANT] +>Because the configuration file stores the device account passwords in plaintext, we recommend that you update the passwords after you've applied the provisioning package to your devices. You can use the [DeviceAccount node](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp#deviceaccount) in the [Surface Hub configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/surfacehub-csp) to update the passwords via MDM. + + +The following is an example of `SurfaceHubConfiguration.csv`. 
+ +``` +Rainier@contoso.com,password,Rainier Surface Hub +Adams@contoso.com,password,Adams Surface Hub +Baker@contoso.com,password,Baker Surface Hub +Glacier@constoso.com,password,Glacier Surface Hub +Stuart@contoso.com,password,Stuart Surface Hub +Fernow@contoso.com,password,Fernow Surface Hub +Goode@contoso.com,password,Goode Surface Hub +Shuksan@contoso.com,password,Shuksan Surface Hub +Buckner@contoso.com,password,Buckner Surface Hub +Logan@contoso.com,password,Logan Surface Hub +Maude@consoto.com,password,Maude Surface hub +Spickard@contoso.com,password,Spickard Surface Hub +Redoubt@contoso.com,password,Redoubt Surface Hub +Dome@contoso.com,password,Dome Surface Hub +Eldorado@contoso.com,password,Eldorado Surface Hub +Dragontail@contoso.com,password,Dragontail Surface Hub +Forbidden@contoso.com,password,Forbidden Surface Hub +Oval@contoso.com,password,Oval Surface Hub +StHelens@contoso.com,password,St Helens Surface Hub +Rushmore@contoso.com,password,Rushmore Surface Hub +``` + +## Use advanced provisioning + +After you [install Windows Configuration Designer](https://technet.microsoft.com/itpro/windows/configure/provisioning-install-icd), you can create a provisioning package. + +### Create the provisioning package (advanced) + +1. Open Windows Configuration Designer: + - From either the Start screen or Start menu search, type 'Windows Configuration Designer' and click on the Windows Configuration Designer shortcut, + + or + + - If you installed Windows Configuration Designer from the ADK, navigate to `C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86` (on an x64 computer) or `C:\Program Files\Windows Kits\10\Assessment and Deployment Kit\Imaging and Configuration Designer\x86\ICD.exe` (on an x86 computer), and then double-click **ICD.exe**. + +2. Click **Advanced provisioning**. + +3. Name your project and click **Next**. + +4. 
Select **Common to Windows 10 Team edition**, click **Next**, and then click **Finish**. + + ![ICD new project](images/icd-new-project.png) + +5. In the project, under **Available customizations**, select **Common Team edition settings**. + + ![ICD common settings](images/icd-common-settings.png) + + +### Add a certificate to your package +You can use provisioning packages to install certificates that will allow the device to authenticate to Microsoft Exchange. + +> [!NOTE] +> Provisioning packages can only install certificates to the device (local machine) store, and not to the user store. If your organization requires that certificates must be installed to the user store, use Mobile Device Management (MDM) to deploy these certificates. See your MDM solution documentation for details. + +1. In the **Available customizations** pane, go to **Runtime settings** > **Certificates** > **ClientCertificates**. + +2. Enter a **CertificateName** and then click **Add**. + +2. Enter the **CertificatePassword**. + +3. For **CertificatePath**, browse and select the certificate. + +4. Set **ExportCertificate** to **False**. + +5. For **KeyLocation**, select **Software only**. + + +### Add a Universal Windows Platform (UWP) app to your package +Before adding a UWP app to a provisioning package, you need the app package (either an .appx, or .appxbundle) and any dependency files. If you acquired the app from the Microsoft Store for Business, you will also need the *unencoded* app license. See [Distribute offline apps](https://technet.microsoft.com/itpro/windows/manage/distribute-offline-apps#download-an-offline-licensed-app) to learn how to download these items from the Microsoft Store for Business. + +1. In the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextApp**. + +2. Enter a **PackageFamilyName** for the app and then click **Add**. For consistency, use the app's package family name. 
If you acquired the app from the Microsoft Store for Business, you can find the package family name in the app license. Open the license file using a text editor, and use the value between the \...\ tags. + +3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle). + +4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. For Surface Hub, you will only need the x64 versions of these dependencies. + +If you acquired the app from the Microsoft Store for Business, you will also need to add the app license to your provisioning package. + +1. Make a copy of the app license, and rename it to use a **.ms-windows-store-license** extension. For example, "example.xml" becomes "example.ms-windows-store-license". + +2. In ICD, in the **Available customizations** pane, go to **Runtime settings** > **UniversalAppInstall** > **DeviceContextAppLicense**. + +3. Enter a **LicenseProductId** and then click **Add**. For consistency, use the app's license ID from the app license. Open the license file using a text editor. Then, in the \ tag, use the value in the **LicenseID** attribute. + +4. Select the new **LicenseProductId** node. For **LicenseInstall**, click **Browse** to find and select the license file that you renamed in Step 1. + + +### Add a policy to your package +Surface Hub supports a subset of the policies in the [Policy configuration service provider](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). Some of those policies can be configured with ICD. + +1. In the **Available customizations** pane, go to **Runtime settings** > **Policies**. + +2. Select one of the available policy areas. + +3. Select and set the policy you want to add to your provisioning package. 
+ + +### Add Surface Hub settings to your package + +You can add settings from the [SurfaceHub configuration service provider](https://msdn.microsoft.com/library/windows/hardware/mt608323.aspx) to your provisioning package. + +1. In the **Available customizations** pane, go to **Runtime settings** > **WindowsTeamSettings**. + +2. Select one of the available setting areas. + +3. Select and set the setting you want to add to your provisioning package. + + +## Build your package + +1. When you are done configuring the provisioning package, on the **File** menu, click **Save**. + +2. Read the warning that project files may contain sensitive information, and click **OK**. + + > [!IMPORTANT] + > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed. + +3. On the **Export** menu, click **Provisioning package**. + +4. Change **Owner** to **IT Admin**, which will set the precedence of this provisioning package higher than provisioning packages applied to this device from other sources. + +5. Set a value for **Package Version**, and then select **Next.** + + > [!TIP] + > You can make changes to existing packages and change the version number to update previously applied packages. + +6. Optional: You can choose to encrypt the package and enable package signing. + + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse...** and choosing the certificate you want to use to sign the package. 
+ + > [!IMPORTANT] + > We recommend that you include a trusted provisioning certificate in your provisioning package. When the package is applied to a device, the certificate is added to the system store and any package signed with that certificate thereafter can be applied silently.  + +7. Click **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.

+Optionally, you can click **Browse** to change the default output location. + +8. Click **Next**. + +9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.

+If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**. + +10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.

+If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. + + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + +11. Select the **output location** link to go to the location of the package. Copy the .ppkg to an empty USB flash drive. + + +## Apply a provisioning package to Surface Hub + +There are two options for deploying provisioning packages to a Surface Hub. You can apply a provisioning packing [during the first run wizard](#apply-a-provisioning-package-during-first-run), or using [Settings](#apply-a-package-using-settings). + + +### Apply a provisioning package during first run + +> [!IMPORTANT] +> Only use provisioning packages to install certificates during first run. Use the **Settings** app to install apps and apply other settings. + +1. When you turn on the Surface Hub for the first time, the first-run program will display the [**Hi there page**](first-run-program-surface-hub.md#first-page). Make sure that the settings are properly configured before proceeding. + +2. Insert the USB flash drive containing the .ppkg file into the Surface Hub. If the package is in the root directory of the drive, the first-run program will recognize it and ask if you want to set up the device. Select **Set up**. + + ![Set up device?](images/provisioningpackageoobe-01.png) + +3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**. + + ![Provision this device](images/provisioningpackageoobe-02.png) + +4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**. Note that you can only install one package during first run. 
+ + ![Choose a package](images/provisioningpackageoobe-03.png) + +5. The first-run program will show you a summary of the changes that the provisioning package will apply. Select **Yes, add it**. + + ![Do you trust this package?](images/provisioningpackageoobe-04.png) + +6. If a configuration file is included in the root directory of the USB flash drive, you will see **Select a configuration**. The first device account in the configuration file will be shown with a summary of the account information that will be applied to the Surface Hub. + + ![select a configuration](images/ppkg-config.png) + +7. In **Select a configuration**, select the device name to apply, and then click **Next**. + + ![select a friendly device name](images/ppkg-csv.png) + +The settings from the provisioning package will be applied to the device and OOBE will be complete. After the device restarts, you can remove the USB flash drive. + +### Apply a package using Settings + +1. Insert the USB flash drive containing the .ppkg file into the Surface Hub. + +2. From the Surface Hub, start **Settings** and enter the admin credentials when prompted. + +3. Navigate to **Surface Hub** > **Device management**. Under **Provisioning packages**, select **Add or remove a provisioning package**. + +4. Select **Add a package**. + +5. Choose your provisioning package and select **Add**. You may have to re-enter the admin credentials if prompted. + +6. You'll see a summary of the changes that the provisioning package will apply. Select **Yes, add it**. + + diff --git a/devices/surface-hub/remote-surface-hub-management.md b/devices/surface-hub/remote-surface-hub-management.md index 41588251fe..f1369c5c26 100644 --- a/devices/surface-hub/remote-surface-hub-management.md +++ b/devices/surface-hub/remote-surface-hub-management.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: TrudyHa +author: jdeckerms localizationpriority: medium --- 
diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md
index 2354de0f40..27ca1f3ef9 100644
--- a/devices/surface-hub/save-bitlocker-key-surface-hub.md
+++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md
@@ -7,7 +7,7 @@
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, security
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/set-up-your-surface-hub.md b/devices/surface-hub/set-up-your-surface-hub.md
index 95b7c2c92f..15231f9a9d 100644
--- a/devices/surface-hub/set-up-your-surface-hub.md
+++ b/devices/surface-hub/set-up-your-surface-hub.md
@@ -7,7 +7,7 @@
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/setup-worksheet-surface-hub.md b/devices/surface-hub/setup-worksheet-surface-hub.md
index a77cf5850f..49ef04d184 100644
--- a/devices/surface-hub/setup-worksheet-surface-hub.md
+++ b/devices/surface-hub/setup-worksheet-surface-hub.md
@@ -7,7 +7,7 @@
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/devices/surface-hub/surface-hub-administrators-guide.md b/devices/surface-hub/surface-hub-administrators-guide.md
deleted file mode 100644
index 4786082d45..0000000000
--- a/devices/surface-hub/surface-hub-administrators-guide.md
+++ /dev/null
@@ -1,76 +0,0 @@ ---- -title: Microsoft Surface Hub administrator's guide -description: This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. -ms.assetid: e618aab7-3a94-4159-954e-d455ef7b8839 -keywords: Surface Hub, installation, administration, administrator's guide -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: surfacehub -author: TrudyHa -localizationpriority: medium ---- - -# Microsoft Surface Hub administrator's guide - - -This guide covers the installation and administration of devices running Surface Hub, and is intended for use by anyone responsible for these tasks, including IT administrators and developers. - -Before you power on Microsoft Surface Hub for the first time, make sure you've [completed preparation items](prepare-your-environment-for-surface-hub.md), and that you have the information listed in the [Setup worksheet](setup-worksheet-surface-hub.md). When you do power it on, the device will walk you through a series of setup screens. If you haven't properly set up your environment, or don't have the required information, you'll have to do extra work afterward making sure the settings are correct. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
TopicDescription

[Intro to Microsoft Surface Hub](intro-to-surface-hub.md)

Surface Hub is an all-in-one productivity device that is intended for brainstorming, collaboration, and presentations. In order to get the maximum benefit from Surface Hub, your organization’s infrastructure and the Surface Hub itself must be properly set up and integrated. This guide describes what needs to be done both before and during setup in order to help you optimize your use of the device.

[Physically install Microsoft Surface Hub](physically-install-your-surface-hub-device.md)

The Surface Hub Readiness Guide will help make sure that your site is ready for the installation. You can download the Guide from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?LinkId=718144). It includes planning information for both the 55" and 84" devices, as well as info on moving the Surface Hub from receiving to the installation location, mounting options, and a list of what's in the box.

[Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md)

This section contains an overview of the steps required to prepare your environment so that you can use all of the features of Surface Hub. See [Intro to Surface Hub](intro-to-surface-hub.md) for a description of how the device and its features interact with your IT environment.

[Set up Microsoft Surface Hub](set-up-your-surface-hub.md)

Set up instructions for Surface Hub include a setup worksheet, and a walkthrough of the first-run program.

[Manage Microsoft Surface Hub](manage-surface-hub.md)

How to manage your Surface Hub after finishing the first-run program.

[Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md)

Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.

[Appendix: PowerShell](appendix-a-powershell-scripts-for-surface-hub.md)

PowerShell scripts to help set up and manage your Surface Hub .

- -  - -  - -  - - - - - diff --git a/devices/surface-hub/surface-hub-downloads.md b/devices/surface-hub/surface-hub-downloads.md index eb0886cce1..f5b6fa0c35 100644 --- a/devices/surface-hub/surface-hub-downloads.md +++ b/devices/surface-hub/surface-hub-downloads.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/surface-hub-wifi-direct.md b/devices/surface-hub/surface-hub-wifi-direct.md index 6a76d310ab..e4ce72ed1d 100644 --- a/devices/surface-hub/surface-hub-wifi-direct.md +++ b/devices/surface-hub/surface-hub-wifi-direct.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: surfacehub -author: jdeckerMS +author: jdeckerms localizationpriority: medium --- diff --git a/devices/surface-hub/surfacehub-whats-new-1703.md b/devices/surface-hub/surfacehub-whats-new-1703.md new file mode 100644 index 0000000000..b658a09d5d --- /dev/null +++ b/devices/surface-hub/surfacehub-whats-new-1703.md 
@@ -0,0 +1,64 @@
+---
+title: What's new in Windows 10, version 1703 for Surface Hub
+description: Windows 10, version 1703 (Creators Update) brings new features to Microsoft Surface Hub.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: devices
+ms.sitesec: library
+author: jdeckerms
+localizationpriority: medium
+---
+
+# What's new in Windows 10, version 1703 for Microsoft Surface Hub?
+
+Windows 10, version 1703 (also called the Creators Update), introduces the following changes for Microsoft Surface Hub:
+
+## New settings
+
+Settings have been added to mobile device management (MDM) and configuration service providers (CSPs) to expand the Surface Hub management capabilities. [New settings include](manage-settings-with-mdm-for-surface-hub.md):
+
+- InBoxApps/SkypeForBusiness/DomainName
+- InBoxApps/Connect/AutoLaunch
+- Properties/DefaultVolume
+- Properties/ScreenTimeout
+- Properties/SessionTimeout
+- Properties/SleepTimeout
+- Properties/AllowSessionResume
+- Properties/AllowAutoProxyAuth
+- Properties/DisableSigninSuggestions
+- Properties/DoNotShowMyMeetingsAndFiles
+- System/AllowStorageCard
+
+Plus settings based on the new [NetworkQoSPolicy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/networkqospolicy-csp) and [NetworkProxy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/networkproxy-csp).
+
+
+## Provizioning wizard
+
+An easy-to-use wizard helps you quickly create provisioning packages that you can apply to multiple Surface Hub devices, and includes bulk join to Azure Active Directory. [Learn how to create a provisioning package for Surface Hub.](provisioning-packages-for-certificates-surface-hub.md)
+
+![steps in the provision Surface Hub devices wizard](images/wcd-wizard.png)
+
+## Miracast on your existing wireless network or LAN
+
+Microsoft has extended the ability to [send a Miracast stream over a local network](miracast-over-infrastructure.md) rather than over a direct wireless link.
+
+## Cloud recovery
+
+When you reset a Surface Hub device, you now have the ability to download and install a factory build of the operating system from the cloud. [Learn more about cloud recovery.](device-reset-surface-hub.md#cloud-recovery)
+
+>[!NOTE]
+>Cloud recovery doesn't work if you use proxy servers.
+
+![Reinstall](images/reinstall.png)
+
+## End session
+
+**I'm done** is now **End session**. [Learn how to use End session.](i-am-done-finishing-your-surface-hub-meeting.md)
+
+![end session](images/end-session.png)
+
+
+
+
+
+
diff --git a/devices/surface-hub/troubleshoot-surface-hub.md b/devices/surface-hub/troubleshoot-surface-hub.md
index cc3bd57b95..5e1c0977a8 100644
--- a/devices/surface-hub/troubleshoot-surface-hub.md
+++ b/devices/surface-hub/troubleshoot-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: support
 ms.sitesec: library
 ms.pagetype: surfacehub
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
@@ -417,29 +417,7 @@ Possible fixes for issues with Surface Hub first-run program.   
-### Skype for Business - ----- - - - - - - - - - - - - - - -
IssueCausesPossible fixes

Can't call a Skype consumer from my Surface Hub.

Outgoing calls aren't supported yet.

None currently.

  @@ -622,7 +600,9 @@ This section lists status codes, mapping, user messages, and actions an admin ca     
+## Related content
+- [Troubleshooting Miracast connection to the Surface Hub](https://blogs.msdn.microsoft.com/surfacehub/2017/01/30/troubleshooting-miracast-connection-to-the-surface-hub/)   
diff --git a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
index 3347918660..6d0b8bbda7 100644
--- a/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
+++ b/devices/surface-hub/use-fully-qualified-domain-name-surface-hub.md
@@ -2,7 +2,7 @@ title: Use fully qualified doman name with Surface Hub
 description: Troubleshoot common problems, including setup issues, Exchange ActiveSync errors.
 keywords: ["Troubleshoot common problems", "setup issues", "Exchange ActiveSync errors"]
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: support
@@ -19,7 +19,7 @@ There are a few scenarios where you need to specify the domain name of your Skyp
 **To configure the domain name for your Skype for Business server**
1. On Surface Hub, open **Settings**.
-2. Click **This device**, and then click **Calling**.
+2. Click **Surface Hub**, and then click **Calling & Audio**.
 3. Under **Skype for Business configuration**, click **Configure domain name**.
 4. Type the domain name for your Skype for Business server, and then click **Ok**.
 > [!TIP]
diff --git a/devices/surface-hub/wireless-network-management-for-surface-hub.md b/devices/surface-hub/wireless-network-management-for-surface-hub.md
index 0ccd6ad70d..22a91e040a 100644
--- a/devices/surface-hub/wireless-network-management-for-surface-hub.md
+++ b/devices/surface-hub/wireless-network-management-for-surface-hub.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: surfacehub, networking
-author: TrudyHa
+author: jdeckerms
 localizationpriority: medium
 ---
@@ -24,7 +24,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
 ### Choose a wireless access point
 1. On the Surface Hub, open **Settings** and enter your admin credentials.
-2. Click **System**, and then click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
+2. Click **Network & Internet**. Under **Wi-Fi**, choose an access point. If you want Surface Hub to automatically connect to this access point, click **Connect automatically**. Click **Connect**.
 ![Image showing Wi-Fi settings, Network & Internet page.](images/networkmgtwireless-01.png)
@@ -35,7 +35,7 @@ If a wired network connection is not available, the Surface Hub can use a wirele
 ### Review wireless settings
 1. On the Surface Hub, open **Settings** and enter your admin credentials.
-2. Click **System**, click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
+2. Click **Network & Internet**, then **Wi-Fi**, and then click **Advanced options**.
 3. Surface Hub shows you the properties for the wireless network connection.
 ![Image showing properties for connected Wi-Fi.](images/networkmgtwireless-04.png)
diff --git a/devices/surface/change-history-for-surface.md b/devices/surface/change-history-for-surface.md
index 09cfde4e61..1dd7b983ea 100644
--- a/devices/surface/change-history-for-surface.md
+++ b/devices/surface/change-history-for-surface.md
@@ -4,7 +4,7 @@ description: This topic lists new and updated topics in the Surface documentatio
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 ---
 # Change history for Surface documentation
diff --git a/devices/surface/ltsb-for-surface.md b/devices/surface/ltsb-for-surface.md
index 5482418741..a2836613a7 100644
--- a/devices/surface/ltsb-for-surface.md
+++ b/devices/surface/ltsb-for-surface.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.pagetype: surface, devices
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 ---
 # Long-Term Servicing Branch (LTSB) for Surface devices
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index fd891a0750..d82cbe9b63 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -174,20 +174,22 @@ To learn more about the CSV files that are required and the info you need to inc
 **Assign Classroom license**
-The Classroom application is retired, but you will need to assign the Classroom Preview license to yourself and other global admins so that you can access the services. The single license will allow global admins to access both Classroom Preview and School Data Sync.
+The Classroom application is retired, but you will need to assign the Classroom Preview license to global admin accounts that will be used to administer SDS. The single license allows global admins to access both Classroom Preview and School Data Sync.
 1. In the Office 365 admin center, select **Users > Active users**.
 2. Select the checkbox for your global admin account.
 3. In the account details window, under **Product licenses**, click **Edit**.
 4. In the **Product licenses** page, turn on **Microsoft Classroom** and then click **Save**.
-5. Confirm that you can access SDS. To do this, log in to https://sds.microsoft.com.
+5. Confirm that you can access SDS. To do this:
+ - Navigate to https://sds.microsoft.com and click **Sign in**. When prompted, enter your global admin username and password to access the SDS portal. Or,
+ - From the Office 365 admin portal, go to **Admin centers** and click on **School Data Sync** to go to the SDS portal.
 > [!NOTE]
 > Only global admins can access SDS.
 **Use SDS to import student data**
-1. If you haven't done so already, To do this, go to https://sds.microsoft.com.
+1. If you haven't done so already, go to the SDS portal, https://sds.microsoft.com.
 2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**.
 **Figure 6** - Settings for managing SDS 
@@ -211,7 +213,7 @@ The Classroom application is retired, but you will need to assign the Classroom
 ![New SDS profile setup wizard](images/sds_updated_addnewprofile.png)
 6. For the new profile, in the **Before you begin...** screen:
- 1. Enter a name for your profile, such as *ContosoElementarySchool*.
+ 1. Enter a name for your profile, such as *Contoso_Profile_1*.
 2. Select a sync method for your profile. For this walkthrough, select **CSV Files**. Note that for any sync method that you choose, you can click the **View steps** link to get more information about the steps you need to take depending on the sync method of your choosing.
@@ -219,11 +221,8 @@ The Classroom application is retired, but you will need to assign the Classroom 3. Click **Start**. 7. In the **Sync options** screen: - 1. Select the domain for the schools/sections. If you have more than one domain, make sure you select the domain that corresponds to the profile you're creating. - 2. In the **Select school and section properties** section, select the properties you want to sync. If you select additional properties, make sure you have these properties and values added in the CSV files. For the walkthrough, we're not changing the default values. These are: - - **School properties:** SIS ID, Name - - **Section properties:** SIS ID, School SIS ID, Section Name - 3. In the **Select new or existing users** section, select either **New users** or **Existing users** based on the scenaro that applies to you. + 1. In the **Select new or existing users** section, you can select either **New users** or **Existing users** based on the scenaro that applies to you. For this walkthrough, select **New users**. + + 2. In the **Import data** section: + 1. Click **Upload Files** to bring up the **Select data files to be uploaded** window. + 2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. + 3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**. + 4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. + 4. After all the files are successfully uploaded, click **OK**. + 3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. 
If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created. + 4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default. + 5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files. + 6. In the **License Options** section, check the box to allow users being created to receive an Office 365 license. + 7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education. + 8. Click **Next**. **Figure 9** - Sync options for the new profile - ![Specify sync options for the new SDS profile](images/sds_addnewprofile_syncoptions.png) + ![Specify sync options for the new SDS profile](images/sds_profile_syncoptions.png) 8. In the **Teacher options** screen: - 1. Select the domain for the teachers. SDS uses this to match teachers from your source data to their existing accounts in Office 365/Azure Active Directory. In the walkthrough, the CSV files are our source data. - 2. In the **Select teacher properties** section, you can add optional teacher properties to sync. For this walkthrough, you don't have to change the default. + 1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. 
The teacher will log in to Office 365 with the UserPrincipalName once the account is created. + 2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. 3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For this walkthrough, choose **STANDARDWOFFPACK_FACULTY**. 4. Click **Next**. **Figure 10** - Specify options for teacher mapping - ![Specify options for teacher mapping](images/sds_addnewprofile_teacheroptions.png) + ![Specify options for teacher mapping](images/sds_profile_teacheroptions.png) 9. In the **Student options** screen: - 1. Select the domain for the students. SDS uses this to match students from your source data to their existing accounts in Office 365/Azure Active Directory. In the walkthrough, the CSV files are our source data. - 2. In the **Select student properties** section, you can add optional student properties to sync. For this walkthrough, you don't have to change the default. + 1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created. + 2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default. 3. 
In the **Student licenses** section, choose the SKU to assign licenses for students. For this walkthrough, choose **STANDARDWOFFPACK_STUDENT**. 4. Click **Next**. **Figure 11** - Specify options for student mapping - ![Specify options for student mapping](images/sds_addnewprofile_studentoptions.png) + ![Specify options for student mapping](images/sds_profile_studentoptions.png) -10. In the profile **Review** page, review the summary and confirm that the values matches with the data you entered. Click **Create profile**. +10. In the profile **Review** page, review the summary and confirm that the options selected are correct. Click **Create profile**. You will see a notification that your profile is being created. 
@@ -268,29 +276,22 @@ The Classroom application is retired, but you will need to assign the Classroom **Figure 12** - SDS profile page - ![SDS profile page](images/sds_profilepage.png) + ![SDS profile page](images/sds_profile_profilepage.png) -12. After the profile name at the top, confirm that the status for your profile now says **Ready to sync**. +12. After the profile is created and finished **Setting up**, confirm that the status for your profile now says **Sync enabled**. - If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Ready to sync**. + If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Sync enabled**. - **Figure 13** - New profile is ready to sync + **Figure 13** - New profile is sync enabled - ![Confirm that the new profile is ready](images/sds_profile_readytosync.png) + ![Confirm that the new profile is sync enabled](images/sds_profile_syncenabled.png) -11. On the profile page, below the profile name and profile status, there are four options: **Upload Files**, **Start Sync**, **Edit**, and **Delete**. Click **Upload Files** and then follow these steps: - 1. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import. - 2. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**. - 3. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**. - 4. After all the files are successfully uploaded, click **OK**. -12. On the profile page, click **Start Sync** and then follow these steps: - 1. 
In the **Would you like to start sync for *Profile_Name?*** window, click **Start Sync**. *Profile_Name* should match the name you entered for your profile in the **Before you begin...** screen. - 2. Confirm that sync successfully started for the file and then click **OK**. + > [!TIP] + > If you get errors during the pre-sync validation process, your profile status will change to **x Error**. To continue, review or resolve any pre-sync validation errors, and then click **Resume Sync** to start the synchronization cycle. - > [!NOTE] - > Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time. - > - > You can refresh the page to confirm that your profile synced successfully. + Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time. + + You can refresh the page to confirm that your profile synced successfully. That's it for importing sample school data using SDS. 
@@ -401,15 +402,15 @@ Intune for Education provides an **Express configuration** option so you can get
 **Figure 22** - Expand the settings group to get more details
- ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped.png)
+ ![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png)
 9. For this walkthrough, set the following settings:
- - In the **Internet browser settings** group, change the **Send Do Not Track requests to help protect users' privacy** setting to **Block**.
- - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Private Microsoft Store for Business apps** to **Allow**.
+ - In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**.
+ - In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**.
 **Figure 23** - Set some additional settings
- ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettingsconfigured_cropped.png)
+ ![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png)
 10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply.
@@ -517,6 +518,30 @@ We recommend using the latest build of Windows 10, version 1703 on your educatio
 **Option 1: Set up a device using the Set up School PCs app**
+IT administrators and technical teachers can use the Set up School PCs app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
+
+![Set up School PCs app](images/suspc_getstarted_050817.png)
+
+Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically:
+- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant
+- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM.
+- Removes OEM preinstalled software from each student PC
+- Auto-configures and saves a wireless network profile on each student PC
+- Gives a friendly and unique name to each student device for future management
+- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup
+- Enables optional guest account for younger students, lost passwords, or visitors
+- Enables optional secure testing account
+- Locks down the student PC to prevent mischievous activity:
+ * Prevents students from removing the PC from the school's device management system
+ * Prevents students from removing the Set up School PCs settings
+- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours
+- Customizes the Start layout with Office
+- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more
+- Uninstalls apps not specific to education, such as Solitaire
+- Prevents students from adding personal Microsoft accounts to the PC
+
+**To set up a device using the Set up School PCs app**
+
 1. Follow the steps in Use the Set up School PCs app to quickly set up one or more student PCs.
 2. Follow the steps in [5.2 Verify correct device setup](#52-verify-correct-device-setup).
@@ -606,8 +631,8 @@ When a device is owned by the school, you may need to have a single persion addi
 Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure.
 1. Sign in to the Office 365 admin center.
-2. Click **Admin centers** and select **Azure AD** to go to the Azure portal.
-3. Configure the device settings for the school's Active Directory. From the new Azure portal, https://portal.azure.com, select **Azure Active Directory > Users and groups > Device settings**.
+2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, https://portal.azure.com.
+3. Select **Azure Active Directory > Users and groups > Device settings**.
 **Figure 40** - Device settings in the new Azure portal
@@ -622,8 +647,8 @@ When students move from using one device to another, they may need to have their
 Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another.
 1. Sign in to the Office 365 admin center.
-2. Click **Admin centers** and select **Azure AD** to go to the Azure portal.
-3. Configure the device settings for the school's Active Directory. From the new Azure portal, https://portal.azure.com, select **Azure Active Directory > Users and groups > Device settings**.
+3. Go to the new Azure portal, https://portal.azure.com.
+3. Select **Azure Active Directory > Users and groups > Device settings**.
 4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
 **Figure 41** - Enable settings to roam with users 
diff --git a/education/get-started/images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.PNG b/education/get-started/images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.PNG
new file mode 100644
index 0000000000..96e1e0452b
Binary files /dev/null and b/education/get-started/images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.PNG differ
diff --git a/education/get-started/images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.PNG b/education/get-started/images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.PNG
new file mode 100644
index 0000000000..e223b5a94c
Binary files /dev/null and b/education/get-started/images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.PNG differ
diff --git a/education/get-started/images/sds_profile_profilepage.PNG b/education/get-started/images/sds_profile_profilepage.PNG
new file mode 100644
index 0000000000..04e2193189
Binary files /dev/null and b/education/get-started/images/sds_profile_profilepage.PNG differ
diff --git a/education/get-started/images/sds_profile_studentoptions.PNG b/education/get-started/images/sds_profile_studentoptions.PNG
new file mode 100644
index 0000000000..87558a3881
Binary files /dev/null and b/education/get-started/images/sds_profile_studentoptions.PNG differ
diff --git a/education/get-started/images/sds_profile_syncenabled.PNG b/education/get-started/images/sds_profile_syncenabled.PNG
new file mode 100644
index 0000000000..197d2f0851
Binary files /dev/null and b/education/get-started/images/sds_profile_syncenabled.PNG differ
diff --git a/education/get-started/images/sds_profile_syncoptions.PNG b/education/get-started/images/sds_profile_syncoptions.PNG
new file mode 100644
index 0000000000..f7cd01262f
Binary files /dev/null and b/education/get-started/images/sds_profile_syncoptions.PNG differ
diff --git a/education/get-started/images/sds_profile_teacheroptions.PNG b/education/get-started/images/sds_profile_teacheroptions.PNG
new file mode 100644
index 0000000000..0a01ed2f96
Binary files /dev/null and b/education/get-started/images/sds_profile_teacheroptions.PNG differ
diff --git a/education/get-started/images/suspc_getstarted_050817.PNG b/education/get-started/images/suspc_getstarted_050817.PNG
new file mode 100644
index 0000000000..124905676a
Binary files /dev/null and b/education/get-started/images/suspc_getstarted_050817.PNG differ
diff --git a/education/windows/TOC.md b/education/windows/TOC.md
index 51cbe0a694..a121e92d2e 100644
--- a/education/windows/TOC.md
+++ b/education/windows/TOC.md
@@ -17,6 +17,6 @@
 ### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
 ## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
 ## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
-## [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
+## [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
 ## [Chromebook migration guide](chromebook-migration-guide.md)
 ## [Change history for Windows 10 for Education](change-history-edu.md)
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index f4a79c2366..00af76258b 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -12,6 +12,12 @@ author: CelesteDG
 This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
+## May 2017
+
+| New or changed topic | Description |
+| --- | ---- |
+| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. |
+
 ## RELEASE: Windows 10, version 1703 (Creators Update)
 | New or changed topic | Description|
@@ -35,7 +41,7 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
 | New or changed topic | Description |
 | --- | --- |
-| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. |
+| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). |
 ## November 2016
diff --git a/education/windows/images/1_howtosetup.png b/education/windows/images/1_howtosetup.png
new file mode 100644
index 0000000000..7eb8222ed3
Binary files /dev/null and b/education/windows/images/1_howtosetup.png differ
diff --git a/education/windows/images/2_signinwithms.png b/education/windows/images/2_signinwithms.png
new file mode 100644
index 0000000000..e4b5f27f12
Binary files /dev/null and b/education/windows/images/2_signinwithms.png differ
diff --git a/education/windows/images/i4e_editionupgrade.png b/education/windows/images/i4e_editionupgrade.png
new file mode 100644
index 0000000000..ed5b281086
Binary files /dev/null and b/education/windows/images/i4e_editionupgrade.png differ
diff --git a/education/windows/images/msfe_clickemaillink_switchtoproedu.png b/education/windows/images/msfe_clickemaillink_switchtoproedu.png
new file mode 100644
index 0000000000..ca70e35a6a
Binary files /dev/null and b/education/windows/images/msfe_clickemaillink_switchtoproedu.png differ
diff --git a/education/windows/images/msfe_manage.png b/education/windows/images/msfe_manage.png
new file mode 100644
index 0000000000..0fd5802786
Binary files /dev/null and b/education/windows/images/msfe_manage.png differ
diff --git a/education/windows/images/msfe_manage_benefits_checktoconfirm.png b/education/windows/images/msfe_manage_benefits_checktoconfirm.png
new file mode 100644
index 0000000000..90df941e00
Binary files /dev/null and b/education/windows/images/msfe_manage_benefits_checktoconfirm.png differ
diff --git a/education/windows/images/msfe_manage_benefits_switchtoproedu.png b/education/windows/images/msfe_manage_benefits_switchtoproedu.png
new file mode 100644
index 0000000000..12ba470cc9
Binary files /dev/null and b/education/windows/images/msfe_manage_benefits_switchtoproedu.png differ
diff --git a/education/windows/images/msfe_manage_reverttowin10pro.png b/education/windows/images/msfe_manage_reverttowin10pro.png
new file mode 100644
index 0000000000..30d0313f9b
Binary files /dev/null and b/education/windows/images/msfe_manage_reverttowin10pro.png differ
diff --git a/education/windows/images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png b/education/windows/images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png
new file mode 100644
index 0000000000..581a1c1e8c
Binary files /dev/null and b/education/windows/images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png differ
diff --git a/education/windows/images/settings_connectedtoazuread_3.png b/education/windows/images/settings_connectedtoazuread_3.png
new file mode 100644
index 0000000000..7311392405
Binary files /dev/null and b/education/windows/images/settings_connectedtoazuread_3.png differ
diff --git a/education/windows/images/settings_setupworkorschoolaccount_2.png b/education/windows/images/settings_setupworkorschoolaccount_2.png
new file mode 100644
index 0000000000..78237cfa31
Binary files /dev/null and b/education/windows/images/settings_setupworkorschoolaccount_2.png differ
diff --git a/education/windows/images/settings_workorschool_1.png b/education/windows/images/settings_workorschool_1.png
new file mode 100644
index 0000000000..4c53e6b3e2
Binary files /dev/null and b/education/windows/images/settings_workorschool_1.png differ
diff --git a/education/windows/images/suspc_createpackage_configurestudentpcsettings.png b/education/windows/images/suspc_createpackage_configurestudentpcsettings.png
new file mode 100644
index 0000000000..99a4f8c5fd
Binary files /dev/null and b/education/windows/images/suspc_createpackage_configurestudentpcsettings.png differ
diff --git a/education/windows/images/suspc_createpackage_recommendedapps.png b/education/windows/images/suspc_createpackage_recommendedapps.png
new file mode 100644
index 0000000000..e1e2fdaa46
Binary files /dev/null and b/education/windows/images/suspc_createpackage_recommendedapps.png differ
diff --git a/education/windows/images/suspc_createpackage_signin.png b/education/windows/images/suspc_createpackage_signin.png
new file mode 100644
index 0000000000..1d05636ed6
Binary files /dev/null and b/education/windows/images/suspc_createpackage_signin.png differ
diff --git a/education/windows/images/suspc_createpackage_skipwifi_modaldialog.png b/education/windows/images/suspc_createpackage_skipwifi_modaldialog.png
new file mode 100644
index 0000000000..294c970e85
Binary files /dev/null and b/education/windows/images/suspc_createpackage_skipwifi_modaldialog.png differ
diff --git a/education/windows/images/suspc_createpackage_summary.PNG b/education/windows/images/suspc_createpackage_summary.PNG
index 3740cc9aef..2699f6e222 100644
Binary files a/education/windows/images/suspc_createpackage_summary.PNG and b/education/windows/images/suspc_createpackage_summary.PNG differ
diff --git a/education/windows/images/suspc_createpackage_takeatest.png b/education/windows/images/suspc_createpackage_takeatest.png
new file mode 100644
index 0000000000..0be05a727d
Binary files /dev/null and b/education/windows/images/suspc_createpackage_takeatest.png differ
diff --git a/education/windows/images/suspc_savepackage_insertusb.PNG b/education/windows/images/suspc_savepackage_insertusb.PNG
index e5f9968d7e..6c36d04e88 100644
Binary files a/education/windows/images/suspc_savepackage_insertusb.PNG and b/education/windows/images/suspc_savepackage_insertusb.PNG differ
diff --git a/education/windows/images/suspc_savepackage_ppkgisready.png b/education/windows/images/suspc_savepackage_ppkgisready.png
new file mode 100644
index 0000000000..7f8ca446f5
Binary files /dev/null and b/education/windows/images/suspc_savepackage_ppkgisready.png differ
diff --git a/education/windows/images/wcd_productkey.png b/education/windows/images/wcd_productkey.png
new file mode 100644
index 0000000000..fbbfda7eb9
Binary files /dev/null and b/education/windows/images/wcd_productkey.png differ
diff --git a/education/windows/index.md b/education/windows/index.md
index 1228691020..49ea89c1eb 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -37,16 +37,17 @@ author: CelesteDG

[Take tests in Windows 10](take-tests-in-windows-10.md)
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.

[Chromebook migration guide](chromebook-migration-guide.md)
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.

-## ![Deploy Windows 10 for education](images/PCicon.png) Deploy
+## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy

[Set up Windows devices for education](set-up-windows-10.md)
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.

[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
Get step-by-step guidance to help you deploy Windows 10 in a school environment.

[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.

Try it out: Windows 10 deployment (for education)
Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.

For the best experience, use this guide in tandem with the TechNet Virtual Lab: IT Pro Try-It-Out.

-## ![Upgrade to Windows 10 for education](images/windows.png) Upgrade
+### ![Switch to Windows 10 for Education](images/windows.png) Switch
+
+

[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.

-

[Switch Windows 10 Pro to Pro Education from Microsoft Store for Education](windows-10-pro-to-pro-edu-upgrade.md)
If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free switch to Windows 10 Pro Education.

## Windows 8.1
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index f385bbbcd2..a07b93cce8 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -15,12 +15,12 @@ author: trudyha
 - Windows 10
-When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Windows Store for Business, a private version of Windows Store associated with your Azure Active Directory (Azure AD) tenant. Your Store for Business is only displayed to members of your organization.
+When you sign up for a [Minecraft: Education Edition](http://education.minecraft.net) trial, or purchase a [Minecraft: Education Edition](http://education.minecraft.net) subscription. Minecraft will be added to the inventory in your Microsoft Store for Education which is associated with your Azure Active Directory (Azure AD) tenant. Your Microsoft Store for Education is only displayed to members of your organization.
 >[!Note]
 >If you don't have an Azure AD or Office 365 tenant, you can set up a free Office 365 Education subscription when you request Minecraft: Education Edition. For more information see [Office 365 Education plans and pricing](https://products.office.com/academic/compare-office-365-education-plans).
-## Add Minecraft to your Windows Store for Business
+## Add Minecraft to your Windows Store for Education
 You can start with the Minecraft: Education Edition trial to get individual copies of the app. For more information, see [Minecraft: Education Edition - direct purchase](#individual-copies). 
@@ -36,40 +36,36 @@ If you’ve been approved and are part of the Enrollment for Education Solutions -3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store. +3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store. -4. Sign in to Windows Store for Business with your email address. +4. Sign in to Microsoft Store for Education with your email address. -5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**. +5. Read and accept the Microsoft Store for Education Service Agreement, and then select **Next**. -6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory. +6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory. -Now that the app is in your Store for Business inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft). +Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft). If you need additional licenses for **Minecraft: Education Edition**, see [Purchase additional licenses](https://technet.microsoft.com/edu/windows/education-scenarios-store-for-business#purchase-additional-licenses). ### Minecraft: Education Edition - volume licensing - Qualified education institutions can purchase Minecraft: Education Edition licenses through their Microsoft channel partner. 
Schools need to be part of the Enrollment for Education Solutions (EES) volume licensing program. Educational institutions should work with their channel partner to determine which Minecraft: Education Edition licensing offer is best for their institution. The process looks like this: -- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Windows Store for Business](https://www.microsoft.com/business-store) inventory. -- You’ll receive an email with a link to Windows Store for Business. -- Sign in to [Windows Store for Business](https://www.microsoft.com/business-store) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft) +- Your channel partner will submit and process your volume license order, your licenses will be shown on [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), and the licenses will be available in your [Microsoft Store for Education](https://www.microsoft.com/business-store) inventory. +- You’ll receive an email with a link to Microsoft Store for Education. +- Sign in to [Windows Store for Education](https://educationstore.microsoft.com) to distribute and manage the Minecraft: Education Edition licenses. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft) ## Minecraft: Education Edition payment options You can pay for Minecraft: Education Edition with a debit or credit card, or with an invoice. - ### Debit or credit cards - During the purchase, click **Get started! Add a way to pay.** Provide the info needed for your debit or credit card. ### Invoices - Invoices are now a supported payment method for Minecraft: Education Edition. 
There are a few requirements: - Admins only (not supported for Teachers) - $500 invoice minimum for your initial purchase @@ -87,12 +83,13 @@ Invoices are now a supported payment method for Minecraft: Education Edition. Th ### Find your invoice -After you've finished the purchase, you can find your invoice by checking **Minecraft: Education Edition** in your **Inventory**. +After you've finished the purchase, you can find your invoice by checking **Minecraft: Education Edition** in your **Apps & software**. -> **Note**: After you complete a purchase, it can take up to twenty-four hours for the app to appear in **Inventory**. +> [!NOTE] +> After you complete a purchase, it can take up to twenty-four hours for the app to appear in **Apps & software**. **To view your invoice** -1. In Windows Store for Business, click **Manage** and then click **Inventory**. +1. In Microsoft Store for Education, click **Manage** and then click **Apps & software**. 2. Click **Minecraft: Education Edition** in the list of apps. 3. On **Minecraft: Education Edition**, click **View Bills**. @@ -104,10 +101,8 @@ After you've finished the purchase, you can find your invoice by checking **Mine The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. - ## Distribute Minecraft - -After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options: +After Minecraft: Education Edition is added to your Microsoft Store for Education inventory, you have three options: - You can install the app on your PC. - You can assign the app to others. 
@@ -131,10 +126,10 @@ For Minecraft: Education Edition, you can use auto assign subscription to contro **How to turn off automatic subscription assignment** ->[!Note] ->The version of the Minecraft: Education Edition page in the Store for Business will be different depending on which Store for Business flight you are using. +> [!Note] +> The version of the Minecraft: Education Edition page in the Microsoft Store will be different depending on which Microsoft Store for Education flight you are using. -1. Sign in to Microsoft Store for Business +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com) 2. Click Manage. You'll see Minecraft: Education Edition product page. @@ -150,7 +145,7 @@ For Minecraft: Education Edition, you can use auto assign subscription to contro ### Install for me You can install the app on your PC. This gives you a chance to test the app and know how you might help others in your organization use the app. -1. Sign in to Microsoft Store for Business. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Install**. ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) @@ -162,7 +157,7 @@ Enter email addresses for your students, and each student will get an email with **To assign to others** -1. Sign in to Windows Store for Business. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) @@ -234,7 +229,7 @@ You'll download a .zip file, extract the files, and then use one of the files to - ## Learn more -[Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
-Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history. - -[Roles and permissions in Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business) - -[Troubleshoot Windows Store for Business](https://technet.microsoft.com/itpro/windows/manage/troubleshoot-windows-store-for-business) +[Working with Microsoft Store for Education – education scenarios](education-scenarios-store-for-business.md)
+Learn about overall Microsoft Store for Education management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history.
+[Roles and permissions in Microsoft Store for Business and Education](https://technet.microsoft.com/itpro/windows/manage/roles-and-permissions-windows-store-for-business)
+[Troubleshoot Microsoft Store for Business and Education](https://technet.microsoft.com/itpro/windows/manage/troubleshoot-windows-store-for-business)
 ## Related topics
 [Get Minecraft: Education Edition](get-minecraft-for-education.md) - [For teachers get Minecraft: Education Edition](teacher-get-minecraft.md)
diff --git a/education/windows/switch-to-pro-education.md b/education/windows/switch-to-pro-education.md
new file mode 100644
index 0000000000..e5affe8444
--- /dev/null
+++ b/education/windows/switch-to-pro-education.md
@@ -0,0 +1,378 @@ +--- +title: Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S +description: Learn how IT Pros can opt into switching to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S. +keywords: switch, free switch, Windows 10 Pro to Windows 10 Pro Education, Windows 10 S to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro, Windows 10 S +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: edu +localizationpriority: high +author: CelesteDG +--- + +# Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S +Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. + +If you have an education tenant and use devices with Windows 10 Pro or Windows 10 S, global administrators can opt-in to a free switch to Windows 10 Pro Education depending on your scenario. +- [Switch from Windows 10 S to Windows 10 Pro Education](#switch-from-windows-10-s-to-windows-10-pro-education) +- [Switch from Windows 10 Pro to Windows 10 Pro Education](#switch-from-windows-10-pro-to-windows-10-pro-education) + +To take advantage of this offering, make sure you meet the [requirements for switching](#requirements-for-switching). For academic customers who are eligible to switch to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance. + +## Requirements for switching +Before you switch to Windows 10 Pro Education, make sure you meet these requirements: +- Devices must be running Windows 10 Pro, version 1607 or higher; or running Windows 10 S, version 1703 +- Devices must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. 
For more information, see [Review requirements on devices](#review-requirements-on-devices). + + If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses). + +- The Azure AD tenant must be recognized as an education approved tenant. +- You must have a Microsoft Store for Education account. +- The user making the changes must be a member of the Azure AD global administrator group. + +## Compare Windows 10 Pro and Pro Education editions +You can [compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. + +For more info about Windows 10 default settings and recommendations for education customers, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md). + + +## Switch from Windows 10 S to Windows 10 Pro Education +There are two ways to switch from Windows 10 S to Windows 10 Pro Education, outlined below. Regardless of how you switch to Windows 10 Pro Education, note that you can only switch devices back to Windows 10 S through reimaging. + +1. **Bulk switch through Microsoft Store for Education** + + In this scenario, the global admin for the Azure AD education tenant can use Microsoft Store to switch all Windows 10 S devices on the tenant to Windows 10 Pro Education. See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this. + +2. **Asynchronous switch** + + In this scenario, the global admin must acquire the necessary keys and then select a method for key distribution. + + **Key acquisition options:** + + - Volume Licensing customers - For schools with active Microsoft Volume Licensing agreements, global admins can obtain free MAK keys for Windows 10 Pro Education. 
+ + > [!NOTE] + > Windows 10 S is a Qualified OS (QOS) for Academic Volume Licensing only. + + - Non-Volume Licensing customers - For schools without an active Microsoft Volume Licensing agreement, the global admin can contact CSS, fill out a form and provide a proof of purchase to receive MAK keys for Windows 10 Pro Education. + + **Key distribution options:** + + - Bulk key distribution - You can apply MAK keys to switch the operating system on select devices or groups of devices using one of these methods: + - Use Microsoft Intune for Education. See [Switch using Intune for Education](#switch-using-intune-for-education) for details on how to do this. + - Use Windows Configuration Designer to create a provisioning package that will provision the switch on the device(s). See [Switch using Windows Configuration Designer](#switch-using-windows-configuration-designer) for details on how to do this. + - Use the mobile device management (MDM) policy, **UpgradeEditionWithProductKey**. See [Switch using MDM](#switch-using-mdm) for details on how to do this. + - Use scripting. See [Switch using scripting](#switch-using-scripting) for details on how to do this. + + - Manual key entry - You can also manually apply the MAK key using one of these methods: + - Enter the MAK key in the Windows **Settings > Activation** page. See [Switch using the Activation page](#switch-using-the-activation-page) for details on how to do this. + - Install with a media and key through Windows setup. We don't recommend this option due to the potential for multi-reboot requirements. + + +## Switch from Windows 10 Pro to Windows 10 Pro Education + +For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free switch through the Microsoft Store for Education. + +In this scenario: + +- The IT admin of the tenant chooses to turn on the switch for all Azure AD joined devices. 
+- Any device that joins the Azure AD will switch automatically to Windows 10 Pro Education. +- The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). + +See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this. + +## Switch options from Windows 10 S to Windows 10 Pro Education +If you want to switch only a few or a select group of Windows 10 S devices to Windows 10 Pro Education, you can use one of the following key distribution options once you've obtained the MAK keys for Windows 10 Pro Education. See [Switch from Windows 10 S to Windows 10 Pro Education](#switch-from-windows-10-s-to-windows-10-pro-education) for more info. + +### Switch using Intune for Education + +1. In Intune for Education, select **Groups** and then choose the group that you want to apply the MAK license key to. + + For example, to apply the switch for all teachers, select **All Teachers** and then select **Settings**. + +2. In the settings page, find **Edition upgrade** and then: + 1. Select the edition in the **Edition to upgrade to** field + 2. Enter the MAK license key in the **Product key** field + + **Figure 1** - Enter the details for the Windows edition switch + + ![Enter the details for the Windows edition switch](images/i4e_editionupgrade.png) + +3. The switch will automatically be applied to the group you selected. + + +### Switch using Windows Configuration Designer +You can use Windows Configuration Designer to create a provisioning package that you can use to switch the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package. + +1. 
In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions. +2. In the **Set up device** page, enter the MAK license key in the **Enter product key** field to switch to Windows 10 Pro Education. + + **Figure 2** - Enter the license key + + ![Enter the license key to switch to Windows 10 Pro Education](images/wcd_productkey.png) + +3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to switch to Windows 10 Pro Education. + + For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain). + +### Switch using MDM + +To switch Windows 10 S to Windows 10 Pro Education, enter the product key for the Windows 10 Pro Education edition in the **UpgradeEditionWithProductKey** policy setting of the [WindowsLicensing CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/windowslicensing-csp). + +### Switch using scripting + +You can switch from Windows 10 S to Windows 10 Pro Education by running the changepk.exe command-line tool. To do this, run the following command: + +``` +changepk.exe /ProductKey MAK_key_or_product_key +``` + +Replace *MAK_key_or_product_key* with the MAK key that you obtained for the Windows 10 edition switch. + + +### Switch using the Activation page + +1. On the Windows device that you want to switch, open the **Settings** app. +2. Select **Update & security** > **Activation**, and then click **Change product key**. +3. In the **Enter a product key** window, enter the MAK key for Windows 10 Pro Education and click **Next**. + + +## Education customers with Azure AD joined devices + +Academic institutions can easily move from Windows 10 S or Windows 10 Pro to Windows 10 Pro Education without using activation keys or reboots. 
When one of your users enters their Azure AD credentials associated with a Windows 10 Pro Education license, the operating system switches to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have an Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. + +When you switch to Windows 10 Pro Education, you get the following benefits: + +- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). +- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. +- **Roll back options to Windows 10 Pro** + - When a user leaves the domain or you turn off the setting to automatically switch to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). + - For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. + + See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro) for more info. + + For devices that originally had Windows 10 S installed, Windows 10 Pro Education cannot step back down to Windows 10 S. You will need to reimage these devices with Windows 10 S if you need to step down from Windows 10 Pro Education to Windows 10 S. 
+ + +### Switch using Microsoft Store for Education +Once you enable the setting to switch to Windows 10 Pro Education, the switch will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the switch. The switch will only apply to Windows 10 S and Windows 10 Pro devices. + +**To turn on the automatic switch to Windows 10 Pro Education** + +1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/) with your work or school account. + + If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use. + +2. Click **Manage** from the top menu and then select the **Benefits tile**. +3. In the **Benefits** tile, look for the **Switch to Windows 10 Pro Education for free** link and then click it. + + You will see the following page informing you that your school is eligible to switch free to Windows 10 Pro Education from Windows 10 S or Windows 10 Pro. + + **Figure 3** - Switch Windows 10 Pro to Windows 10 Pro Education + + ![Eligible for free Windows 10 Pro to Windows 10 Pro Education switch](images/msfe_manage_benefits_switchtoproedu.png) + +4. In the **Switch all your devices to Windows 10 Pro Education for free** page, check box next to **I understand enabling this setting will switch all domain-joined devices running Windows 10 Pro or Windows 10 S in my organization**. + + **Figure 4** - Check the box to confirm + + ![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png) + +5. Click **Switch all my devices**. + + A confirmation window pops up to let you know that an email has been sent to you to enable the switch. + +6. Close the confirmation window and check the email to proceed to the next step. +7. In the email, click the link to **Switch to Windows 10 Pro Education**. 
Once you click the link, this will take you back to the Microsoft Store for Education portal. + + **Figure 5** - Click the link in the email to switch to Windows 10 Pro Education + + ![Click the email link to switch to Windows 10 Pro Education](images/msfe_clickemaillink_switchtoproedu.png) + +8. Click **Switch now** in the **Switching your device to Windows 10 Pro Education for free** page in the Microsoft Store. + + You will see a window that confirms you've successfully switched all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro or Windows 10 S will automatically switch the next time someone in your organization signs in to the device. + +9. Click **Close** in the **Success** window. + +Enabling the automatic switch also triggers an email message notifying all global administrators in your organization about the switch. It also contains a link that enables any global administrators to cancel the switch if they choose. For more info about rolling back or canceling the switch, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).\ + +**Figure 6** - Email notifying all global admins about the switch + +![Email notifying all global admins about the switch](images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png) + + +## Explore the switch experience + +So what will users experience? How will they switch their devices? + +### For existing Azure AD joined devices +Existing Azure AD domain joined devices will be switched to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. + +### For new devices that are not Azure AD joined +Now that you've turned on the setting to automatically switch to Windows 10 Pro Education, the users are ready to switch their devices running Windows 10 Pro, version 1607 or higher or Windows 10 S, version 1703 to Windows 10 Pro Education edition. 
+ +#### Step 1: Join users’ devices to Azure AD + +Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703. + +**To join a device to Azure AD the first time the device is started** + +There are different methods you can use to join a device to Azure AD: +- For multiple devices, we recommend using the [Set up School PCs app](use-set-up-school-pcs-app.md) to create a provisioning package to quickly provision and set up Windows 10 devices for education. +- For individual devices, you can use the Set up School PCs app or go through the Windows 10 device setup experience. If you choose this option, see the following steps. + +**To join a device to Azure AD using Windows device setup** + +If the Windows device is running Windows 10, version 1703, follow these steps. + +1. During initial device setup, on the **How would you like to set up?** page, select **Set up for an organization**, and then click **Next**. + + **Figure 7** - Select how you'd like to set up the device + + ![Select how you'd like to set up the device](images/1_howtosetup.png) + +2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**. + + **Figure 8** - Enter the account details + + ![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png) + +3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription. + + +**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 or Windows 10 S, version 1703 installed and set up** + +If the Windows device is running Windows 10, version 1703, follow these steps. + +1. Go to **Settings > Accounts > Access work or school**. 
+ + **Figure 9** - Go to **Access work or school** in Settings + + ![Go to Access work or school in Settings](images/settings_workorschool_1.png) + +2. In **Access work or school**, click **Connect**. +3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom. + + **Figure 10** - Select the option to join the device to Azure Active Directory + + ![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png) + +4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD. +5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD. + + **Figure 11** - Verify the device connected to Azure AD + + ![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png) + + +#### Step 2: Sign in using Azure AD account + +Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. + + +#### Step 3: Verify that Pro Education edition is enabled + +You can verify the Windows 10 Pro Education in **Settings > Update & Security > Activation**. + +**Figure 12** - Windows 10 Pro Education in Settings + +Windows 10 activated and subscription active + +If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. 
+ +### Troubleshoot the user experience + +In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows: + +- The existing operating system (Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703) is not activated. +- The Windows 10 Pro Education switch has lapsed or has been removed. + +Use the following figures to help you troubleshoot when users experience these common problems: + +**Figure 13** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education switch is active. + +Windows 10 activated and subscription active

+ + +**Figure 14** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education switch is active. + +Windows 10 not activated and subscription active

+ + +### Review requirements on devices + +Devices must be running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703 and be Azure AD joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. You can use the following procedures to review whether a particular device meets requirements. + +**To determine if a device is Azure AD joined** + +1. Open a command prompt and type the following: + + ``` + dsregcmd /status + ``` + +2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. + +**To determine the version of Windows 10** + +- At a command prompt, type: + + ``` + winver + ``` + + A popup window will display the Windows 10 version number and detailed OS build information. + + > [!NOTE] + > If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. + +### Roll back Windows 10 Pro Education to Windows 10 Pro + +If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by: + +- Logging into Microsoft Store for Education page and turning off the automatic switch. +- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators. + +Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. 
However, users who haven't signed in during the time that a switch was enabled and then turned off will never see their device change from Windows 10 Pro. + +> [!NOTE] +> Devices that were switched from Windows 10 S to Windows 10 Pro Education cannot roll back to Windows 10 S. + +**To roll back Windows 10 Pro Education to Windows 10 Pro** + +1. Log in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch. +2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link. +3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**. + + **Figure 15** - Revert to Windows 10 Pro + + ![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png) + +4. You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**. +5. Click **Close** in the **Success** page. + + All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic switches again, you can do this by selecting **Switch to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education. + + +## Preparing for deployment of Windows 10 Pro Education licenses + +If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. + +You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). 
This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. + +Figure 11 illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. + +**Figure 16** - On-premises AD DS integrated with Azure AD + +![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) + +For more information about integrating on-premises AD DS domains with Azure AD, see these resources: +- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) +- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) + +## Related topics + +[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) +[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) +[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md index e5ce0def1b..36de86549d 100644 --- a/education/windows/teacher-get-minecraft.md +++ b/education/windows/teacher-get-minecraft.md @@ -17,7 +17,7 @@ author: trudyha Learn how teachers can get and distribute Minecraft: Education Edition. -## Add Minecraft to your Windows Store for Business +## Add Minecraft to your Microsoft Store for Education 1. Go to [http://education.minecraft.net/](http://education.minecraft.net/) and select **GET STARTED**. 
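Review bot: The sign-in step of "Switch using Microsoft Store for Education" links the Education store to `https://businessstore.microsoft.com/`, and the roll-back procedure later reads `Log in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps)`, while every other store link this commit touches points to `https://educationstore.microsoft.com`; the two procedures should name and link the same portal so the admin who enables the tenant-wide switch and the one who cancels it land in the same place. Figures 12, 13 and 14 carry only their alt text ("Windows 10 activated and subscription active", "Windows 10 not activated and subscription active") with no `![...](images/...)` markup, so those screenshots appear to have been lost, and the on-premises AD DS paragraph refers to "Figure 11" although the illustration beneath it is captioned Figure 16. The sentence that cross-references the roll-back section ends with a stray `\` after the link. Because the MAK key is embedded in the provisioning package and passed on the `changepk.exe /ProductKey` command line, a short note in the scripting section such as `> Treat the MAK key as a secret: do not keep scripts or provisioning packages that contain it in shared or version-controlled locations.` would help readers who automate the switch.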
@@ -27,15 +27,15 @@ Learn how teachers can get and distribute Minecraft: Education Edition. -3. Select **Get the app**. This will take you to the Windows Store for Business to download the app. You will also receive an email with instructions and a link to the Store. +3. Select **Get the app**. This will take you to Microsoft Store for Ecucation to download the app. You will also receive an email with instructions and a link to the Store. -4. Sign in to Windows Store for Business with your email address. +4. Sign in to Microsoft Store for Education with your email address. -5. Read and accept the Windows Store for Business Service Agreement, and then select **Next**. +5. Read and accept the Microsoft Store for Business and Education Service Agreement, and then select **Next**. -6. **Minecraft: Education Edition** opens in the Windows Store for Business. Select **Get the app**. This places **Minecraft: Education Edition** in your Windows Store for Business inventory. +6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Microsoft Store inventory. ![Get Minecraft app in Store](images/minecraft-get-the-app.png) @@ -43,7 +43,7 @@ If you need additional licenses for **Minecraft: Education Edition**, see [Purch ## Distribute Minecraft -After Minecraft: Education Edition is added to your Windows Store for Business inventory, you have three options: +After Minecraft: Education Edition is added to your Microsoft Store for Education inventory, you have three options: - You can install the app on your PC. - You can assign the app to others. 
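Review bot: Step 3 on the new side introduces a typo, "Microsoft Store for Ecucation"; it should read `3. Select **Get the app**. This will take you to Microsoft Store for Education to download the app.` Step 6 in the same hunk ends with "your Microsoft Store inventory" while steps 4 and 6 otherwise say "Microsoft Store for Education", so the product name is used inconsistently within one list.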
@@ -54,7 +54,7 @@ After Minecraft: Education Edition is added to your Windows Store for Business i ### Install for me You can install the app on your PC. This gives you a chance to work with the app before using it with your students. -1. Sign in to Windows Store for Business. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, and then click **Install**. ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) @@ -65,7 +65,7 @@ You can install the app on your PC. This gives you a chance to work with the app Enter email addresses for your students, and each student will get an email with a link to install the app. This option is best for older, more tech-savvy students who will always use the same PC at school. **To assign to others** -1. Sign in to Windows Store for Business. +1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) @@ -95,7 +95,7 @@ Students will receive an email with a link that will install the app on their PC ![Windows Store app showing access to My Library](images/minecraft-private-store.png) - When students click **My Libarary** they'll find apps assigned to them. + When students click **My Library** they'll find apps assigned to them. ![My Library for example student](images/minecraft-my-library.png) 
@@ -131,7 +131,6 @@ You'll download a .zip file, extract the files, and then use one of the files to ![Windows Store app showing access to My Library](images/mc-dnld-others-teacher.png) - 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**. 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC. 4. **Install app**. Use the USB drive to copy the Minecraft folder to each Windows 10 PC where you want to install Minecraft: Education Edition. Open Minecraft: Education Edition folder, right-click **InstallMinecraftEducationEdition.bat** and click **Run as administrator**. @@ -155,11 +154,9 @@ If you are still having trouble installing the app, you can get more help on our ## Related topics -[Working with Windows Store for Business – education scenarios](education-scenarios-store-for-business.md)
-Learn about overall Windows Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history. - +[Working with Microsoft Store for Education](education-scenarios-store-for-business.md)
+Learn about overall Microsoft Store for Business management: manage settings, shop for apps, distribute apps, manage inventory, and manage order history. [Get Minecraft: Education Edition](get-minecraft-for-education.md) - [For IT admins: get Minecraft: Education Edition](school-get-minecraft.md) diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md index 597919abca..7338cfbdc0 100644 --- a/education/windows/use-set-up-school-pcs-app.md +++ b/education/windows/use-set-up-school-pcs-app.md @@ -34,13 +34,10 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm * Prevents students from removing the PC from the school's device management system * Prevents students from removing the Set up School PCs settings - Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours - -A student PC that's set up using the Set up School PCs provisioning package is tailored to provide students with the tools they need for learning while removing apps and features that they don't need. - * Customizes the Start layout with Office - * Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar - * Uninstalls apps not specific to education, such as Solitaire - * [Gets the student PC ready for use in an education environment](configure-windows-for-education.md) - * Prevents students from adding personal Microsoft accounts to the PC +- Customizes the Start layout with Office +- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more +- Uninstalls apps not specific to education, such as Solitaire +- Prevents students from adding personal Microsoft accounts to the PC ## Tips for success 
@@ -132,13 +129,21 @@ The **Set up School PCs** app guides you through the configuration choices for t **Figure 2** - Verify that the account you selected shows up - ![Verify that the account you selected shows up](images/suspc_choosesettings_signin_final.png) + ![Verify that the account you selected shows up](images/suspc_createpackage_signin.png) 5. Click **Next**. 4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page: 1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network. - 2. Click **Next**. + 2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network. + + If you click **Skip**, you will see the following dialog. + * If you select **Got it**, you will go to the next page without Wi-Fi set up. + * If you select **Add Wi-Fi**, you will go back to the Wi-Fi page to add a wireless network. + + **Figure 3** - Only skip Wi-Fi if you have a wired Ethernet connection + + ![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png) 5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page: 1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client. 
@@ -168,9 +173,9 @@ The **Set up School PCs** app guides you through the configuration choices for t - To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background. - **Figure 3** - Configure student PC settings + **Figure 4** - Configure student PC settings - ![Configure student PC settings](images/suspc_createpackage_settingspage.png) + ![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings.png) When you're doing configuring the student PC settings, click **Next**. 
@@ -180,50 +185,49 @@ The **Set up School PCs** app guides you through the configuration choices for t If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test. - **Figure 4** - Configure the Take a Test app + **Figure 5** - Configure the Take a Test app - ![Configure the Take a Test app](images/suspc_createpackage_takeatestpage.png) + ![Configure the Take a Test app](images/suspc_createpackage_takeatest.png) 3. Click **Next** or **Skip** depending on whether you want to set up Take a Test. - - -8. In the **Review package summary** page, make sure that all the settings you configured appear correctly. +9. In the **Review package summary** page, make sure that all the settings you configured appear correctly. 1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes. - **Figure 5** - Review your settings and change them as needed + **Figure 7** - Review your settings and change them as needed ![Review your settings and change them as needed](images/suspc_createpackage_summary.png) 2. Click **Accept**. -9. In the **Insert a USB drive now** page: +10. In the **Insert a USB drive now** page: 1. Insert a USB drive to save your settings and create a provisioning package on the USB drive. 2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list. 3. Click **Save** to save the provisioning package to the USB drive. - **Figure 6** - Select the USB drive and save the provisioning package + **Figure 8** - Select the USB drive and save the provisioning package - ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb_050817.png) + ![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png) -10. 
When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. +11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive. - **Figure 7** - Provisioning package is ready + **Figure 9** - Provisioning package is ready - ![Provisioning package is ready](images/suspc_ppkgisready_050817.png) + ![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png) 12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs. - **Figure 8** - Line up the student PCs and get them ready for setup + **Figure 10** - Line up the student PCs and get them ready for setup ![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png) @@ -232,7 +236,7 @@ The **Set up School PCs** app guides you through the configuration choices for t Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package. - **Figure 9** - Install the provisioning package on the student PCs + **Figure 11** - Install the provisioning package on the student PCs ![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png) 
@@ -250,19 +254,19 @@ The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**. - **Figure 10** - The first screen during first-run setup in Windows 10 Creators Update (version 1703) + **Figure 12** - The first screen during first-run setup in Windows 10 Creators Update (version 1703) ![The first screen to set up a new PC in Windows 10 Creators Update](images/win10_1703_oobe_firstscreen.png) 2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package. - **Figure 11** - Windows automatically detects the provisioning package and installs it + **Figure 13** - Windows automatically detects the provisioning package and installs it ![Windows automatically detects the provisioning package and installs it](images/suspc_studentpcsetup_installingsetupfile.png) 3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC. - **Figure 12** - Remove the USB drive when you see the message that the media can be removed + **Figure 14** - Remove the USB drive when you see the message that the media can be removed ![You can remove the USB drive when you see the message that the media can be removed](images/suspc_setup_removemediamessage.png) diff --git a/education/windows/windows-10-pro-to-pro-edu-upgrade.md b/education/windows/windows-10-pro-to-pro-edu-upgrade.md deleted file mode 100644 index 373293b8ac..0000000000 --- a/education/windows/windows-10-pro-to-pro-edu-upgrade.md +++ /dev/null 
@@ -1,263 +0,0 @@ ---- -title: Switch Windows 10 Pro to Pro Education -description: Describes how IT Pros can opt into switching from Windows 10 Pro to Windows 10 Pro Education from the Microsoft Store for Education. -keywords: switch, Pro to Pro Education, education customers -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: edu -localizationpriority: high -author: CelesteDG ---- - -# Switch Windows 10 Pro to Pro Education from Microsoft Store for Education - -Windows 10 Pro Education is a new offering in Windows 10 Anniversary Update (Windows 10, version 1607). This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings. - -If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free switch to Windows 10 Pro Education through the Microsoft Store for Education. To take advantage of this offering, make sure you meet the [requirements for switching](#requirements-for-switching). - -Starting with Windows 10, version 1607, academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Pro Education license, the operating system turns from Windows 10 Pro to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. When a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro. - -Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have a Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features. 
- -When you switch to Windows 10 Pro Education, you get the following benefits: - -- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB). -- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have. -- **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic switch to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days). - -In summary, the Windows 10 Pro Education free switch through the Microsoft Store for Education is an offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition. - -## Compare Windows 10 Pro and Pro Education editions - -In Windows 10, version 1607, the Windows 10 Pro Education edition contains the same features as the Windows 10 Pro edition except for the following differences: - -- Cortana is removed from Windows 10 Pro Education -- Options to manage Windows 10 tips and tricks and Windows Store suggestions - -See [Windows 10 editions for education customers](windows-editions-for-education-customers.md) for more info about Windows 10 Pro Education and you can also [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10. - -## Requirements for switching - -Before you switch from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements: -- Devices must be: - - Running Windows 10 Pro, version 1607 - - Must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. 
For more information, see [Review requirements on devices](#review-requirements-on-devices). - - If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses). -- The user making the changes must be a member of the Azure AD global administrator group. -- The Azure AD tenant must be recognized as an education approved tenant. -- You must have a Microsoft Store for Education account. - -## Switch from Windows 10 Pro to Windows 10 Pro Education -Once you enable the setting to switch Windows 10 Pro to Windows 10 Pro Education, the switch will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the switch. - -**To turn on the automatic switch from Windows 10 Pro to Windows 10 Pro Education** - -1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/en-us/Store/Apps) with your work or school account. - - If this is the first time you're signing into the Microsoft Store, you'll be prompted to accept the Microsoft Store for Business and Education License Agreement. - -2. Go to **Manage > Account information**. -3. In the **Account information** page, look for the **Automatic Windows 10 Pro Education upgrade** section and follow the link. - - You will see the following page informing you that your school is eligible for a free automatic switch from Windows 10 Pro to Windows 10 Pro Education. - - ![Eligible for free Windows 10 Pro to Windows 10 Pro Education switch](images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png) - - **Figure 1** - Switch Windows 10 Pro to Windows 10 Pro Education - -4. Select **I understand enabling this setting will impact all devices running Windows 10 Pro in my organization**. -5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the switch. 
- - ![Email with Windows 10 Pro to Pro Education switch link](images/wsfb_win10_pro_to_proedu_email_upgrade_link.png) - - **Figure 2** - Email notification with a link to enable the switch - -6. Click **Enable the automatic upgrade now** to turn on automatic switches. - - ![Enable the automatic switch](images/wsfb_win10_pro_to proedu_upgrade_enable.png). - - **Figure 3** - Enable the automatic switch - - Enabling the automatic switch also triggers an email message notifying all global administrators in your organization about the switch. It also contains a link that enables any global administrators to cancel the switch, if they choose. For more info about rolling back or canceling the switch, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro). - - ![Email informing other global admins about the switch](images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png). - - **Figure 4** - Notification email sent to all global administrators - -7. Click **Close** in the **Success** page. - - In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the switch was enabled and the name of the admin who enabled the switch. - - ![Summary page about the switch](images/wsfb_win10_pro_to proedu_upgrade_summary.png) - - **Figure 5** - Details about the automatic switch - - -## Explore the switch experience - -So what will the users experience? How will they switch their devices? - -### For existing Azure AD domain joined devices -Existing Azure AD domain joined devices will be switched from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed. 
- -### For new devices that are not Azure AD domain joined -Now that you've turned on the setting to automatically switch Windows 10 Pro to Windows 10 Pro Education, the users are ready to switch their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition. - -#### Step 1: Join users’ devices to Azure AD - -Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607. - -**To join a device to Azure AD the first time the device is started** - -1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 6**. - - Who owns this PC? page in Windows 10 setup - - **Figure 6** - The “Who owns this PC?” page in initial Windows 10 setup - -2. On the **Choose how you’ll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 7**. - - Choose how you'll connect - page in Windows 10 setup - - **Figure 7** - The “Choose how you’ll connect” page in initial Windows 10 setup - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 8**. - - Let's get you signed in - page in Windows 10 setup - - **Figure 8** - The “Let’s get you signed in” page in initial Windows 10 setup - -Now the device is Azure AD joined to the company’s subscription. - -**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up** - -1. Go to **Settings > Accounts > Access work or school**, as illustrated in **Figure 9**. - - Connect to work or school configuration - - **Figure 9** - Connect to work or school configuration in Settings - -2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 10**. 
- - Set up a work or school account - - **Figure 10** - Set up a work or school account - -3. On the **Let’s get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 11**. - - Let's get you signed in - dialog box - - **Figure 11** - The “Let’s get you signed in” dialog box - -Now the device is Azure AD joined to the company’s subscription. - -#### Step 2: Sign in using Azure AD account - -Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 12**. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device. - -Sign in, Windows 10 - -**Figure 12** - Sign in by using Azure AD account - -#### Step 3: Verify that Pro Education edition is enabled - -You can verify the Windows 10 Pro Education in **Settings > Update & Security > Activation**, as illustrated in **Figure 13**. - - - -**Figure 13** - Windows 10 Pro Education in Settings - -Windows 10 activated and subscription active - -If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process. - -## Troubleshoot the user experience - -In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows: - -- The existing Windows 10 Pro, version 1607 operating system is not activated. - -- The Windows 10 Pro Education switch has lapsed or has been removed. - -Use the following figures to help you troubleshoot when users experience these common problems: - - - -**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education switch is active. 
- -Windows 10 activated and subscription active - - - -**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education switch is active. - -Windows 10 not activated and subscription active

- - -### Review requirements on devices - -Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements. - -**To determine if a device is Azure Active Directory joined** - -1. Open a command prompt and type **dsregcmd /status**. - -2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined. - -**To determine the version of Windows 10** - -- At a command prompt, type: - **winver** - - A popup window will display the Windows 10 version number and detailed OS build information. - - If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license. - -## Roll back Windows 10 Pro Education to Windows 10 Pro - -If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by: -- Logging into Microsoft Store for Education page and turning off the automatic switch. -- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators. - -Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. 
However, users who haven't signed in during the time that an switch was enabled and then turned off will never see their device change from Windows 10 Pro. - -**To roll back Windows 10 Pro Education to Windows 10 Pro** -1. Log in to [Microsoft Store for Education](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch. -2. Select **Manage > Account information** and locate the section **Automatic Windows 10 Pro Education upgrade** and follow the link. -3. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, select **Turn off the automatic upgrade to Windows 10 Pro Education**. - - ![Turn off automatic switch to Windows 10 Pro Education](images/wsfb_win10_pro_to proedu_upgrade_disable.png) - - **Figure 15** - Link to turn off the automatic switch - -4. You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**. -5. Click **Close** in the **Success** page. -6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the switch was disabled. - - If you decide later that you want to turn on automatic switches again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**. - -## Preparing for deployment of Windows 10 Pro Education licenses - -If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD. - -You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). 
This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them. - -**Figure 16** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure. - -![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png) - -**Figure 16** - On-premises AD DS integrated with Azure AD - -For more information about integrating on-premises AD DS domains with Azure AD, see these resources: -- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/) -- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/) - -## Related topics - -[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md) - -[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md) - -[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) diff --git a/education/windows/windows-editions-for-education-customers.md b/education/windows/windows-editions-for-education-customers.md index db3fb46f6a..b798212e27 100644 --- a/education/windows/windows-editions-for-education-customers.md +++ b/education/windows/windows-editions-for-education-customers.md 
@@ -39,7 +39,7 @@ Existing devices running Windows 10 Pro, currently activated with the original O Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx). -Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment. +Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment. ## Windows 10 Education diff --git a/store-for-business/acquire-apps-windows-store-for-business.md b/store-for-business/acquire-apps-windows-store-for-business.md index 77563b064c..a0af9518aa 100644 --- a/store-for-business/acquire-apps-windows-store-for-business.md +++ b/store-for-business/acquire-apps-windows-store-for-business.md 
@@ -43,7 +43,7 @@ There are a couple of things we need to know when you pay for apps. You can add You’ll also need to have your business address saved on **Account information** or **Payments & billing**. The address is used to generate tax rates. For more information on taxes for apps, see [organization tax information](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#organization-tax-information). -Microsoft Store adds the app to your inventory. From **Inventory**or **Apps & software**, you can: +Microsoft Store adds the app to your inventory. From **Inventory** or **Apps & software**, you can: - Distribute the app: add to private store, or assign licenses - View app licenses: review current licenses, reclaim and reassign licenses - View app details: review the app details page and purchase more licenses diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index 491172a16d..46c453edf1 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md 
@@ -77,13 +77,13 @@ After you're done, the files are saved to your desktop. You still need to sign t ## Catalog signing with Device Guard signing portal -To sign catalog files with the Device Guard signing portal, you need to be signed up with the Windows Store for Business. For more information, see [Sign up for the Windows Store for Business](sign-up-windows-store-for-business.md). +To sign catalog files with the Device Guard signing portal, you need to be signed up with the Microsoft Store for Business. For more information, see [Sign up for the Microsoft Store for Business](sign-up-windows-store-for-business.md). Catalog signing is a vital step to adding your unsigned apps to your code integrity policy. **To sign a catalog file with Device Guard signing portal** -1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). +1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). 2. Click **Settings**, click **Store settings**, and then click **Device Guard**. 3. Click **Upload** to upload your unsigned catalog files. These are the catalog files you created earlier in [Create catalog files for your unsigned app](#create-catalog-files). 4. After the files are uploaded, click **Sign** to sign the catalog files. diff --git a/store-for-business/app-inventory-management-windows-store-for-business.md b/store-for-business/app-inventory-management-windows-store-for-business.md index 71dceb3427..379618509a 100644 --- a/store-for-business/app-inventory-management-windows-store-for-business.md +++ b/store-for-business/app-inventory-management-windows-store-for-business.md 
@@ -31,7 +31,7 @@ Microsoft Store for Business and Education shows this info for each app in your - Access to actions for the app The last modified date tracks changes about the app as an item in your inventory. The last modified date changes when one of the following happens: -- First purchase (the date you acquire the app from Windows Store for Business) +- First purchase (the date you acquire the app from Microsoft Store for Business) - Purchase additional licenses - Assign license - Reclaim license @@ -45,14 +45,14 @@ There are a couple of ways to find specific apps, or groups of apps in your inve **Search** - Use the Search box to search for an app.
**Refine results** - Use **Refine results** to scope your list of apps by one or more of these app attributes: -- **License type** - Online or offline licenses. For more info, see [Apps in Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). +- **License type** - Online or offline licenses. For more info, see [Apps in Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model). - **Supported devices** - Lists the devices that apps in your inventory were originally written to support. This list is cumulative for all apps in your inventory. - **Source** - **Store**, for apps acquired from Store for Business, or LOB, for line-of-business apps. - **Product type** - Product categories, such as app, or game. - **Private store** - Whether or not the app is in the private store, or status if the app is being added or removed from private store. ## Manage apps in your inventory -Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Windows Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table. +Each app in the Store for Business has an online, or an offline license. For more information on Store for Business licensing model, see [Apps in the Microsoft Store for Business](apps-in-windows-store-for-business.md#licensing-model). There are different actions you can take depending on the app license type. They're summarized in this table. | Action | Online-licensed app | Offline-licensed app | | ------ | ------------------- | -------------------- | 
@@ -77,7 +77,7 @@ Once an app is in your private store, people in your org can install the app on **To make an app in Apps & software available in your private store** -1. Sign in to the [Store for Business](https://businessstore.microsoft.com) or [Micrososft Store for Education](https://businessstore.microsoft.com). +1. Sign in to the [Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Apps & software**. 3. Use **Refine results** to search for online-licensed apps under **License type**. 4. From the list of online-licensed apps, click the ellipses for the app you want, and then choose **Add to private store**. @@ -97,7 +97,7 @@ If you decide that you don't want an app available for employees to install on t **To remove an app from the private store** -1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Micrososft Store for Education](https://businessstore.microsoft.com). +1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com). 2. Click **Manage**, and then choose **Apps & software**. 3. Find an app, click the ellipses under **Action**, choose **Remove from private store**, and then click **Remove**. 
@@ -105,7 +105,7 @@ The app will still be in your inventory, but your employees will not have access
 **To assign an app to an employee**
-1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Micrososft Store for Education](https://businessstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://businessstore.microsoft.com).
 2. Click **Manage**, and then choose **Inventory**.
 3. Find an app, click the ellipses under **Action**, and then choose **Assign to people**.
 4. Type the email address for the employee that you're assigning the app to, and click **Confirm**.
@@ -118,7 +118,7 @@ For each app in your inventory, you can view and manage license details. This gi
 **To view license details**
-1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Micrososft Store for Education](https://businessstore.microsoft.com).
+1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com).
 2. Click **Manage**, and then choose **Apps & software**.
 3. Click an app you want to manage.
 4. On the app page, you'll see the names of people in your organization who have installed the app and are using one of the licenses. From here, you can:
@@ -134,7 +134,7 @@ You can assign the app to more people in your organization, or reclaim licenses.
 - On the app page, click **Assign users**, type the email address for the person that you're assigning the app to, and click **Assign**.
-Micrososft Store updates the list of assigned licenses.
+Microsoft Store updates the list of assigned licenses.
 **To reclaim licenses**
@@ -147,7 +147,7 @@ You can purchase additional licenses for apps in your Inventory.
 **To purchase additional app licenses**
-1. Sign in to [Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Micrososft Store for Education](https://businessstore.microsoft.com)
+1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com)
 2. Click **Manage**, and then choose **Apps & software**.
 3. From **Apps & software**, click an app.
 4. On the app page, click **Buy more** for additional licenses, or click **Assign users** to manage your current licenses.
diff --git a/store-for-business/apps-in-windows-store-for-business.md b/store-for-business/apps-in-windows-store-for-business.md
index da6eb860b6..4c037486e6 100644
--- a/store-for-business/apps-in-windows-store-for-business.md
+++ b/store-for-business/apps-in-windows-store-for-business.md
@@ -36,17 +36,17 @@ Apps in your inventory will have at least one of these supported platforms liste
 - Windows 10 Surface Hub
 - Windows 10 HoloLens
-Apps that you acquire from the Microsoft Store only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows Phone 8 will work on Windows 10.
+Apps that you acquire from Microsoft Store only work on Windows 10-based devices. Even though an app might list Windows 8 as its supported platform, that tells you what platform the app was originally written for. Apps developed for Windows 8, or Windows Phone 8 will work on Windows 10.
 Some apps are free, and some apps charge a price. Currently, you can pay for apps with a credit card. We'll be adding more payment options over time.
-Some apps which are available to consumers in the Windows Store might not be available to organizations in the Microsoft Store for Business and Education. App developers can opt-out their apps, and they also need to meet eligibility requirements for Microsoft Store for Business and Education. For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
+Some apps which are available to consumers in the Windows Store might not be available to organizations in Microsoft Store for Business and Education. App developers can opt-out their apps, and they also need to meet eligibility requirements for Microsoft Store for Business and Education. For more information, see [Organizational licensing options](https://msdn.microsoft.com/windows/uwp/publish/organizational-licensing).
-Line-of-business (LOB) apps are also supported using the Micrososft Store. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to Microsoft Store are only available to your organization. 
Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app. For more information, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
+Line-of-business (LOB) apps are also supported using Microsoft Store. Admins can invite IT devs and ISVs to be LOB publishers. Apps developed by your LOB publishers that are submitted to Microsoft Store are only available to your organization. Once an administrator accepts an app submitted by one of their LOB publishers, the app can be distributed just like any other app. For more information, see [Working with Line-of-Business apps](working-with-line-of-business-apps.md).
 ## In-app purchases
-Some apps offer you the option to make in-app purchases. In-app purchases are not currently supported for apps that are acquired through Micrososft Store and distributed to employees.
+Some apps offer you the option to make in-app purchases. In-app purchases are not currently supported for apps that are acquired through Microsoft Store and distributed to employees.
 If an employee makes an in-app purchase, they'll make it with their personal Microsoft account and pay for it with a personal payment method. The employee will own the item purchased, and it cannot be transferred to your organization’s inventory.
@@ -55,7 +55,7 @@ If an employee makes an in-app purchase, they'll make it with their personal Mic
 Microsoft Store supports two options to license apps: online and offline.
 ### Online licensing
-Online licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require customers and devices to connect to the Microsoft Store service to acquire an app and its license. License management is enforced based on the user’s Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
+Online licensing is the default licensing model and is similar to the Windows Store. Online licensed apps require customers and devices to connect to Microsoft Store service to acquire an app and its license. License management is enforced based on the user’s Azure AD identity and maintained by Microsoft Store as well as the management tool. By default app updates are handled by Windows Update.
 Distribution options for online-licensed apps include the ability to:
@@ -64,11 +64,11 @@ Distribution options for online-licensed apps include the ability to:
 - Distribute through a management tool.
 ### Offline licensing
-Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store. This model means organizations can deploy apps when users or devices do not have connectivity to Microsost Store. Admins control whether or not offline apps are available in Microsost Store with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing).
+Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store. This model means organizations can deploy apps when users or devices do not have connectivity to Microsoft Store. Admins control whether or not offline apps are available in Microsoft Store with an offline app visibility setting. For more information, see [offline license visibility](https://technet.microsoft.com/itpro/windows/manage/update-windows-store-for-business-account-settings#offline-licensing).
 You have the following distribution options for offline-licensed apps:
 - Include the app in a provisioning package, and then use it as part of imaging a device.
 - Distribute the app through a management tool.
-For more information, see [Distribute apps to your employees from the Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
\ No newline at end of file
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md).
\ No newline at end of file
diff --git a/store-for-business/assign-apps-to-employees.md b/store-for-business/assign-apps-to-employees.md
index cffba1a162..b2c821a77a 100644
--- a/store-for-business/assign-apps-to-employees.md
+++ b/store-for-business/assign-apps-to-employees.md
@@ -18,7 +18,7 @@ localizationpriority: high
 - Windows 10
 - Windows 10 Mobile
-Adminis, Purchasers, and Basic Purchasers can assign online-licensed apps to employees in their organization.
+Admins, Purchasers, and Basic Purchasers can assign online-licensed apps to employees or students in their organization.
 **To assign an app to an employee**
diff --git a/store-for-business/configure-mdm-provider-windows-store-for-business.md b/store-for-business/configure-mdm-provider-windows-store-for-business.md
index c11269d2f5..455c12dea0 100644
--- a/store-for-business/configure-mdm-provider-windows-store-for-business.md
+++ b/store-for-business/configure-mdm-provider-windows-store-for-business.md
@@ -16,7 +16,7 @@ localizationpriority: high
 - Windows 10
 - Windows 10 Mobile
-For companies or organizations using mobile device management (MDM) tools,those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
+For companies or organizations using mobile device management (MDM) tools, those tools can synchronize with Windows Store for Business inventory to manage apps with offline licenses. Store for Business management tool services work with your third-party management tool to manage content.
 Your management tool needs to be installed and configured with Azure AD, in the same directory that you are using for Store for Business. Once that's done, you can configure it to work with Store for Business
@@ -34,7 +34,7 @@ After your management tool is added to your Azure AD directory, you can configur
 2. Click **Manage**, click **Store settings**, and then click **Management tools**.
 3. From the list of MDM tools, select the one you want to synchronize with Microsoft Store, and then click **Activate.**
-Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchroniztion and deploy apps, see these topics:
+Your MDM tool is ready to use with Microsoft Store. To learn how to configure synchronization and deploy apps, see these topics:
 - [Manage apps you purchased from Windows Store for Business with Microsoft Intune](https://technet.microsoft.com/library/mt676514.aspx)
 - [Manage apps from Windows Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md
index de51622611..4365cacfe3 100644
--- a/store-for-business/device-guard-signing-portal.md
+++ b/store-for-business/device-guard-signing-portal.md
@@ -18,7 +18,7 @@ localizationpriority: high
 - Windows 10
 - Windows 10 Mobile
-Device Guard signing is a Device Guard feature that is available in Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files,they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
+Device Guard signing is a Device Guard feature that is available in Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
 Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](https://technet.microsoft.com/library/mt463091.aspx).
diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md
index 608cfdca5f..f93a4ac288 100644
--- a/store-for-business/distribute-apps-from-your-private-store.md
+++ b/store-for-business/distribute-apps-from-your-private-store.md
@@ -24,7 +24,7 @@ You can make an app available in your private store when you acquire the app, or
 **To acquire an app and make it available in your private store**
-1. Sign in to [Micrososft Store for Business](https://businessstore.microsoft.com) or [Micrososft Store for Education](https://educationstore.microsoft.com).
+1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
 2. Click an app, choose the license type, and then click **Get the app** to acquire the app for your organization.
@@ -34,7 +34,7 @@ Microsoft Store adds the app to **Apps & software**. Click **Manage**, **Apps &
 **To make an app in Apps & software available in your private store**
-1. Sign in to the [Store for Business](https://businessstore.microsoft.com) or [Micrososft Store for Education](https://educationstore.microsoft.com).
+1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
 2. Click **Manage**, and then choose **Apps & software**.
diff --git a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md b/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
index b72519ba89..21a610dc18 100644
--- a/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
+++ b/store-for-business/distribute-apps-to-your-employees-windows-store-for-business.md
@@ -25,7 +25,7 @@ Distribute apps to your employees from Microsoft Store for Business and Microsof
 | Topic | Description |
 | ----- | ----------- |
 | [Distribute apps using your private store](distribute-apps-from-your-private-store.md) | The private store is a feature in Microsoft Store that organizations and schools receive during the signup process. When admins add apps to the private store, all people in the organization can view and download the apps. Only apps with online licenses can be added to the private store. |
-| [Assign apps to employees](assign-apps-to-employees.md) | Adminis can assign online-licensed apps to people in their organization. |
+| [Assign apps to employees](assign-apps-to-employees.md) | Admins can assign online-licensed apps to people in their organization. |
 | [Distribute apps with a management tool](distribute-apps-with-management-tool.md) | Admins can configure a mobile device management (MDM) tool to synchronize your Microsoft Store inventory. Microsoft Store management tool services work with MDM tools to manage content. |
 | [Distribute offline apps](distribute-offline-apps.md) | Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. This allows organizations to deploy apps to devices without connectivity to the Store. |
diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md
index 2e540c478f..72078b74da 100644
--- a/store-for-business/distribute-offline-apps.md
+++ b/store-for-business/distribute-offline-apps.md
@@ -18,7 +18,7 @@ localizationpriority: high
 - Windows 10
 - Windows 10 Mobile
-Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in the Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
+Offline licensing is a new licensing option for Windows 10 with Microsoft Store for Business and Microsoft Store for Education. With offline licenses, organizations can download apps and their licenses to deploy within their network, or on devices that are not connected to the Internet. ISVs or devs can opt-in their apps for offline licensing when they submit them to the Windows Dev Center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business and Microsoft Store for Education. This model allows organizations to deploy apps when users or devices do not have connectivity to the Store.
 ## Why offline-licensed apps?
@@ -32,15 +32,15 @@ Offline-licensed apps offer an alternative to online apps, and provide additiona
 ## Distribution options for offline-licensed apps
-You can't distribute offline-licensed apps directly from the Microsoft Store. Once you download the items for the offline-licensed app, you have options for distributing the apps:
+You can't distribute offline-licensed apps directly from Microsoft Store. Once you download the items for the offline-licensed app, you have options for distributing the apps:
 - **Deployment Image Servicing and Management**. DISM is a command-line tool that is used to mount and service Microsoft Windows images before deployment. You can also use DISM to install, uninstall, configure, and update Windows features, packages, drivers, and international settings in a .wim file or VHD using the DISM servicing commands. DISM commands are used on offline images. For more information, see [Deployment Image Servicing and Management](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/dism---deployment-image-servicing-and-management-technical-reference-for-windows).
 - **Create provisioning package**. You can use Windows Imaging and Configuration Designer (ICD) to create a provisioning package for your offline app. Once you have the package, there are options to [apply the provisioning package](https://technet.microsoft.com/itpro/windows/deploy/provisioning-apply-package). For more information, see [Provisioning Packages for Windows 10](https://technet.microsoft.com/itpro/windows/deploy/provisioning-packages).
 - **Mobile device management provider or management server.** You can use a mobile device management (MDM) provider or management server to distribute offline apps. 
For more information, see these topics:
- - [Manage apps from Windows Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
- - [Manage apps from Windows Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
+ - [Manage apps from Microsoft Store for Business with System Center Configuration Manager](https://docs.microsoft.com/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)
+ - [Manage apps from Microsoft Store for Business with Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/manage-apps-you-purchased-from-the-windows-store-for-business-with-microsoft-intune)
For third-party MDM providers or management servers, check your product documentation.
diff --git a/store-for-business/manage-access-to-private-store.md b/store-for-business/manage-access-to-private-store.md
index 36e3b78d0b..e6f9bc8157 100644
--- a/store-for-business/manage-access-to-private-store.md
+++ b/store-for-business/manage-access-to-private-store.md
@@ -19,9 +19,9 @@ author: TrudyHa
 You can manage access to your private store in Microsoft Store for Business and Microsoft Store for Education.
-You can control the set of apps that are available to your employees and students, and not show the full set of applications that are in the Windows Store. Using the private store with the Micrososft Store for Business and Eduction, admins can curate the set of apps that are available.
+You can control the set of apps that are available to your employees and students, and not show the full set of applications that are in Windows Store. Using the private store with the Microsoft Store for Business and Education, admins can curate the set of apps that are available.
-The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in the Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
+The private store is a feature in Store for Business that organizations receive during the sign up process. When admins add apps to the private store, all employees in the organization can view and download the apps. Your private store is available as a tab in Windows Store, and is usually named for your company or organization. Only apps with online licenses can be added to the private store. Your private store looks something like this:
@@ -29,7 +29,7 @@ Organizations can use either an MDM policy, or Group Policy to show only their p
 ## Show private store only using MDM policy
-Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports the Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#ApplicationManagement_RequirePrivateStoreOnly) policy.
+Organizations using an MDM to manage apps can use a policy to show only the private store. When your MDM supports Microsoft Store for Business, the MDM can use the [Policy CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx). More specifically, the [ApplicationManagement/RequirePrivateStoreOnly](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#ApplicationManagement_RequirePrivateStoreOnly) policy.
 **ApplicationManagement/RequirePrivateStoreOnly** policy is supported on the following Windows 10 editions:
 - Enterprise
@@ -43,7 +43,7 @@ For more information on configuring an MDM provider, see [Configure an MDM provi
 If you're using Microsoft Store and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store.
-**Only display the private store within the Windows Store app** group policy is supported on the following Windows 10 editions:
+**Only display the private store within Windows Store app** group policy is supported on the following Windows 10 editions:
 - Enterprise
 - Education
@@ -53,13 +53,13 @@ If you're using Microsoft Store and you want employees to only see apps you're m
 2. In the console tree of the snap-in, go to **User Configuration** or **Computer Configuration** > **Administrative Templates** > **Windows Components**, and then click **Store**.
-3. Right-click **Only display the private store within the Windows Store app** in the right pane, and click **Edit**.
+3. Right-click **Only display the private store within Windows Store app** in the right pane, and click **Edit**.
 This opens the **Only display the private store within the Windows Store app** policy settings.
 4. On the **Only display the private store within the Windows Store app** setting page, click **Enabled**, and then click **OK**.
-You can also prevent employees from using the Windows Store. For more information, see [Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store).
+You can also prevent employees from using Windows Store. For more information, see [Configure access to Windows Store](/windows/configuration/stop-employees-from-using-the-windows-store).
 ## Related topics
diff --git a/store-for-business/manage-orders-windows-store-for-business.md b/store-for-business/manage-orders-windows-store-for-business.md
index ee1a065e82..eb5218d9ec 100644
--- a/store-for-business/manage-orders-windows-store-for-business.md
+++ b/store-for-business/manage-orders-windows-store-for-business.md
@@ -29,7 +29,7 @@ Click to expand an order, and the following info is available:
 ## Invoices
-Invoices for orders are available approximatley 24 hours after your purchase. The link opens a .pdf that you can save for your records.
+Invoices for orders are available approximately 24 hours after your purchase. The link opens a .pdf that you can save for your records.
 ## Refund an order
@@ -43,13 +43,13 @@ Refunds work a little differently for free apps, and apps that have a price. In
 There are a few requirements for apps that have a price:
 - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30.
- - **Avaialble licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization.
+ - **Avaialable licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization.
 - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory.
 **To refund an order**
 Reclaim licenses, and then request a refund. If you haven't assigned licenses, start on step 5.
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
 2. Click **Manage**, and then choose **Apps & software**.
 3. 
Find the app you want to refund, click the ellipses under **Actions**, and then choose **View license details**.
 4. Select the the people who you want to reclaim license from, click the ellipses under **Actions**, and then choose **Reclaim licenses**.
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index 5f93dc0e99..470e99fbed 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -17,9 +17,9 @@ localizationpriority: high
 - Windows 10
 - Windows 10 Mobile
-The private store is a feature in the Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
+The private store is a feature in Microsoft Store for Business and Education that organizations receive during the sign up process. When admins add apps to the private store, all people in the organization can view and download the apps. Only online-licensed apps can be distributed from your private store.
-The name of your private store is shown on a tab in the Windows Store app, or on [Microsoft Store for Business](https://businessstore.microsoft.com), or [Microsoft Store for Education](https://educationstore.microsoft.com).
+The name of your private store is shown on a tab in Windows Store app, or on [Microsoft Store for Business](https://businessstore.microsoft.com), or [Microsoft Store for Education](https://educationstore.microsoft.com).
 ![Image showing Windows Store app with private store tab highlighted.](images/wsfb-wsappprivatestore.png)
@@ -28,18 +28,9 @@ You can change the name of your private store in Microsoft Store.
 ## Change private store name
 **To change the name of your private store**
-1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com)
+1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
 2. Click **Manage**, click **Permissions**.
 3. On the **Private store ** tab, click **Change**.
 4. Type a new display name for your private store, and click **Save**.
- ![Image showing Private store dialog used to change private store display name.](images/wsfb-renameprivatestore.png) - -   - -   - - - - -
+ ![Image showing Private store dialog used to change private store display name.](images/wsfb-renameprivatestore.png)
\ No newline at end of file
diff --git a/store-for-business/manage-settings-windows-store-for-business.md b/store-for-business/manage-settings-windows-store-for-business.md
index e7c764ce7d..906f3174a0 100644
--- a/store-for-business/manage-settings-windows-store-for-business.md
+++ b/store-for-business/manage-settings-windows-store-for-business.md
@@ -1,5 +1,5 @@
 ---
-title: Manage settings for the Microsoft Store for Business and Microsoft Store for Education (Windows 10)
+title: Manage settings for Microsoft Store for Business and Microsoft Store for Education (Windows 10)
 description: You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant.
 ms.assetid: E3283D77-4DB2-40A9-9479-DDBC33D5A895
 ms.prod: w10
@@ -10,7 +10,7 @@ author: TrudyHa
 localizationpriority: high
 ---
-# Manage settings for the Microsoft Store for Business and Education
+# Manage settings for Microsoft Store for Business and Education
 **Applies to**
@@ -18,13 +18,13 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant +You can add users and groups, as well as update some of the settings associated with the Azure Active Directory (AD) tenant. ## In this section | Topic | Description | | ----- | ----------- | | [Update Microsoft Store for Business and Education account settings](update-windows-store-for-business-account-settings.md) | The **Account information** page in Microsoft Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings. | -| [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md) | Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups. | +| [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups. | diff --git a/store-for-business/manage-users-and-groups-windows-store-for-business.md b/store-for-business/manage-users-and-groups-windows-store-for-business.md index 83baed4cea..f2cc141ca7 100644 --- a/store-for-business/manage-users-and-groups-windows-store-for-business.md +++ b/store-for-business/manage-users-and-groups-windows-store-for-business.md 
@@ -21,7 +21,7 @@ localizationpriority: high Microsoft Store for Business and Education manages permissions with a set of roles. Currently, you can [assign these roles to individuals in your organization](roles-and-permissions-windows-store-for-business.md), but not to groups. ## Why Azure AD accounts? -For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and the Store for Business. +For organizations planning to use the private store feature with Store for Business, we recommend that you also configure cloud domain join. This provides a seamless integration between the identity your admin and employees will use to sign in to Windows and Microsoft Store for Business. Azure AD is an Azure service that provides identity and access management capabilities using the cloud. It is primarily designed to provide this service for cloud- or web-based applications that need to access your local Active Directory information. Azure AD identity and access management includes: diff --git a/store-for-business/prerequisites-windows-store-for-business.md b/store-for-business/prerequisites-windows-store-for-business.md index 2bd8d40451..c76035ac35 100644 --- a/store-for-business/prerequisites-windows-store-for-business.md +++ b/store-for-business/prerequisites-windows-store-for-business.md 
@@ -27,7 +27,7 @@ You'll need this software to work with Microsoft Store for Business or Education ### Required - IT Pros that are administering Microsoft Store for Business and Education need a browser compatible with Microsoft Store for Business and Education running on a PC or mobile device. Supported browsers include: Internet Explorer 10 or later, Microsoft Edge, or current versions of Chrome or Firefox. Javascript needs to be supported and enabled. -- Employees using apps from Micrsoft Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device. +- Employees using apps from Microsoft Store for Business and Education need at least Windows 10, version 1511 running on a PC or mobile device. Microsoft Azure Active Directory (AD) or Office 365 accounts for your employees: - IT Pros need Azure AD or Office 365 accounts to sign up for Microsoft Store for Business and Education, and then to sign in, get apps, distribute apps, and manage app licenses. 
@@ -41,9 +41,9 @@ For more information on Azure AD, see [About Office 365 and Azure Active Directo While not required, you can use a management tool to distribute and manage apps. Using a management tool allows you to distribute content, scope app availability, and control when app updates are installed. This might make sense for larger organizations that already use a management tool. If you're considering using management tools, check with the management tool vendor to see if they support Microsoft Store for Business and Education. The management tool will need to: - Integrate with the Windows 10 management framework and Azure AD. -- Sync with the Microsoft Store for Business and Education inventory to distribute apps. +- Sync with Microsoft Store for Business and Education inventory to distribute apps. -### Proxy configuration +## Proxy configuration If your organization restricts computers on your network from connecting to the Internet, there is a set of URLs that need to be available for devices to use Microsoft Store. Some of the Microsoft Store features use Windows Store app and Microsoft Store services. Devices using Microsoft Store – either to acquire, install, or update apps – will need access to these URLs. If you use a proxy sever to block traffic, your configuration needs to allow these URLs: diff --git a/store-for-business/roles-and-permissions-windows-store-for-business.md b/store-for-business/roles-and-permissions-windows-store-for-business.md index fc3fbae54c..7a3cd37936 100644 --- a/store-for-business/roles-and-permissions-windows-store-for-business.md +++ b/store-for-business/roles-and-permissions-windows-store-for-business.md 
@@ -34,7 +34,7 @@ This table lists the global user accounts and the permissions they have in Micro | Distribute apps | X | X |   -- **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for the Microsoft Store. +- **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store. - **Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role. @@ -91,5 +91,5 @@ These permissions allow people to: -4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in the Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md). +4. If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md). diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index 75d490b304..28adabcee9 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md 
@@ -29,7 +29,7 @@ Before you get started, be sure to review these best practices: **To sign a code integrity policy** -1. Sign in to the [Store for Business](http://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com). +1. Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**, click **Store settings**, and then click **Device Guard**. 3. Click **Upload** to upload your code integrity policy. 4. After the files are uploaded, click **Sign** to sign the code integrity policy. diff --git a/store-for-business/sign-up-windows-store-for-business-overview.md b/store-for-business/sign-up-windows-store-for-business-overview.md index b96261fb90..8b61671bfe 100644 --- a/store-for-business/sign-up-windows-store-for-business-overview.md +++ b/store-for-business/sign-up-windows-store-for-business-overview.md @@ -17,7 +17,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -IT admins can sign up for the Microsoft Store for Business and Education, and get started working with apps. +IT admins can sign up for Microsoft Store for Business and Education, and get started working with apps. ## In this section 
@@ -26,8 +26,8 @@ IT admins can sign up for the Microsoft Store for Business and Education, and ge | [Microsoft Store for Business and Education overview](windows-store-for-business-overview.md) | Learn about Microsoft Store for Business. | | [Prerequisites for Microsoft Store for Business and Education](prerequisites-windows-store-for-business.md) | There are a few prerequisites for using Microsoft Store for Business and Education. | | [Sign up for Microsoft Store for Business or Microsoft Store for Education](sign-up-windows-store-for-business.md) | Before you sign up for Store for Business and Education, at a minimum, you'll need an Azure Active Directory (AD) or Office 365 account for your organization, and you'll need to be the global administrator for your organization. If your organization is already using Azure AD, you can go ahead and sign up for Store for Business. If not, we'll help you create an Azure AD or Office 365 account and directory as part of the sign up process. | -| [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md) | The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. | -| [Settings reference: Microsoft Store for Business and Education](settings-reference-windows-store-for-business.md) | The Microsoft Store for Business and Education has a group of settings that admins use to manage the store. | +| [Roles and permissions in Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md) | The first person to sign in to Microsoft Store for Business and Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees. 
| +| [Settings reference: Microsoft Store for Business and Education](settings-reference-windows-store-for-business.md) | Microsoft Store for Business and Education has a group of settings that admins use to manage the store. | diff --git a/store-for-business/sign-up-windows-store-for-business.md b/store-for-business/sign-up-windows-store-for-business.md index adccdea373..f716149cbc 100644 --- a/store-for-business/sign-up-windows-store-for-business.md +++ b/store-for-business/sign-up-windows-store-for-business.md @@ -29,7 +29,7 @@ Before signing up for Microsoft Store, make sure you're the global administrator 1. Go to [https://www.microsoft.com/business-store](https://www.microsoft.com/business-store), or [https://www.microsoft.com/education-store](https://www.microsoft.com/education-store) and click **Sign up**. - - If you start the Microsoft Store sign-up process, and don't have an Azure AD directory for your organization, we'll help you create one. For more info, see [Sign up for Azure AD accounts](#o365-welcome). + - If you start Microsoft Store sign-up process, and don't have an Azure AD directory for your organization, we'll help you create one. For more info, see [Sign up for Azure AD accounts](#o365-welcome). 
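Review bot: Dropping the article in the sign-up hunk leaves `- If you start Microsoft Store sign-up process, and don't have an Azure AD directory for your organization, we'll help you create one.` ungrammatical; the no-article branding rule reads fine when "Microsoft Store" stands alone as a proper noun, but not when it modifies "sign-up process". Suggest `- If you start the Microsoft Store sign-up process, and don't have an Azure AD directory for your organization, we'll help you create one.` The same pattern appears in the manage-private-store-settings.md hunk (`shown on a tab in Windows Store app`), which would read better as `shown on a tab in the Windows Store app`.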
@@ -88,7 +88,7 @@ Before signing up for Microsoft Store, make sure you're the global administrator After signing up for Microsoft Store for Business or Microsoft Store for Education, you can: - **Add users to your Azure AD directory**. If you created your Azure AD directory during sign up, additional user accounts are required for employees to install apps you assign to them, or to browse the private store in Store app. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-windows-store-for-business.md). -- **Assign roles to employees**. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md). +- **Assign roles to employees**. For more information, see [Roles and permissions in Microsoft Store for Business and Education](roles-and-permissions-windows-store-for-business.md).   diff --git a/store-for-business/troubleshoot-windows-store-for-business.md b/store-for-business/troubleshoot-windows-store-for-business.md index 5ea7623579..b12f94afae 100644 --- a/store-for-business/troubleshoot-windows-store-for-business.md +++ b/store-for-business/troubleshoot-windows-store-for-business.md @@ -48,13 +48,9 @@ The private store for your organization is a page in the Windows Store app that ## Still having trouble? -If you are still having trouble using WSfB or installing the app, you can get more help on our [Support page](https://go.microsoft.com/fwlink/?LinkID=799386). - -  - -  - - - - +If you are still having trouble using Microsoft Store or installing an app, Admins can sign in and look for topics on our **Support** page. + +**To view Support page**  +1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) +2. Click **Manage**, and then click **Support**. \ No newline at end of file 
diff --git a/store-for-business/update-windows-store-for-business-account-settings.md b/store-for-business/update-windows-store-for-business-account-settings.md index 56aaa46e30..e2266ea8a6 100644 --- a/store-for-business/update-windows-store-for-business-account-settings.md +++ b/store-for-business/update-windows-store-for-business-account-settings.md @@ -26,7 +26,7 @@ We need your business address, email contact, and tax-exemption certificates tha Before purchasing apps that have a fee, you need to add or update your organization's business address, and contact email address. -We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through the Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in the Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase. +We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase. We need an email address in case we need to contact you about your Microsoft Store for Business and Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store. 
@@ -35,7 +35,7 @@ We need an email address in case we need to contact you about your Microsoft Sto 2. Click **Manage**, click **Payments & billing**, and then click **Edit**. ## Organization tax information -Taxes for Windows Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent: +Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent: - Austria - Belgium - Croatia @@ -99,7 +99,7 @@ For example:
($1.29 X .095) X 100 = $12.25 ## Payment options -You can purchase apps from the Windows Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards: +You can purchase apps from Microsoft Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards: 1. VISA 2. MasterCard 3. Discover @@ -136,7 +136,7 @@ Once you click **Next**, the information you provided will be validated with a Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on the Store for Business licensing model, see [licensing model](https://technet.microsoft.com/itpro/windows/manage/apps-in-windows-store-for-business#licensing-model). -Admins can decide whether or not offline licenses are shown for apps in Windows Store for Business. +Admins can decide whether or not offline licenses are shown for apps in Microsoft Store. **To set offline license visibility** 
@@ -147,6 +147,4 @@ Admins can decide whether or not offline licenses are shown for apps in Windows You have the following distribution options for offline-licensed apps: - Include the app in a provisioning package, and then use it as part of imaging a device. - Distribute the app through a management tool. -For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-with-management-tool.md). - - +For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-with-management-tool.md). \ No newline at end of file diff --git a/store-for-business/windows-store-for-business-overview.md b/store-for-business/windows-store-for-business-overview.md index 5640ea1f23..92902b6347 100644 --- a/store-for-business/windows-store-for-business-overview.md +++ b/store-for-business/windows-store-for-business-overview.md @@ -57,7 +57,7 @@ Microsoft Azure Active Directory (AD) accounts for your employees: - Employees need Azure AD account when they access Store for Business content from Windows devices. - If you use a management tool to distribute and manage online-licensed apps, all employees will need an Azure AD account - For offline-licensed apps, Azure AD accounts are not required for employees. -- Admins can add or remove user accounts in the Office 365 admin center, even if you don’t have an Office 365 subscrition. You can access the Office 365 admin portal directly from the Microsoft Store for Business and Eduction. +- Admins can add or remove user accounts in the Office 365 admin center, even if you don’t have an Office 365 subscription. You can access the Office 365 admin portal directly from the Microsoft Store for Business and Education. For more information on Azure AD, see [About Office 365 and Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=708612), and [Intro to Azure: identity and access](https://go.microsoft.com/fwlink/p/?LinkId=708611). 
@@ -79,7 +79,7 @@ For more information, see [Sign up for the Store for Business](sign-up-windows-s ## Set up -After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign WSFB roles. These are the roles and their permissions. +After your admin signs up for the Store for Business, they can assign roles to other employees in your company. The admin needs Azure AD User Admin permissions to assign Microsoft Store for Business and Education roles. These are the roles and their permissions. | Permission | Account settings | Acquire apps | Distribute apps | Device Guard signing | | ---------- | ---------------- | ------------ | --------------- | -------------------- | 
@@ -129,7 +129,7 @@ App distribution is handled through two channels, either through the Store for B - Scoped content distribution – Ability to scope content distribution to specific groups of employees. - Install apps for employees – Employees are not responsible for installing apps. Management tool installs apps for employees. -Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata,management tools can enable portals or apps as a destination for employees to acquire apps. +Management tools can synchronize content that has been acquired in the Store for Business. If an offline application has been purchased this will also include the app package, license and metadata for the app (like, icons, count, or localized product descriptions). Using the metadata, management tools can enable portals or apps as a destination for employees to acquire apps. For more information, see [Distribute apps to your employees from the Store for Business](distribute-apps-to-your-employees-windows-store-for-business.md). @@ -137,7 +137,7 @@ For more information, see [Distribute apps to your employees from the Store for Once you are signed up with the Business store and have purchased apps, Admins can manage Store for Business settings and inventory. -**Manage Store for Business settings** +**Manage Microsoft Store for Business settings** - Assign and change roles for employees or groups - Device Guard signing - Register a management server to deploy and install content @@ -155,7 +155,7 @@ For more information, see [Manage settings in the Store for Business](manage-set ## Supported markets -Store for Business is currently available in these markets. +Microsoft Store for Business and Education is currently available in these markets. 
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md index f991c3a1e0..ca39d9903b 100644 --- a/store-for-business/working-with-line-of-business-apps.md +++ b/store-for-business/working-with-line-of-business-apps.md @@ -17,7 +17,7 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school,business, or industry. +Your company or school can make line-of-business (LOB) applications available through Microsoft Store for Business or Microsoft Store for Education. These apps are custom to your school or organization – they might be internal apps, or apps specific to your school, business, or industry. Developers within your organization, or ISVs that you invite, can become LOB publishers and submit apps to Microsoft Store for your company or school. Once an LOB publisher submits an app for your company, the app is only available to your company. LOB publishers submit apps through the Windows Dev Center using the same process as all apps that are in the Store, and then can be managed or deployed using the same process as any other app that has been acquired through the Store. @@ -88,7 +88,7 @@ For more information, see [Organizational licensing options]( https://go.microso ## Add app to inventory (admin) -After an ISV submits the LOB app for your company or school, someone with Microsoft Store for Business and Eduction admin permissions needs to accept the app. +After an ISV submits the LOB app for your company or school, someone with Microsoft Store for Business and Education admin permissions needs to accept the app. **To add the LOB app to your inventory** 
diff --git a/windows/access-protection/configure-s-mime.md b/windows/access-protection/configure-s-mime.md index bce814e3d6..61abd34c67 100644 --- a/windows/access-protection/configure-s-mime.md +++ b/windows/access-protection/configure-s-mime.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/access-protection/credential-guard/credential-guard-considerations.md b/windows/access-protection/credential-guard/credential-guard-considerations.md index 0adc21dd7f..1663325a24 100644 --- a/windows/access-protection/credential-guard/credential-guard-considerations.md +++ b/windows/access-protection/credential-guard/credential-guard-considerations.md 
@@ -28,9 +28,9 @@ in the Deep Dive into Credential Guard video series. - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. -## NTLM and CHAP Considerations +## Wi-fi and VPN Considerations +When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS. -When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections. ## Kerberos Considerations diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md index 05f08ab263..ee41c90cff 100644 --- a/windows/access-protection/credential-guard/credential-guard-manage.md +++ b/windows/access-protection/credential-guard/credential-guard-manage.md 
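Review bot: The renamed heading `## Wi-fi and VPN Considerations` no longer matches the paragraph it introduces, whose first sentence is still the NTLM v1 restriction, so the most consequential Credential Guard compatibility point on the page now sits under a heading that does not mention it. Renaming the heading also changes its generated anchor, so any cross-reference to the old `#ntlm-and-chap-considerations` anchor elsewhere in the docs set would break if one exists. The new line also spells the same terms inconsistently ("Wi-fi" in the heading versus "WiFi" in the body, "MS-CHAPv2" versus "MSCHAPv2"); consider a heading such as `## NTLM, Wi-Fi, and VPN considerations` and one spelling of Wi-Fi and MS-CHAPv2 throughout the paragraph.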
@@ -97,7 +97,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot +DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot ``` ### Credential Guard deployment in virtual machines @@ -126,7 +126,7 @@ You can view System Information to check that Credential Guard is running on a P You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.0.ps1 -Ready +DG_Readiness_Tool_v3.2.ps1 -Ready ``` > [!NOTE] @@ -194,7 +194,7 @@ For more info on virtualization-based security and Device Guard, see [Device Gua You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot +DG_Readiness_Tool_v3.2.ps1 -Disable -AutoReboot ``` #### Disable Credential Guard for a virtual machine diff --git a/windows/access-protection/docfx.json b/windows/access-protection/docfx.json index 627724bbe5..22574d09a4 100644 --- a/windows/access-protection/docfx.json +++ b/windows/access-protection/docfx.json @@ -32,7 +32,8 @@ "externalReference": [], "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json" + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows" }, "fileMetadata": {}, "template": [], diff --git a/windows/access-protection/enterprise-certificate-pinning.md b/windows/access-protection/enterprise-certificate-pinning.md index 26876a7fac..130251d4b2 100644 --- a/windows/access-protection/enterprise-certificate-pinning.md 
+++ b/windows/access-protection/enterprise-certificate-pinning.md @@ -6,7 +6,7 @@ author: MikeStephens-MS description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name. manager: alanth ms.prod: w10 -ms.technology: security +ms.technology: windows ms.sitesec: library ms.pagetype: security localizationpriority: high 
@@ -71,141 +71,41 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ The PinRules element can have the following attributes. For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml). -- **Duration** or **NextUpdate** - - Specifies when the Pin Rules will expire. - Either is required. - **NextUpdate** takes precedence if both are specified. - - **Duration**, represented as an XML TimeSpan data type, does not allow years and months. - You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. - - **Required?** Yes. At least one is required. - -- **LogDuration** or **LogEndDate** - - Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. - - **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. - - You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months. - - If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. - - **Required?** No. - -- **ListIdentifier** - - Provides a friendly name for the list of pin rules. - Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Duration** or **NextUpdate** | Specifies when the Pin Rules will expire. Either is required. **NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, does not allow years and months. You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. | **Required?** Yes. At least one is required. | +| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months.
If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. | +| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). | No. | #### PinRule Element -The **PinRule** element can have the following attributes: +The **PinRule** element can have the following attributes. -- **Name** - - Uniquely identifies the **PinRule**. - Windows uses this attribute to identify the element for a parsing error or for verbose output. - The attribute is not included in the generated certificate trust list (CTL). - - **Required?** Yes. - -- **Error** - - Describes the action Windows performs when it encounters a PIN mismatch. - You can choose from the following string values: - - **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. - - **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site. - - **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. - - **Required?** No. - -- **Log** - - A Boolean value represent as string that equals **true** or **false**. - By default, logging is enabled (**true**). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute is not included in the generated certificate trust list (CTL). | Yes.| +| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. 
You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. | +| **Log** | A Boolean value represent as string that equals **true** or **false**. By default, logging is enabled (**true**). | No. | #### Certificate element -The **Certificate** element can have the following attributes: +The **Certificate** element can have the following attributes. -- **File** - - Path to a file containing one or more certificates. - Where the certificate(s) can be encoded as: - - single certificate - - p7b - - sst. - - These files can also be Base64 formatted. - All **Site** elements included in the same **PinRule** element can match any of these certificates. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **Directory** - - Path to a directory containing one or more of the above certificate files. - Skips any files not containing any certificates. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **Base64** - - Base64 encoded certificate(s). - Where the certificate(s) can be encoded as: - - single certificate - - p7b - - sst. - - This allows the certificates to be included in the XML file without a file directory dependency. - - > [!Note] - > You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. - - **Required?** Yes (File, Directory or Base64 must be present). - -- **EndDate** - - Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. - - If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates. - - If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL. 
- - For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml). - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory or Base64 must be present). | +| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory or Base64 must be present). | +| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst
This allows the certificates to be included in the XML file without a file directory dependency.
Note:
You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory or Base64 must be present). | +| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this element’s certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.| #### Site element -The **Site** element can have the following attributes: +The **Site** element can have the following attributes. -- **Domain** - - Contains the DNS name to be matched for this pin rule. - When creating the certificate trust list, the parser normalizes the input name string value as follows: - - If the DNS name has a leading "*" it is removed. - - Non-ASCII DNS name are converted to ASCII Puny Code. - - Upper case ASCII characters are converted to lower case. - - If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. - For example, ".xyz.com" would match "abc.xyz.com". - - **Required?** Yes. - -- **AllSubdomains** - - By default, wildcard left hand label matching is restricted to a single left hand label. - This attribute can be set to "true" to enable wildcard matching of all of the left hand labels. - - For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value. - - **Required?** No. +| Attribute | Description | Required | +|-----------|-------------|----------| +| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*" it is removed.
- Non-ASCII DNS name are converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.| +| **AllSubdomains** | By default, wildcard left hand label matching is restricted to a single left hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.| ### Create a Pin Rules Certificate Trust List @@ -302,10 +202,6 @@ Sign-in to the reference computer using domain administrator equivalent credenti To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules. -```code -HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config -``` - | Name | Value | |------|-------| | Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config | diff --git a/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md b/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md index 1e16d409a2..c6d37fa5e8 100644 --- a/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md +++ b/windows/access-protection/installing-digital-certificates-on-windows-10-mobile.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/access-protection/vpn/vpn-authentication.md b/windows/access-protection/vpn/vpn-authentication.md index e248b304f6..fa0b7a5592 100644 --- a/windows/access-protection/vpn/vpn-authentication.md +++ b/windows/access-protection/vpn/vpn-authentication.md @@ -5,7 +5,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, networking -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/access-protection/vpn/vpn-auto-trigger-profile.md b/windows/access-protection/vpn/vpn-auto-trigger-profile.md index 3b63ffa494..dbbe91c8cb 100644 --- a/windows/access-protection/vpn/vpn-auto-trigger-profile.md 
+++ b/windows/access-protection/vpn/vpn-auto-trigger-profile.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/access-protection/vpn/vpn-conditional-access.md b/windows/access-protection/vpn/vpn-conditional-access.md
index 4a4f96248d..073b24b8fd 100644
--- a/windows/access-protection/vpn/vpn-conditional-access.md
+++ b/windows/access-protection/vpn/vpn-conditional-access.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/access-protection/vpn/vpn-connection-type.md b/windows/access-protection/vpn/vpn-connection-type.md
index bbf5c689d1..39f933d548 100644
--- a/windows/access-protection/vpn/vpn-connection-type.md
+++ b/windows/access-protection/vpn/vpn-connection-type.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/access-protection/vpn/vpn-guide.md b/windows/access-protection/vpn/vpn-guide.md
index d77847b083..138b74295c 100644
--- a/windows/access-protection/vpn/vpn-guide.md
+++ b/windows/access-protection/vpn/vpn-guide.md
@@ -4,7 +4,7 @@ description: Use this guide to configure VPN deployment for Windows 10.
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/access-protection/vpn/vpn-name-resolution.md b/windows/access-protection/vpn/vpn-name-resolution.md
index a167777105..1a40cd73b6 100644
--- a/windows/access-protection/vpn/vpn-name-resolution.md
+++ b/windows/access-protection/vpn/vpn-name-resolution.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/access-protection/vpn/vpn-profile-options.md b/windows/access-protection/vpn/vpn-profile-options.md
index 77af3754f6..58f005e2be 100644
--- a/windows/access-protection/vpn/vpn-profile-options.md
+++ b/windows/access-protection/vpn/vpn-profile-options.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/access-protection/vpn/vpn-routing.md b/windows/access-protection/vpn/vpn-routing.md
index 3372161696..597d5cad4a 100644
--- a/windows/access-protection/vpn/vpn-routing.md
+++ b/windows/access-protection/vpn/vpn-routing.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/access-protection/vpn/vpn-security-features.md b/windows/access-protection/vpn/vpn-security-features.md
index 5fd8b19932..ed34d30dc0 100644
--- a/windows/access-protection/vpn/vpn-security-features.md
+++ b/windows/access-protection/vpn/vpn-security-features.md
@@ -5,7 +5,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, networking
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md b/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
index 80474a70be..d8344768fc 100644
--- a/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
+++ b/windows/access-protection/windows-firewall/create-wmi-filters-for-the-gpo.md
@@ -85,7 +85,7 @@ First, create the WMI filter and configure it to look for a specified version (o
 
 After you have created a filter with the correct query, link the filter to the GPO. Filters can be reused with many GPOs simultaneously; you do not have to create a new one for each GPO if an existing one meets your needs.
 
-1. Open theGroup Policy Management console.
+1. Open the Group Policy Management console.
 
 2. In the navigation pane, find and then click the GPO that you want to modify.
 
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index a0c06828be..cc2687ac6a 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -32,7 +32,8 @@
 "externalReference": [],
 "globalMetadata": {
 "uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
 },
 "fileMetadata": {},
 "template": [],
diff --git a/windows/application-management/index.md b/windows/application-management/index.md
index 9fd65e3fa8..b7ce77366d 100644
--- a/windows/application-management/index.md
+++ b/windows/application-management/index.md
@@ -4,7 +4,7 @@ description: Windows 10 application management
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/windows/client-management/TOC.md b/windows/client-management/TOC.md
index f1ecdab931..120dc8ffe8 100644
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@@ -9,4 +9,5 @@
 ## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
 ## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
 ## [Windows libraries](windows-libraries.md)
+## [Mobile Device Management](mdm/index.md)
 ## [Change history for Client management](change-history-for-client-management.md)
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index a7d5203f8a..60a5ca32e6 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -5,7 +5,7 @@ ms.assetid: FDC63933-C94C-43CB-8373-629795926DC8
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index e67fdf2234..cb6ad29962 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index 107c56cde2..b42d904675 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -32,7 +32,8 @@
 "externalReference": [],
 "globalMetadata": {
 "uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
 },
 "fileMetadata": {},
 "template": [],
diff --git a/windows/client-management/index.md b/windows/client-management/index.md
index 5ee8fc4e71..7dc6c63ae6 100644
--- a/windows/client-management/index.md
+++ b/windows/client-management/index.md
@@ -4,7 +4,7 @@ description: Windows 10 client management
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
 
diff --git a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
index 1b2593fec1..a7c3befabe 100644
--- a/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
+++ b/windows/client-management/join-windows-10-mobile-to-azure-active-directory.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/client-management/manage-corporate-devices.md b/windows/client-management/manage-corporate-devices.md
index a966ef1982..b5e9a331ae 100644
--- a/windows/client-management/manage-corporate-devices.md
+++ b/windows/client-management/manage-corporate-devices.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index ed2c748110..1607cad11f 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: devices
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index f3344f6f15..78f0c04704 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -5,7 +5,7 @@ keywords: [".man","ntuser"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 ---
 
 # Create mandatory user profiles
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
new file mode 100644
index 0000000000..3e072988e3
--- /dev/null
+++ b/windows/client-management/mdm/TOC.md
@@ -0,0 +1,222 @@
+# [Mobile device management](index.md)
+## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
+## [Mobile device enrollment](mobile-device-enrollment.md)
+### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
+### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
+### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
+### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
+## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
+## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
+## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
+## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)
+## [Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)
+## [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
+### [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md)
+### [Register your free Azure Active Directory subscription](register-your-free-azure-active-directory-subscription.md)
+## [Enterprise app management](enterprise-app-management.md)
+## [Device update management](device-update-management.md)
+## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)
+## [Management tool for the Windows Store for Business](management-tool-for-windows-store-for-business.md)
+### [REST API reference for Windows Store for Business](rest-api-reference-windows-store-for-business.md)
+#### [Data structures for Windows Store for Business](data-structures-windows-store-for-business.md)
+#### [Get Inventory](get-inventory.md)
+#### [Get product details](get-product-details.md)
+#### [Get localized product details](get-localized-product-details.md)
+#### [Get offline license](get-offline-license.md)
+#### [Get product packages](get-product-packages.md)
+#### [Get product package](get-product-package.md)
+#### [Get seats](get-seats.md)
+#### [Get seat](get-seat.md)
+#### [Assign seats](assign-seats.md)
+#### [Reclaim seat from user](reclaim-seat-from-user.md)
+#### [Bulk assign and reclaim seats from users](bulk-assign-and-reclaim-seats-from-user.md)
+#### [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
+## [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
+## [Certificate renewal](certificate-renewal-windows-mdm.md)
+## [Disconnecting from the management infrastructure (unenrollment)](disconnecting-from-mdm-unenrollment.md)
+## [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
+## [Push notification support for device management](push-notification-windows-mdm.md)
+## [OMA DM protocol support](oma-dm-protocol-support.md)
+## [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
+## [Server requirements for OMA DM](server-requirements-windows-mdm.md)
+## [DMProcessConfigXMLFiltered](dmprocessconfigxmlfiltered.md)
+## [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
+## [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
+## [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md)
+### [Design a custom configuration service provider](design-a-custom-windows-csp.md)
+### [IConfigServiceProvider2](iconfigserviceprovider2.md)
+#### [IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md)
+#### [IConfigServiceProvider2::GetNode](iconfigserviceprovider2getnode.md)
+### [ICSPNode](icspnode.md)
+#### [ICSPNode::Add](icspnodeadd.md)
+#### [ICSPNode::Clear](icspnodeclear.md)
+#### [ICSPNode::Copy](icspnodecopy.md)
+#### [ICSPNode::DeleteChild](icspnodedeletechild.md)
+#### [ICSPNode::DeleteProperty](icspnodedeleteproperty.md)
+#### [ICSPNode::Execute](icspnodeexecute.md)
+#### [ICSPNode::GetChildNodeNames](icspnodegetchildnodenames.md)
+#### [ICSPNode::GetProperty](icspnodegetproperty.md)
+#### [ICSPNode::GetPropertyIdentifiers](icspnodegetpropertyidentifiers.md)
+#### [ICSPNode::GetValue](icspnodegetvalue.md)
+#### [ICSPNode::Move](icspnodemove.md)
+#### [ICSPNode::SetProperty](icspnodesetproperty.md)
+#### [ICSPNode::SetValue](icspnodesetvalue.md)
+### [ICSPNodeTransactioning](icspnodetransactioning.md)
+### [ICSPValidate](icspvalidate.md)
+### [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md)
+## [Configuration service provider reference](configuration-service-provider-reference.md)
+### [ActiveSync CSP](activesync-csp.md)
+#### [ActiveSync DDF file](activesync-ddf-file.md)
+### [AllJoynManagement CSP](alljoynmanagement-csp.md)
+#### [AllJoynManagement DDF](alljoynmanagement-ddf.md)
+### [APPLICATION CSP](application-csp.md)
+### [AppLocker CSP](applocker-csp.md)
+#### [AppLocker DDF file](applocker-ddf-file.md)
+#### [AppLocker XSD](applocker-xsd.md)
+### [AssignedAccess CSP](assignedaccess-csp.md)
+#### [AssignedAccess DDF file](assignedaccess-ddf.md)
+### [BitLocker CSP](bitlocker-csp.md)
+#### [BitLocker DDF file](bitlocker-ddf-file.md)
+### [BOOTSTRAP CSP](bootstrap-csp.md)
+### [BrowserFavorite CSP](browserfavorite-csp.md)
+### [CellularSettings CSP](cellularsettings-csp.md)
+### [CertificateStore CSP](certificatestore-csp.md)
+#### [CertificateStore DDF file](certificatestore-ddf-file.md)
+### [CleanPC CSP](cleanpc-csp.md)
+#### [CleanPC DDF](cleanpc-ddf.md)
+### [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
+#### [ClientCertificateInstall DDF file](clientcertificateinstall-ddf-file.md)
+### [CM_CellularEntries CSP](cm-cellularentries-csp.md)
+### [CM_ProxyEntries CSP](cm-proxyentries-csp.md)
+### [CMPolicy CSP](cmpolicy-csp.md)
+### [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)
+#### [CMPolicyEnterprise DDF file](cmpolicyenterprise-ddf-file.md)
+### [CustomDeviceUI CSP](customdeviceui-csp.md)
+#### [CustomDeviceUI DDF file](customdeviceui-ddf.md)
+### [Defender CSP](defender-csp.md)
+#### [Defender DDF file](defender-ddf.md)
+### [DevDetail CSP](devdetail-csp.md)
+#### [DevDetail DDF file](devdetail-ddf-file.md)
+### [DeveloperSetup CSP](developersetup-csp.md)
+#### [DeveloperSetup DDF](developersetup-ddf.md)
+### [DeviceInstanceService CSP](deviceinstanceservice-csp.md)
+### [DeviceLock CSP](devicelock-csp.md)
+#### [DeviceLock DDF file](devicelock-ddf-file.md)
+### [DeviceManageability CSP](devicemanageability-csp.md)
+#### [DeviceManageability DDF](devicemanageability-ddf.md)
+### [DeviceStatus CSP](devicestatus-csp.md)
+#### [DeviceStatus DDF](devicestatus-ddf.md)
+### [DevInfo CSP](devinfo-csp.md)
+#### [DevInfo DDF file](devinfo-ddf-file.md)
+### [DiagnosticLog CSP](diagnosticlog-csp.md)
+#### [DiagnosticLog DDF file](diagnosticlog-ddf.md)
+### [DMAcc CSP](dmacc-csp.md)
+#### [DMAcc DDF file](dmacc-ddf-file.md)
+### [DMClient CSP](dmclient-csp.md)
+#### [DMClient DDF file](dmclient-ddf-file.md)
+### [DMSessionActions CSP](dmsessionactions-csp.md)
+#### [DMSessionActions DDF file](dmsessionactions-ddf.md)
+### [DynamicManagement CSP](dynamicmanagement-csp.md)
+#### [DynamicManagement DDF file](dynamicmanagement-ddf.md)
+### [EMAIL2 CSP](email2-csp.md)
+#### [EMAIL2 DDF file](email2-ddf-file.md)
+### [EnterpriseAPN CSP](enterpriseapn-csp.md)
+#### [EnterpriseAPN DDF](enterpriseapn-ddf.md)
+### [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
+### [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
+#### [EnterpriseAppVManagement DDF file](enterpriseappvmanagement-ddf.md)
+### [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
+#### [EnterpriseAssignedAccess DDF file](enterpriseassignedaccess-ddf.md)
+#### [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md)
+### [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
+#### [EnterpriseDataProtection DDF file](enterprisedataprotection-ddf-file.md)
+### [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)
+#### [EnterpriseDesktopAppManagement DDF](enterprisedesktopappmanagement-ddf-file.md)
+#### [EnterpriseDesktopAppManagement XSD](enterprisedesktopappmanagement2-xsd.md)
+### [EnterpriseExt CSP](enterpriseext-csp.md)
+#### [EnterpriseExt DDF file](enterpriseext-ddf.md)
+### [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)
+#### [EnterpriseExtFileSystem DDF file](enterpriseextfilesystem-ddf.md)
+### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
+#### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
+#### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
+### [FileSystem CSP](filesystem-csp.md)
+### [Firewall CSP](firewall-csp.md)
+### [HealthAttestation CSP](healthattestation-csp.md)
+#### [HealthAttestation DDF](healthattestation-ddf.md)
+### [HotSpot CSP](hotspot-csp.md)
+### [Maps CSP](maps-csp.md)
+#### [Maps DDF](maps-ddf-file.md)
+### [Messaging CSP](messaging-csp.md)
+#### [Messaging DDF file](messaging-ddf.md)
+### [NAP CSP](nap-csp.md)
+### [NAPDEF CSP](napdef-csp.md)
+### [NetworkProxy CSP](networkproxy-csp.md)
+#### [NetworkProxy DDF file](networkproxy-ddf.md)
+### [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
+#### [NetworkQoSPolicy DDF file](networkqospolicy-ddf.md)
+### [NodeCache CSP](nodecache-csp.md)
+#### [NodeCache DDF file](nodecache-ddf-file.md)
+### [Office CSP](office-csp.md)
+#### [Office DDF](office-ddf.md)
+### [PassportForWork CSP](passportforwork-csp.md)
+#### [PassportForWork DDF file](passportforwork-ddf.md)
+### [Personalization CSP](personalization-csp.md)
+#### [Personalization DDF file](personalization-ddf.md)
+### [Policy CSP](policy-configuration-service-provider.md)
+#### [Policy DDF file](policy-ddf-file.md)
+#### [ApplicationRestrictions XSD](applicationrestrictions-xsd.md)
+### [PolicyManager CSP](policymanager-csp.md)
+### [Provisioning CSP](provisioning-csp.md)
+### [PROXY CSP](proxy-csp.md)
+### [PXLOGICAL CSP](pxlogical-csp.md)
+### [Reboot CSP](reboot-csp.md)
+#### [Reboot DDF file](reboot-ddf-file.md)
+### [Registry CSP](registry-csp.md)
+#### [Registry DDF file](registry-ddf-file.md)
+### [RemoteFind CSP](remotefind-csp.md)
+#### [RemoteFind DDF file](remotefind-ddf-file.md)
+### [RemoteLock CSP](remotelock-csp.md)
+#### [RemoteLock DDF file](remotelock-ddf-file.md)
+### [RemoteRing CSP](remotering-csp.md)
+#### [RemoteRing DDF file](remotering-ddf-file.md)
+### [RemoteWipe CSP](remotewipe-csp.md)
+#### [RemoteWipe DDF file](remotewipe-ddf-file.md)
+### [Reporting CSP](reporting-csp.md)
+#### [Reporting DDF file](reporting-ddf-file.md)
+### [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
+#### [RootCATrustedCertificates DDF file](rootcacertificates-ddf-file.md)
+### [SecureAssessment CSP](secureassessment-csp.md)
+#### [SecureAssessment DDF file](secureassessment-ddf-file.md)
+### [SecurityPolicy CSP](securitypolicy-csp.md)
+### [SharedPC CSP](sharedpc-csp.md)
+#### [SharedPC DDF file](sharedpc-ddf-file.md)
+### [Storage CSP](storage-csp.md)
+#### [Storage DDF file](storage-ddf-file.md)
+### [SUPL CSP](supl-csp.md)
+#### [SUPL DDF file](supl-ddf-file.md)
+### [SurfaceHub CSP](surfacehub-csp.md)
+#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
+### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
+#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
+### [Update CSP](update-csp.md)
+#### [Update DDF file](update-ddf-file.md)
+### [VPN CSP](vpn-csp.md)
+#### [VPN DDF file](vpn-ddf-file.md)
+### [VPNv2 CSP](vpnv2-csp.md)
+#### [VPNv2 DDF file](vpnv2-ddf-file.md)
+#### [ProfileXML XSD](vpnv2-profile-xsd.md)
+#### [EAP configuration](eap-configuration.md)
+### [w4 APPLICATION CSP](w4-application-csp.md)
+### [w7 APPLICATION CSP](w7-application-csp.md)
+### [WiFi CSP](wifi-csp.md)
+#### [WiFi DDF file](wifi-ddf-file.md)
+### [Win32AppInventory CSP](win32appinventory-csp.md)
+#### [Win32AppInventory DDF file](win32appinventory-ddf-file.md)
+### [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
+#### [WindowsAdvancedThreatProtection DDF file](windowsadvancedthreatprotection-ddf.md)
+### [WindowsLicensing CSP](windowslicensing-csp.md)
+#### [WindowsLicensing DDF file](windowslicensing-ddf-file.md)
+### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
+#### [WindowsSecurityAuditing DDF file](windowssecurityauditing-ddf-file.md)
+
diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md
new file mode 100644
index 0000000000..a395891a14
--- /dev/null
+++ b/windows/client-management/mdm/activesync-csp.md
@@ -0,0 +1,265 @@
+---
+title: ActiveSync CSP
+description: ActiveSync CSP
+ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# ActiveSync CSP
+
+
+The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
+
+Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
+
+> **Note**  
+The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
+
+On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
+
+The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
+
+ 
+
+The following diagram shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+
+![activesync csp (cp)](images/provisioning-csp-activesync-cp.png)
+
+**./User/Vendor/MSFT/ActiveSync**
+The root node for the ActiveSync configuration service provider.
+
+> **Note**  
+The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
+
+On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
+
+The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term. 
+
+ 
+
+The supported operation is Get.
+
+**Accounts**
+The root node for all ActiveSync accounts.
+
+The supported operation is Get.
+
+***Account GUID***
+Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device.
+
+Supported operations are Get, Add, and Delete.
+
+When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account.
+
+Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example:
+
+``` syntax
+
+```
+
+For OMA DM, you must use the ASCII values of %7B and %7D for the opening and closing braces, respectively. For example, if the GUID is "C556E16F-56C4-4EDB-9C64-D9469EE1FBE0", type:
+
+``` syntax
+
+
+ ./Vendor/MSFT/ActiveSync/Accounts/%7BC556E16F-56C4-4EDB-9C64-D9469EE1FBE0%7D
+
+
+```
+
+***Account GUID*/EmailAddress**
+Required. A character string that specifies the email address associated with the Exchange ActiveSync account.
+
+Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+
+This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com".
+
+***Account GUID*/Domain**
+Optional for Exchange. Specifies the domain name of the Exchange server.
+
+Supported operations are Get, Replace, Add, and Delete.
+
+***Account GUID*/AccountIcon**
+Required. A character string that specifies the location of the icon associated with the account.
+
+Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+
+The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings > email & accounts**. Some icons are already provided on the device. 
The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
+
+***Account GUID*/AccountType**
+Required. A character string that specifies the account type.
+
+Supported operations are Get and Add (cannot Add after the account is created).
+
+This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange".
+
+***Account GUID*/AccountName**
+Required. A character string that specifies the name that refers to the account on the device.
+
+Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+
+***Account GUID*/Password**
+Required. A character string that specifies the password for the account.
+
+Supported operations are Get, Replace, Add, and Delete.
+
+For the Get command, only asterisks are returned.
+
+***Account GUID*/ServerName**
+Required. A character string that specifies the server name used by the account.
+
+Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+
+***Account GUID*/UserName**
+Required. A character string that specifies the user name for the account.
+
+Supported operations are Get, and Add (cannot Add after the account is created).
+
+The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
+
+**Options**
+Node for other parameters. 
+
+**Options/CalendarAgeFilter**
+Specifies the time window used for syncing calendar items to the device. Value type is chr.
+
+**Options/Logging**
+Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled).
+
+Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+
+Valid values are one of the following:
+
+- 0 (default) - Logging is off.
+
+- 1 - Basic logging is enabled.
+
+- 2 - Advanced logging is enabled.
+
+Logging is set to off by default. The user might be asked to set this to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
+
+**Options/MailBodyType**
+Indicates the email format. Valid values:
+
+- 0 - none
+- 1 - text
+- 2 - HTML
+- 3 - RTF
+- 4 - MIME
+
+**Options/MailHTMLTruncation**
+Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
+
+**Options/MailPlainTextTruncation**
+This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
+
+**Options/UseSSL**
+Optional. A character string that specifies whether SSL is used.
+
+Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+
+Valid values are:
+
+- 0 - SSL is not used.
+
+- 1 (default) - SSL is used.
+
+**Options/Schedule**
+Required. A character string that specifies the time until the next sync is performed, in minutes. The default value is -1.
+
+Supported operations are Get and Replace. 
+
+Valid values are one of the following:
+
+- -1 (default) - A sync will occur as items are received
+
+- 0 - All syncs must be performed manually
+
+- 15 - Sync every 15 minutes
+
+- 30 - Sync every 30 minutes
+
+- 60 - Sync every 60 minutes
+
+**Options/MailAgeFilter**
+Required. A character string that specifies the time window used for syncing email items to the device. The default value is 3.
+
+Supported operations are Get and Replace.
+
+Valid values are one of the following:
+
+- 0 – No age filter is used, and all email items are synced to the device.
+
+- 2 – Only email up to three days old is synced to the device.
+
+- 3 (default) – Email up to a week old is synced to the device.
+
+- 4 – Email up to two weeks old is synced to the device.
+
+- 5 – Email up to a month old is synced to the device.
+
+**Options/ContentTypes/****_Content Type GUID_**
+Defines the type of content to be individually enabled/disabled for sync.
+
+The *GUID* values allowed are one of the following:
+
+- Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}"
+
+- Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}"
+
+- Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}"
+
+- Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}"
+
+**Options/ContentTypes/*Content Type GUID*/Enabled**
+Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled).
+
+Supported operations are Get, Replace, and Add (cannot Add after the account is created).
+
+Valid values are one of the following:
+
+- 0 - Sync for email, contacts, calendar, or tasks is disabled.
+- 1 (default) - Sync is enabled.
+
+**Options/ContentTypes/*Content Type GUID*/Name**
+Required. A character string that specifies the name of the content type.
+
+> **Note**  In Windows 10, this node is currently not working.
+
+ 
+
+Supported operations are Get, Replace, and Add (cannot Add after the account is created). 
+
+When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
+
+**Policies**
+Node for mail body type and email age filter.
+
+**Policies/MailBodyType**
+Required. Specifies the email body type: HTML or plain.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+**Policies/MaxMailAgeFilter**
+Required. Specifies the time window used for syncing mail items to the device.
+
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+
+## Related topics
+
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/activesync-ddf-file.md b/windows/client-management/mdm/activesync-ddf-file.md
new file mode 100644
index 0000000000..8aa90d6d7c
--- /dev/null
+++ b/windows/client-management/mdm/activesync-ddf-file.md
@@ -0,0 +1,693 @@ +--- +title: ActiveSync DDF file +description: ActiveSync DDF file +ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ActiveSync DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + + +]> + + 1.2 + + ActiveSync + ./Vendor/MSFT + + + + + The root node for ActiveSync configuration. + + + + + + + + + + + com.microsoft/1.0/MDM/ActiveSync + + + + Accounts + + + + + The parent node group all active sync accounts. + + + + + + + + + + + + + + + + + + + + + + + Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device. + + + + + + + + + + Account GUID + + + + + + EmailAddress + + + + + + + + The email address the user entered during setup. This is the email address that is associated with the Exchange ActiveSync account and it is required. + + + + + + + + + + + text/plain + + + + + Domain + + + + + + + + Domain name of the Exchange server + + + + + + + + + + + text/plain + + + + + AccountIcon + + + + + + + + Specify the location of the icon associated with the account. + + + + + + + + + + + text/plain + + + + + AccountType + + + + + + + + Specify the account type. + + + + + + + + + + + text/plain + + + + + AccountName + + + + + + + + The name that refers to the account on the phone. 
+ + + + + + + + + + + text/plain + + + + + Password + + + + + + + + A character string that specifies the password for the account. + + + + + + + + + + + text/plain + + + + + ServerName + + + + + + + + Specifies the server name used by the account. + + + + + + + + + + + text/plain + + + + + UserName + + + + + + + + Specifies the user name for the account. + + + + + + + + + + + text/plain + + + + + Options + + + + + + + + Specifies whether email, contacts, and calendar need to synchronize by default, and sets preference such as sync schedule, truncation sizes, and logging. + + + + + + + + + + + + + + + CalendarAgeFilter + + + + + + + + Specifies the time window used for syncing calendar items to the phone. + + + + + + + + + + + text/plain + + + + + Logging + + + + + + + + Specifies whether diagnostic logging is enabled and at what level. + + + + + + + + + + + text/plain + + + + + MailBodyType + + + + + + + + Indicates format type of the Email. Supported values are 0 (none), 1 (text), 2 (HTML), 3 (RTF), and 4 (MIME). + + + + + + + + + + + text/plain + + + + + MailHTMLTruncation + + + + + + + + This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. + + + + + + + + + + + text/plain + + + + + MailPlainTextTruncation + + + + + + + + This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation. + + + + + + + + + + + text/plain + + + + + Schedule + + + + + + + + Specifies the time until the next sync is performed in minutes. + + + + + + + + + + + text/plain + + + + + UseSSL + + + + + + + + Specifies whether SSL is used. + + + + + + + + + + + text/plain + + + + + MailAgeFilter + + + + + + + + Specifies the time window used for syncing email items to the phone. 
+ + + + + + + + + + + text/plain + + + + + ContentTypes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1} + + + + + 1 + + + + + Content Type GUID + + + + + + Enabled + + + + + + + + Enables or disables Sync for Email, contacts, calendar, and Tasks. + + + + + + + + + + + text/plain + + + + + Name + + + + + + + + The name of the content type. + + + + + + + + + + + text/plain + + + + + + + + Policies + + + + + + + + Specifies the mail body type and email age filter. + + + + + + + + + + + + + + + MailBodyType + + + + + + + + Specifies the email body type. HTML or plain + + + + + + + + + + + text/plain + + + + + MaxMailAgeFilter + + + + + + + + Specifies the time window used for syncing mail items to the device. + + + + + + + + + + + text/plain + + + + + + + + +``` + +## Related topics + + +[ActiveSync configuration service provider](activesync-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md new file mode 100644 index 0000000000..e1c6986fe5 --- /dev/null +++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md 
@@ -0,0 +1,97 @@
+---
+title: Add an Azure AD tenant and Azure AD subscription
+description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
+ms.assetid: 36D94BEC-A6D8-47D2-A547-EBD7B7D163FA
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Add an Azure AD tenant and Azure AD subscription
+
+Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
+
+> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription)
+
+
+1. Sign-up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
+
+ ![sign up for azure ad tenant](images/azure-ad-add-tenant1.png)
+
+2. Enter the information for your organization. Click **check availability** to verify that domain name that you selected is available.
+
+ ![sign up for azure ad](images/azure-ad-add-tenant2.png)
+
+3. Complete the login and country information. You must provide a valid phone number, then click **Send text message** or **Call me**.
+
+ ![create azure account](images/azure-ad-add-tenant3.png)
+
+4. Enter the code that you receive and then click **Verify code**. After the code is verified and the continue button turns green, click **continue**.
+
+ ![add aad tenant](images/azure-ad-add-tenant3-b.png)
+
+5. After you finish creating your Azure account, you are ready to add an Azure AD subscription. 
+
+ If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to Office 356 portal, and then sign in using the admin account that you just created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
+
+ ![login to office 365](images/azure-ad-add-tenant4.png)
+
+6. Click **Install software**.
+
+ ![login to office 365](images/azure-ad-add-tenant5.png)
+
+7. In the Office 365 portal, select **Purchase Services** from the left nagivation.
+
+ ![purchase service option in admin center menu](images/azure-ad-add-tenant6.png)
+
+8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then click to purchase.
+
+ ![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png)
+
+9. Continue with your purchase.
+
+ ![azure active directory premium payment page](images/azure-ad-add-tenant8.png)
+
+10. After the purchase is completed, you can login to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc...).
+
+ ![admin center left navigation menu](images/azure-ad-add-tenant9.png)
+
+ When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
+
+## Register your free Azure Active Directory subscription
+
+If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
+
+1. Sign in to the Office 365 portal at using your organization's account.
+
+ ![register azuread](images/azure-ad-add-tenant10.png)
+
+2. On the **Home** page, click on the Admin tools icon.
+
+ ![register azuread](images/azure-ad-add-tenant11.png)
+
+3. 
On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
+
+ ![register azuread](images/azure-ad-add-tenant12.png)
+
+4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
+
+ ![register azuread](images/azure-ad-add-tenant13.png)
+
+5. It may take a few minutes to process the request.
+
+ ![register azuread](images/azure-ad-add-tenant14.png)
+
+6. You will see a welcome page when the process completes.
+
+ ![register azuread](images/azure-ad-add-tenant15.png)
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/alljoynmanagement-csp.md b/windows/client-management/mdm/alljoynmanagement-csp.md
new file mode 100644
index 0000000000..0746ed4175
--- /dev/null
+++ b/windows/client-management/mdm/alljoynmanagement-csp.md
@@ -0,0 +1,147 @@
+---
+title: AllJoynManagement CSP
+description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
+ms.assetid: 468E0EE5-EED3-48FF-91C0-89F9D159AA8C
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# AllJoynManagement CSP
+
+
+The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
+
+> **Note**  
+The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
+
+This CSP was added in Windows 10, version 1511.
+
+ 
+
+For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](http://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](http://go.microsoft.com/fwlink/p/?LinkId=615877). 
+
+The following diagram shows the AllJoynManagement configuration service provider in tree format
+
+![alljoynmanagement csp diagram](images/provisioning-csp-alljoynmanagement.png)
+
+The following list describes the characteristics and parameters.
+
+**./Vendor/MSFT/AllJoynManagement**
+The root node for the AllJoynManagement configuration service provider.
+
+**Services**
+List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
+
+**Services/****_Node name_**
+The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
+
+**Services/*Node name*/Port**
+The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports.
+
+**Services/*Node name*/Port/****_Node name_**
+Port number used for communication. This is specified by the configurable AllJoyn object and reflected here.
+
+**Services/*Node name*/Port/*Node name*/CfgObject**
+The set of configurable interfaces that are available on the port of the AllJoyn object.
+
+**Services/*Node name*/Port/*Node name*/CfgObject/****_Node name_**
+The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
+
+For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
+
+**Credentials**
+This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
+
+When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase. 
+ +**Credentials/****_Node name_** +This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID. + +**Credentials/*Node name*/Key** +An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard. + +**Firewall** +Firewall setting for the AllJoyn service. + +**Firewall/PublicProfile** +Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for public network profile. + +**Firewall/PrivateProfile** +Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for private network profile. + +## Examples + + +Set adapter configuration + +``` syntax + +SyncML xmlns="SYNCML:SYNCML1.2"> + + + 2 + + + ./Vendor/MSFT/AllJoynManagement/Services/_ALLJOYN_DEVICE_ID_/Port/27/Configuration/%2FDSBService%2FAdapterConfig + + + b64 + PAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgA/AD4ADQAKADwAQgBhAGMATgBlAHQAQwBmAGcAPgANAAoACQA8AEIAQgBNAEQAUwBlAHIAdgBlAHIAPgANAAoACQAJADwASQBQAEEAZABkAHIAZQBzAHMAPgAxADIANwAuADAALgAwAC4AMQA8AC8ASQBQAEEAZABkAHIAZQBzAHMAPgANAAoACQAJADwAUABvAHIAdAA+ADQANwA4ADAAOAA8AC8AUABvAHIAdAA+AA0ACgAJADwALwBCAEIATQBEAFMAZQByAHYAZQByAD4ADQAKADwALwBCAGEAYwBOAGUAdABDAGYAZwA+AA0ACgAAAA== + + + + + +``` + +You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting. + +Get PIN data + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/AllJoynManagement/Credentials?list=StructData + + + + + + +``` + +Get the firewall PrivateProfile + +``` syntax + + + + 1 + + + ./Vendor/MSFT/AllJoynManagement/Firewall/PrivateProfile + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/alljoynmanagement-ddf.md b/windows/client-management/mdm/alljoynmanagement-ddf.md new file mode 100644 index 0000000000..ebc2840da3 --- /dev/null +++ b/windows/client-management/mdm/alljoynmanagement-ddf.md 
@@ -0,0 +1,339 @@ +--- +title: AllJoynManagement DDF +description: AllJoynManagement DDF +ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# AllJoynManagement DDF + + +This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511. + +You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). + +``` syntax + +]> + + 1.2 + + AllJoynManagement + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + Services + + + + + This is the list of AllJoyn Objects that are discovered on the AllJoyn bus. Only AllJoyn Objects that expose the "com.microsoft.alljoynmanagement.config" will be shown here. + + + + + + + + + + + + + + + + + + + + The Unique AllJoyn About Device ID, a GUID, that Hosts one or more configurable objects +. + + + + + + + + + + + ServiceID + + + + + + Port + + + + + The set of Ports that this AllJoyn Object uses to communicate configuration settings through. + +Typically, only one port is used for communication, but it is possible that additional ports may be specified. + + + + + + + + + + + + + + + + + + + + The AllJoyn Port Number to communicate on. This is specified by the Configurable AllJoyn Object and is reflected here. + + + + + + + + + + PortNum + + + + + + CfgObject + + + + + The set of configurable interfaces that are available on the Port of the AllJoyn Object + + + + + + + + + + + + + + + + + + + + The remainder of this URI is an escaped path to the Configurable AllJoyn Object Hosted by the parent ServiceID and Accessible by the parent PortNum. 
+ +For example an AllJoyn Bridge with the Microsoft specific AllJoyn Configuration Interface "\ASBService\BridgeConfig" would be specified in the URI as: %2FASBService%2FBridgeConfig + + + + + + + + + + + CfgObjectPath + + + + + + + + + + + + Credentials + + + + + This is the Credential Store. An Administrator can set credentials for each AllJoyn device that requires authentication at this node. +If a SYNCML request arrives in the CSP to replace or query a configuration item on an AllJoyn Object that requires authentication, then the CSP will use the Credentials stored here during the authentication phase. + + + + + + + + + + + + + + + + + + + + + + This is the same ServiceID as specified in the \AllJoynManagement\Services\ServiceID URI. + +It is typically implemented as a GUID. + + + + + + + + + + + + + ServiceID + + + + + + Key + + + + + + An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard + + + + + + + + + + + + + + text/plain + + + + + + + Firewall + + + + + Firewall setting for the AllJoyn service (AJRouter.dll). + + + + + + + + + + + + + + + PublicProfile + + + + + + Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for Public network profile. + + + + + + + + + + + text/plain + + + + + PrivateProfile + + + + + Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for Private network profile. + + + + + + + + + + + text/plain + + + + + + +``` + +## Related topics + + +[AllJoynManagement configuration service provider](alljoynmanagement-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/application-csp.md b/windows/client-management/mdm/application-csp.md new file mode 100644 index 0000000000..463b2e0c07 --- /dev/null +++ b/windows/client-management/mdm/application-csp.md 
@@ -0,0 +1,40 @@
+---
+title: APPLICATION configuration service provider
+description: APPLICATION configuration service provider
+ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# APPLICATION configuration service provider
+
+
+The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
+
+OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports.
+
+- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
+
+- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
+
+The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
+
+For the device to decode correctly, provisioning XML that contains the APPLICATION characteristic must support OMA Client Provisioning version 1.1.
+
+## Related topics
+
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/applicationrestrictions-xsd.md b/windows/client-management/mdm/applicationrestrictions-xsd.md
new file mode 100644
index 0000000000..312d90524e
--- /dev/null
+++ b/windows/client-management/mdm/applicationrestrictions-xsd.md
@@ -0,0 +1,126 @@ +--- +title: ApplicationRestrictions XSD +description: Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy. +ms.assetid: A5AA2B59-3736-473E-8F70-A90FD61EE426 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ApplicationRestrictions XSD + + +Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy. + +``` syntax + + + + + + + + + + + + + + + + + + + + + GUID must use lowercase letters + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md new file mode 100644 index 0000000000..a73544002c --- /dev/null +++ b/windows/client-management/mdm/applocker-csp.md 
@@ -0,0 +1,1410 @@ +--- +title: AppLocker CSP +description: AppLocker CSP +ms.assetid: 32FEA2C9-3CAD-40C9-8E4F-E3C69637580F +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# AppLocker CSP + + +The AppLocker configuration service provider is used to specify which applications are allowed or disallowed. There is no user interface shown for apps that are blocked. + +> **Note**   +> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. +> +> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. +> +> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node. + + +The following diagram shows the AppLocker configuration service provider in tree format. + +![applocker csp](images/provisioning-csp-applocker.png) + +**./Vendor/MSFT/AppLocker** +Defines the root node for the AppLocker configuration service provider. + +**ApplicationLaunchRestrictions** +Defines restrictions for applications. + +> **Note**   +> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. 
Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need. +> +> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps. + +Additional information: + +- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps. +- [Whitelist example](#whitelist-example) - example for Windows 10 Mobile that denies all apps except the ones listed. + +**EnterpriseDataProtection** +Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md). + +In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data. + +You can set the allowed list using the following URI: +- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy +- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/StoreApps/Policy + +You can set the exempt list using the following URI. The _Grouping_ string must contain the keyword "EdpExempt" anywhere to help distinguish the exempt list from the allowed list. 
The "EdpExempt" keyword is also evaluated in a case-insensitive manner: +- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/EXE/Policy +- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping includes "EdpExempt"_/StoreApps/Policy + +Exempt examples: +- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/ContosoEdpExempt/EXE/Policy +- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/xxxxxEdpExemptxxxxx/EXE/Policy + +Additional information: + +- [Recommended deny list for Windows Information Protection](#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. + +Each of the previously listed nodes contains a **Grouping** node. + +
++++ + + + + + + + + + + + + +
TermDescription

Grouping

Grouping nodes are dynamic nodes, and there may be any number of them for a given enrollment (or a given context). The actual identifiers are selected by the management endpoint, whose job it is to determine what their purpose is, and to not conflict with other identifiers that they define.

+

Different enrollments and contexts may use the same Authority identifier, even if many such identifiers are active at the same time.

+

Supported operations are Get, Add, Delete, and Replace.

+ +  + +In addition, each **Grouping** node contains one or more of the following nodes: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
TermDescription

EXE

Defines restrictions for launching executable applications.

+

Supported operations are Get, Add, Delete, and Replace.

MSI

Defines restrictions for executing Windows Installer files.

+

Supported operations are Get, Add, Delete, and Replace.

Script

Defines restrictions for running scripts.

+

Supported operations are Get, Add, Delete, and Replace.

StoreApps

Defines restrictions for running apps from the Windows Store.

+

Supported operations are Get, Add, Delete, and Replace.

DLL

Defines restrictions for processing DLL files.

+

Supported operations are Get, Add, Delete, and Replace.

CodeIntegrity

This node is only supported on the desktop. Supported operations are Get, Add, Delete, and Replace.

+ +  + +Each of the previous nodes contains one or more of the following leaf nodes: + + ++++ + + + + + + + + + + + + + + + + + + + + +
TermDescription

Policy

Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

+

Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.

+

For CodeIntegrity/Policy, you can use the [certutil -encode](http://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.

+

Data type is string. Supported operations are Get, Add, Delete, and Replace.

EnforcementMode

The EnforcementMode node for Windows Information Protection (formerly known as Enterprise Data Protection) does not affect the behavior of EnterpriseDataProtection. The EDPEnforcementLevel from Policy CSP should be used to enable and disable Windows Information Protection (formerly known as Enterprise Data Protection).

+

The data type is a string. Supported operations are Get, Add, Delete, and Replace.

NonInteractiveProcessEnforcement

The data type is a string.

+

Supported operations are Add, Delete, Get, and Replace.

+ +  + +## Find publisher and product name of apps + + +You can pair a Windows Phone (Windows 10 Mobile, version 1511) to your desktop using the Device Portal on the phone to get the various types of information, including publisher name and product name of apps installed on the phone. This procedure describes pairing your phone to your desktop using WiFi. + +If this procedure does not work for you, try the other methods for pairing described in [Device Portal for Mobile](https://msdn.microsoft.com/windows/uwp/debug-test-perf/device-portal-mobile). + +**To find Publisher and PackageFullName for apps installed on Windows 10 Mobile** + +1. On your Windows Phone, go to **Settings**. Choose **Update & security**. Then choose **For developers**. +2. Choose **Developer mode**. +3. Turn on **Device discovery**. +4. Turn on **Device Portal** and keep **AuthenticationOn**. +5. Under the **Device Portal**, under **Connect using: WiFi**, copy the URL to your desktop browser to connect using WiFi. + + If you get a certificate error, continue to the web page. + + If you get an error about not reaching the web page, then you should try the other methods for pairing described in [Device Portal for Mobile](https://msdn.microsoft.com/windows/uwp/debug-test-perf/device-portal-mobile). + +6. On your phone under **Device discovery**, tap **Pair**. You will get a code (case sensitive). +7. On the browser on the **Set up access page**, enter the code (case sensitive) into the text box and click **Submit**. + + The **Device Portal** page opens on your browser. + + ![device portal screenshot](images/applocker-screenshot1.png) + +8. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**. +9. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps. + + ![device portal app manager](images/applocker-screenshot3.png) + +10. If you do not see the app that you want, look under **Installed apps**. 
Using the drop down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed. + + ![app manager](images/applocker-screenshot2.png) + +The following table show the mapping of information to the AppLocker publisher rule field. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Device portal dataAppLocker publisher rule field

PackageFullName

ProductName

+

The product name is first part of the PackageFullName followed by the version number. In the Windows Camera example, the ProductName is Microsoft.WindowsCamera.

Publisher

Publisher

Version

Version

+

This can be used either in the HighSection or LowSection of the BinaryVersionRange.

+

HighSection defines the highest version number and LowSection defines the lowest version number that should be trusted. You can use a wildcard for both versions to make a version independent rule. Using a wildcard for one of the values will provide higher than or lower than a specific version semantics.

+ +  + +Here is an example AppLocker publisher rule: + +``` syntax +FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*"> + + +``` + +You can get the publisher name and product name of apps using a web API. + +**To find publisher and product name for Microsoft apps in Windows Store for Business** + +1. Go to the Windows Store for Business website, and find your app. For example, Microsoft OneNote. +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https:<\span>//www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**. +3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. + + + + + + + + + + + + + + + +
Request URI

https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/{app ID}/applockerdata

+ +   + + Here is the example for Microsoft OneNote: + + Request + + ``` syntax + https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata + ``` + + Result + + ``` syntax + { + "packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe", + "packageIdentityName": "Microsoft.Office.OneNote", + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` + + ++++ + + + + + + + + + + + + + + + + + + + + +
Result dataAppLocker publisher rule field

packageIdentityName

ProductName

publisherCertificateName

Publisher

windowsPhoneLegacyId

Same value maps to the ProductName and Publisher name

+

This value will only be present if there is a XAP package associated with the app in the Store.

+

If this value is populated then the simple thing to do to cover both the AppX and XAP package would be to create two rules for the app. One rule for AppX using the packageIdentityName and publisherCertificateName value and anothe one using the windowsPhoneLegacyId value.

+ +  + +## Settings apps that rely on splash apps + + +When you create a list of allowed apps in Windows 10 Mobile, you must also include the subset of Settings apps that rely on splash apps in your list of allowed apps. These apps are blocked unless they are explicitly added to the list of allowed apps. The following table shows the subset of Settings apps that rely on splash apps . + +The product name is first part of the PackageFullName followed by the version number. + +| Settings app name | PackageFullName or Product name | ProductID | +|------------------------------------|-------------------------------------------------------------------------|--------------------------------------| +| Work or school account | Microsoft.AAD.BrokerPlugin | e5f8b2c4-75ae-45ee-9be8-212e34f77747 | +| Email and accounts | Microsoft.AccountsControl | 39cf127b-8c67-c149-539a-c02271d07060 | +| SettingsPageKeyboard | 5b04b775-356b-4aa0-aaf8-6491ffea5608\_1.1.0.0\_neutral\_\_cw8ffb7c56vgc | 5b04b775-356b-4aa0-aaf8-6491ffea5608 | +| SettingsPageTimeRegion | 5b04b775-356b-4aa0-aaf8-6491ffea560c\_1.0.0.0\_neutral\_\_gqhq4qhgje4fw | 5b04b775-356b-4aa0-aaf8-6491ffea560c | +| SettingsPagePCSystemBluetooth | 5b04b775-356b-4aa0-aaf8-6491ffea5620\_1.0.0.0\_neutral\_\_nvaj48k0z8te8 | 5b04b775-356b-4aa0-aaf8-6491ffea5620 | +| SettingsPageNetworkAirplaneMode | 5b04b775-356b-4aa0-aaf8-6491ffea5621\_1.0.0.0\_neutral\_\_f73kmnfsk0aj2 | 5b04b775-356b-4aa0-aaf8-6491ffea5621 | +| SettingsPageNetworkWiFi | 5b04b775-356b-4aa0-aaf8-6491ffea5623\_1.0.0.0\_neutral\_\_a3jhh70a240gm | 5b04b775-356b-4aa0-aaf8-6491ffea5623 | +| SettingsPageNetworkInternetSharing | 5b04b775-356b-4aa0-aaf8-6491ffea5629\_1.0.0.0\_neutral\_\_yqcw9dmx6t3pe | 5b04b775-356b-4aa0-aaf8-6491ffea5629 | +| SettingsPageAccountsWorkplace | 5b04b775-356b-4aa0-aaf8-6491ffea562a\_1.0.0.0\_neutral\_\_q1wjbr14bc3d0 | 5b04b775-356b-4aa0-aaf8-6491ffea562a | +| SettingsPageRestoreUpdate | 
5b04b775-356b-4aa0-aaf8-6491ffea5640\_1.0.0.0\_neutral\_\_j77gbj5kz730y | 5b04b775-356b-4aa0-aaf8-6491ffea5640 | +| SettingsPageKidsCorner | 5b04b775-356b-4aa0-aaf8-6491ffea5802\_1.0.0.0\_neutral\_\_1wmss2z3sft8c | 5b04b775-356b-4aa0-aaf8-6491ffea5802 | +| SettingsPageDrivingMode | 5b04b775-356b-4aa0-aaf8-6491ffea5804\_1.0.0.0\_neutral\_\_t553967svy34g | 5b04b775-356b-4aa0-aaf8-6491ffea5804 | +| SettingsPageTimeLanguage | 5b04b775-356b-4aa0-aaf8-6491ffea5808\_1.0.0.0\_neutral\_\_ecxasj38g8ynw | 5b04b775-356b-4aa0-aaf8-6491ffea5808 | +| SettingsPageAppsCorner | 5b04b775-356b-4aa0-aaf8-6491ffea580a\_1.0.0.0\_neutral\_\_4vefaa8deck74 | 5b04b775-356b-4aa0-aaf8-6491ffea580a | +| SettingsPagePhoneNfc | b0894dfd-4671-4bb9-bc17-a8b39947ffb6\_1.0.0.0\_neutral\_\_1prqnbg33c1tj | b0894dfd-4671-4bb9-bc17-a8b39947ffb6 | + +  + +## Inbox apps and components + + +The following list shows the apps that may be included in the inbox. + +> **Note**  This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. 
+ +  + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AppProduct IDProduct name
3D Viewerf41647c9-d567-4378-b2ab-7924e5a152f3Microsoft.Microsoft3DViewer

(Added in Windows 10, version 1703)

Advanced infob6e3e590-9fa5-40c0-86ac-ef475de98e88b6e3e590-9fa5-40c0-86ac-ef475de98e88
Age out worker09296e27-c9f3-4ab9-aa76-ecc4497d94bb
Alarms and clock44f7d2b4-553d-4bec-a8b7-634ce897ed5fMicrosoft.WindowsAlarms
App downloads20bf77a0-19c7-4daa-8db5-bc3dfdfa44ac
Assigned access lock appb84f4722-313e-4f85-8f41-cf5417c9c5cb
Bing lock images5f28c179-2780-41df-b966-27807b8de02c
Block and filter59553c14-5701-49a2-9909-264d034deb3d
Calculatorb58171c6-c70c-4266-a2e8-8f9c994f4456Microsoft.WindowsCalculator
Cameraf0d8fefd-31cd-43a1-a45a-d0276db069f1Microsoft.WindowsCamera
CertInstaller4c4ad968-7100-49de-8cd1-402e198d869e
Colour profileb08997ca-60ab-4dce-b088-f92e9c7994f3
Connectaf7d2801-56c0-4eb1-824b-dd91cdf7ece5Microsoft.DevicesFlow
Contact Support0db5fcff-4544-458a-b320-e352dfd9ca2bWindows.ContactSupport
Cortanafd68dcf4-166f-4c55-a4ca-348020f71b94Microsoft.Windows.Cortana
Email and accounts39cf127b-8c67-c149-539a-c02271d07060Microsoft.AccountsControl
Enterprise install appda52fa01-ac0f-479d-957f-bfe4595941cb
Equalizer373cb76e-7f6c-45aa-8633-b00e85c73261
Excelead3e7c0-fae6-4603-8699-6a448138f4dcMicrosoft.Office.Excel
Facebook82a23635-5bd9-df11-a844-00237de2db9eMicrosoft.MSFacebook
Field Medic73c58570-d5a7-46f8-b1b2-2a90024fc29c
File Explorerc5e2524a-ea46-4f67-841f-6a9465d9d515c5e2524a-ea46-4f67-841f-6a9465d9d515
FM Radiof725010e-455d-4c09-ac48-bcdef0d4b626f725010e-455d-4c09-ac48-bcdef0d4b626
Get Startedb3726308-3d74-4a14-a84c-867c8c735c3cMicrosoft.Getstarted
Glance106e0a97-8b19-42cf-8879-a8ed2598fcbb
Groove Musicd2b6a184-da39-4c9a-9e0a-8b589b03dec0Microsoft.ZuneMusic
Hands-Free Activationdf6c9621-e873-4e86-bb56-93e9f21b1d6f
Hands-Free Activation72803bd5-4f36-41a4-a349-e83e027c4722
HAP update background worker73c73cdd-4dea-462c-bd83-fa983056a4ef
Lumia motion data8fc25fd2-4e2e-4873-be44-20e57f6ec52b
Mapsed27a07e-af57-416b-bc0c-2596b622ef7dMicrosoft.WindowsMaps
Messaging27e26f40-e031-48a6-b130-d1f20388991aMicrosoft.Messaging
Microsoft account3a4fae89-7b7e-44b4-867b-f7e2772b8253Microsoft.CloudExperienceHost
Microsoft Edge395589fb-5884-4709-b9df-f7d558663ffdMicrosoft.MicrosoftEdge
Microsoft FrameworksProductID = 00000000-0000-0000-0000-000000000000 +

PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"

MiracastView906beeda-b7e6-4ddc-ba8d-ad5031223ef9906beeda-b7e6-4ddc-ba8d-ad5031223ef9
Money1e0440f1-7abf-4b9a-863d-177970eefb5eMicrosoft.BingFinance
Movies and TV6affe59e-0467-4701-851f-7ac026e21665Microsoft.ZuneVideo
Music downloads3da8a0c1-f7e5-47c0-a680-be8fd013f747
Navigation bar2cd23676-8f68-4d07-8dd2-e693d4b01279
Network services62f172d1-f552-4749-871c-2afd1c95c245
News9c3e8cad-6702-4842-8f61-b8b33cc9caf1Microsoft.BingNews
OneDrivead543082-80ec-45bb-aa02-ffe7f4182ba8Microsoft.MicrosoftSkydrive
OneNoteca05b3ab-f157-450c-8c49-a1f127f5e71dMicrosoft.Office.OneNote
Outlook Calendar and Maila558feba-85d7-4665-b5d8-a2ff9c19799bMicrosoft.WindowsCommunicationsApps
People60be1fb8-3291-4b21-bd39-2221ab166481Microsoft.People
Phone5b04b775-356b-4aa0-aaf8-6491ffea56115b04b775-356b-4aa0-aaf8-6491ffea5611
Phone (dialer)f41b5d0e-ee94-4f47-9cfe-3d3934c5a2c7Microsoft.CommsPhone
Phone reset dialog2864278d-09b5-46f7-b502-1c24139ecbdd
Photosfca55e1b-b9a4-4289-882f-084ef4145005Microsoft.Windows.Photos
Podcastsc3215724-b279-4206-8c3e-61d1a9d63ed3Microsoft.MSPodcast
Posdcast downloads063773e7-f26f-4a92-81f0-aa71a1161e30
Powerpointb50483c4-8046-4e1b-81ba-590b24935798Microsoft.Office.PowerPoint
PrintDialog0d32eeb1-32f0-40da-8558-cea6fcbec4a4Microsoft.PrintDialog
Purchase dialogc60e79ca-063b-4e5d-9177-1309357b2c3f
Rate your deviceaec3bfad-e38c-4994-9c32-50bd030730ec
RingtoneApp.WindowsPhone3e962450-486b-406b-abb5-d38b4ee7e6feMicrosoft.Tonepicker
Save ringtoned8cf8ec7-ec6d-4892-aab9-1e3a4b5fa24b
Settings2a4e62d8-8809-4787-89f8-69d0f01654fb2a4e62d8-8809-4787-89f8-69d0f01654fb
Setup wizard07d87655-e4f0-474b-895a-773790ad4a32
Sharingb0894dfd-4671-4bb9-bc17-a8b39947ffb6
Skypec3f8e570-68b3-4d6a-bdbb-c0a3f4360a51Microsoft.SkypeApp
Skype Video27e26f40-e031-48a6-b130-d1f20388991aMicrosoft.Messaging
Sports0f4c8c7e-7114-4e1e-a84c-50664db13b17Microsoft.BingSports
SSMHoste232aa77-2b6d-442c-b0c3-f3bb9788af2a
Start5b04b775-356b-4aa0-aaf8-6491ffea56025b04b775-356b-4aa0-aaf8-6491ffea5602
Storage5b04b775-356b-4aa0-aaf8-6491ffea564d5b04b775-356b-4aa0-aaf8-6491ffea564d
Store7d47d89a-7900-47c5-93f2-46eb6d94c159Microsoft.WindowsStore
Touch (gestures and touch)bbc57c87-46af-4c2c-824e-ac8104cceb38
Voice recorder7311b9c5-a4e9-4c74-bc3c-55b06ba95ad0Microsoft.WindowsSoundRecorder
Wallet587a4577-7868-4745-a29e-f996203f1462Microsoft.MicrosoftWallet
Wallet12ae577e-f8d1-4197-a207-4d24c309ff8fMicrosoft.Wallet
Weather63c2a117-8604-44e7-8cef-df10be3a57c8Microsoft.BingWeather
Windows default lock screencdd63e31-9307-4ccb-ab62-1ffa5721b503
Windows Feedback7604089d-d13f-4a2d-9998-33fc02b63ce3Microsoft.WindowsFeedback
Word258f115c-48f4-4adb-9a68-1387e634459bMicrosoft.Office.Word
Work or school accounte5f8b2c4-75ae-45ee-9be8-212e34f77747Microsoft.AAD.BrokerPlugin
Xboxb806836f-eebe-41c9-8669-19e243b81b83Microsoft.XboxApp
Xbox identity providerba88225b-059a-45a2-a8eb-d3580283e49dMicrosoft.XboxIdentityProvider
+ +  + +## Whitelist example + + +The following example for Windows 10 Mobile denies all apps and allows the following apps: + +- [settings app that rely on splash apps](#settingssplashapps) +- most of the [inbox apps](#inboxappsandcomponents), but not all. + +In this example, **MobileGroup0** is the node name. We recommend using a GUID for this node. + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MobileGroup0 + + + + + 2 + + + ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MobileGroup0/StoreApps + + + + + 3 + + + ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/MobileGroup0/StoreApps/Policy + + + chr + + +<RuleCollection Type="Appx" EnforcementMode="Enabled"> + + <FilePublisherRule Id="172B8ACE-AAF5-41FA-941A-93AEE126B4A9" Name="Default Rule to Deny ALL" Description="Deny all publisher" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="CN=*" ProductName="*" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="DDCD112F-E003-4874-8B3E-14CB23851D54" Name="Whitelist Settings splash app" Description="Allow Admins to run Settings." 
UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="2A4E62D8-8809-4787-89F8-69D0F01654FB" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="757D94A8-C752-4013-9896-D46EF10925E9" Name="Whitelist Settings WorkOrSchool" Description="Allow Admins to run WorkOrSchool" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA562A" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="473BCE1A-94D2-4AE1-8CB1-064B0677CACB" Name="Whitelist WorkPlace AAD BrokerPlugin" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.AAD.BrokerPlugin" BinaryName="*" > + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="E13EA64B-B0D3-4257-87F4-1B522D06EA03" Name="Whitelist Start" Description="Allow Admins to run Start." 
UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5602" BinaryName="*" > + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="2898C4B2-4B37-4BFF-8F7B-16B377EDEA88" Name="Whitelist SettingsPageKeyboard" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5608" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="15BBA04F-3989-4FF7-9FEF-83C4DFDABA27" Name="Whitelist SettingsPageTimeRegion" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea560c" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="C3735CB1-060D-4D40-9708-6D33B98A7A2D" Name="Whitelist SettingsPagePCSystemBluetooth" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5620" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="AFACF5A3-2974-41EE-A31A-1486F593C145" Name="Whitelist SettingsPageNetworkAirplaneMode" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5621" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + 
<FilePublisherRule Id="7B02A339-9E77-4694-AF86-119265138129" Name="Whitelist SettingsPageNetworkWiFi" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5623" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="F912172F-9D83-46F5-8D6C-BA7AB17063BE" Name="Whitelist SettingsPageNetworkInternetSharing" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5629" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="67AE8001-4E49-442A-AD72-F837129ABF63" Name="Whitelist SettingsPageRestoreUpdate" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5640" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="7B65BCB2-4B1D-42B6-921B-B87F1474BDC5" Name="Whitelist SettingsPageKidsCorner" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5802" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*"/> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + + <FilePublisherRule Id="3964A53B-E131-4ED6-88DA-71FBDBE4E232" Name="Whitelist SettingsPageDrivingMode" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"> + <Conditions> + <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5804" BinaryName="*"> + 
<BinaryVersionRange LowSection="*" HighSection="*"/>
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="99C4CD58-51A2-429A-B479-976ADB4EA757" Name="Whitelist SettingsPageTimeLanguage" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea5808" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*"/>
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="EBA3BCBE-4651-48CE-8F94-C5AC5D8F72FB" Name="Whitelist SettingsPageAppsCorner" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="5b04b775-356b-4aa0-aaf8-6491ffea580a" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*"/>
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="E16EABCC-46E7-4AB3-9F48-67FFF941BBDC" Name="Whitelist SettingsPagePhoneNfc" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="b0894dfd-4671-4bb9-bc17-a8b39947ffb6" BinaryName="*">
+ <BinaryVersionRange LowSection="*" HighSection="*"/>
+ </FilePublisherCondition>
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="1F4C3904-9976-4FEE-A492-5708F14EABA5" Name="Whitelist MSA Cloud Experience Host" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.CloudExperienceHost" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="AA741A28-7C02-49A5-AA5C-35D53FB8A9DC" Name="Whitelist Email and Accounts" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.AccountsControl" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="863BE063-D134-4C5C-9825-9DF9A86B6B56" Name="Whitelist Calculator" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCalculator" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="1DA2F479-3D1D-4425-9FFA-D4E6908F945A" Name="Whitelist Alarms and Clock" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsAlarms" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="18E12372-21C6-4DA5-970E-0A58739D7151" Name="Whitelist People" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.People" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="FD686D83-A829-4351-8FF4-27C7DE5755D2" Name="Whitelist Camera" Description="Allow Admins to run camera." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsCamera" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="16875F70-1778-43CC-96BB-783C9A8E53D5" Name="Whitelist WindowsMaps" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="D21D6F9D-CFF6-4AD1-867A-2411CE6A388D" Name="Whitelist FileExplorer" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="c5e2524a-ea46-4f67-841f-6a9465d9d515" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="450B6D7E-1738-41C9-9241-466C3FA4AB0C" Name="Whitelist FM Radio" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="F725010E-455D-4C09-AC48-BCDEF0D4B626" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="37F4272C-F4A0-4AB8-9B5F-C9194A0EC6F3" Name="Whitelist Microsoft Edge" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftEdge" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="253D3AEA-36C0-4877-B932-9E9C9493F3F3" Name="Whitelist Movies" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneVideo" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="9A73E081-01D1-4BFD-ADF4-5C29AD4031F7" Name="Whitelist Money" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingFinance" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="EE4BF66C-EBF0-4565-982C-922FFDCB2E6D" Name="Whitelist News" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingNews" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="D78E6A9D-10F8-4C23-B620-40B01B60E5EA" Name="Whitelist Onedrive" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="AD543082-80EC-45BB-AA02-FFE7F4182BA8" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="0012F35E-C242-47FF-A573-3DA06AF7E43C" Name="Whitelist Onedrive APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftSkydrive" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="178B0D68-3498-40CE-A0C3-295C6B3DA169" Name="Whitelist OneNote" Description="Allow Admins to run onenote." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.OneNote" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="673914E4-D73A-405D-8DCF-173E36EA6722" Name="Whitelist GetStarted" Description="Allow Admins to run onenote." UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Getstarted" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="4546BD28-69B6-4175-A44C-33197D48F658" Name="Whitelist Outlook Calendar" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="7B843572-E1AD-45E6-A1F2-C551C70E4A34" Name="Whitelist Outlook Mail" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="E5A1CD1A-8C23-41E4-AACF-BF82FCE775A5" Name="Whitelist Photos" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="0A194DD1-B25B-4512-8AFC-6F560D0EC205" Name="Whitelist PodCasts" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MSPodcast" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="F5D27860-0238-4D1A-8011-9B8B263C3A33" Name="Whitelist SkypeApp" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="Microsoft.SkypeApp" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="B8BBC965-EC6D-4C16-AC68-C5F0090CB703" Name="Whitelist Store" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsStore" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="6031E1E7-A659-4B3D-87FB-3CB4C900F9D2" Name="Whitelist Sports" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingSports" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="A6D61B56-7CF7-4E95-953C-3A5913309B4E" Name="Whitelist Wallet" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MicrosoftWallet" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="A2C44744-0627-4A52-937E-E3EC1ED476E0" Name="Whitelist Weather" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BingWeather" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="D79978B4-EFAE-4458-8FE1-0F13B5CE6764" Name="Whitelist Xbox" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.XboxApp" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="395713B9-DD39-4741-8AB3-63D0A0DCA2B0" Name="Whitelist Xbox Identity Provider" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.XboxIdentityProvider" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="7565A8BB-D50B-4237-A9E9-B0997B36BDF9" Name="Whitelist Voice recorder" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsSoundRecorder" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="409A286E-8C3D-48AB-9D7C-3225A48B30C9" Name="Whitelist Word" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.Word" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="F72A5DA6-CA6A-4E7F-A350-AC9FACAB47DB" Name="Whitelist Excel" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.Excel" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="169B3498-2A73-4D5C-8AFB-A0DE2908A07D" Name="Whitelist PowerPoint" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Office.PowerPoint" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="A483B662-3538-4D70-98A7-1312D51A0DB9" Name="Whitelist Contact Support" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Windows.ContactSupport" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="EAB1CEDC-DD8A-4311-9146-27A3C689DEAF" Name="Whitelist Cortana" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Cortana" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="01CD8E68-666B-4DE6-8849-7CE4F0C37CA8" Name="Whitelist Storage" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA564D" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="15D9AD89-58BC-458E-9B96-3A18DA63AC3E" Name="Whitelist Groove Music" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.ZuneMusic" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="E2B71B03-D759-4AE2-8526-E1A0CE2801DE" Name="Whitelist Windows Feedback" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsFeedback" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="E7A30489-A20B-44C3-91A8-19D9F61A8B5B" Name="Whitelist Messaging and Messaging Video" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Messaging" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="D2A16D0C-8CC0-4C3A-9FB5-C1DB1B380CED" Name="Whitelist Phone splash" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA5611" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="2A355478-7449-43CB-908A-A378AA59FBB9" Name="Whitelist Phone APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.CommsPhone" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="89441630-7F1C-439B-8FFD-0BEEFF400C9B" Name="Whitelist Connect APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.DevicesFlow" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="E8AF01B5-7039-44F4-8072-6A6CC71EDF2E" Name="Whitelist Miracast APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="906BEEDA-B7E6-4DDC-BA8D-AD5031223EF9" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="DA02425B-0291-4A10-BE7E-B9C7922F4EDF" Name="Whitelist Print Dialog APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.PrintDialog" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="42919A05-347B-4A5F-ACB2-73710A2E6203" Name="Whitelist Block and Filter APP" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.BlockandFilterglobal" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="6F3D8885-C15E-4D7E-8E1F-F2A560C08F9E" Name="Whitelist MSFacebook" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MSFacebook" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+ <FilePublisherRule Id="5168A5C3-5DC9-46C1-87C0-65A9DE1B4D18" Name="Whitelist Advanced Info" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow">
+ <Conditions>
+ <FilePublisherCondition PublisherName="*" ProductName="B6E3E590-9FA5-40C0-86AC-EF475DE98E88" BinaryName="*" />
+ </Conditions>
+ </FilePublisherRule>
+
+</RuleCollection>
+
+
+
+
+
+
+```
+
+## Recommended deny list for Windows
Information Protection +The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. + +In this example, Contoso is the node name. We recommend using a GUID for this node. + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Contoso + + + + + 2 + + + ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Contoso/EXE + + + + + 3 + + + ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/Contoso/EXE/Policy + + + chr + + + <RuleCollection Type="Exe" EnforcementMode="Enabled"> + <FilePublisherRule Id="b005eade-a5ee-4f5a-be45-d08fa557a4b2" Name="MICROSOFT OFFICE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="de9f3461-6856-405d-9624-a80ca701f6cb" Name="MICROSOFT OFFICE 2003, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2003" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="ade1b828-7055-47fc-99bc-432cf7d1209e" Name="2007 MICROSOFT OFFICE SYSTEM, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" 
UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="2007 MICROSOFT OFFICE SYSTEM" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="f6a075b5-a5b5-4654-abd6-731dacb40d95" Name="MICROSOFT OFFICE ONENOTE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE ONENOTE" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="12.0.9999.9999" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="0ec03b2f-e9a4-4743-ae60-6d29886cf6ae" Name="MICROSOFT OFFICE OUTLOOK, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE OUTLOOK" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="12.0.9999.9999" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="7b272efd-4105-4fb7-9d40-bfa597c6792a" Name="MICROSOFT OFFICE 2013, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2013" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + </FilePublisherRule> + <FilePublisherRule Id="89d8a4d3-f9e3-423a-92ae-86e7333e2662" Name="MICROSOFT ONENOTE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, 
C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONENOTE" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + <Exceptions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONENOTE" BinaryName="ONENOTE.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + </Exceptions> + </FilePublisherRule> + <FilePublisherRule Id="5a2138bd-8042-4ec5-95b4-f990666fbf61" Name="MICROSOFT OUTLOOK, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OUTLOOK" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + <Exceptions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OUTLOOK" BinaryName="OUTLOOK.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + </Exceptions> + </FilePublisherRule> + <FilePublisherRule Id="3fc5f9c5-f180-435b-838f-2960106a3860" Name="MICROSOFT ONEDRIVE, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT ONEDRIVE" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + <Exceptions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT 
ONEDRIVE" BinaryName="ONEDRIVE.EXE"> + <BinaryVersionRange LowSection="17.3.6386.0412" HighSection="*" /> + </FilePublisherCondition> + </Exceptions> + </FilePublisherRule> + <FilePublisherRule Id="17d988ef-073e-4d92-b4bf-f477b2ecccb5" Name="MICROSOFT OFFICE 2016, from O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" Description="" UserOrGroupSid="S-1-1-0" Action="Deny"> + <Conditions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="*"> + <BinaryVersionRange LowSection="*" HighSection="*" /> + </FilePublisherCondition> + </Conditions> + <Exceptions> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="LYNC.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="LYNC99.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="UCMAPI.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="OCPUBMGR.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="WINWORD.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + <FilePublisherCondition PublisherName="O=MICROSOFT 
CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="EXCEL.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="POWERPNT.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="MICROSOFT OFFICE 2016" BinaryName="MSOSYNC.EXE"> + <BinaryVersionRange LowSection="16.0.7500.0000" HighSection="*" /> + </FilePublisherCondition> + </Exceptions> + </FilePublisherRule> + </RuleCollection> + + + + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + diff --git a/windows/client-management/mdm/applocker-ddf-file.md b/windows/client-management/mdm/applocker-ddf-file.md new file mode 100644 index 0000000000..e332216b02 --- /dev/null +++ b/windows/client-management/mdm/applocker-ddf-file.md 
@@ -0,0 +1,683 @@ +--- +title: AppLocker DDF file +description: AppLocker DDF file +ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# AppLocker DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). + +``` syntax + +]> + + 1.2 + + AppLocker + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + ApplicationLaunchRestrictions + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Grouping + + + + + + EXE + + + + + + + + + + + + + + + + + + + + + + Policy + + + + + + + + + + + + + + + + + + text/plain + + + + + EnforcementMode + + + + + + + + + + + + + + + + + + text/plain + + + + + NonInteractiveProcessEnforcement + + + + + + + + + + + + + + + + + + text/plain + + + + + + MSI + + + + + + + + + + + + + + + + + + + + + + Policy + + + + + + + + + + + + + + + + + + text/plain + + + + + EnforcementMode + + + + + + + + + + + + + + + + + + text/plain + + + + + + Script + + + + + + + + + + + + + + + + + + + + + + Policy + + + + + + + + + + + + + + + + + + text/plain + + + + + EnforcementMode + + + + + + + + + + + + + + + + + + text/plain + + + + + + StoreApps + + + + + + + + + + + + + + + + + + + + + + Policy + + + + + + + + + + + + + + + + + + text/plain + + + + + EnforcementMode + + + + + + + + + + + + + + + + + + text/plain + + + + + + DLL + + + + + + + + + + + + + + + + + + + + + + Policy + + + + + + + + + + + + + + + + + + text/plain + + + + + EnforcementMode + + + + + + + + + + + + + + + + + + text/plain + + + + + NonInteractiveProcessEnforcement + + + + + + + + + + + + + + + + + + text/plain + + + + + + CodeIntegrity + + + + + + + + + + + + 
+ + + + + + + + + + Policy + + + + + + + + + + + + + + + + + + text/plain + + + + + + + + EnterpriseDataProtection + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Grouping + + + + + + EXE + + + + + + + + + + + + + + + + + + + + + + Policy + + + + + + + + + + + + + + + + + + text/plain + + + + + + StoreApps + + + + + + + + + + + + + + + + + + + + + + Policy + + + + + + + + + + + + + + + + + + text/plain + + + + + + + + +``` + +## Related topics + + +[AppLocker configuration service provider](applocker-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/applocker-xsd.md b/windows/client-management/mdm/applocker-xsd.md new file mode 100644 index 0000000000..1d578d006d --- /dev/null +++ b/windows/client-management/mdm/applocker-xsd.md 
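Review bot: The DDF download link in the intro paragraph is a cleartext-HTTP URL (`http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip`), so a reader fetching the archive that feeds their MDM policy authoring gets no transport integrity on it. Suggest changing the link to `https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip` (confirm the host serves it over TLS) and, ideally, publishing a SHA-256 of the zip beside it. Separately, the fenced DDF listing as captured here shows only bare text values (`1.2`, `AppLocker`, `./Vendor/MSFT`, `text/plain`) with no XML element tags; that may be an artifact of how this page was extracted rather than of the commit, but it is worth checking that the published page renders the complete XML, since a tag-stripped DDF is unusable.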
@@ -0,0 +1,1291 @@ +--- +title: AppLocker XSD +description: Here's the XSD for the AppLocker CSP. +ms.assetid: 70CF48DD-AD7D-4BCF-854F-A41BFD95F876 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# AppLocker XSD + + +Here's the XSD for the AppLocker CSP. + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md new file mode 100644 index 0000000000..d7f18cf787 --- /dev/null +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -0,0 +1,453 @@ +--- +title: Deploy and configure App-V apps using MDM +description: Deploy and configure App-V apps using MDM +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Deploy and configure App-V apps using MDM + +## Executive summary + +

Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premise group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premise counterparts.

+ +

MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.

+ +### EnterpriseAppVManagement CSP node structure + +[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) + +![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png) + +

(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.

+ +

AppVPublishing - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

+ +- EnterpriseAppVManagement + - AppVPackageManagement + - **AppVPublishing** + - LastSync + - LastError + - LastErrorDescription + - SyncStatusDescription + - SyncProgress + - Sync + - PublishXML + - AppVDynamicPolicy + +

Sync command:

+ +[App-V Sync protocol reference]( https://msdn.microsoft.com/enus/library/mt739986.aspx) + +

AppVDynamicPolicy - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.

+ +- EnterpriseAppVManagement + - AppVPackageManagement + - AppVPublishing + - **AppVDynamicPolicy** + - [ConfigurationId] + - Policy + +

Dynamic policy examples:

+ +[Dynamic configuration processing](https://technet.microsoft.com/en-us/itpro/windows/manage/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing) + +

AppVPackageManagement - Primarily read-only App-V package inventory data for MDM servers to query current packages.

+ +- EnterpriseAppVManagement + - **AppVPackageManagement** + - [EnterpriseID] + - [PackageFamilyName] + - [PackageFullName] + - Name + - Version + - Publisher + - InstallLocation + - InstallDate + - Users + - AppVPackageID + - AppVVersionId + - AppVPackageUri + - AppVPublishing + - AppVDynamicPolicy + +

The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.

+ +## Scenarios addressed in App-V MDM functionality + +

All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premise App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.

+ +

A complete list of App-V policies can be found here:

+ +[ADMX-backed policy reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed) + +[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) + +### SyncML examples + +

The following SyncML examples address specific App-V client scenarios.

+ +#### Enable App-V client + +

This example shows how to enable App-V on the device.

+ +``` syntax + + $CmdID$ + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient + + <enabled/> + + +``` + +#### Configure App-V client + +

This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts assists in package deployments (add and publish of App-V apps).

+ +``` syntax + + $CmdID$ + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts + + <enabled/> + + +``` + +

Complete list of App-V policies can be found here:

+ +[Policy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider) + +#### SyncML with package published for a device (global to all users for that device) + +

This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync + + + node + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L + + + xml + text/plain + + + + + + + + + + + + + +``` + +

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

+ +#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device) + +

This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy + + + xml + text/plain + + + + + + + + + + + [{ThisPCDesktopFolder}]\Skype_FromMDM.lnk + [{ProgramFilesX86}]\Skype\Phone\Skype.exe + [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico + + [{ProgramFilesX86}]\Skype\ + Skype.Desktop.Application + Launch Skype + 1 + [{ProgramFilesX86}]\Skype\Phone\Skype.exe + + + + + [{Common Desktop}]\Skype_FromMDMAlso.lnk + [{ProgramFilesX86}]\Skype\Phone\Skype.exe + [{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico + + [{ProgramFilesX86}]\Skype\ + Skype.Desktop.Application + Launch Skype + 1 + [{ProgramFilesX86}]\Skype\Phone\Skype.exe + + + + + + + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync + + + node + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L + + + xml + text/plain + + + + + + + + + + + + + + +``` + +

*PackageUrl can be a UNC or HTTP/HTTPS endpoint.

+ +#### SyncML with package (using user config deployment) published for a specific user + +

This SyncML example shows how to publish a package for a specific MDM user.

+ +``` syntax + + $CmdID$ + + + ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync + + + node + + + + + $CmdID$ + + + ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> + + + xml + text/plain + + + + + + + + + + + + + +``` + +#### SyncML for publishing mixed-mode connection group containing global and user-published packages + +

This SyncML example shows how to publish a connection group, and group applications and plugins together.

+ +> [!NOTE] +> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group. + +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync + + + node + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L + + + xml + text/plain + + + + + + + + + + + + $CmdID$ + + + ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync + + + node + + + + + $CmdID$ + + + ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI> + + + xml + text/plain + + + + + + + + + + + + + + + + + + + + +``` + +#### Unpublish example SyncML for all global packages + +

This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync + + + node + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML + + + xml + text/plain + + + + + + + + + +``` + +#### Query packages on a device + +

These SyncML examples return all global, and user-published packages on the device.

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData + + + +``` + +``` syntax + + $CmdID$ + + + ./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/assign-seats.md b/windows/client-management/mdm/assign-seats.md new file mode 100644 index 0000000000..b39d6d9cdf --- /dev/null +++ b/windows/client-management/mdm/assign-seats.md @@ -0,0 +1,135 @@ +--- +title: Assign seat +description: The Assign seat operation assigns seat for a specified user in the Windows Store for Business. +ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Assign seat + +The **Assign seat** operation assigns seat for a specified user in the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

POST

https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}

+ +  +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

username

string

Requires UserPrincipalName (UPN). User name of the target user account.

+ + +## Response + +### Response body + +The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails). + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData fieldDetails

400

Invalid parameters

No

Parameter name

+

Reason: Invalid parameter

+

Details: String

Invalid can include productId, skuId or userName

404

Not found

Item type: Inventory, User, Seat

+

Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName

ItemType: Inventory User Seat

+

Values: ProductId/SkuId UserName ProductId/SkuId/UserName

409

Conflict

Reason: Not online

+ +  + +  + + + + + + diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md new file mode 100644 index 0000000000..aad87ff0e5 --- /dev/null +++ b/windows/client-management/mdm/assignedaccess-csp.md 
@@ -0,0 +1,141 @@
+---
+title: AssignedAccess CSP
+description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode.
+ms.assetid: 421CC07D-6000-48D9-B6A3-C638AAF83984
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# AssignedAccess CSP
+
+
+The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
+
+For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
+
+> **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
+
+ 
+
+The following diagram shows the AssignedAccess configuration service provider in tree format
+
+![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png)
+
+**./Vendor/MSFT/AssignedAccess**
+Root node for the CSP.
+
+**AssignedAccess/KioskModeApp**
+A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
+
+In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
+
+Here's an example:
+
+``` syntax
+{"Account":"redmond\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
+```
+
+When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name. 
+
+> **Note**  The domain name can be optional if the user name is unique across the system.
+
+ 
+
+For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
+
+The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
+
+## Examples
+
+
+KioskModeApp Add
+
+``` syntax
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp
+
+
+ chr
+
+ {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}
+
+
+
+
+
+```
+
+KioskModeApp Delete
+
+``` syntax
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp
+
+
+
+
+
+
+```
+
+KioskModeApp Get
+
+``` syntax
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp
+
+
+
+
+
+
+```
+
+KioskModeApp Replace
+
+``` syntax
+
+
+
+ 2
+
+
+ ./Device/Vendor/MSFT/AssignedAccess/KioskModeApp
+
+
+ chr
+
+ {"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"}
+
+
+
+
+
+```
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/client-management/mdm/assignedaccess-ddf.md b/windows/client-management/mdm/assignedaccess-ddf.md
new file mode 100644
index 0000000000..4f2fae2306
--- /dev/null
+++ b/windows/client-management/mdm/assignedaccess-ddf.md
@@ -0,0 +1,101 @@
+---
+title: AssignedAccess DDF
+description: AssignedAccess DDF
+ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# AssignedAccess DDF
+
+
+This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
+
+You can download the DDF files from the links below:
+
+- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
+- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
+
+The XML below is the current version for this CSP.
+
+``` syntax
+
+]>
+
+ 1.2
+
+ AssignedAccess
+ ./Vendor/MSFT
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ KioskModeApp
+
+
+
+
+
+
+
+ This node can accept and return json string which comprises of account name and AUMID for Kiosk mode app.
+
+Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
+
+When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
+
+This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same.
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
+```
+
+## Related topics
+
+
+[AssignedAccess configuration service provider](assignedaccess-csp.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
new file mode 100644
index 0000000000..ebdb1d406e
--- /dev/null
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -0,0 +1,925 @@
+---
+title: Azure Active Directory integration with MDM
+description: Azure Active Directory is the world largest enterprise cloud identity management service.
+ms.assetid: D03B0765-5B5F-4C7B-9E2B-18E747D504EE
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+
+
+
+
+# Azure Active Directory integration with MDM
+
+Azure Active Directory is the world largest enterprise cloud identity management service. It’s used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
+
+Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a device’s compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved.
+
+## Connect to Azure AD
+
+Several ways to connect your devices:
+
+For company-owned devices:
+- Join Windows to a traditional Active Directory domain
+- Join Windows to Azure AD
+
+For personal devices (BYOD):
+- Add a Microsoft work account to Windows
+
+### Azure AD Join
+
+Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as System Center Configuration Manager.
In Windows 10, it’s also possible to manage domain joined devices with an MDM.
+
+Windows 10 introduces a new way to configure and deploy corporate owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
+
+Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
+
+> **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
+
+ 
+### BYOD scenario
+
+Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. It’s important to note that in the BYOD case, users can reject the MDM Terms of Use—in which case the device is not enrolled in MDM and access to corporate resources is typically restricted.
+
+## Integrated MDM enrollment and UX
+
+Two Azure AD MDM enrollment scenarios:
+- Joining a device to Azure AD for company-owned devices
+- Adding a work account to a personal device (BYOD)
+
+In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used fo MDM enrollment.
+
+In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
+
+In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
+
+For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](http://go.microsoft.com/fwlink/?LinkId=690246).
+
+Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** > **Accounts** > **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
+
+> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
+
+ 
+### MDM endpoints involved in Azure AD integrated enrollment
+
+Azure AD MDM enrollment is a two-step process:
+
+1. Display the Terms of Use and gather user consent.
+
+ This is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
+
+2. Enroll the device.
+
+ This is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
+
+To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
+
+**Terms of Use endpoint**
+Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting user’s consent before the actual enrollment phase begins.
+
+It’s important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies).
+
+The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. It’s not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
+
+**MDM enrollment endpoint**
+After the users accepts the Terms of Use, the device is registered in Azure AD and the automatic MDM enrollment begins.
+
+The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
+
+![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)
+
+The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654). A sample for reporting device compliance is provided later in this topic.
+
+## Make the MDM a reliable party of Azure AD
+
+To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654).
+
+### Add a cloud-based MDM
+
+A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It is a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor.
When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
+
+The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613661).
+
+> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
+
+ 
+The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
+
+Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
+
+1. Login to the Azure Management Portal using an admin account in your home tenant.
+2. In the left navigation, click on the **Active Directory**.
+3. Click the directory tenant where you want to register the application.
+
+ Ensure that you are logged into your home tenant.
+4. Click the **Applications** tab.
+5. In the drawer, click **Add**.
+6. Click **Add an application my organization is developing**.
+7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
+8. Enter the login URL for your MDM service.
+9. 
For the App ID, enter **https://<your\_tenant\_name>/ContosoMDM**, then click OK.
+10. While still in the Azure portal, click the **Configure** tab of your application.
+11. Mark your application as **multi-tenant**.
+12. Find the client ID value and copy it.
+
+ You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
+13. Generate a key for your application and copy it.
+
+ You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
+
+For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667)
+
+### Add an on-premises MDM
+
+An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
+
+The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use.
+
+Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
+ +For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](http://go.microsoft.com/fwlink/p/?LinkId=613671). + +### Key management and security guidelines + +The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Azure AD Graph API are bearer tokens and should be protected to avoid unauthorized disclosure. + +For security best practices, see [Windows Azure Security Essentials](http://go.microsoft.com/fwlink/p/?LinkId=613715). + +You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There is a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant. + +For the on-premises MDM, the keys used to authenticate with Azure AD are within the tenant of the customer and must be rolled over by the customer's administrator. In this case, you should provide guidance to the customers about rolling over and protecting the keys to improved security. + +## Publish your MDM app to Azure AD app gallery + + +IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD. + +The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software. + +![azure ad add an app for mdm](images/azure-ad-app-gallery.png) + +### Add cloud-based MDM to the app gallery + +You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ItemDescription

Application ID

The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.

Publisher

A string that identifies the publisher of the app.

Application URL

A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.

Description

A brief description of your MDM app, which must be under 255 characters.

Icons

A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215

+ +  +### Add on-premises MDM to the app gallery + +There are no special requirements for adding on-premises MDM to the app gallery.There is a generic entry for administrator to add an app to their tenant. + +However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance. + +## Themes + +The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers. + +There are 3 distinct scenarios: + +1. MDM enrollment as part of Azure AD Join in Windows OOBE. +2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**. +3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD). + +Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511. + +The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip). 
+ +### Using themes + +An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4. + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + +
CXH-HOST (HTTP HEADER)SenarioBackground ThemeWinJSScenario CSS
FRXOOBEDark theme + blue background colorFilename: Ui-dark.cssFilename: oobe-dekstop.css
MOSETSettings/ +

Post OOBE

Light themeFilename: Ui-light.cssFilename: settings-desktop.css
+ +  +## Terms of Use protocol semantics + +The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows performs a full-page redirect to this endpoint. This enables the MDM to display the terms and conditions that apply and allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. + +### Redirect to the Terms of Use endpoint + +This is a full page redirect to the Terms of User endpoint hosted by the MDM. Here is an example URL, https://fabrikam.contosomdm.com/TermsOfUse. + +The following parameters are passed in the query string: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ItemDescription

redirect_uri

After the user accepts or rejects the Terms of Use, the user is redirected to this URL.

client-request-id

A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.

api-version

Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.

mode

Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.

+ +  +### Access token + +A bearer access token is issued by Azure AD is passed in the authorization header of the HTTP request. Here is a typical format: + +**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw… + +The following claims are expected in the access token passed by Windows to the Terms of Use endpoint: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ItemDescription

Object ID

Identifier of the user object corresponding to the authenticated user.

UPN

A claim containing the user principal name (UPN) of the authenticated user.

TID

A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.

Resource

A sanitized URL representing the MDM application. Example, https://fabrikam.contosomdm.com.

+  +> **Note**  There is no device ID claim in the access token because the device may not yet be enrolled at this time. + +  +To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654). + +Here's an example URL. + +``` syntax +https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0 +Authorization: Bearer eyJ0eXAiOi +``` + +The MDM is expected to validate the signature of the access token to ensure it was issued by Azure AD and ensure that recipient is appropriate. + +### Terms of Use content + +The MDM may perform other additional redirects as necessary before displaying the Terms of Use content to the user. The appropriate Terms of Use content should be returned to the caller (Windows) so it can be displayed to the end user in the browser control. + +The Terms of Use content should contain the following buttons: + +- **Accept** - the user accepts the Terms of Use and proceeds with enrollment. +- **Decline** - the user declines and stops the enrollment process. + +The Terms of Use content must be consistent with the theme used for the other pages rendered during this process. + +### Terms of Use endpoint processing logic + +At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page: + +- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected: + - **IsAccepted** - This mandatory Boolean must be set to true. + - **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. 
The MDM may use this parameter for correlation purposes. + - Here is an example redirect - ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true +- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected: + - **IsAccepted** - This mandatory Boolean must be set to false. This also applies if the user skipped the Terms of Use. + - **OpaqueBlob** - This parameter is not expected to be used because the enrollment is stopped with an error message displayed to the user. + +Users skip the Terms of Use when they are adding a Microsoft work account to their device. However, then cannot skip it during the Azure AD Join process. The decline button must not be shown in the Azure AD Join process because MDM enrollment cannot be declined by the user if configured by the administrator for the Azure AD Join. + +We recommend that you send the client-request-id parameters in the query string as part of this redirect response. + +### Terms Of Use Error handling + +If an error was encountered during the terms of use processing, the MDM can return two parameters – an error and error\_description parameter in its redirect request back to Windows. Note that the URL should be encoded and the contents of the error\_description should be in English plain text. This text is not visible to the end-user and therefore localization of the error description text is not a concern. + +Here is the URL format: + +``` syntax +HTTP/1.1 302 +Location: +?error=access_denied&error_description=Access%20is%20denied%2E + + +Example: +HTTP/1.1 302 +Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E +``` + +The following table shows the error codes. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CauseHTTP statusErrorDescription

api-version

302

invalid_request

unsupported version

Tenant or user data are missingor other required prerequisites for device enrollment are not met

302

unauthorized_client

unauthorized user or tenant

Azure AD token validation failed

302

unauthorized_client

unauthorized_client

internal service error

302

server_error

internal service error

+ +  +## Enrollment protocol with Azure AD + +With Azure integrated MDM enrollment, there is no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
DetailTraditional MDM enrollmentAzure AD Join (corporate-owned device)Azure AD add a work account (user-owned device)

MDM auto-discovery using email address to retrieve MDM discovery URL

Enrollment

Not applicable

+

Discovery URL provisioned in Azure

Uses MDM discovery URL

Enrollment

+

Enrollment renewal

+

ROBO

Enrollment

+

Enrollment renewal

+

ROBO

Enrollment

+

Enrollment renewal

+

ROBO

Is MDM enrollment required?

Yes

Yes

No

+

User can decline.

Authentication type

OnPremise

+

Federated

+

Certificate

Federated

Federated

EnrollmentPolicyServiceURL

Optional (all auth)

Optional (all auth)

+

Optional (all auth)

+

EnrollmentServiceURL

Required (all auth)

Used (all auth)

Used (all auth)

EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL

Highly recommended

Highly recommended

Highly recommended

AuthenticationServiceURL used

Used (Federated auth)

Skipped

Skipped

BinarySecurityToken

Custom per MDM

Azure AD issued token

Azure AD issued token

EnrollmentType

Full

Device

Full

Enrolled certificate type

User certificate

Device certificate

User certificate

Enrolled certificate store

My/User

My/System

My/User

CSR subject name

User Principal Name

Device ID

User Principal Name

EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL

Not supported

Supported

Supported

CSPs accessible during enrollment

Windows 10 support:

+
    +
  • DMClient
  • +
  • CertificateStore
  • +
  • RootCATrustedCertificates
  • +
  • ClientCertificateInstall
  • +
  • EnterpriseModernAppManagement
  • +
  • PassportForWork
  • +
  • Policy
  • +
  • w7 APPLICATION
  • +
+

Legacy support:

+
    +
  • EnterpriseAppManagement (Windows Phone 8.1)
  • +

same as traditional MDM enrollment

same as traditional MDM enrollment

+ +  + +## Management protocol with Azure AD + +There are two different MDM enrollment types that take advantage of integration with Azure AD and therefore make use of Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users. + +**Multiple user management for Azure AD joined devices** +In this scenario the MDM enrollment applies to every Azure AD user who logs on to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, conclude what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token is not sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user logs on to the machine, Azure AD user token is not available to OMA-DM process. Typically MDM enrollment completes before Azure AD user logs on to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device. + +**Adding a work account and MDM enrollment to a device** +In this scenario, the MDM enrollment applies to a single user who initially added his work account and enrolled the device. 
In this enrollment type the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device. + +**Evaluating Azure AD user tokens** +The Azure AD token is in the HTTP Authorization header in the following format: + +``` syntax +Authorization:Bearer +``` + +Additional claims may be present in the Azure AD token, such as: + +- User - user currently logged in +- Device compliance - value set the the MDM service into Azure +- Device ID - identifies the device that is checking in +- Tenant ID + +Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to initiate the enrollment process. There are a couple of options to evaluate the tokens: + +- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](http://go.microsoft.com/fwlink/p/?LinkId=613820). +- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667). + +## Device Alert 1224 for Azure AD user token + +An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example: + +``` syntax +Alert Type: com.microsoft/MDM/AADUserToken + +Alert sample: + + + 1 + 1224 + + + com.microsoft/MDM/AADUserToken + chr + + UserToken inserted here + + + … other xml tags … + +``` + +## Determine when a user is logged in through polling + +An alert is send to the MDM server in DM package\#1. + +- Alert type - com.microsoft/MDM/LoginStatus +- Alert format - chr +- Alert data - provide login status information for the current active logged in user. 
+ - Logged in user who has an Azure AD account - predefined text: user. + - Logged in user without an Azure AD account- predefined text: others. + - No active user - predefined text:none + +Here's an example. + +``` syntax + + + 1 + 1224 + + + com.microsoft/MDM/LoginStatus + chr + + user + + + … other xml tags … + +``` + +## Report device compliance to Azure AD + +Once a device is enrolled with the MDM for management, corporate policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD. + +For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613822). + +- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. Use this key to authenticate the MDM service with Azure AD, in order to obtain authorization. +- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This is because each on-premises instance of your MDM product has a different tenant-specific key. For this purpose, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD. + +### Use Azure AD Graph API + +The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it. 
+ +``` syntax +Sample Graph API Request: + +PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1 +Authorization: Bearer eyJ0eXAiO……… +Accept: application/json +Content-Type: application/json +{ “isManaged”:true, + “isCompliant”:true +} +``` + +Where: + +- **contoso.com** – This is the name of the Azure AD tenant to whose directory the device has been joined. +- **db7ab579-3759-4492-a03f-655ca7f52ae1** – This is the device identifier for the device whose compliance information is being reported to Azure AD. +- **eyJ0eXAiO**……… – This is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request. +- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status. +- **api-version** - Use this parameter to specify which version of the graph API is being requested. + +Response: + +- Success - HTTP 204 with No Content. +- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant cannot be found. + +## Data loss during unenrollment from Azure Active Directory Join + +When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. + +![aadj unenerollment](images/azure-ad-unenrollment.png) + +## Error codes + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
CodeIDError message
0x80180001"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR

There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

0x80180002"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR

There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

0x80180003"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR

This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

0x80180004"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR

There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

0x80180005"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

0x80180006"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

0x80180007"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR

There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

0x80180008"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR

There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

0x80180009"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS

Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.

0x8018000A"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED

This device is already enrolled. You can contact your system administrator with the error code {0}.

0x8018000D"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID

There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

0x8018000E"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED

There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

0x8018000F"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR

There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

0x80180010"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY

There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

0x80180012"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT

There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.

0x80180013"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED

Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

0x80180014"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED

This feature is not supported. Contact your system administrator with the error code {0}.

0x80180015"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED

This feature is not supported. Contact your system administrator with the error code {0}.

0x80180016"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW

The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.

0x80180017"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE

The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.

0x80180018"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE

There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.

0x80180019"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID

Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.

"rejectedTermsOfUse""idErrorRejectedTermsOfUse"

Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.

0x801c0001"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR

There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

0x801c0002"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR

There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

0x801c0003"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR

This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.

0x801c0006"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR

There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

0x801c000B"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTEDThe server being contacted is not trusted. Contact your system administrator with the error code {0}.
0x801c000C"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED

There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

0x801c000E"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED

Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.

0x801c000F"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT

A reboot is required to complete device registration.

0x801c0010"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR

Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.

0x801c0011"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR

There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

0x801c0012"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR

There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}

0x801c0013"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND

There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

0x801c0014"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND

There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.

+ +  + +  + + + + + diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md new file mode 100644 index 0000000000..d7d5beca50 --- /dev/null +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -0,0 +1,682 @@ +--- +title: BitLocker CSP +description: BitLocker CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# BitLocker CSP + +The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. + +> [!Note] +> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. +> You must send all the settings together in a single SyncML to be effective. + +A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns +the setting configured by the admin. + +For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if TPM protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength). + +The following diagram shows the BitLocker configuration service provider in tree format. + +![bitlocker csp](images/provisioning-csp-bitlocker.png) + +**./Device/Vendor/MSFT/BitLocker** +

Defines the root node for the BitLocker configuration service provider.

+ +**RequireStorageCardEncryption** +

Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.

+ +

Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.

+ +

If you want to disable this policy use the following SyncML:

+ +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption + + + int + + 0 + + + + +``` + +

Data type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**RequireDeviceEncryption** + +

Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.

+ +

Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.

+ +

If you want to disable this policy use the following SyncML:

+ +``` syntax + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption + + + int + + 0 + + + + +``` + +

Data type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**EncryptionMethodByDriveType** +

Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).

+ +

This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.

+ +

If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.

+ +

If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.

+ +

Sample value for this node to enable this policy and set the encryption methods is:

+ +``` syntax + +``` + +

EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives

+

EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.

+

EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.

+ +

The possible values for 'xx' are:

+
    +
  • 3 = AES-CBC 128
  • +
  • 4 = AES-CBC 256
  • +
  • 6 = XTS-AES 128
  • +
  • 7 = XTS-AES 256
  • +
+ +

If you want to disable this policy use the following SyncML:

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType + + + chr + + <disabled/> + + +``` + +

Data type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**SystemDrivesRequireStartupAuthentication** +

This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).

+ +

This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.

+ +> [!Note] +> Only one of the additional authentication options can be required at startup, otherwise an error occurs. + +

If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.

+ +

On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.

+ +

If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.

+ +

If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.

+ +> [!Note] +> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. + +

Sample value for this node to enable this policy is:

+ +``` syntax + +``` +

Data id:

+
    +
  • ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).
  • +
  • ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.
  • +
  • ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN.
  • +
  • ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.
  • +
  • ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.
  • +
+ +

The possible values for 'xx' are:

+
    +
  • true = Explicitly allow
  • +
  • false = Policy not set
  • +
+ +

The possible values for 'yy' are:

+
    +
  • 2 = Optional
  • +
  • 1 = Required
  • +
  • 0 = Disallowed
  • +
+ +

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication + + + chr + + <disabled/> + + +``` +

Data type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**SystemDrivesMinimumPINLength** +

This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).

+ +

This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.

+ +

If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.

+ +

If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.

+ +

Sample value for this node to enable this policy is:

+ +``` syntax + +``` + +

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength + + + chr + + <disabled/> + + +``` + +

Data type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**SystemDrivesRecoveryMessage** +

This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).

+ +

This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. +

+ +

If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). + +

If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.

+ +

If you set the the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.

+ +

Sample value for this node to enable this policy is:

+ +``` syntax + +``` +

The possible values for 'xx' are:

+
    +
  • 0 = Empty
  • +
  • 1 = Use default recovery message and URL.
  • +
  • 2 = Custom recovery message is set.
  • +
  • 3 = Custom recovery URL is set.
  • +
  • 'yy' = string of max length 900.
  • +
  • 'zz' = string of max length 500.
  • +
+ +

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage + + + chr + + <disabled/> + + +``` + +> [!Note] +> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. + +

Data type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**SystemDrivesRecoveryOptions** +

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).

+ +

This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.

+ +

The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

+ +

In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

+ +

Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

+ +

Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.

+ +

Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

+ +> [!Note] +> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. + +

If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.

+ +

If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

+ +

Sample value for this node to enable this policy is:

+ +``` syntax + +``` + +

The possible values for 'xx' are:

+
    +
  • true = Explicitly allow
  • +
  • false = Policy not set
  • +
  • +
+ +

The possible values for 'yy' are:

+
    +
  • 2 = Allowed
  • +
  • 1 = Required
  • +
  • 0 = Disallowed
  • +
+ +

The possible values for 'zz' are:

+
    +
  • 2 = Store recovery passwords only
  • +
  • 1 = Store recovery passwords and key packages
  • +
  • +
+ +

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions + + + chr + + <disabled/> + + +``` + +

Data type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FixedDrivesRecoveryOptions** +

This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).

+ +

This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.

+ +

The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.

+ +

In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.

+ +

Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.

+ +

Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.

+ +

Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.

+ +

Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.

+ +> [!Note] +> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated. + +

If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.

+ +

If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.

+ +

Sample value for this node to enable this policy is:

+ +``` syntax + +``` + +

The possible values for 'xx' are:

+
    +
  • true = Explicitly allow
  • +
  • false = Policy not set
  • +
+ +

The possible values for 'yy' are:

+
    +
  • 2 = Allowed
  • +
  • 1 = Required
  • +
  • 0 = Disallowed
  • + +
+ +

The possible values for 'zz' are:

+
    +
  • 2 = Store recovery passwords only
  • +
  • 1 = Store recovery passwords and key packages
  • +
+ +

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions + + + chr + + <disabled/> + + +``` + +

Data type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FixedDrivesRequireEncryption** +

This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).

+ +

This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.

+ +

If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

+ +

Sample value for this node to enable this policy is:

+ +``` syntax + +``` + +

If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption + + + chr + + <disabled/> + + +``` + +

Data type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**RemovableDrivesRequireEncryption** +

This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).

+ +

This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.

+ +

If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.

+ +

If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.

+ +

If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.

+ +> [!Note] +> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. + +

Sample value for this node to enable this policy is:

+ +``` syntax + +``` + +

The possible values for 'xx' are:

+
    +
  • true = Explicitly allow
  • +
  • false = Policy not set
  • +
+ +

Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:

+ +``` syntax + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption + + + chr + + <disabled/> + + +``` + + +### SyncML example + +The following example is provided to show proper format and should not be taken as a recommendation. + +``` syntax + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption + + + int + + 1 + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption + + + int + + 1 + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType + + + <enabled/> + <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/> + <data id="EncryptionMethodWithXtsFdvDropDown_Name" value="7"/> + <data id="EncryptionMethodWithXtsRdvDropDown_Name" value="4"/> + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication + + + <enabled/> + <data id="ConfigureNonTPMStartupKeyUsage_Name" value="true"/> + <data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="2"/> + <data id="ConfigurePINUsageDropDown_Name" value="2"/> + <data id="ConfigureTPMPINKeyUsageDropDown_Name" value="2"/> + <data id="ConfigureTPMUsageDropDown_Name" value="2"/> + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength + + + <enabled/> + <data id="MinPINLength" value="6"/> + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage + + + <enabled/> + <data id="RecoveryMessage_Input" value="blablablabla"/> + <data id="PrebootRecoveryInfoDropDown_Name" value="2"/> + <data id="RecoveryUrl_Input" value="blablabla"/> + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions + + + <enabled/> + <data id="OSAllowDRA_Name" value="true"/> + <data id="OSRecoveryPasswordUsageDropDown_Name" value="2"/> + <data id="OSRecoveryKeyUsageDropDown_Name" value="2"/> + <data id="OSHideRecoveryPage_Name" value="true"/> + <data id="OSActiveDirectoryBackup_Name" value="true"/> + <data 
id="OSActiveDirectoryBackupDropDown_Name" value="2"/> + <data id="OSRequireActiveDirectoryBackup_Name" value="true"/> + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions + + + <enabled/> + <data id="FDVAllowDRA_Name" value="true"/> + <data id="FDVRecoveryPasswordUsageDropDown_Name" value="2"/> + <data id="FDVRecoveryKeyUsageDropDown_Name" value="2"/> + <data id="FDVHideRecoveryPage_Name" value="true"/> + <data id="FDVActiveDirectoryBackup_Name" value="true"/> + <data id="FDVActiveDirectoryBackupDropDown_Name" value="2"/> + <data id="FDVRequireActiveDirectoryBackup_Name" value="true"/> + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption + + + <enabled/> + + + + + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption + + + <enabled/> + <data id="RDVCrossOrg" value="true"/> + + + + + + + +``` + +**AllowWarningForOtherDiskEncryption** + +

Allows the Admin to disable the warning prompt for other disk encryption on the user machines.

+ +

The following list shows the supported values:

+ +- 0 – Disables the warning prompt. +- 1 (default) – Warning prompt allowed. + +

Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:

+ +``` syntax + + 110 + + + ./Device/Vendor/MSFT/BitLocker/DisableWarningForOtherDiskEncryption + + + int + + 0 + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md new file mode 100644 index 0000000000..2b0491ab35 --- /dev/null +++ b/windows/client-management/mdm/bitlocker-ddf-file.md 
@@ -0,0 +1,598 @@ +--- +title: BitLocker DDF file +description: BitLocker DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# BitLocker DDF file + +This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + BitLocker + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/BitLocker + + + + + RequireStorageCardEncryption + + + + + + + + Allows the Admin to require storage card encryption on the device. + The format is integer. + This policy is only valid for mobile SKU. + Sample value for this node to enable this policy: + 1 + + Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on. + If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption + + + int + + 0 + + + + + + + + + + + + + + text/plain + + + + + RequireDeviceEncryption + + + + + + + + Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption. + The format is integer. + Sample value for this node to enable this policy: + 1 + + Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on. 
+ If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption + + + int + + 0 + + + + + + + + + + + + + + text/plain + + + + + EncryptionMethodByDriveType + + + + + + + + This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress. + If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511). + If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.” + The format is string. + Sample value for this node to enable this policy and set the encryption methods is: + <enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/> + + EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives. + EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives. + EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives. 
+ + The possible values for 'xx' are: + 3 = AES-CBC 128 + 4 = AES-CBC 256 + 6 = XTS-AES 128 + 7 = XTS-AES 256 + + If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType + + + chr + + <disabled/> + + + + Note: Maps to GP EncryptionMethodWithXts_Name policy. + + + + + + + + + + + + text/plain + + + + + SystemDrivesRequireStartupAuthentication + + + + + + + + This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker. + Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs. + If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive. + On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both. + If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard. 
+ If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM. + Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard. + The format is string. + Sample value for this node to enable this policy is: + <enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/> + + ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) + All of the below settings are for computers with a TPM. + ConfigureTPMStartupKeyUsageDropDown_Name = Configure TPM startup key. + ConfigurePINUsageDropDown_Name = Configure TPM startup PIN. + ConfigureTPMPINKeyUsageDropDown_Name = Configure TPM startup key and PIN. + ConfigureTPMUsageDropDown_Name = Configure TPM startup. + + The possible values for 'xx' are: + true = Explicitly allow + false = Policy not set + + The possible values for 'yy' are: + 2 = Optional + 1 = Required + 0 = Disallowed + + Disabling the policy will let the system choose the default behaviors. + If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication + + + chr + + <disabled/> + + + + Note: Maps to GP ConfigureAdvancedStartup_Name policy. + + + + + + + + + + + + text/plain + + + + + SystemDrivesMinimumPINLength + + + + + + + + This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. 
The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits. + If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN. + If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits. + The format is string. + Sample value for this node to enable this policy is: + <enabled/><data id="MinPINLength" value="xx"/> + + Disabling the policy will let the system choose the default behaviors. + If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength + + + chr + + <disabled/> + + + + Note: Maps to GP MinimumPINLength_Name policy. + + + + + + + + + + + + text/plain + + + + + SystemDrivesRecoveryMessage + + + + + + + + This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked. + If you set the "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL). + If you set the "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message. + If you set the "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen. + Note: Not all characters and languages are supported in pre-boot. 
It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen. + The format is string. + Sample value for this node to enable this policy is: + <enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/> + + The possible values for 'xx' are: + 0 = Empty + 1 = Use default recovery message and URL. + 2 = Custom recovery message is set. + 3 = Custom recovery URL is set. + 'yy' = string of max length 900. + 'zz' = string of max length 500. + + Disabling the policy will let the system choose the default behaviors. + If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage + + + chr + + <disabled/> + + + + Note: Maps to GP PrebootRecoveryInfo_Name policy. + + + + + + + + + + + + text/plain + + + + + SystemDrivesRecoveryOptions + + + + + + + + This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. + The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. + In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. 
+ Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. + Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS. + Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. + Note: If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated. + If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives. + If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS. + The format is string. 
+ Sample value for this node to enable this policy is: + <enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/> + + The possible values for 'xx' are: + true = Explicitly allow + false = Policy not set + + The possible values for 'yy' are: + 2 = Allowed + 1 = Required + 0 = Disallowed + + The possible values for 'zz' are: + 2 = Store recovery passwords only + 1 = Store recovery passwords and key packages + + Disabling the policy will let the system choose the default behaviors. + If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions + + + chr + + <disabled/> + + + + Note: Maps to GP OSRecoveryUsage_Name policy. + + + + + + + + + + + + text/plain + + + + + FixedDrivesRecoveryOptions + + + + + + + + This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. + The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents. 
+ In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key. + Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting. + Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD. + Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. + Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS. + Note: If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" data field is set, a recovery password is automatically generated. + If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives. + The format is string. 
+ Sample value for this node to enable this policy is: + <enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/> + + The possible values for 'xx' are: + true = Explicitly allow + false = Policy not set + + The possible values for 'yy' are: + 2 = Allowed + 1 = Required + 0 = Disallowed + + The possible values for 'zz' are: + 2 = Store recovery passwords only + 1 = Store recovery passwords and key packages + + Disabling the policy will let the system choose the default behaviors. + If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions + + + chr + + <disabled/> + + + + Note: Maps to GP FDVRecoveryUsage_Name policy. + + + + + + + + + + + + text/plain + + + + + FixedDrivesRequireEncryption + + + + + + + + This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. + If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. + If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access. + The format is string. + Sample value for this node to enable this policy is: + <enabled/> + + Disabling the policy will let the system choose the default behaviors. + If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption + + + chr + + <disabled/> + + + + Note: Maps to GP FDVDenyWriteAccess_Name policy. 
+ + + + + + + + + + + + text/plain + + + + + RemovableDrivesRequireEncryption + + + + + + + + This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. + If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. + If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting. + If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. + Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored. + The format is string. + Sample value for this node to enable this policy is: + <enabled/><data id="RDVCrossOrg" value="xx"/> + + The possible values for 'xx' are: + true = Explicitly allow + false = Policy not set + + Disabling the policy will let the system choose the default behaviors. + If you want to disable this policy use the following SyncML: + + $CmdID$ + + + ./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption + + + chr + + <disabled/> + + + + Note: Maps to GP RDVDenyWriteAccess_Name policy. + + + + + + + + + + + + text/plain + + + + + +``` \ No newline at end of file 
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md new file mode 100644 index 0000000000..86259803e4 --- /dev/null +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -0,0 +1,48 @@ +--- +title: BOOTSTRAP CSP +description: BOOTSTRAP CSP +ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# BOOTSTRAP CSP + + +The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device. + +> **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile. + +  + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. + +  + +The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. + +![bootstrap csp (cp)](images/provisioning-csp-bootstrap-cp.png) + +**CONTEXT-ALLOW** +Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value. + +**PROVURL** +Required. Specifies the location of a Trusted Provisioning Server (TPS). The PROVURL value must be a complete URL string with a maximum length of 256 characters. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md new file mode 100644 index 0000000000..e762d03a4f --- /dev/null +++ b/windows/client-management/mdm/browserfavorite-csp.md 
@@ -0,0 +1,113 @@ +--- +title: BrowserFavorite CSP +description: BrowserFavorite CSP +ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# BrowserFavorite CSP + + +The BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device. + +> **Note**  BrowserFavorite CSP is only supported in Windows Phone 8.1. + +  + +The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder. + +> **Note**   +This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application. + +  + +The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. + +![browserfavorite csp (cp)](images/provisioning-csp-browserfavorite-cp.png) + +***favorite name*** +Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer. + +> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " < > | + +  + +Adding the same favorite twice adds only one occurrence to the Favorites list. If a favorite is added when another favorite with the same name but a different URL is already in the Favorites list, the existing favorite is replaced with the new favorite. + +**URL** +Optional. Specifies the complete URL for the favorite. + +## OMA client provisioning examples + + +Adding a new browser favorite. 
+ +``` syntax + + + + + + + + +``` + +## Microsoft Custom Elements + + +The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ElementsAvailable

parm-query

Yes

noparm

Yes

nocharacteristic

Yes

characteristic-query

Yes

+

Recursive query: Yes

+

Top-level query: Yes

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md new file mode 100644 index 0000000000..3d370d247f --- /dev/null +++ b/windows/client-management/mdm/bulk-assign-and-reclaim-seats-from-user.md @@ -0,0 +1,119 @@ +--- +title: Bulk assign and reclaim seats from users +description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Windows Store for Business. +ms.assetid: 99E2F37D-1FF3-4511-8969-19571656780A +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Bulk assign and reclaim seats from users + +The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

POST

https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats

+ +  +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

username

string

Requires UserPrincipalName (UPN). User name of the target user account.

seatAction

[SeatAction](data-structures-windows-store-for-business.md#seataction)

+ +  +## Response + +### Response body + +The response body contains [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset). + + ++++++ + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData field

404

Not found

Item type: Inventory

+

Values: ProductId/SkuId

+ +  + +  + + + + + diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md new file mode 100644 index 0000000000..dca0fac617 --- /dev/null +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md 
@@ -0,0 +1,169 @@ +--- +title: Bulk enrollment +description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10. +MS-HAID: +- 'p\_phdevicemgmt.bulk\_enrollment' +- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool' +ms.assetid: DEB98FF3-CC5C-47A1-9277-9EF939716C87 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + + +# Bulk enrollment + +Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario. + +## Typical use cases + +- Set up devices in bulk for large organizations to be managed by MDM. +- Set up kiosks, such as ATMs or point-of-sale (POS) terminals. +- Set up school computers. +- Set up industrial machinery. +- Set handheld POS devices. + +On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can log in to use it. This is especially useful in getting a large number of desktop ready to use within a domain. + +On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them. + +> **Note**   +> - Bulk-join is not supported in Azure Active Directory Join. +> - Bulk enrollment does not work in Intune standalone enviroment. 
+> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console. + +  + +## What you need + +- Windows 10 devices +- Windows Imaging and Configuration Designer (ICD) tool + To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113) and [Getting started with Windows ICD](https://msdn.microsoft.com/library/windows/hardware/dn916112). +- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.) +- Wi-Fi credentials, computer name scheme, and anything else required by your organization. + + Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain. + +## Create and apply a provisioning package for on-premise authentication + +Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings. + +1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +2. Click **Advanced Provisioning**. + + ![icd start page](images/bulk-enrollment7.png) +3. Enter a project name and click **Next**. +4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**. +5. Skip **Import a provisioning package (optional)** and click **Finish**. +6. Expand **Runtime settings** > **Workplace**. +7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**. + The UPN is a unique identifier for the enrollment. 
For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". +8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. + Here is the list of available settings: + - **AuthPolicy** - Select **OnPremise**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. + - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - Password + For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). + Here is the screenshot of the ICD at this point. + ![bulk enrollment screenshot](images/bulk-enrollment.png) +9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +10. When you are done adding all the settings, on the **File** menu, click **Save**. +11. On the main menu click **Export** > **Provisioning package**. + + ![icd menu for export](images/bulk-enrollment2.png) +12. Enter the values for your package and specify the package output location. + + ![enter package information](images/bulk-enrollment3.png) + ![enter additonal information for package information](images/bulk-enrollment4.png) + ![specify file location](images/bulk-enrollment6.png) +13. Click **Build**. + + ![icb build window](images/bulk-enrollment5.png) +14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). +15. Apply the package to your devices. + +## Create and apply a provisioning package for certificate authentication + +Using the ICD, create a provisioning package using the enrollment information required by your organization. 
Ensure that you have all the configuration settings. + +1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe). +2. Click **Advanced Provisioning**. +3. Enter a project name and click **Next**. +4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions. +5. Skip **Import a provisioning package (optional)** and click **Finish**. +6. Specify the certificate. + 1. Go to **Runtime settings** > **Certificates** > **ClientCertificates**. + 2. Enter a **CertificateName** and then click **Add**. + 3. Enter the **CertificatePasword**. + 4. For **CertificatePath**, browse and select the certificate to be used. + 5. Set **ExportCertificate** to False. + 6. For **KeyLocation**, select **Software only**. + + ![icd certificates section](images/bulk-enrollment8.png) +7. Specify the workplace settings. + 1. Got to **Workplace** > **Enrollments**. + 2. Enter the **UPN** for the enrollment and then click **Add**. + The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com". + 3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process. + Here is the list of available settings: + - **AuthPolicy** - Select **Certificate**. + - **DiscoveryServiceFullUrl** - specify the full URL for the discovery service. + - **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank. + - **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank. + - **Secret** - the certificate thumbprint. + For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md). +8. 
Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**). +9. When you are done adding all the settings, on the **File** menu, click **Save**. +10. Export and build the package (steps 10-13 in the procedure above). +11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package). +12. Apply the package to your devices. + +## Apply a provisioning package + +Here's the list of topics about applying a provisioning package: + +- [Apply a package on the first-run setup screen (out-of-the-box experience)](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment#apply-package) - topic in Technet. +- [Apply a package to a Windows 10 desktop edition image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN +- [Apply a package to a Windows 10 Mobile image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN. +- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below + +## Apply a package from the Settings menu + +1. Go to **Settings** > **Accounts** > **Access work or school**. +2. Click **Add or remove a provisioning package**. +3. Click **Add a package**. + +## Validate that the provisioning package was applied + +1. Go to **Settings** > **Accounts** > **Access work or school**. +2. Click **Add or remove a provisioning package**. + You should see the your package listed. + +## Retry logic in case of a failure + +If the provisioning engine receives a failure from a CSP it will retry to provision 3 times in a row. + +If all immediate attempts fail, a delayed task is launched to try provisioning again later. 
It will retry 4 times at a decaying rate of 15 minutes -> 1 hr -> 4 hr -> "Next System Start". These attempts will be run from a SYSTEM context. + +It will also retry to apply the provisioning each time it is launched, if started from somewhere else as well. + +In addition, provisioning will be restarted in a SYSTEM context after a login and the system has been idle ([details on idle conditions](https://msdn.microsoft.com/library/windows/desktop/aa383561.aspx)). + +## Other provisioning topics + +Here are links to step-by-step provisioning topics in Technet. + +- [Provision PCs with apps and certificates for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-with-apps-and-certificates) +- [Provision PCs with common settings for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment) + +  + + + + + + diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md new file mode 100644 index 0000000000..2eb3f56669 --- /dev/null +++ b/windows/client-management/mdm/cellularsettings-csp.md @@ -0,0 +1,68 @@ +--- +title: CellularSettings CSP +description: CellularSettings CSP +ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CellularSettings CSP + +The CellularSettings configuration service provider is used to configure cellular settings on a mobile device. + +> [!Note] +> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. + +The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. + +![provisioning\-csp\-cellularsettings](images/provisioning-csp-cellularsettings.png) + +**DataRoam** +

Optional. Integer. Specifies the default roaming value. Valid values are:

+ +
++++ + + + + + + + + + + + + + + + + + + + + +
ValueSetting

0

Don’t roam

1

Don’t roam (or Domestic roaming if applicable)

2

Roam

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md new file mode 100644 index 0000000000..06d6f265b6 --- /dev/null +++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md 
@@ -0,0 +1,513 @@ +--- +title: Certificate authentication device enrollment +description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy. +ms.assetid: 57DB3C9E-E4C9-4275-AAB5-01315F9D3910 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Certificate authentication device enrollment + + +This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). + +> **Note**  To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107). + + +## In this topic + + +- [Discovery service](#discovery-service) +- [Enrollment policy web service](#enrollment-policy-web-service) +- [Enrollment web service](#enrollment-web-service) + +For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). + +## Discovery Service + +The following example shows the discovery service request. 
+ +``` syntax +POST /EnrollmentServer/Discovery.svc HTTP/1.1 +Content-Type: application/soap+xml; charset=utf-8 +User-Agent: Windows Enrollment Client +Host: EnterpriseEnrollment.Contoso.com +Content-Length: xxx +Cache-Control: no-cache + + + + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc + + + + + + user@contoso.com + 101 + 10.0.0.0 + 3.0 + WindowsPhone + 10.0.0.0 + Certificate + + + + +``` + +The following example shows the discovery service response. + +``` +HTTP/1.1 200 OK +Content-Length: 865 +Content-Type: application/soap+xml; charset=utf-8 +Server: EnterpriseEnrollment.Contoso.com +Date: Tue, 02 Aug 2012 00:32:56 GMT + + + +http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse + + + d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + + + + Certificate + 3.0 + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + + +``` + +## Enrollment policy web service + +The following example shows the policy web service request. 
+ +``` +POST /ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC HTTP/1.1 +Content-Type: application/soap+xml; charset=utf-8 +User-Agent: Windows Enrollment Client +Host: enrolltest.contoso.com +Content-Length: xxxx +Cache-Control: no-cache + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies + + urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + B64EncodedSampleBinarySecurityToken + + + + + + + + + + + + + + WindowsMobile + + Core + + 9.0.9999.0 + + MY_WINDOWS_DEVICE + + FF:FF:FF:FF:FF:FF + + 49015420323756 + + Lite + + WindowsPhone + + + 10.0.0.0 + + + 7BA748C8-703E-4DF2-A74A-92984117346A + + + +``` + +The following snippet shows the policy web service response. + +``` +HTTP/1.1 200 OK +Date: Fri, 03 Aug 2012 20:00:00 GMT +Server: +Content-Type: application/soap+xml +Content-Length: xxxx + + + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse + + + d4335d7c-e192-402d-b0e7-f5d550467e3c + urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598 + + + + + + + + + + 0 + + + 3 + + 2048 + + + + + + + + + + + + 0 + + + + + + + + + + + 1.3.14.3.2.29 + 1 + 0 + szOID_OIWSEC_sha1RSASign + + + + + + +``` + +## Enrollment web service + +The following example shows the enrollment web service request. 
+ +``` +POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1 +Content-Type: application/soap+xml; charset=utf-8 +User-Agent: Windows Enrollment Client +Host: enrolltest.contoso.com +Content-Length: 3242 +Cache-Control: no-cache + + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep + + urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + 2014-10-16T17:55:13Z + 2014-10-16T17:57:13Z + + + B64EncodedSampleBinarySecurityToken + + + + + + MessageDigestValue + + + + SignedMessageBlob/ds:SignatureValue> + + + + + + + + + + + + + + http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken + + + http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue + + DER format PKCS#10 certificate request in Base64 encoding Insterted Here + + + + + + 10.0.0.0 + + MY_WINDOWS_DEVICE + + FF:FF:FF:FF:FF:FF + + CC:CC:CC:CC:CC:CC + + 49015420323756 + + Full + + WindowsPhone + + + 10.0.0.0 + + + 7BA748C8-703E-4DF2-A74A-92984117346A + + 3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342 + + True + + + + + +``` + +The following example shows the enrollment web service response. + +``` +HTTP/1.1 200 OK +Cache-Control: private +Content-Length: 10231 +Content-Type: application/soap+xml; charset=utf-8 +Server: Microsoft-IIS/7.0 +Date: Fri, 03 Aug 2012 00:32:59 GMT + + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep + + urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab + + + 2012-08-02T00:32:59.420Z + 2012-08-02T00:37:59.420Z + + + + + + + + http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken + + + + B64EncodedSampleBinarySecurityToken + + + 0 + + + + + + +``` + +The following example shows the encoded provisioning XML. 
+ +``` + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +  + + + + + diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md new file mode 100644 index 0000000000..03875bfea6 --- /dev/null +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md 
@@ -0,0 +1,184 @@ +--- +title: Certificate Renewal +description: The enrolled client certificate expires after a period of use. +MS-HAID: +- 'p\_phdevicemgmt.certificate\_renewal' +- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm' +ms.assetid: F910C50C-FF67-40B0-AAB0-CA7CE02A9619 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Certificate Renewal + + +The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. + +> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. + +  + +## In this topic + + +- [Automatic certificate renewal request](#automatic-certificate-renewal-request) +- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration) +- [Certificate renewal response](#certificate-renewal-response) +- [Configuration service providers supported during MDM enrollment and certificate renewal](#configuration-service-providers-supported-during-mdm-enrollment-and-certificate-renewal) + + +## Automatic certificate renewal request + + +In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. 
For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal. + +> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. + +  + +Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate. + +For the device that is enrolled with the OnPremise authentication method, for backward compatibility, the default renewal method is user manual certificate renewal. However, for Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal via CertificateStore CSP’s ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. For more information about Renew related configuration settings, refer to the CertificateStore configuration service provider. + +Unlike manual certificate renewal where there is an additional b64 encoding for PKCS\#7 message content, with automatic renewal, the PKCS\#7 message content isn’t b64 encoded separately. + +During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Make sure using one of device pre-installed root certificates or provision the root cert over a DM session via CertificateStore Configuration Service Provider. 
+ +During the automatic certificate renew process, the device will deny HTTP redirect request from the server unless it is the same redirect URL that the user explicitly accepted during the initial MDM enrollment process. + +The following example shows the details of an automatic renewal request. + +``` + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep + urn:uuid:61a17f2c-42e9-4a45-9c85-f15c1c8baee8 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://dm.contoso.com/EnrollmentService/DeviceEnrollmentService.svc + + + 2011-07-11T19:49:08.579Z + 2011-07-11T19:54:08.579Z + + + user@contoso.com + + + + + + + + + http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken + + http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew + + BinarySecurityTokenInsertedHere + + + + WindowsPhone + + + 5.0.7616.0 + + + + + +``` + + + +## Certificate renewal schedule configuration + +In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry to be configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSP’s RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, instead of only reminding the user once, the Windows device will remind the user with a prompt dialog at every renewal retry time until the certificate is expired. + +For more information about the parameters, see the CertificateStore configuration service provider. + +Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. 
To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week. + +> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. +> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design. + +  + +## Certificate renewal response + +When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): + +- The signature of the PKCS\#7 BinarySecurityToken is correct +- The client’s certificate is in the renewal period +- The certificate was issued by the enrollment service +- The requester is the same as the requester for initial enrollment +- For standard client’s request, the client hasn’t been blocked + +After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. + +> **Note**  The HTTP server response must not be chunked; it must be sent as one message. + + +The following example shows the details of an certificate renewal response. + +``` + + + + + + + + + + + + + + + + + + + + + + +``` + +> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. 
+ +  + + +## Configuration service providers supported during MDM enrollment and certificate renewal + + +The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider. + +- CertificateStore +- w7 APPLICATION +- DMClient +- EnterpriseAppManagement + +  + + + + + + diff --git a/windows/client-management/mdm/certificatestore-csp.md b/windows/client-management/mdm/certificatestore-csp.md new file mode 100644 index 0000000000..20bda706fb --- /dev/null +++ b/windows/client-management/mdm/certificatestore-csp.md 
@@ -0,0 +1,637 @@ +--- +title: CertificateStore CSP +description: CertificateStore CSP +ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CertificateStore CSP + + +The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates. + +> **Note**   The CertificateStore configuration service provider does not support installing client certificates. + +  + +For the CertificateStore CSP, you cannot use the Replace command unless the node already exists. + +The following diagram shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning. + +![provisioning\-csp\-certificatestore](images/provisioning-csp-certificatestore.png) + +**Root/System** +Defines the certificate store that contains root, or self-signed, certificates. + +Supported operation is Get. + +> **Note**  Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates. + +  + +**CA/System** +Defines the certificate store that contains cryptographic information, including intermediary certification authorities. + +Supported operation is Get. + +> **Note**  CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates. + +  + +**My/User** +Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications. + +Supported operation is Get. + +> **Note**  My/User is case sensitive. 
+ +  + +**My/System** +Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading. + +Supported operation is Get. + +> **Note**  My/System is case sensitive. + +  + +***CertHash*** +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. + +Supported operations are Get, Delete, and Replace. + +***CertHash*/EncodedCertificate** +Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + +Supported operations are Get, Add, Delete, and Replace. + +***CertHash*/IssuedBy** +Required. Returns the name of the certificate issuer. This is equivalent to the *Issuer* member in the CERT\_INFO data structure. + +Supported operation is Get. + +***CertHash*/IssuedTo** +Required. Returns the name of the certificate subject. This is equivalent to the *Subject* member in the CERT\_INFO data structure. + +Supported operation is Get. + +***CertHash*/ValidFrom** +Required. Returns the starting date of the certificate's validity. This is equivalent to the *NotBefore* member in the CERT\_INFO structure. + +Supported operation is Get. + +***CertHash*/ValidTo** +Required. Returns the expiration date of the certificate. This is equivalent to the *NotAfter* member in the CERT\_INFO structure. + +Supported operation is Get. + +***CertHash*/TemplateName** +Required. Returns the certificate template name. + +Supported operation is Get. + +**My/SCEP** +Required for Simple Certificate Enrollment Protocol (SCEP) certificate enrollment. The parent node grouping the SCEP certificate related settings. + +Supported operation is Get. 
+ +> **Note**  Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP. + +  + +**My/SCEP/****_UniqueID_** +Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node. + +Supported operations are Get, Add, Replace, and Delete. + +**My/SCEP/*UniqueID*/Install** +Required for SCEP certificate enrollment. Parent node to group SCEP certificate install related request. Format is node. + +Supported operations are Add, Replace, and Delete. + +> **Note**   Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values. + +  + +**My/SCEP/*UniqueID*/Install/ServerURL** +Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/Challenge** +Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Value type is chr. + +Supported operations are Get, Add, Replace, and Delete. + +Challenge will be deleted shortly after the Exec command is accepted. + +**My/SCEP/*UniqueID*/Install/EKUMapping** +Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs are separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/KeyUsage** +Required for enrollment. 
Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value does not have those bits set, configuration will fail. Value type is an integer. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/SubjectName** +Required. Specifies the subject name. Value type is chr. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/KeyProtection** +Optional. Specifies the location of the private key. Although the private key is protected by TPM, it is not protected with TPM PIN. SCEP enrolled certificate does not support TPM PIN protection. + +Supported values are one of the following: + +- 1 – Private key is protected by device TPM. + +- 2 – Private key is protected by device TPM if the device supports TPM. + +- 3 (default) – Private key is only saved in the software KSP. + +Value type is an integer. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/RetryDelay** +Optional. Specifies the device retry waiting time in minutes when the SCEP server sends the pending status. Default value is 5 and the minimum value is 1. Value type is an integer. + +Supported operations are Get, Add, and Delete. + +**My/SCEP/*UniqueID*/Install/RetryCount** +Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value cannot be larger than 30. If it is larger than 30, the device will use 30. The min value is 0, which means no retry. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/TemplateName** +Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server; therefore, the MDM server typically does not need to provide it. Value type is chr. 
+ +Supported operations are Get, Add, and Delete. + +**My/SCEP/*UniqueID*/Install/KeyLength** +Required for enrollment. Specify private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/HashAlgorithm** +Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +. + +Value type is chr. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/CAThumbprint** +Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it does not match, the authentication fails. Value type is chr. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames** +Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *<nameformat1>*+*<actual name1>*;*<name format 2>*+*<actual name2>*. Value type is chr. + +Supported operations are Get, Add, Delete, and Replace. + +**My/SCEP/*UniqueID*/Install/ValidPeriod** +Optional. Specifies the units for the valid period. Value type is chr. + +Supported operations are Get, Add, Delete, and Replace. 
+ +Valid values are one of the following: + +- Days (default) +- Months +- Years + +> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. + +  + +**My/SCEP/*UniqueID*/Install/ValidPeriodUnits** +Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer. + +Supported operations are Get, Add, Delete, and Replace. + +> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server. + +  + +**My/SCEP/*UniqueID*/Install/Enroll** +Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node does not contain a value. + +Supported operation is Exec. + +**My/WSTEP/CertThumbprint** +Optional. Returns the current MDM client certificate thumbprint. If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. Value type is chr. + +Supported operation is Get. + +**My/SCEP/*UniqueID*/Status** +Required. Specifies the latest status for the certificate due to enrollment request. Value type is chr. + +Supported operation is Get. 
+ +Valid values are one of the following: + +- 1 – Finished successfully. + +- 2 – Pending. The device has not finished the action, but has received the SCEP server pending response. + +- 16 - Action failed. + +- 32 – Unknown. + +**My/SCEP/*UniqueID*/ErrorCode** +Optional. The integer value that indicates the HRESULT of the last enrollment error code. + +Supported operation is Get. + +**My/SCEP/*UniqueID*/CertThumbprint** +Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr. + +Supported operation is Get. + +**My/SCEP/*UniqueID*/RespondentServerUrl** +Required. Returns the URL of the SCEP server that responded to the enrollment request. Value type is string. + +Supported operation is Get. + +**My/WSTEP** +Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that is enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node. + +Supported operation is Get. + +**My/WSTEP/Renew** +Optional. The parent node to group renewal related settings. + +Supported operation is Get. + +**My/WSTEP/Renew/ServerURL** +Optional. Specifies the URL of certificate renewal server. If this node does not exist, the client uses the initial certificate enrollment URL. + +> **Note**  The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service. + +  + +Supported operations are Add, Get, Delete, and Replace. + +**My/WSTEP/Renew/RenewalPeriod** +Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. 
This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It is recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity. + +The default value is 42 and the valid values are 1 – 1000. Value type is an integer. + +Supported operations are Add, Get, Delete, and Replace. + +> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + +  + +**My/WSTEP/Renew/RetryInterval** +Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date. + +For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries. + +For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again. + +The default value is 7 and the valid values are 1 – 1000 AND =< RenewalPeriod, otherwise it will result in errors. Value type is an integer. + +Supported operations are Add, Get, Delete, and Replace. + +> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + +  + +**My/WSTEP/Renew/ROBOSupport** +Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool. + +ROBO is the only supported renewal method for Windows 10. This value is ignored and always considered to be true. + +Supported operations are Add, Get, Delete, and Replace. 
+ +> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands. + +  + +**My/WSTEP/Renew/Status** +Required. Shows the latest action status for this certificate. Value type is an integer. + +Supported operation is Get. + +Supported values are one of the following: + +- 0 – Not started. + +- 1 – Renewal in progress. + +- 2 – Renewal succeeded. + +- 3 – Renewal failed. + +**My/WSTEP/Renew/ErrorCode** +Optional. If certificate renewal fails, this integer value indicates the HRESULT of the last error code during the renewal process. Value type is an integer. + +Supported operation is Get. + +**My/WSTEP/Renew/LastRenewalAttemptTime** +Added in Windows 10, version 1607. Time of the last attempted renewal. + +Supported operation is Get. + +**My/WSTEP/Renew/RenewNow** +Added in Windows 10, version 1607. Initiates a renewal now. + +Supported operation is Execute. + +**My/WSTEP/Renew/RetryAfterExpiryInterval** +Added in Windows 10, version 1703. How long after the enrollment certificate has expired before trying to renew. + +Supported operations are Add, Get, and Replace. + +## Examples + + +Add a root certificate to the MDM server. + +``` syntax + + 1 + + + +./Vendor/MSFT/CertificateStore/Root/System//EncodedCertificate + + + B64EncodedCertInsertedHere + + b64 + + + +``` + +Get all installed client certificates. + +``` syntax + + 1 + + + +./Vendor/MSFT/CertificateStore/My/User?list=StructData + + + + +``` + +Delete a root certificate. + +``` syntax + + 1 + + + +./Vendor/MSFT/CertificateStore/Root/System/ + + + + +``` + +Configure the device to enroll a client certificate through SCEP. 
+ +``` syntax + +100 + + 1 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1 + + + node + + + + + 2 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryCount + + + int + + 1 + + + + 3 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryDelay + + + int + + 1 + + + + 4 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyUsage + + + int + + 160 + + + + 5 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyLength + + + int + + 1024 + + + + 6 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/HashAlgorithm + + + chr + + SHA-1 + + + + 7 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectName + + + chr + + CN=AnnaLee + + + + 8 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectAlternativeNames + + + chr + + 11+tom@MyDomain.Contoso.com;3+MyDomain.Contoso.com + + + + 9 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriod + + + chr + + Years + + + + 10 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriodUnits + + + int + + 1 + + + + 11 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/EKUMapping + + + chr + + 1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2 + + + + 12 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyProtection + + + int + + 3 + + + + 13 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ServerURL + + + chr + + https://contoso.com/certsrv/ctcep.dll + + + + 14 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Challenge + + + chr + + ChallengeInsertedHere + + + + 15 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/CAThumbprint + + + chr + + CAThumbprintInsertedHere + + + + 16 + + ./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Enroll + + + + +``` + +Configure the device to automatically renew an MDM client certificate with the specified renew period and retry interval. 
+ +``` syntax + + 1 + + 2 + + ./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/ROBOSupport + + bool + + true + + + + 3 + + ./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RenewPeriod + + int + + 60 + + + + 4 + + ./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RetryInterval + + int + + 4 + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/certificatestore-ddf-file.md b/windows/client-management/mdm/certificatestore-ddf-file.md new file mode 100644 index 0000000000..dce1073030 --- /dev/null +++ b/windows/client-management/mdm/certificatestore-ddf-file.md 
@@ -0,0 +1,1677 @@ +--- +title: CertificateStore DDF file +description: This topic shows the OMA DM device description framework (DDF) for the CertificateStore configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: D9A12D4E-3122-45C3-AD12-CC4FFAEC08B8 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CertificateStore DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **CertificateStore** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + CertificateStore + ./Vendor/MSFT + + + + + This object is used to add or delete a security certificate to the device's certificate store. + + + + + + + + + + + + + + + ROOT + + + + + This store holds only root (self-signed) certificates. + + + + + + + + + + + + + + + * + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + text/plain + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + The name of the certificate subject. 
This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + + + + + + + + + + + text/plain + + + + + + System + + + + + This store holds the System portion of the root store. + + + + + + + + + + + + + + + * + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + text/plain + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + + + + + + + + + + + text/plain + + + + + + + + MY + + + + + This store keeps all end-user personal certificates. + + + + + + + + + + + + + + + User + + + + + This store holds the User portion of the MY store. 
+ + + + + + + + + + + + + + + * + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. Note that though during MDM enrollment, enrollment server could use WAP XML format to add public part of MDM client cert via EncodedCertificate node, properly enroll a client certificate including private needs a cert enroll protocol handle it or user installs it manually. In WP, the server cannot purely rely on CertificateStore CSP to install a client certificate including private key. + + + + + + + + + + + text/plain + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + + + + + + + + + + + text/plain + + + + + + + SCEP + + + + + This store holds the SCEP portion of the MY store and handle operations related to SCEP certificate enrollment. + + + + + + + + + + + + + + + * + + + + + + + The UniqueID for the SCEP enrollment request. Each client certificate should have different unique ID. 
+ + + + + + + + + + + + + + + Install + + + + + The group to represent the install request + + + + + + + + + + + + + + + ServerURL + + + + + + Specify the cert enrollment server. + + + + + + + + + + + text/plain + + + + + Challenge + + + + + + Enroll requester authentication shared secret. + + + + + + + + + + + text/plain + + + + + EKUMapping + + + + + + Specify extended key usages. The list of OIDs are separated by plus “+”. + + + + + + + + + + + text/plain + + + + + KeyUsage + + + + + + Specify the key usage bits (0x80, 0x20, 0xA0) for the cert. + + + + + + + + + + + text/plain + + + + + SubjectName + + + + + + Specify the subject name. + + + + + + + + + + + text/plain + + + + + KeyProtection + + + + + + Specify where to keep the private key. + + + + + + + + + + + text/plain + + + + + RetryDelay + + + + + + When the SCEP server sends pending status, specify device retry waiting time in minutes. + + + + + + + + + + + text/plain + + + + + RetryCount + + + + + + When the SCEP sends pending status, specify device retry times. + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + + Certificate Template Name OID (As in AD used by PKI infrastructure. + + + + + + + + + + + text/plain + + + + + KeyLength + + + + + + Specify private key length (RSA). + + + + + + + + + + + text/plain + + + + + HashAlgrithm + + + + + + Client create Cert enroll request, get supported hash OIalgorithm from SCEP server and match it with one specified in this parameter. + + + + + + + + + + + text/plain + + + + + CAThumbPrint + + + + + + Specify root CA thumbprint. + + + + + + + + + + + text/plain + + + + + SubjectAlternativeNames + + + + + + Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Each pair is separated by semi-comma. + + + + + + + + + + + text/plain + + + + + ValidPeriod + + + + + Specify the period of time that cert is valid. 
The valid period specified by MDM will overwrite the valid period specified in cert template. + + + + + + + + + + + text/plain + + + + + ValidPeriodUnit + + + + + + Specify valid period unit type. + + + + + + + + + + + text/plain + + + + + Enroll + + + + + Start the cert enrollment. + + + + + + + + + + + text/plain + + + + + + CertThumbPrint + + + + + Specify the current cert’s thumbprint. + + + + + + + + + + + text/plain + + + + + Status + + + + + Specify the latest status for the certificate due to enroll request. + + + + + + + + + + + text/plain + + + + + ErrorCode + + + + + Specify the last hresult in case enroll action failed. + + + + + + + + + + + text/plain + + + + + + + WSTEP + + + + + The parent node that hosts client certificate that is enrolled via WSTEP, e.g. the certificate that is enrolled during MDM enrollment. + + + + + + + + + + + + + + + CertThumprint + + + + + The thumb print of enrolled MDM client certificate. + + + + + + + + + + + text/plain + + + + + Renew + + + + + Under this node are the renew properties. + + + + + + + + + + + + + + + RenewPeriod + + + + + + + + Specify the number of days prior to the enrollment cert expiration to prompt the user to renew. + + + + + + + + + + + text/plain + + + + + ServerURL + + + + + + + + Optional. Specifies the cert renewal server URL which is the discovery server. + + + + + + + + + + + text/plain + + + + + RetryInterval + + + + + + + + Optional. This parameter specifies retry interval when previous renew failed (in days). It applies to both manual cert renewal and ROBO cert renewal. Retry schedule will stop at cert expiration date. + + + + + + + + + + + text/plain + + + + + ROBOSupport + + + + + + + + Optional. Notify the client whether enrollment server supports ROBO auto certificate renew. NOTE: This flag is only needed to the device which is MDM enrolled via On-premise authentication method. For MDM enrolled with federated authentication, ROBO is the only supported renewal method. 
If the server sets this node value to be false or delete this node for federated enrolled device, the configuration will fail with OMA DM error code 405. + + + + + + + + + + + text/plain + + + + + Status + + + + + Show the latest action status for this certificate. + + + + + + + + + + + text/plain + + + + + ErrorCode + + + + + If certificate renew fails, this node provide the last hresult code during renew process. + + + + + + + + + + + text/plain + + + + + LastRenewalAttemptTime + + + + + Time of last attempted renew + + + + + + + + + + text/plain + + + + + RenewNow + + + + + Initiate a renew now + + + + + + + + + + + text/plain + + + + + RetryAfterExpiryInterval + + + + + + How long after the enrollment cert has expiried to keep trying to renew + + + + + + + + + + + text/plain + + + + + + + + CA + + + + + This cryptographic store contains intermediary certification authorities. + + + + + + + + + + + + + + + * + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate + + + + + + + + + + + text/plain + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. 
+ + + + + + + + + + + text/plain + + + + + TemplateName + + + + + + + + + + + + + + + text/plain + + + + + + System + + + + + This store holds the System portion of the CA store. + + + + + + + + + + + + + + + * + + + + + + The SHA1 hash for the certificate. The 20-byte SHA1 hash of the certificate is specified in hexadecimal. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + + + + + EncodedCertificate + + + + + + + The base64 Encoded X.509 certificate. + + + + + + + + + + + text/plain + + + + + IssuedBy + + + + + The name of the certificate issuer. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + The name of the certificate subject. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + The starting date of the certificate's validity. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + The expiration date of the certificate. This node is implicitly created only when the EncodedCertificate node is added. + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + + + + + + + + + + + text/plain + + + + + + + + +``` + +  + +  + + + + + diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md new file mode 100644 index 0000000000..4f2d5cc211 --- /dev/null +++ b/windows/client-management/mdm/cleanpc-csp.md 
@@ -0,0 +1,30 @@ +--- +title: CleanPC CSP +description: The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CleanPC CSP + +The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703. + +The following diagram shows the CleanPC configuration service provider in tree format. + +![CleanPC csp diagram](images/provisioning-csp-cleanpc.png) + +**./Device/Vendor/MSFT/CleanPC** +

The root node for the CleanPC configuration service provider.

+ +**CleanPCWithoutRetainingUserData** +

An integer specifying a CleanPC operation without any retention of user data. + +

The only supported operation is Execute. + +**CleanPCRetainingUserData** +

An integer specifying a CleanPC operation with retention of user data. + +

The only supported operation is Execute. diff --git a/windows/client-management/mdm/cleanpc-ddf.md b/windows/client-management/mdm/cleanpc-ddf.md new file mode 100644 index 0000000000..cfbd44cc65 --- /dev/null +++ b/windows/client-management/mdm/cleanpc-ddf.md @@ -0,0 +1,105 @@ +--- +title: CleanPC DDF +description: This topic shows the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CleanPC DDF + +This topic shows the OMA DM device description framework (DDF) for the **CleanPC** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + CleanPC + ./Device/Vendor/MSFT + + + + + Allow removal of user installed and pre-installed applications, with option to persist user data + + + + + + + + + + + com.microsoft/1.0/MDM/CleanPC + + + + CleanPCWithoutRetainingUserData + + + + + CleanPC operation without any retention of User data + + + + + + + + + + + text/plain + + + + + CleanPCRetainingUserData + + + + + CleanPC operation with retention of User data + + + + + + + + + + + text/plain + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md new file mode 100644 index 0000000000..6391e50c7d 
--- /dev/null +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -0,0 +1,672 @@ +--- +title: ClientCertificateInstall CSP +description: ClientCertificateInstall CSP +ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ClientCertificateInstall CSP + + +The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. + +For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block. + +> **Note**   +Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. + +You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. + + +The following image shows the ClientCertificateInstall configuration service provider in tree format. + +![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png) + +**Device or User** +

For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path. + +**ClientCertificateInstall** +

The root node for the ClientCertificateInstaller configuration service provider. + +**ClientCertificateInstall/PFXCertInstall** +

Required for PFX certificate installation. The parent node grouping the PFX certificate related settings. + +

Supported operation is Get. + +**ClientCertificateInstall/PFXCertInstall/****_UniqueID_** +

Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. + +

The data type format is node. + +

Supported operations are Get, Add, and Delete . + +

Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob. + +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation** +

Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. + +

Supported operations are Get, Add, and Replace. + +

The data type is an integer corresponding to one of the following values: + +| Value | Description | +|-------|---------------------------------------------------------------------------------------------------------------| +| 1 | Install to TPM if present, fail if not present. | +| 2 | Install to TPM if present. If not present, fallback to software. | +| 3 | Install to software. | +| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | + + +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** +

ptional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. + +

Date type is string. + +

Supported operations are Get, Add, and Replace. + +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob** +

CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation. + +

The data type format is binary. + +

Supported operations are Get, Add, and Replace. + +

If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten. + +

If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail. + +

In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT\_DATA\_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](http://go.microsoft.com/fwlink/p/?LinkId=523871). + +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword** +

Password that protects the PFX blob. This is required if the PFX is password protected. + +

Data Type is a string. + +

Supported operations are Get, Add, and Replace. + +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType** +

Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM sever. + +

The data type is int. Valid values: + +- 0 - Password is not encrypted. +- 1 - Password is encrypted with the MDM certificate. +- 2 - Password is encrypted with custom certificate. + +

When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting. + +

Supported operations are Get, Add, and Replace. + +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** +

Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. + +> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. + +  +

The data type bool. + +

Supported operations are Get, Add, and Replace. + +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint** +

Returns the thumbprint of the installed PFX certificate. + +

The datatype is a string. + +

Supported operation is Get. + +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status** +

Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. + +

Data type is an integer. + +

Supported operation is Get. + +**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore** +

Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword. + +

Data type is string. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP** +

Node for SCEP. + +> **Note**  An alert is sent after the SCEP certificate is installed. + +  +**ClientCertificateInstall/SCEP/****_UniqueID_** +

A unique ID to differentiate different certificate installation requests. + +

Supported operations are Get, Add, Replace, and Delete. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install** +

A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. + +

Supported operations are Get, Add, Replace, and Delete. + +> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. + +  +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** +

Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. + +

Data type is string. + +

Supported operations are Get, Add, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge** +

Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted. + +

Data type is string. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping** +

Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*. + +Data type is string. +

Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail. + +

Data type is int. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** +

Required. Specifies the subject name. + +

Data type is string. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** +

Optional. Specifies where to keep the private key. + +> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN. + +  +

The data type is an integer corresponding to one of the following values: + +| Value | Description | +|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 1 | Private key protected by TPM. | +| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. | +| 3 | (Default) Private key saved in software KSP. | +| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. | + +  +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** +

Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. + +

Data type format is an integer. + +

The default value is 5. + +

The minimum value is 1. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount** +

Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status. + +

Data type is integer. + +

Default value is 3. + +

Maximum value is 30. If the value is larger than 30, the device will use 30. + +

Minimum value is 0, which indicates no retry. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** +

Optional. OID of certificate template name. + +> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. + +  +

Data type is string. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength** +

Required for enrollment. Specify private key length (RSA). + +

Data type is integer. + +

Valid values are 1024, 2048, and 4096. + +

For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm** +

Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**. + +

For Windows Hello for Business, only SHA256 is the supported algorithm. + +

Data type is string. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint** +

Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail. + +

Data type is string. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames** +

Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information. + +

Each pair is separated by semicolon. For example, multiple SANs are presented in the format of *\[name format1\]*+*\[actual name1\]*;*\[name format 2\]*+*\[actual name2\]*. + +

Data type is string. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod** +

Optional. Specifies the units for the valid certificate period. + +

Data type is string. + +

Valid values are: + +- Days (Default) +- Months +- Years + +> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. + +  +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** +

Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +

Data type is string. + +>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. + +  +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** +

Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail. + +

Data type is string. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt** +

Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for. + +

Data type is string. + +

Supported operations are Add, Get, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll** +

Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added. + +

The date type format is Null, meaning this node doesn’t contain a value. + +

The only supported operation is Execute. + +**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList** +

Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + +

Data type is string. + +

Supported operations are Add, Get, Delete, and Replace. + +**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint** +

Optional. Specifies the current certificate’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. + +

If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string. + +

Data type is string. + +

The only supported operation is Get. + +**ClientCertificateInstall/SCEP/*UniqueID*/Status** +

Required. Specifies latest status of the certificated during the enrollment request. + +

Data type is string. Valid values: + +

The only supported operation is Get. + +| Value | Description | +|-------|---------------------------------------------------------------------------------------------------| +| 1 | Finished successfully | +| 2 | Pending (the device hasn’t finished the action but has received the SCEP server pending response) | +| 16 | Action failed | +| 32 | Unknown | + +  +**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** +

Optional. An integer value that indicates the HRESULT of the last enrollment error code. + +

The only supported operation is Get. + +**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl** +

Required. Returns the URL of the SCEP server that responded to the enrollment request. + +

Data type is string. + +

The only supported operation is Get. + +## Example + + +Enroll a client certificate through SCEP. + +``` syntax + + + + + 301 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/ + + + node + + + + + 302 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryCount + + + int + + 1 + + + + 303 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/RetryDelay + + + int + + 1 + + + + 304 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyUsage + + + int + + 160 + + + + 305 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyLength + + + int + + 1024 + + + + 306 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/HashAlgorithm + + + chr + + SHA-1 + + + + 307 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectName + + + chr + + CN=ContosoCSP + + + + 308 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/SubjectAlternativeNames + + + chr + + + + + + 309 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriod + + + chr + + Years + + + + 310 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ValidPeriodUnits + + + int + + 1 + + + + 311 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/EKUMapping + + + chr + + 1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2 + + + + 312 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/KeyProtection + + + int + + 3 + + + + 313$ + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/ServerURL + + + chr + + http://constoso.com/certsrv/mscep/mscep.dll + + + + 314 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Challenge + + + chr + + 1234CB055B7EBF384A9486A22B7559A5 + + + + 315 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/CAThumbprint + + + chr + + 12345087E648875D1DF5D9F9FF89DD10 + + + + 316 + + + ./Device/Vendor/MSFT/ClientCertificateInstall/SCEP//Install/Enroll + + + + + 
+ + +``` + +Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store. + +``` syntax + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C + + + + + $CmdID$ + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation + + + int + + 2 + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob + + + chr + + Base64_Encode_Cert_Blob + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword + + + chr + + Base64Encoded_Encrypted_Password_Blog + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType + + + int + + 2 + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore + + + chr + + My + + + + + $CmdID$ + + + ./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable + + + bool + + true + + + + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/clientcertificateinstall-ddf-file.md b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md new file mode 100644 index 0000000000..d94173af03 --- /dev/null +++ b/windows/client-management/mdm/clientcertificateinstall-ddf-file.md 
@@ -0,0 +1,1067 @@ +--- +title: ClientCertificateInstall DDF file +description: ClientCertificateInstall DDF file +ms.assetid: 7F65D045-A750-4CDE-A1CE-7D152AA060CA +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ClientCertificateInstall DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **ClientCertificateInstall** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + ClientCertificateInstall + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/ClientCertificateInstall + + + + PFXCertInstall + + + + + Required for PFX certificate installation. The parent node grouping the PFX cert related settings. Supported operation is Get. + + + + + + + + + + + + + + + + + + + + + + + Required for PFX certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Supported operations are Get, Add, Delete +Calling Delete on the this node, should delete the certificates and the keys that were installed by the corresponding PFX blob. + + + + + + + + + + + UniqueID + + + + + + KeyLocation + + + + + + + Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to. 
Supported operations are Get, Add + Datatype will be int +1- Install to TPM, fail if not present +2 – Install to TPM if present, if not present fallback to Software +3 – Install to software +4 – Install to NGC container whose name is specified + + + + + + + + + + + + text/plain + + + + + ContainerName + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. +Format is chr +Supported operations are Get, Add, Delete and Replace + + + + + + + + + + + + text/plain + + + + + PFXCertBlob + + + + + + + Required. +CRYPT_DATA_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. Add on this node will trigger the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, fKeyExportable) are present before this is called. This will also set the Status node to the current Status of the operation. +Format is Binary64 +Supported operations are Get, Add, Replace +If Add is called on this node and a blob already exists, it will fail. If Replace is called on this node, the certificates will be overwritten. +If Add is called on this node for a new PFX, the certificate will be added. If Replace is called on this node when it does not exist, this will fail. +In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate +CRYPT_DATA_BLOB on MSDN can be found at http://msdn.microsoft.com/en-us/library/windows/desktop/aa381414(v=vs.85).aspx + + + + + + + + + + + + text/plain + + + + + PFXCertPassword + + + + + + + +Required if PFX is password protected. +Password that protects the PFX blob. +Format is chr. Supported operations are Add, Get + + + + + + + + + + + + text/plain + + + + + PFXCertPasswordEncryptionType + + + + + + + 0 + Optional. 
Used to specify if the PFX certificate password is encrypted with a certificate. +If the value is +0 - Password is not encrypted +1- Password is encrypted using the MDM certificate by the MDM server +2 - Password is encrypted by a Custom Certificate by the MDM server. When this value is used here, also specify the custom store name in the PFXCertPasswordEncryptionStore node. +The datatype for this node is int. +Supported operations are Add, Replace + + + + + + + + + + + + text/plain + + + + + PFXKeyExportable + + + + + + + true + Optional. Used to specify if the private key installed is exportable (can be exported later). The datatype for this node is bool. +Supported operations are Add, Get + + + + + + + + + + + + text/plain + + + + + Thumbprint + + + + + Returns the thumbprint of the PFX certificate installed. Format is string.Supported operations are Get. + + + + + + + + + + + + text/plain + + + + + Status + + + + + Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore. Datatype is int. +Support operations are Get + + + + + + + + + + + + text/plain + + + + + PFXCertPasswordEncryptionStore + + + + + + + Optional. +When a value of "2" is contained iin PFXCertPasswordEncryptionType, specify the store name where the certificate for decrypting the PFXCertPassword is stored. +Datatype is string, +Support operation are Add, Get and Replace. + + + + + + + + + + + + text/plain + + + + + + + SCEP + + + + + + + + + + + + + + + + + + + + + + + + + + + Required for SCEP certificate installation. A unique ID to differentiate different certificate install requests. +Format is node. +Supported operations are Get, Add, Delete +Calling Delete on the this node, should delete the corresponding SCEP certificate + + + + + + + + + + UniqueID + + + + + + Install + + + + + + + + Required for SCEP certificate enrollment. Parent node to group SCEP cert install related request. Format is node. Supported operation is Add, Delete. 
+ +NOTE: though the children nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values which are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted will impact the current undergoing enrollment. The server should check the Status node value and make sure the device is not at unknown stage before changing children node values. + + + + + + + + + + + + + + + ServerURL + + + + + + + + Required for SCEP certificate enrollment. Specify the cert enrollment server. The server could specify multiple server URLs separated by semicolon. +Format is string. +Supported operations are Get, Add, Delete, Replace. + + + + + + + + + + + text/plain + + + + + Challenge + + + + + + + + Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Format is chr. Supported operations are Get, Add, Replace, Delete. Challenge will be deleted shortly after the Exec command is accepted. + + + + + + + + + + + text/plain + + + + + EKUMapping + + + + + + + + Required. Specify extended key usages. Subjected to SCEP server configuration. The list of OIDs are separated by plus “+”. Sample format: OID1+OID2+OID3. + +Format is chr. + +Supported operations are Get, Add, Delete, Replace. + + + + + + + + + + + text/plain + + + + + KeyUsage + + + + + + + + Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail. + +Format is int. + +Supported operations are Get, Add, Delete, Replace. + + + + + + + + + + + text/plain + + + + + SubjectName + + + + + + + + Required. Specify the subject name. Format is chr. Supported operations are Get, Add, Delete, Replace. + + + + + + + + + + + text/plain + + + + + KeyProtection + + + + + + + + 3 + Optional. 
Specify where to keep the private key. Note that even it is protected by TPM, it is not guarded with TPM PIN. +SCEP enrolled cert doesn’t support TPM PIN protection. +Supported values: +1 – private key protected by TPM, + +2 – private key protected by phone TPM if the device supports TPM. +All Windows Phone 8.1 devices support TPM and will treat value 2 as 1 + +3 (default) – private key saved in software KSP + +4 – private key protected by NGC. If this option is specified, container name should be specifed, if not enrollment will fail + + +Format is int. + +Supported operations are Get, Add, Delete, Replace + + + + + + + + + + + + text/plain + + + + + RetryDelay + + + + + + + + 5 + Optional. When the SCEP server sends pending status, specify device retry waiting time in minutes. + +Default value is: 5 +The min value is 1. + +Format is int. + +Supported operations are Get, Add, Delete noreplace + + + + + + + + + + + text/plain + + + + + RetryCount + + + + + + + + 3 + Optional. Special to SCEP. Specify device retry times when the SCEP sever sends pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30. If it is larger than 30, the device will use 30. +The min value is 0 which means no retry. Supported operations are Get, Add, Delete, Replace. + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + + + + Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server, therefore the MDM server typically doesn’t need to provide it. Format is chr. Supported operations are Get, Add, Delete.noreplace + + + + + + + + + + + text/plain + + + + + KeyLength + + + + + + + + Required for enrollment. Specify private key length (RSA). Format is int. + +Valid value: 1024, 2048, 4096. For NGC, only 2048 is the supported keylength. + +Supported operations are Get, Add, Delete, Replace. + + + + + + + + + + + text/plain + + + + + HashAlgorithm + + + + + + + + Required for enrollment. 
Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated via +. + +For NGC, only SHA256 is supported as the supported algorithm + +Format is chr. +Supported operations are Get, Add, Delete, Replace. + + + + + + + + + + + text/plain + + + + + CAThumbprint + + + + + + + + Required. Specify root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates SCEP server, it checks CA cert from SCEP server whether match with this cert. If not match, fail the authentication. +Format is chr. +Supported operations are Get, Add, Delete, Replace. + + + + + + + + + + + text/plain + + + + + SubjectAlternativeNames + + + + + + + + Optional. Specify subject alternative name. Multiple alternative names could be specified by this node. Each name is the combination of name format+actual name. Refer name type definition in MSDN. Each pair is separated by semicolon. E.g. multiple SAN are presented in the format of [nameformat1]+[actual name1];[name format 2]+[actual name2]. + +Format is chr. + +Supported operations are Get, Add, Delete, Replace. + + + + + + + + + + + text/plain + + + + + ValidPeriod + + + + + + + + Days + Optional. Specify the units for valid period. Valid values are: Days(Default), Months, Years. +Format is chr. +Supported operations are Get, Add, Delete, Replace. + +NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + text/plain + + + + + ValidPeriodUnits + + + + + + + + 0 + Optional. Specify desired number of units used in validity period. Subjected to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. 
Note the valid period specified by MDM will overwrite the valid period specified in cert template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. + +Format is int. + +Supported operations are Get, Add, Delete, Replace. + +NOTE: The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPerio) the SCEP server as part of certificate enrollment request. It is the server’s decision on how to use this valid period to create the certificate. + + + + + + + + + + + text/plain + + + + + ContainerName + + + + + + + + Optional. +Specifies the NGC container name (if NGC KSP is chosen for above node). If this node is not specified when NGC KSP is chosen, enrollment will fail. + +Format is chr + +Supported operations are Get, Add, Delete and Replace + + + + + + + + + + + text/plain + + + + + CustomTextToShowInPrompt + + + + + + + + Optional. Specifies the custom text to show on the NGC PIN prompt during certificate enrollment. The admin can choose to provide more contextual information for why the user needs to enter the PIN and what the certificate will be used for through this. + +Format is chr + +Supported operations are Get, Add, Delete and Replace + + + + + + + + + + + text/plain + + + + + Enroll + + + + + Required. Trigger the device to start the cert enrollment. The device will not notify MDM server after cert enrollment is done. The MDM server could later query the device to find out whether new cert is added. + +Format is null, e.g. this node doesn’t contain a value. + +Supported operation is Exec. + + + + + + + + + + + text/plain + + + + + AADKeyIdentifierList + + + + + + + + Optional. Specify the AAD Key Identifier List as a semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail. + + + + + + + + + + + text/plain + + + + + + CertThumbprint + + + + + Optional. 
Specify the current cert’s thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Format is chr. Supported operation is Get. + + + + + + + + + + + text/plain + + + + + Status + + + + + Required. Specify the latest status for the certificate due to enroll request. + +Format is chr. + +Supported operation is Get. + +Valid values are: +1 – finished successfully +2 – pending (the device hasn’t finished the action but has received the SCEP server pending response) +32 – unknown +16 - action failed + + + + + + + + + + + text/plain + + + + + ErrorCode + + + + + Optional. The integer value that indicates the HRESULT of the last enrollment error code. +Supported operation is Get. + + + + + + + + + + + text/plain + + + + + RespondentServerUrl + + + + + Required. Returns the URL of the SCEP server that responded to the enrollment request. + +Format is String + +Supported operation is Get + + + + + + + + + + + text/plain + + + + + + + +``` + +## Related topics + + +[ClientCertificateInstall configuration service provider](clientcertificateinstall-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md new file mode 100644 index 0000000000..94a6e27f51 --- /dev/null +++ b/windows/client-management/mdm/cm-cellularentries-csp.md 
@@ -0,0 +1,314 @@ +--- +title: CM\_CellularEntries CSP +description: CM\_CellularEntries CSP +ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CM\_CellularEntries CSP + +The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point. + +> [!Note] +> Starting in the next major update to Windows 10, the CM\_CellularEntries CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. + +This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. + +The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. + +![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png) + +**_entryname_** +

Defines the name of the connection.

+ +

The [CMPolicy configuration service provider](cmpolicy-csp.md) uses the value of *entryname* to identify the connection that is associated with a policy and [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) uses the value of *entryname* to identify the connection that is associated with a proxy.

+ +**AlwaysOn** +

Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. + +

A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. + +

A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. + +

There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. + +**AuthType** +

Optional. Type: String. Specifies the method of authentication used for a connection. + +

A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". + +**ConnectionType** +

Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: + +
++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +

gprs

Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).

cdma

Used for CDMA type connections (1XRTT + EVDO).

lte

Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.

legacy

Used for GPRS + GSM + EDGE + UMTS connections.

lte_iwlan

Used for GPRS type connections that may be offloaded over WiFi

iwlan

Used for connections that are implemented over WiFi offload only

+ +  + +**Desc.langid** +

Optional. Specifies the UI display string used by the defined language ID. + +

A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry. + +**Enabled** +

Specifies if the connection is enabled. + +

A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled. + +**IpHeaderCompression** +

Optional. Specifies if IP header compression is enabled. + +

A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled. + +**Password** +

Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN. + +**SwCompression** +

Optional. Specifies if software compression is enabled. + +

A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled. + +**UserName** +

Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN. + +**UseRequiresMappingsPolicy** +

Optional. Specifies if the connection requires a corresponding mappings policy. + +

A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present. + +

For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic. + +**Version** +

Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider. + +

This value must be "1" if included. + +**GPRSInfoAccessPointName** +

Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT". + +**Roaming** +

Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available: + +- 0 - Home network only. +- 1 (default)- All roaming conditions (home and roaming). +- 2 - Home and domestic roaming only. +- 3 - Domestic roaming only. +- 4 - Non-domestic roaming only. +- 5 - Roaming only. + +**OEMConnectionID** +

Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices. + +**ApnId** +

Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices. + +**IPType** +

Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4". + +> [!Warning]   +> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6. + +  + +**ExemptFromDisablePolicy** +

Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt). + +

To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed. + +> [!Important]   +> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections. + +

To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should: + +- Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1) +- Set AllowMMSIfDataIsOff to 1 (default is 0) + +  + +**ExemptFromRoaming** +

Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt). + +**TetheringNAI** +

Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0". + +**IdleDisconnectTimeout** +

Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds. + +> [!Important]   +

You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used. + +  + +> [!Note]   +> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds. + +  + +**SimIccId** +

For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection. + +**PurposeGroups** +

Optional. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available: + +- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F +- MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8 +- IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13 +- SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD +- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB (added in the next version of Windows 10) +- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 (added in the next version of Windows 10) + +## Additional information + + +To delete a connection, you must first delete any associated proxies and then delete the connection. The following example shows how to delete the proxy and then the connection. + +``` syntax + + + + + + + + +``` + +## OMA client provisioning examples + + +Configuring a GPRS connection: + +``` syntax + + + + + + + + + + + + +``` + +Configuring an LTE connection: + +``` syntax + + + + + + + + + + + + + + +``` + +Configuring a CDMA connection: + +``` syntax + + + + + + + + + + + + + + +``` + +## Microsoft Custom Elements + + +The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. + + ++++ + + + + + + + + + + + + + + + + + + + + +
ElementAvailable

nocharacteristic

Yes

characteristic-query

Yes

parm-query

Yes

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md new file mode 100644 index 0000000000..693b4feb34 --- /dev/null +++ b/windows/client-management/mdm/cm-proxyentries-csp.md 
@@ -0,0 +1,150 @@ +--- +title: CM\_ProxyEntries CSP +description: CM\_ProxyEntries CSP +ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CM\_ProxyEntries CSP + + +The CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device. + +> **Note**  CM\_ProxyEntries CSP is only supported in Windows 10 Mobile. + +  + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. + +  + +The following diagram shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607. + +![cm\-proxyentries csp (cp)](images/provisioning-csp-cm-proxyentries-cp.png) + +**entryname** +Defines the name of the connection proxy. + +Each cellular entry can have only one proxy entry. For example, an Internet connection can have no more than one HTTP proxy specified but it might also have a WAP proxy. If two applications need access to the same APN but one application needs a proxy and the other application cannot have a proxy, two entries can be created with different names for the same APN. + +**ConnectionName** +Specifies the name of the connection the proxy is associated with. This is the APN name of a connection configured using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md). + +**BypassLocal** +Specifies if the proxy should be bypassed when local hosts are accessed by the device. + +A value of "0" specifies that the proxy bypass for local hosts is disabled. A value of "1" specifies that the proxy bypass for local hosts is enabled. + +**Enable** +Specifies if the proxy is enabled. 
+ +A value of "0" specifies that the proxy is disabled. A value of "1" specifies that the proxy is enabled. + +**Exception** +Specifies a list of external hosts which should bypass the proxy when accessed. + +The exception list is a semi-colon delimited list of host names. For example, to bypass the proxy when either MSN or Yahoo is accessed, the value for the Exception list would be "www.msn.com;www.yahoo.com". + +**Password** +Specifies the password used to connect to the proxy. + +Passwords are only required for WAP and SOCKS proxies and are not used for HTTP proxies. Queries of this parameter return a string composed of asterisks (\*). + +When setting the password, passing in the same string causes the new password to be ignored and does not change the existing password. + +**Port** +Specifies the port number of the proxy server. + +**Server** +Specifies the name of the proxy server. + +**Type** +Specifies the type of proxy connection for this entry. + +The following list enumerates the values allowed for the Type parameter. + +- "0" = Null proxy + +- "1" = HTTP proxy + +- "2" = WAP proxy + +- "4" = SOCKS4 proxy + +- "5" = SOCKS5 proxy + +The Null proxy can be used to allow Connection Manager to treat one network as a super set of another network by creating a null proxy from one network to the other. + +**UserName** +Specifies the username used to connect to the proxy. + +## Additional information + + +To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection. + +``` syntax + + + + + + + + +``` + +## Microsoft Custom Elements + + +The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. + + ++++ + + + + + + + + + + + + + + + + + + + + +
ElementAvailable

parm-query

Yes

nocharacteristic

Yes

characteristic-query

Yes

+

Recursive query: Yes

+

Top level query: Yes

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md new file mode 100644 index 0000000000..e83953965b --- /dev/null +++ b/windows/client-management/mdm/cmpolicy-csp.md 
@@ -0,0 +1,513 @@ +--- +title: CMPolicy CSP +description: CMPolicy CSP +ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CMPolicy CSP + + +The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request. + +> **Note**   +This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. + +  + +Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies + +**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. + +**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. + +The following diagram shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. + +![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicy.png) + +***policyName*** +Defines the name of the policy. + +**SID** +The value of SID depends on the ClientType. + +For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application. 
+ +For non-UWP application-based mapping policies, SID is the application product ID in GUID format. The curly brackets {} around the GUID are required. + +For host-based mapping policies, SID must be set to `*`. + +**ClientType** +Specifies the mapping policy type. + +The following list describes the available mapping policy types: + +- Application-based mapping policies are applied to applications. To specify this mapping type, use the value `app`. + +- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`. + +**Host** +Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use. + +The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com". + +**OrderedConnections** +Specifies whether the list of connections is in preference order. + +A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. + +**Conn****_XXX_** +Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". + +**ConnectionID** +Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. + +For `CMST_CONNECTION_NAME`, specify the connection name. 
For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”. + +For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Connection typeGUID

GSM

{A05DC613-E393-40ad-AA89-CCCE04277CD9}

CDMA

{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}

Legacy 3GPP

{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}

LTE

{2378E547-8312-46A5-905E-5C581E92693B}

Wi-Fi

{8568B401-858E-4B7B-B3DF-0FD4927F131B}

Wi-Fi hotspot

{072FC7DC-1D93-40D1-9BB0-2114D7D73434}

+ +  + +For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network typeGUID

GPRS

{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}

1XRTT

{B1E700AE-A62F-49FF-9BBE-B880C995F27D}

EDGE

{C347F8EC-7095-423D-B838-7C7A7F38CD03}

WCDMA UMTS

{A72F04C6-9BE6-4151-B5EF-15A53E12C482}

WCDMA FOMA

{B8326098-F845-42F3-804E-8CC3FF7B50B4}

1XEVDO

{DD42DF39-EBDF-407C-8146-1685416401B2}

1XEVDV

{61BF1BFD-5218-4CD4-949C-241CA3F326F6}

HSPA HSDPA

{047F7282-BABD-4893-AA77-B8B312657F8C}

HSPA HSUPA

{1536A1C6-A4AF-423C-8884-6BDDA3656F84}

LTE

{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}

EHRPD

{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}

Ethernet 10Mbps

{97D3D1B3-854A-4C32-BD1C-C13069078370}

Ethernet 100Mbps

{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}

Ethernet Gbps

{556C1E6B-B8D4-448E-836D-9451BA4CCE75}

+ +  + +For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Device typeGUID

Cellular device

{F9A53167-4016-4198-9B41-86D9522DC019}

Ethernet

{97844272-00C7-4572-B20A-D8D861C095F2}

Bluetooth

{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}

Virtual

{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}

+ +  + +**Type** +Specifies the type of connection being referenced. The following list describes the available connection types: + +- `CMST_CONNECTION_NAME` – A connection specified by name. + +- `CMST_CONNECTION_TYPE` – Any connection of a specified type. + +- `CMST_CONNECTION_NETWORK_TYPE` – Any connection of a specified network type. + +- `CMST_CONNECTION_DEVICE_TYPE` – Any connection of the specified device type. + +## OMA client provisioning examples + + +Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. 
+ +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## OMA DM examples + + +Adding an application-based mapping policy: + +``` syntax + + + + 8000 + + 8051 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy4/SID + + {A05D1234-F393-9385-AA89-CD3E049367D2} + + + + 8052 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy4/ClientType + + app + + + + 8053 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy4/Host + + *.+ + + + + 8054 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy4/OrderedConnections + + 1 + + + + 8055 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy4/Connections/Conn000/ConnectionId + + {A05DC613-E393-40AD-AA89-CCCE04277CD9} + + + + 8056 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy4/Connections/Conn000/Type + + CMST_CONNECTION_DEVICE_TYPE + + + + + + +``` + +Adding a host-based mapping policy: + +``` syntax + + + + 8000 + + 8049 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy6/SID + + * + + + + 8050 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy6/ClientType + + * + + + + 8051 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy6/Host + + *.contoso.com + + + + 8052 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy6/OrderedConnections + + 1 + + + + 8053 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy6/Connections/Conn000/ConnectionId + + {AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96} + + + + 8054 + + + ./Vendor/MSFT/CMPolicy/BTHPolicy6/Connections/Conn000/Type + + CMST_CONNECTION_NETWORK_TYPE + + + + + + +``` + +## Microsoft Custom Elements + + + ++++ + + + + + + + + + + + + + + + + + + + + +
ElementAvailable

parm-query

Yes

nocharacteristic

Yes

characteristic-query

Yes

+

Recursive query: Yes

+

Top level query: Yes

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md new file mode 100644 index 0000000000..a3c9b663bf --- /dev/null +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md 
@@ -0,0 +1,513 @@ +--- +title: CMPolicyEnterprise CSP +description: CMPolicyEnterprise CSP +ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CMPolicyEnterprise CSP + + +The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request. + +> **Note**   +This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. + +  + +Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies + +**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. + +**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. + +The following diagram shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. + +![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicyenterprise.png) + +***policyName*** +Defines the name of the policy. + +**SID** +The value of SID depends on the ClientType. 
+ +For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application. + +For non-UWP application-based mapping policies, SID is the application product ID in GUID format. The curly brackets {} around the GUID are required. + +For host-based mapping policies, SID must be set to `*`. + +**ClientType** +Specifies the mapping policy type. + +The following list describes the available mapping policy types: + +- Application-based mapping policies are applied to applications. To specify this mapping type, use the value `app`. + +- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`. + +**Host** +Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use. + +The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com". + +**OrderedConnections** +Specifies whether the list of connections is in preference order. + +A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. + +**Conn****_XXX_** +Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". + +**ConnectionID** +Specifies a unique identifier for a connection within a group of connections. 
The exact value is based on the Type parameter. + +For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”. + +For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Connection typeGUID

GSM

{A05DC613-E393-40ad-AA89-CCCE04277CD9}

CDMA

{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}

Legacy 3GPP

{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}

LTE

{2378E547-8312-46A5-905E-5C581E92693B}

Wi-Fi

{8568B401-858E-4B7B-B3DF-0FD4927F131B}

Wi-Fi hotspot

{072FC7DC-1D93-40D1-9BB0-2114D7D73434}

+ +  + +For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network typeGUID

GPRS

{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}

1XRTT

{B1E700AE-A62F-49FF-9BBE-B880C995F27D}

EDGE

{C347F8EC-7095-423D-B838-7C7A7F38CD03}

WCDMA UMTS

{A72F04C6-9BE6-4151-B5EF-15A53E12C482}

WCDMA FOMA

{B8326098-F845-42F3-804E-8CC3FF7B50B4}

1XEVDO

{DD42DF39-EBDF-407C-8146-1685416401B2}

1XEVDV

{61BF1BFD-5218-4CD4-949C-241CA3F326F6}

HSPA HSDPA

{047F7282-BABD-4893-AA77-B8B312657F8C}

HSPA HSUPA

{1536A1C6-A4AF-423C-8884-6BDDA3656F84}

LTE

{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}

EHRPD

{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}

Ethernet 10Mbps

{97D3D1B3-854A-4C32-BD1C-C13069078370}

Ethernet 100Mbps

{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}

Ethernet Gbps

{556C1E6B-B8D4-448E-836D-9451BA4CCE75}

+ +  + +For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Device typeGUID

Cellular device

{F9A53167-4016-4198-9B41-86D9522DC019}

Ethernet

{97844272-00C7-4572-B20A-D8D861C095F2}

Bluetooth

{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}

Virtual

{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}

+ +  + +**Type** +Specifies the type of connection being referenced. The following list describes the available connection types: + +- `CMST_CONNECTION_NAME` – A connection specified by name. + +- `CMST_CONNECTION_TYPE` – Any connection of a specified type. + +- `CMST_CONNECTION_NETWORK_TYPE` – Any connection of a specified device type. + +- `CMST_CONNECTION_DEVICE_TYPE` – Any connection of the specified network type. + +## OMA client provisioning examples + + +Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. 
+ +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## OMA DM examples + + +Adding an application-based mapping policy: + +``` syntax + + + + 8000 + + 8051 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/SID + + {A05D1234-F393-9385-AA89-CD3E049367D2} + + + + 8052 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/ClientType + + app + + + + 8053 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Host + + *.+ + + + + 8054 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/OrderedConnections + + 1 + + + + 8055 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Connections/Conn000/ConnectionId + + {A05DC613-E393-40AD-AA89-CCCE04277CD9} + + + + 8056 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Connections/Conn000/Type + + CMST_CONNECTION_DEVICE_TYPE + + + + + + +``` + +Adding a host-based mapping policy: + +``` syntax + + + + 8000 + + 8049 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/SID + + * + + + + 8050 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/ClientType + + * + + + + 8051 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Host + + *.contoso.com + + + + 8052 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/OrderedConnections + + 1 + + + + 8053 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Connections/Conn000/ConnectionId + + {AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96} + + + + 8054 + + + ./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Connections/Conn000/Type + + CMST_CONNECTION_NETWORK_TYPE + + + + + + +``` + +## Microsoft Custom Elements + + + ++++ + + + + + + + + + + + + + + + + + + + + +
ElementAvailable

parm-query

Yes

nocharacteristic

Yes

characteristic-query

Yes

+

Recursive query: Yes

+

Top level query: Yes

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md new file mode 100644 index 0000000000..6305ea17c3 --- /dev/null +++ b/windows/client-management/mdm/cmpolicyenterprise-ddf-file.md 
@@ -0,0 +1,315 @@ +--- +title: CMPolicyEnterprise DDF file +description: CMPolicyEnterprise DDF file +ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CMPolicyEnterprise DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **CMPolicyEnterprise** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + CMPolicyEnterprise + + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/CMPolicyEnterprise + + + + + + + + + + + The name of the policy + + + + + + + + + + + + + PolicyName + + + + + + SID + + + + + + + + The value of SID depends on the ClienType + + + + + + + + + + + + + SID + + text/plain + + + + + ClientType + + + + + + + + Specifies the mapping policy type + + + + + + + + + + + + + ClientType + + text/plain + + + + + Host + + + + + + + + Specifies the name of a host pattern + + + + + + + + + + + + + Host + + text/plain + + + + + OrderedConnections + + + + + + + + Specifies whether the list of connections is in preference order + + + + + + + + + + + + + OrderedConnection + + text/plain + + + + + Connections + + + + + + + + + + + + + + + + + Connections + + + + + + + + + + + + + Connection associated with the policy + + + + + + + + + + + + + ConnXXX + + + + + + ConnectionID + + + + + + + + A unique identifier for a connection within a group of connections + + + + + + + + + + + + + ConnectionID + + 
text/plain + + + + + Type + + + + + + + + The type of connection being referenced + + + + + + + + + + + + + Type + + text/plain + + + + + + + + +``` + +## Related topics + + +[CMPolicyEnterprise configuration service provider](cmpolicyenterprise-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md new file mode 100644 index 0000000000..f92fff6839 --- /dev/null +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -0,0 +1,2486 @@ +--- +title: Configuration service provider reference +description: A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. +ms.assetid: 71823658-951f-4163-9c40-c4d4adceaaec +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Configuration service provider reference + +A configuration service provider (CSP) is an interface to read, set, modify, or delete configuration settings on the device. These settings map to registry keys or files. Some configuration service providers support the WAP format, some support SyncML, and some support both. SyncML is only used over–the–air for Open Mobile Alliance Device Management (OMA DM), whereas WAP can be used over–the–air for OMA Client Provisioning, or it can be included in the phone image as a .provxml file that is installed during boot. + +For information about the bridge WMI provider classes that map to these CSPs, see [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224). + +Additional lists: +- [List of CSPs supported in Windows Holographic](#hololens) +- [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport) +- [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport) +- [List of CSPs supported in Windows 10 S](#windows10s) + +The following tables show the configuration service providers support in Windows 10. + + +


+ +## CSP support + + +[APPLICATION CSP](application-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[ActiveSync CSP](activesync-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[AllJoynManagement CSP](alljoynmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross mark
+ + + + + +[AppLocker CSP](applocker-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[AssignedAccess CSP](assignedaccess-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck markcheck markcross markcross mark
+ + + + + +[BOOTSTRAP CSP](bootstrap-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[BitLocker CSP](bitlocker-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark2check mark2check mark2check mark2check mark2
+ + + + + +[BrowserFavorite CSP](browserfavorite-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross mark
+ + + + + +[CMPolicy CSP](cmpolicy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck mark1check mark1
+ + + + + +[CM_CellularEntries CSP](cm-cellularentries-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check markcheck mark
+ + + + + +[CM_ProxyEntries CSP](cm-proxyentries-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[CellularSettings CSP](cellularsettings-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check markcheck mark
+ + + + + +[CertificateStore CSP](certificatestore-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[CleanPC CSP](cleanpc-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck mark2check mark2check mark2cross markcross mark
+ + + + + +[ClientCertificateInstall CSP](clientcertificateinstall-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[CustomDeviceUI CSP](customdeviceui-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross mark
+ + + + + +[DMAcc CSP](dmacc-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DMClient CSP](dmclient-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Defender CSP](defender-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcross markcross mark
+ + + + + +[DevDetail CSP](devdetail-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DevInfo CSP](devinfo-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DeveloperSetup CSP](developersetup-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross markcross mark
+ + + + + +[DeviceInstanceService CSP](deviceinstanceservice-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[DeviceLock CSP](devicelock-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[DeviceManageability CSP](devicemanageability-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DeviceStatus CSP](devicestatus-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DiagnosticLog CSP](diagnosticlog-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[DynamicManagement CSP](dynamicmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark2check mark2check mark2check mark2
+ + + + + +[EMAIL2 CSP](email2-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[EnterpriseAPN CSP](enterpriseapn-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark2check mark2check mark2check mark2check markcheck mark
+ + + + + +[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark2check mark2cross markcross mark
+ + + + + +[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcross markcross mark
+ + + + + +[EnterpriseExt CSP](enterpriseext-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[FileSystem CSP](filesystem-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck mark (Provisioning only)check mark (Provisioning only)
+ + + + + +[HealthAttestation CSP](healthattestation-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[HotSpot CSP](hotspot-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[Maps CSP](maps-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[Messaging CSP](messaging-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcheck mark2check mark2
+ + + + + +[NAP CSP](nap-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[NAPDEF CSP](napdef-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[NetworkProxy CSP](networkproxy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2check mark2check mark2
+ + + + + +[NetworkQoSPolicy CSP](networkqospolicy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcross markcross markcross mark
+ + + + + +[NodeCache CSP](nodecache-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Office CSP](office-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + + + +[PROXY CSP](proxy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[PXLOGICAL CSP](pxlogical-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[PassportForWork CSP](passportforwork-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Personalization CSP](personalization-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcheck mark2check mark2cross markcross mark
+ + + + + +[Policy CSP](policy-configuration-service-provider.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[PolicyManager CSP](policymanager-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[Provisioning CSP](provisioning-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark (Provisioning only)check mark (Provisioning only)check mark (Provisioning only)check mark (Provisioning only)check mark (Provisioning only)check mark (Provisioning only)
+ + + + + +[Reboot CSP](reboot-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Registry CSP](registry-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[RemoteFind CSP](remotefind-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[RemoteLock](remotelock-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[RemoteRing CSP](remotering-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[RemoteWipe CSP](remotewipe-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Reporting CSP](reporting-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[RootCATrustedCertificates CSP](rootcacertificates-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[SUPL CSP](supl-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[SecureAssessment CSP](secureassessment-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + + + +[SecurityPolicy CSP](securitypolicy-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[SharedPC CSP](sharedpc-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + + + +[Storage CSP](storage-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[SurfaceHub](surfacehub-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
+ + + + + +[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcheck markcheck markcross markcross mark
+ + + + + +[Update CSP](update-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[VPN CSP](vpn-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[VPNv2 CSP](vpnv2-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[W4 APPLICATION CSP](w4-application-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark
+ + + + + +[WiFi CSP](wifi-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[Win32AppInventory CSP](win32appinventory-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + + + +[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark1check mark1check mark1cross markcross mark
+ + + + + +[WindowsLicensing CSP](windowslicensing-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check markcheck markcheck markcheck markcheck markcheck mark
+ + + + + +[WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcross markcross markcross markcheck markcheck mark
+ + + + + +[w7 APPLICATION CSP](w7-application-csp.md) + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
check mark
+ + + + +
+ + + + Footnotes: +- 1 - Added in Windows 10, version 1607 +- 2 - Added in Windows 10, version 1703 + +> [!Note] +> You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). + + +## CSPs supported in Windows Holographic + + +The following list shows the configuration service providers supported in Windows Holographic editions. + +| Configuration service provider | Windows Holographic edition | Windows Holographic for Business edition | +|-------------------------------------------------------------------------------------------------------|-------------------------------------|-------------------------------------------| +| [Application CSP](application-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [AppLocker CSP](applocker-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [CertificateStore CSP](certificatestore-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [DevDetail CSP](devdetail-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DeveloperSetup CSP](developersetup-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)2 (Provisioning only)| +| [DeviceStatus CSP](devicestatus-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [DevInfo CSP](devinfo-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DiagnosticLog CSP](diagnosticlog-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [DMAcc CSP](dmacc-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [DMClient 
CSP](dmclient-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [NodeCache CSP](nodecache-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | +| [Policy CSP](policy-configuration-service-provider.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [Update CSP](update-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [VPN2 CSP](vpnv2-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | +| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | + +Footnotes: +- 2 - Added in Windows 10, version 1703 + +## New CSPs added in Windows 10, version 1703 + +- [BitLocker CSP](bitlocker-csp.md) +- [CleanPC CSP](cleanpc-csp.md) +- [DeveloperSetup CSP](developersetup-csp.md) +- [DynamicManagement CSP](dynamicmanagement-csp.md) +- [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md) +- [Messaging CSP](messaging-csp.md) +- [NetworkProxy CSP](networkproxy-csp.md) +- [NetworkQoSPolicy CSP](networkqospolicy-csp.md) +- [Office CSP](office-csp.md) +- [Personalization CSP](personalization-csp.md) + +## New CSPs added in Windows 10, version 1511 + +- [AllJoynManagement CSP](alljoynmanagement-csp.md) +- [Maps CSP](maps-csp.md) +- [Reporting CSP](reporting-csp.md) +- [SurfaceHub CSP](surfacehub-csp.md) +- [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md) + +## CSPs supported in Microsoft Surface Hub + +- [APPLICATION 
CSP](application-csp.md) +- [CertificateStore CSP](certificatestore-csp.md) +- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) +- [Defender CSP](defender-csp.md) +- [DevDetail CSP](devdetail-csp.md) +- [DeviceManageability CSP](devicemanageability-csp.md) +- [DeviceStatus CSP](devicestatus-csp.md) +- [DevInfo CSP](devinfo-csp.md) +- [DiagnosticLog CSP](diagnosticlog-csp.md) +- [DMAcc CSP](dmacc-csp.md) +- [DMClient CSP](dmclient-csp.md) +- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +- [HealthAttestation CSP](healthattestation-csp.md) +- [NetworkQoSPolicy CSP](networkqospolicy-csp.md) +- [NodeCache CSP](nodecache-csp.md) +- [PassportForWork CSP](passportforwork-csp.md) +- [Policy CSP](policy-configuration-service-provider.md) +- [Reboot CSP](reboot-csp.md) +- [RemoteWipe CSP](remotewipe-csp.md) +- [Reporting CSP](reporting-csp.md) +- [RootCATrustedCertificates CSP](rootcacertificates-csp.md) +- [SurfaceHub CSP](surfacehub-csp.md) +- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md) + + +## CSPs supported in Windows 10 IoT Core + +- [AllJoynManagement CSP](alljoynmanagement-csp.md) +- [APPLICATION CSP](application-csp.md) +- [CertificateStore CSP](certificatestore-csp.md) +- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) +- [CustomDeviceUI CSP](customdeviceui-csp.md) +- [DevDetail CSP](devdetail-csp.md) +- [DevInfo CSP](devinfo-csp.md) +- [DiagnosticLog CSP](diagnosticlog-csp.md) +- [DMAcc CSP](dmacc-csp.md) +- [DMClient CSP](dmclient-csp.md) +- [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md) +- [Policy CSP](policy-configuration-service-provider.md) +- [Provisioning CSP (Provisioning only)](provisioning-csp.md) +- [RootCATrustedCertificates CSP](rootcacertificates-csp.md) +- [Update CSP](update-csp.md) +- [VPNv2 CSP](vpnv2-csp.md) +- [WiFi CSP](wifi-csp.md) + +## CSPs supported in Windows 10 S + +The CSPs supported in Windows 10 S is the same as in Windows 10 Pro 
except that Office CSP and EnterpriseDesktop CSP are not available in Windows 10 S. Here is the list: + +- [ActiveSync CSP](activesync-csp.md) +- [APPLICATION CSP](application-csp.md) +- [AppLocker CSP](applocker-csp.md) +- [BOOTSTRAP CSP](bootstrap-csp.md) +- [CellularSettings CSP](cellularsettings-csp.md) +- [CertificateStore CSP](certificatestore-csp.md) +- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) +- [CM_CellularEntries CSP](cm-cellularentries-csp.md) +- [Defender CSP](defender-csp.md) +- [DevDetail CSP](devdetail-csp.md) +- [DeviceManageability CSP](devicemanageability-csp.md) +- [DeviceStatus CSP](devicestatus-csp.md) +- [DevInfo CSP](devinfo-csp.md) +- [DiagnosticLog CSP](diagnosticlog-csp.md) +- [DMAcc CSP](dmacc-csp.md) +- [DMClient CSP](dmclient-csp.md) +- [EMAIL2 CSP](email2-csp.md) +- [EnterpriseAPN CSP](enterpriseapn-csp.md) +- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) +- [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) +- [HealthAttestation CSP](healthattestation-csp.md) +- [NAP CSP](nap-csp.md) +- [NAPDEF CSP](napdef-csp.md) +- [NetworkProxy CSP](networkproxy-csp.md) +- [NodeCache CSP](nodecache-csp.md) +- [PassportForWork CSP](passportforwork-csp.md) +- [Policy CSP](policy-configuration-service-provider.md) +- [Provisioning CSP](provisioning-csp.md) +- [PROXY CSP](proxy-csp.md) +- [PXLOGICAL CSP](pxlogical-csp.md) +- [Reboot CSP](reboot-csp.md) +- [RemoteFind CSP](remotefind-csp.md) +- [RemoteWipe CSP](remotewipe-csp.md) +- [Reporting CSP](reporting-csp.md) +- [RootCATrustedCertificates CSP](rootcacertificates-csp.md) +- [SecureAssessment CSP](secureassessment-csp.md) +- [SecurityPolicy CSP](securitypolicy-csp.md) +- [SharedPC CSP](sharedpc-csp.md) +- [Storage CSP](storage-csp.md) +- [SUPL CSP](supl-csp.md) +- [Update CSP](update-csp.md) +- [VPNv2 CSP](vpnv2-csp.md) +- [WiFi CSP](wifi-csp.md) +- [Win32AppInventory CSP](win32appinventory-csp.md) +- [WindowsAdvancedThreatProtection 
CSP](windowsadvancedthreatprotection-csp.md)
+- [WindowsLicensing CSP](windowslicensing-csp.md)
diff --git a/windows/client-management/mdm/create-a-custom-configuration-service-provider.md b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md
new file mode 100644
index 0000000000..1d424f8364
--- /dev/null
+++ b/windows/client-management/mdm/create-a-custom-configuration-service-provider.md
@@ -0,0 +1,94 @@ +--- +title: Create a custom configuration service provider +description: Create a custom configuration service provider +ms.assetid: 0cb37f03-5bf2-4451-8276-23f4a1dee33f +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Create a custom configuration service provider + +Mobile device OEMs can create custom configuration service providers to manage their devices. A configuration service provider includes an interface for creating, editing, and deleting nodes, and the nodes themselves. Each node contains data for one registry value and can optionally support get, set, and delete operations. + +To design a custom configuration service provider, the OEM must perform the following steps: + +1. Establish node semantics +2. Shape the configuration service provider's subtree +3. Choose a transactioning scheme for each node +4. Determine node operations + +For more information, see [Designing a custom configuration service provider](design-a-custom-windows-csp.md). + +To write a custom configuration service provider, the OEM must implement the following interfaces: + +- [IConfigServiceProvider2](iconfigserviceprovider2.md) (one per configuration service provider) + +- [ICSPNode](icspnode.md) (one per node) + +- [ICSPNodeTransactioning](icspnodetransactioning.md) (optional, for internally transactioned nodes only) + +- [ICSPValidate](icspvalidate.md) (optional, for UI only) + +This code must be compiled into a single .dll file and added to a package by using the instructions found in "Adding content to a package" in [Creating packages](https://msdn.microsoft.com/en-us/library/windows/hardware/dn756642). While writing this code, OEMs can store registry settings and files in the following locations. + + ++++ + + + + + + + + + + +

File location

%DataDrive%\SharedData\OEM\CSP\

Registry location

$(HKLM.SOFTWARE)\OEM\CSP\

+ + +For examples of how to perform common tasks such as adding a node, replacing a node's value, querying a node's value, or enumerating a node's children, see [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md). + +To register the configuration service provider as a COM object, you must add the following registry setting to your package. This step is required. In the following sample, replace *uniqueCSPguid* with a new, unique CLSID generated for this purpose. Replace *dllName* with the name of the .dll file that contains the code for your configuration service provider. + +``` syntax + + + + + +``` + +To register the configuration service provider with ConfigManager2, you must add the following registry setting to your package. This step is required. In the following sample, replace *dllName* with the name of the configuration service provider (the name of the root node). Replace *uniqueCSPguid* with the same *uniqueCSPguid* value as in the preceding example. + +``` syntax + + + + + +``` + +To make the configuration service provider accessible from WAP XML, you must register it with the WAP data processing unit by setting the following registry key in your package. Replace *Name* with the name of the configuration service provider. Leave the GUID value exactly as written here. + +``` syntax + + + + + +``` + +  + + + + + + diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md new file mode 100644 index 0000000000..955159f333 --- /dev/null +++ b/windows/client-management/mdm/customdeviceui-csp.md 
@@ -0,0 +1,106 @@
+---
+title: CustomDeviceUI CSP
+description: CustomDeviceUI CSP
+ms.assetid: 20ED1867-7B9E-4455-B397-53B8B15C95A3
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# CustomDeviceUI CSP
+
+The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported.
+The following diagram shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
+
+> **Note**  This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
+
+![customdeviceui csp](images/provisioning-csp-customdeviceui.png)
+
+**./Vendor/MSFT/CustomDeviceUI**
+The root node for the CustomDeviceUI configuration service provider. The supported operation is Get.
+
+**StartupAppID**
+AppID string value is the default appid/AUMID to launch during startup. The supported operations are Get and Replace.
+
+**BackgroundTasksToLaunch**
+List of package names of background tasks that need to be launched on device startup. The supported operation is Get.
+
+**BackgroundTasksToLaunch/****_BackgroundTaskPackageName_**
+Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single entry point, or multiple entry points. The supported operations are Add, Delete, Get, and Replace.
+ +## SyncML examples + + +**Set StartupAppID** + +``` syntax + + + + 1 + + + ./Vendor/MSFT/CustomDeviceUI/StartupAppID + + + chr + + DefaultApp_cw5n1h2txyewy!App + + + + + +``` + +**Get all background tasks** + +``` syntax + + + + 1 + + + ./Vendor/MSFT/CustomDeviceUI/BackgroundTaskstoLaunch?list=Struct + + + + + + +``` + +**Add background task** + +``` syntax + + + + 1 + + + ./Vendor/MSFT/CustomDeviceUI/BackgroundTaskstoLaunch/BackgroundService1_1.3.0.1_neutral__8wekyb3d8bbwe + + + chr + + 0 + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/customdeviceui-ddf.md b/windows/client-management/mdm/customdeviceui-ddf.md new file mode 100644 index 0000000000..d44a97a49e --- /dev/null +++ b/windows/client-management/mdm/customdeviceui-ddf.md 
@@ -0,0 +1,146 @@ +--- +title: CustomDeviceUI DDF +description: CustomDeviceUI DDF +ms.assetid: E6D6B902-C57C-48A6-9654-CCBA3898455E +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# CustomDeviceUI DDF + + +This topic shows the OMA DM device description framework (DDF) for the **CustomDeviceUI** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + CustomDeviceUI + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/CustomDeviceUI + + + + StartupAppID + + + + + + AppID string value is the default appid/AUMID to launch during boot up + + + + + + + + + + + + + + text/plain + + + + + BackgroundTasksToLaunch + + + + + List of package names of background tasks that needs to be launched on boot. + + + + + + + + + + + + + Background Tasks to Launch + + + + + + + + + + + + + + Package Full Name of the App that needs be launched in the background. This can contain no entry points, a single or multiple entry points + + + + + + + + + + + + + BackgroundTaskPackageName + + text/plain + + + + + + +``` + +## Related topics + + +[CustomDeviceUI configuration service provider](customdeviceui-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md new file mode 100644 index 0000000000..18b093df38 --- /dev/null 
+++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -0,0 +1,1148 @@ +--- +title: Data structures for Windows Store for Business +MS-HAID: +- 'p\_phdevicemgmt.business\_store\_data\_structures' +- 'p\_phDeviceMgmt.data\_structures\_windows\_store\_for\_business' +ms.assetid: ABE44EC8-CBE5-4775-BA8A-4564CB73531B +description: +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Data structures for Windows Store for Business + + +Here's the list of data structures used in the Windows Store for Business REST APIs: + +- [AlternateIdentifier](#alternateidentifier) +- [BulkSeatOperationResultSet](#bulkseatoperationresultset) +- [FailedSeatRequest](#failedseatrequest) +- [FrameworkPackageDetails](#frameworkpackagedetails) +- [InventoryDistributionPolicy](#inventorydistributionpolicy) +- [InventoryEntryDetails](#inventoryentrydetails) +- [InventoryResultSet](#inventoryresultset) +- [InventoryStatus](#inventorystatus) +- [LicenseType](#licensetype) +- [LocalizedProductDetail](#localizedproductdetail) +- [OfflineLicense](#offlinelicense) +- [PackageLocation](#packagelocation) +- [ProductArchitectures](#productarchitectures) +- [ProductDetails](#productdetails) +- [ProductImage](#productimage) +- [ProductKey](#productkey) +- [ProductPackageDetails](#productpackagedetails) +- [ProductPackageFormat](#productpackageformat) +- [ProductPackageSet](#productpackageset) +- [ProductPlatform](#productplatform) +- [PublisherDetails](#publisherdetails) +- [SeatAction](#seataction) +- [SeatDetails](#seatdetails) +- [SeatDetailsResultSet](#seatdetailsresultset) +- [SeatState](#seatstate) +- [SupportedProductPlatform](#supportedproductplatform) +- [VersionInfo](#versioninfo) + +## AlternateIdentifier + + +Specifies the properties of the alternate identifier. + + +++++ + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

type

string

LegacyWindowStoreProductId, LegacyWindowsPhoneProductId, RedirectToThresholdProductId

value

string

+ +  + +## BulkSeatOperationResultSet + + + +++++ + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

seatDetails

Collection of [SeatDetails](#seatdetails)

failedSeatOperations

Collection of [FailedSeatRequest](#failedseatrequest)

+ +  + +## FailedSeatRequest + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

failureReason

string

productKey

[ProductKey](#productkey)

userName

string

+ +  + +## FrameworkPackageDetails + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

packageId

string

contentId

string

Identifies a specific application

location

[PackageLocation](#packagelocation)

packageFullName

string

packageIdentityName

string

architectures

collection of [ProductArchitectures](#productarchitectures)

packageFormat

[ProductPackageFormat](#productpackageformat)

platforms

collection of [ProductPlatform](#productplatform)

fileSize

integer -64

packageRank

integer-3232

Optional

+ +  + +## InventoryDistributionPolicy + + + +++++ + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

open

Open distribution policy - licenses/seats can be assigned/consumed without limit

restricted

Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count

+ +  + +## InventoryEntryDetails + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

productKey

[ProductKey](#productkey)

Identifier used on subsequent requests to get additional content including product descriptions, offline license, and download URLs.

seatCapacity

integer-64

Total number of seats that have been purchased for an application

availableSeats

integer-64

Number of available seats remaining for an application.

lastModified

dateTime

Specifies the last modified date for an application. Modifications for an application includes updated product details, updates to an application, and updates to the quantity of an application.

licenseType

[LicenseType](#licensetype)

Indicates whether the set of seats for a given application supports online or offline licensing.

distributionPolicy

InventoryDistributionPolicy

status

InventoryStatus

+ +  + +## InventoryResultSet + + + +++++ + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

continuationToken

string

continuationToken is only available if there is a next page

inventoryEntries

collection of

+ +  + +## InventoryStatus + + + +++++ + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

active

Entry is available in the organization’s inventory

removed

Entry has been removed from the organization’s inventory

+ +  + +## LicenseType + + + ++++ + + + + + + + + + + + + + + + + +
NameDescription

online

Online license application.

offline

Offline license application.

+ +  + +## LocalizedProductDetail + + +Specifies the properties of the localized product. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

language

string

Language or fallback language if the specified language is not available.

displayName

string

Display name of the application.

description

string

App description provided by developer can be up to 10,000 characters.

images

collection of [ProductImage](#productimage)

Artwork and icon associated with the application.

publisher

[PublisherDetails](#publisherdetails)

Publisher of the application.

+ +  + +## OfflineLicense + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

productKey

[ProductKey](#productkey)

Identifies a set of seats associated with an application.

licenseBlob

string

Base-64 encoded offline license that can be installed via a CSP.

licenseInstanceId

string

Version of the license.

requestorId

string

Organization requesting the license.

contentId

string

Identifies the specific license required by an application.

+ +  + +## ProductArchitectures + + + +++ + + + + + + + + + + + + + + + + + + + +
Name

neutral

arm

x86

x64

+ +  + +## PackageContentInfo + + + ++++ + + + + + + + + + + + + + + + + +
NameType

productPlatforms

collection of [ProductPlatform](#productplatform)

packageFormat

string

+ +  + +## PackageLocation + + + +++++ + + + + + + + + + + + + + + +
NameTypeDescription

url

URI

CDN location of the packages. URL expiration is based on the estimated time to download the package.

+ +  + +## ProductDetails + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

productKey

[ProductKey](#productkey)

Identifier used on subsequent requests to get additional content including product descriptions, offline license, and download URLs.

productType

string

Type of product.

supportedLanguages

collection of strings

The set of localized languages for an application.

publisherId

string

Publisher identifier.

category

string

Application category.

alternateIds

collection of [AlternateIdentifier](#alternateidentifier)

The identifiers that can be used to instantiate the installation of on online application.

packageFamilyName

string

supportedPlatforms

collection of [ProductPlatform](#productplatform)

+ +  + +## ProductKey + + +Specifies the proerties of the product key. + + +++++ + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

productId

string

Product identifier for an application that is used by the Store for Business.

skuId

string

Product identifier that specifies a specific SKU of an application.

+ +  + +## ProductImage + + +Specifies the proerties of the product image. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

location

URI

Location of the download images.

purpose

string

App screenshots and icons

height

string

Height of the image in pixels.

width

string

Width of the image in pixels.

caption

string

Unlimited

backgroundColor

string

Format #RRGGBB

foregroundColor

string

Format #RRGGBB

fileSize

long

Size of the file.

+ +  + +## PublisherDetails + + +Specifies the proerties of the publisher details. + + +++++ + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

publisherName

string

Name of the publisher.

publisherWebsite

string

Website of the publisher.

+ +  + +## ProductPackageDetails + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

frameworkDependencyPackages

collection of [FrameworkPackageDetails](#frameworkpackagedetails)

contentId

string

Identifies a specific application.

packageId

string

location

[PackageLocation](#packagelocation)

packageFullName

string

example, Microsoft.BingTranslator_1.1.10917.2059_x86__8wekyb3d8bbwe

packageIdentityName

string

example, Microsoft.BingTranslator

architectures

collection of [ProductArchitectures](#productarchitectures)

Values {x86, x64, arm, neutral}

packageFormat

[ProductPackageFormat](#productpackageformat)

appx, appxbundle, xap

platforms

collection of [ProductPlatform](#productplatform)

packageId

string

fileSize

integer-64

packageRank

integer-32

optional

+ +  + +## ProductPackageSet + + + +++++ + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

packageSetId

string

An identifier for the particular combination of application packages.

productPackages

collection of [ProductPackageDetails](#productpackagedetails)

A collection of application packages.

+ +  + +## ProductPackageFormat + + + +++ + + + + + + + + + + + + + + + + +
Name

appx

appxBundle

xap

+ +  + +## ProductPlatform + + + ++++ + + + + + + + + + + + + + + + + + + + + +
NameType

platformName

string

minVersion

[VersionInfo](#versioninfo)

maxTestedVersion

[VersionInfo](#versioninfo)

+ +  + +## SeatAction + + + +++ + + + + + + + + + + + + + +
Name

assign

reclaim

+ +  + +## SeatDetails + + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NameTypeDescription

assignedTo

string

Format = UPN (user@domain)

dateAssigned

datetime

state

[SeatState](#seatstate)

productKey

[ProductKey](#productkey)

+ +  + +## SeatDetailsResultSet + + + ++++ + + + + + + + + + + + + + + + + +
NameType

seats

Collection of [SeatDetails](#seatdetails)

continuationToken

string

+ +  + +## SeatState + + + +++ + + + + + + + + + + + + + +
Name

active

revoked

+ +  + +## SupportedProductPlatform + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
NameType

platformName

string

minVersion

[VersionInfo](#versioninfo)

maxTestedVersion

[VersionInfo](#versioninfo)

architectures

collection of ProductArchitectures

+ +  + +## VersionInfo + + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
NameType

major

integer-23

minor

integer-23

build

integer-23

revision

integer-23

+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
new file mode 100644
index 0000000000..71e91e480e
--- /dev/null
+++ b/windows/client-management/mdm/defender-csp.md
@@ -0,0 +1,325 @@
+---
+title: Defender CSP
+description: Defender CSP
+ms.assetid: 481AA74F-08B2-4A32-B95D-5A3FD05B335C
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Defender CSP
+
+
+The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise.
+
+The following image shows the Windows Defender configuration service provider in tree format
+
+![defender csp diagram](images/provisioning-csp-defender.png)
+
+**Detections**
+An interior node to group all threats detected by Windows Defender.
+
+Supported operation is Get.
+
+**Detections/****_ThreatId_**
+The ID of a threat that has been detected by Windows Defender.
+
+Supported operation is Get.
+
+**Detections/*ThreatId*/Name**
+The name of the specific threat.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Detections/*ThreatId*/URL**
+URL link for additional threat information.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Detections/*ThreatId*/Severity**
+Threat severity ID.
+
+The data type is a integer.
+
+The following list shows the supported values:
+
+- 0 = Unknown
+- 1 = Low
+- 2 = Moderate
+- 4 = High
+- 5 = Severe
+
+Supported operation is Get.
+
+**Detections/*ThreatId*/Category**
+Threat category ID.
+
+The data type is a integer.
+
+The following table describes the supported values:
+
+| Value | Description |
+|-------|-----------------------------|
+| 0 | Invalid |
+| 1 | Adware |
+| 2 | Spyware |
+| 3 | Password stealer |
+| 4 | Trojan downloader |
+| 5 | Worm |
+| 6 | Backdoor |
+| 7 | Remote access Trojan |
+| 8 | Trojan |
+| 9 | Email flooder |
+| 10 | Keylogger |
+| 11 | Dialer |
+| 12 | Monitoring software |
+| 13 | Browser modifier |
+| 14 | Cookie |
+| 15 | Browser plugin |
+| 16 | AOL exploit |
+| 17 | Nuker |
+| 18 | Security disabler |
+| 19 | Joke program |
+| 20 | Hostile ActiveX control |
+| 21 | Software bundler |
+| 22 | Stealth modifier |
+| 23 | Settings modifier |
+| 24 | Toolbar |
+| 25 | Remote control software |
+| 26 | Trojan FTP |
+| 27 | Potential unwanted software |
+| 28 | ICQ exploit |
+| 29 | Trojan telnet |
+| 30 | Exploit |
+| 31 | File sharing program |
+| 32 | Malware creation tool |
+| 33 | Remote control software |
+| 34 | Tool |
+| 36 | Trojan denial of service |
+| 37 | Trojan dropper |
+| 38 | Trojan mass mailer |
+| 39 | Trojan monitoring software |
+| 40 | Trojan proxy server |
+| 42 | Virus |
+| 43 | Known |
+| 44 | Unknown |
+| 45 | SPP |
+| 46 | Behavior |
+| 47 | Vulnerability |
+| 48 | Policy |
+
+ 
+
+Supported operation is Get.
+
+**Detections/*ThreatId*/CurrentStatus**
+Information about the current status of the threat.
+
+The data type is a integer.
+
+The following list shows the supported values:
+
+- 0 = Unknown
+- 1 = Detected
+- 2 = Cleaned
+- 3 = Quarantined
+- 4 = Removed
+- 5 = Allowed
+- 6 = Blocked
+- 102 = Clean failed
+- 103 = Quarantine failed
+- 104 = Remove failed
+- 105 = Allow failed
+- 106 = Abandoned
+- 107 = Block failed
+
+Supported operation is Get.
+
+**Detections/*ThreatId*/ExecutionStatus**
+Information about the execution status of the threat.
+
+The data type is a integer.
+
+Supported operation is Get.
+
+**Detections/*ThreatId*/InitialDetectionTime**
+The first time this particular threat was detected.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Detections/*ThreatId*/LastThreatStatusChangeTime**
+The last time this particular threat was changed.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Detections/*ThreatId*/NumberOfDetections**
+Number of times this threat has been detected on a particular client.
+
+The data type is a integer.
+
+Supported operation is Get.
+
+**Health**
+An interior node to group information about Windows Defender health status.
+
+Supported operation is Get.
+
+**Health/ComputerState**
+Provide the current state of the device.
+
+The data type is a integer.
+
+The following list shows the supported values:
+
+- 0 = Clean
+- 1 = Pending full scan
+- 2 = Pending reboot
+- 4 = Pending manual steps
+- 8 = Pending offline scan
+- 16 = Pending critical failure
+
+Supported operation is Get.
+
+**Health/DefenderEnabled**
+Indicates whether the Windows Defender service is running.
+
+The data type is a boolean.
+
+Supported operation is Get.
+
+**Health/RtpEnabled**
+Indicates whether real-time protection is running.
+
+The data type is a boolean.
+
+Supported operation is Get.
+
+**Health/NisEnabled**
+Indicates whether network protection is running.
+
+The data type is a boolean.
+
+Supported operation is Get.
+
+**Health/QuickScanOverdue**
+Indicates whether a Windows Defender quick scan is overdue for the device.
+
+The data type is a boolean.
+
+Supported operation is Get.
+
+**Health/FullScanOverdue**
+Indicates whether a Windows Defender full scan is overdue for the device.
+
+The data type is a boolean.
+
+Supported operation is Get.
+
+**Health/SignatureOutOfDate**
+Indicates whether the Windows Defender signature is outdated.
+
+The data type is a boolean.
+
+Supported operation is Get.
+
+**Health/RebootRequired**
+Indicates whether a device reboot is needed.
+
+The data type is a boolean.
+
+Supported operation is Get.
+
+**Health/FullScanRequired**
+Indicates whether a Windows Defender full scan is required.
+
+The data type is a boolean.
+
+Supported operation is Get.
+
+**Health/EngineVersion**
+Version number of the current Windows Defender engine on the device.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Health/SignatureVersion**
+Version number of the current Windows Defender signatures on the device.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Health/DefenderVersion**
+Version number of Windows Defender on the device.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Health/QuickScanTime**
+Time of the last Windows Defender quick scan of the device.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Health/FullScanTime**
+Time of the last Windows Defender full scan of the device.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Health/QuickScanSigVersion**
+Signature version used for the last quick scan of the device.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Health/FullScanSigVersion**
+Signature version used for the last full scan of the device.
+
+The data type is a string.
+
+Supported operation is Get.
+
+**Scan**
+Node that can be used to start a Windows Defender scan on a device.
+
+Valid values are:
+- 1 - quick scan
+- 2 - full scan
+
+Supported operations are Get and Execute.
+
+**UpdateSignature**
+Node that can be used to perform signature updates for Windows Defender.
+
+Supported operations are Get and Execute.
+
+## Related topics
+
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md
new file mode 100644
index 0000000000..f6856761c6
--- /dev/null
+++ b/windows/client-management/mdm/defender-ddf.md
@@ -0,0 +1,671 @@ +--- +title: Defender DDF file +description: Defender DDF file +ms.assetid: 39B9E6CF-4857-4199-B3C3-EC740A439F65 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Defender DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **Defender** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + Defender + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + Detections + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ThreatId + + + + + + Name + + + + + + + + + + + + + + + text/plain + + + + + URL + + + + + + + + + + + + + + + text/plain + + + + + Severity + + + + + + + + + + + + + + + text/plain + + + + + Category + + + + + + + + + + + + + + + text/plain + + + + + CurrentStatus + + + + + + + + + + + + + + + text/plain + + + + + ExecutionStatus + + + + + + + + + + + + + + + text/plain + + + + + InitialDetectionTime + + + + + + + + + + + + + + + text/plain + + + + + LastThreatStatusChangeTime + + + + + + + + + + + + + + + text/plain + + + + + NumberOfDetections + + + + + + + + + + + + + + + text/plain + + + + + + + Health + + + + + + + + + + + + + + + + + + + ComputerState + + + + + + + + + + + + + + + text/plain + + + + + DefenderEnabled + + + + + + + + + + + + + + + text/plain + + + + + RtpEnabled + + + + + + + + + + + + + + + text/plain + + + + + NisEnabled + + + + + + + + + + + + + + + text/plain + + + + + QuickScanOverdue + + + + + + + + 
+ + + + + + + text/plain + + + + + FullScanOverdue + + + + + + + + + + + + + + + text/plain + + + + + SignatureOutOfDate + + + + + + + + + + + + + + + text/plain + + + + + RebootRequired + + + + + + + + + + + + + + + text/plain + + + + + FullScanRequired + + + + + + + + + + + + + + + text/plain + + + + + EngineVersion + + + + + + + + + + + + + + + text/plain + + + + + SignatureVersion + + + + + + + + + + + + + + + text/plain + + + + + DefenderVersion + + + + + + + + + + + + + + + text/plain + + + + + QuickScanTime + + + + + + + + + + + + + + + text/plain + + + + + FullScanTime + + + + + + + + + + + + + + + text/plain + + + + + QuickScanSigVersion + + + + + + + + + + + + + + + text/plain + + + + + FullScanSigVersion + + + + + + + + + + + + + + + text/plain + + + + + + Scan + + + + + + + + + + + + + + + + text/plain + + + + + UpdateSignature + + + + + + + + + + + + + + + + text/plain + + + + + +``` + +## Related topics + + +[Defender configuration service provider](defender-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/design-a-custom-windows-csp.md b/windows/client-management/mdm/design-a-custom-windows-csp.md new file mode 100644 index 0000000000..ed969ccbee --- /dev/null +++ b/windows/client-management/mdm/design-a-custom-windows-csp.md 
@@ -0,0 +1,166 @@
+---
+title: Design a custom configuration service provider
+description: Design a custom configuration service provider
+MS-HAID:
+- 'p\_phDeviceMgmt.designing\_a\_custom\_configuration\_service\_provider'
+- 'p\_phDeviceMgmt.design\_a\_custom\_windows\_csp'
+ms.assetid: 0fff9516-a71a-4036-a57b-503ef1a81a37
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Design a custom configuration service provider
+
+To design a custom configuration service provider, the OEM must perform the following steps:
+
+1. Establish node semantics
+2. Shape the configuration service provider's subtree
+3. Choose a transactioning scheme for each node
+4. Determine node operations
+
+For more information about the larger process of writing a new configuration service provider, see [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md).
+
+## Establish node semantics
+
+First, determine the nodes you need based on the kind of data to be stored in the registry.
+
+Nodes can represent anything from abstract concepts or collections (such as email accounts or connection settings) to more concrete objects (such as registry keys and values, directories, and files).
+
+### Example
+
+For example, a hypothetical Email configuration service provider might have these nodes:
+
+- Account: The name of the email account (such as "Hotmail")
+
+- Username: The user name or email address ("exampleAccount@hotmail.com")
+
+- Password: The user's password
+
+- Server: The DNS address of the server ("mail-serv1-example.mail.hotmail.com")
+
+The `Account`, `Username`, and `Server` nodes would hold text-based information about the email account, the user's email address, and the server address associated with that account. The `Password` node, however, might hold a binary hash of the user's password.
+
+## Shape the configuration service provider's subtree
+
+After determining what the nodes represent, decide where each node fits in the settings hierarchy.
+
+The root node of a configuration service provider's subtree must be the name of the configuration service provider. In this example, the root node is `Email`.
+
+All of the nodes defined in the previous step must reside under the configuration service provider's root node. Leaf nodes should be used to store data, and interior nodes should be used to group the data into logical collections. Node URIs must be unique. In other words, no two nodes can have both the same parent and the same name.
+
+There are three typical scenarios for grouping and structuring the nodes:
+
+- If all of the data belongs to the same component and no further categorizing or grouping is required, you can build a flat tree in which all values are stored directly under the root node. For examples of this design, see [DevInfo configuration service provider](devinfo-csp.md), [HotSpot configuration service provider](hotspot-csp.md), and [w4 APPLICATION configuration service provider](w4-application-csp.md).
+
+- If the configuration service provider's nodes represent a preexisting set of entities whose structure is well-defined (such as directories and files), the configuration service provider's nodes can simply mirror the existing structure.
+
+- If the data must be grouped by type or component, a more complex structure is required. This is especially true when there can be multiple instances of the dataset on the device, and each set is indexed by an ID, account name, or account type. In this case, you must build a more complex tree structure. For examples, see [ActiveSync configuration service provider](activesync-csp.md), [CertificateStore configuration service provider](certificatestore-csp.md), and [CMPolicy configuration service provider](cmpolicy-csp.md).
+
+### Example
+
+The following image shows an incorrect way to structure the hypothetical `Email` configuration service provider. The interior `Account` nodes group the account data (server name, user name, and user password).
+
+![provisioning\-customcsp\-example1](images/provisioning-customcsp-example1.png)
+
+However, the account nodes in this design are not unique. Even though the nodes are grouped sensibly, the path for each of the leaf nodes is ambiguous. There is no way to disambiguate the two `Username` nodes, for example, or to reliably access the same node by using the same path. This structure will not work. The easiest solution to this problem is usually to replace an interior node (the grouping node) by:
+
+1. Promoting a child node.
+
+2. Using the node value as the name of the new interior node.
+
+The following design conveys the same amount of information as the first design, but all nodes have a unique path, and therefore it will work.
+
+![provisioning\-customcsp\-example2](images/provisioning-customcsp-example2.png)
+
+In this case, the `Server` nodes have been promoted up one level to replace the `Account` nodes, and their values are now used as the node names. For example, you could have two different email accounts on the phone, with server names "www.hotmail.com" and "exchange.microsoft.com", each of which stores a user name and a password.
+
+Note that the process of shaping the configuration service provider’s subtree influences the choice of transactioning schemes for each node. If possible, peer nodes should not have dependencies on each other. Internode dependencies other than parent/child relationships create mandatory groups of settings, which makes configuration service provider development more difficult.
+ +## Choose a transactioning scheme for each node + +For each node, decide whether to use *external transactioning* or *internal transactioning* to manage the transaction phases (rollback persistence, rollback, and commitment) for the node. + +External transactioning is the simplest option because it allows ConfigManager2 to automatically handle the node's transactioning. + +However, you must use internal transactioning for the following types of nodes: + +- A node that supports the **Execute** method. + +- A node that contains sensitive information (such as a password) that must not be saved in plain text in the ConfigManager2 rollback document. + +- A node that has a dependency on another node that is not a parent. For example, if a parent node has two children that are both required, the configuration service provider could use internal transactioning to defer provisioning the account until both values are set. + +You can choose to mix transactioning modes in your configuration service provider, using internal transactioning for some operations but external transactioning for others. For more information about writing an internally transactioned node, see the [ICSPNodeTransactioning](icspnodetransactioning.md) interface. + +## Determine node operations + +The operations available for each node can vary depending on the purpose of the configuration service provider. The configuration service provider will be easier to use if the operations are consistent. For more information about the supported operations, see the [ICSPNode](icspnode.md) interface. + +For externally transactioned nodes, an operation implementation must include the contrary operations shown in the following table to allow rollback of the operation. + +For internally transactioned nodes, the practice of implementing the contrary commands for each command is recommended, but not required. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Node operationContrary node operation

Add

Clear and DeleteChild

Copy

To copy to a new node: Clear and DeleteChild

+

To copy to an existing node: Add and SetValue

Clear

To restore the state of the deleted node: SetValue and SetProperty

DeleteChild

To restore the old node: Add

DeleteProperty

To restore the deleted property: SetProperty

Execute

Externally transactioned nodes do not support the Execute command.

GetValue

None

Move

To restore a source node: Move

+

To restore an overwritten target node: Add and SetValue

SetValue

To restore the previous value: SetValue

+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md
new file mode 100644
index 0000000000..40ee770991
--- /dev/null
+++ b/windows/client-management/mdm/devdetail-csp.md
@@ -0,0 +1,194 @@
+---
+title: DevDetail CSP
+description: DevDetail CSP
+ms.assetid: 719bbd2d-508d-439b-b175-0874c7e6c360
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# DevDetail CSP
+
+The DevDetail configuration service provider handles the management object which provides device-specific parameters to the OMA DM server. These device parameters are not sent from the client to the server automatically, but can be queried by servers using OMA DM commands.
+
+> [!NOTE]
+> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
+
+For the DevDetail CSP, you cannot use the Replace command unless the node already exists.
+
+The following diagram shows the DevDetail configuration service provider management object in tree format as used by OMA Device Management. The OMA Client Provisioning protocol is not supported for this configuration service provider.
+
+![devdetail csp (dm)](images/provisioning-csp-devdetail-dm.png)
+
+**DevTyp**
+

Required. Returns the device model name /SystemProductName as a string. + +

Supported operation is Get. + +**OEM** +

Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2. + +

Supported operation is Get. + +**FwV** +

Required. Returns the firmware version, as defined in the registry key HKEY\_LOCAL\_MACHINE\\System\\Platform\\DeviceTargetingInfo\\PhoneFirmwareRevision. + +

For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns the BIOS version as defined in the registry key HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVersion. + +

Supported operation is Get. + +**SwV** +

Required. Returns the Windows 10 OS software version in the format MajorVersion.MinorVersion.BuildNumber.QFEnumber. Currently the BuildNumber returns the build number on the desktop and mobile build number on the phone. In the future, the build numbers may converge. + +

Supported operation is Get. + +**HwV** +

Required. Returns the hardware version, as defined in the registry key HKEY\_LOCAL\_MACHINE\\System\\Platform\\DeviceTargetingInfo\\PhoneRadioHardwareRevision. + +

For Windows 10 for desktop editions, it returns the BIOS version as defined in the registry key HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\BIOSVersion. + +

Supported operation is Get. + +**LrgObj** +

Required. Returns whether the device uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2. + +

Supported operation is Get. + +**URI/MaxDepth** +

Required. Returns the maximum depth of the management tree that the device supports. The default is zero (0). + +

Supported operation is Get. + +

This is the maximum number of URI segments that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited depth. + +**URI/MaxTotLen** +

Required. Returns the maximum total length of any URI used to address a node or node property. The default is zero (0). + +

Supported operation is Get. + +

This is the largest number of characters in the URI that the device supports. The default value zero (0) indicates that the device supports a URI of unlimited length. + +**URI/MaxSegLen** +

Required. Returns the total length of any URI segment in a URI that addresses a node or node property. The default is zero (0). + +

Supported operation is Get. + +

This is the largest number of characters that the device can support in a single URI segment. The default value zero (0) indicates that the device supports URI segment of unlimited length. + +**Ext/Microsoft/MobileID** +

Required. Returns the mobile device ID associated with the cellular network. Returns 404 for devices that do not have a cellular network support. + +

Supported operation is Get. + +

The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element. + +**Ext/Microsoft/LocalTime** +

Required. Returns the client local time in ISO 8601 format. + +

Supported operation is Get. + +**Ext/Microsoft/OSPlatform** +

Required. Returns the OS platform of the device. For Windows 10 for desktop editions, it returns the ProductName as defined in HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProductName. + +

Supported operation is Get. + +**Ext/Microsoft/ProcessorType** +

Required. Returns the processor type of the device as documented in SYSTEM\_INFO. + +

Supported operation is Get. + +**Ext/Microsoft/RadioSwV** +

Required. Returns the radio stack software version number. + +

Supported operation is Get. + +**Ext/Microsoft/Resolution** +

Required. Returns the UI screen resolution of the device (example: "480x800"). + +

Supported operation is Get. + +**Ext/Microsoft/CommercializationOperator** +

Required. Returns the name of the mobile operator if it exists; otherwise it returns 404.. + +

Supported operation is Get. + +**Ext/Microsoft/ProcessorArchitecture** +

Required. Returns the processor architecture of the device as "arm" or "x86". + +

Supported operation is Get. + +**Ext/Microsoft/DeviceName** +

Required. Contains the user-specified device name. + +

Support for Replace operation for Windows 10 Mobile was added in Windows 10, version 1511. Replace operation is not supported in the desktop or IoT Core. When you change the device name using this node, it triggers a dialog on the device asking the user to reboot. The new device name does not take effect until the device is restarted. If the user cancels the dialog, it will show again until a reboot occurs. + +

Value type is string. + +

Supported operations are Get and Replace. + +**Ext/Microsoft/TotalStorage** +

Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage). + +

Supported operation is Get. + +> [!NOTE] +> This is only supported in Windows 10 Mobile. + +**Ext/Microsoft/TotalRAM** +

Added in Windows 10, version 1511. Integer that specifies the total available memory in MB on the device (may be less than total physical memory). + +

Supported operation is Get. + +**Ext/WLANMACAddress** +

The MAC address of the active WLAN connection, as a 12-digit hexadecimal number. + +

Supported operation is Get. + +> [!NOTE] +> This is not supported in Windows 10 for desktop editions. + +**VoLTEServiceSetting** +

Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers. + +

Supported operation is Get. + +**WlanIPv4Address** +

Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers. + +

Supported operation is Get. + +**WlanIPv6Address** +

Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. + +

Supported operation is Get. + +**WlanDnsSuffix** +

Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. + +

Supported operation is Get. + +**WlanSubnetMask** +

Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers. + +

Supported operation is Get. + +**DeviceHardwareData** +

Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device. + +

Supported operation is Get.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md
new file mode 100644
index 0000000000..e7fbbcac7a
--- /dev/null
+++ b/windows/client-management/mdm/devdetail-ddf-file.md
@@ -0,0 +1,696 @@ +--- +title: DevDetail DDF file +description: DevDetail DDF file +ms.assetid: 645fc2b5-2d2c-43b1-9058-26bedbe9f00d +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DevDetail DDF file + +This topic shows the OMA DM device description framework (DDF) for the **DevDetail** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + DevDetail + . + + + + + + + + + + + + + + + urn:oma:mo:oma-dm-devdetail:1.1 + + + + URI + + + + + + + + + + + + + + + + + + + MaxDepth + + + + + + + + + + + + + + + text/plain + + + + + MaxTotLen + + + + + + + + + + + + + + + text/plain + + + + + MaxSegLen + + + + + + + + + + + + + + + text/plain + + + + + + DevTyp + + + + + Device model name, as specified and tracked by the manufacturer + + + + + + + + + + + text/plain + + + + + OEM + + + + + Name of OEM + + + + + + + + + + + text/plain + + + + + FwV + + + + + Provide the version of OEM ROM region. + + + + + + + + + + + text/plain + + + + + SwV + + + + + Returns the Windows Phone OS software version. + + + + + + + + + + + text/plain + + + + + HwV + + + + + Returns the hardware version. + + + + + + + + + + + text/plain + + + + + LrgObj + + + + + + Large object isn't supported. The data for this node is "false". 
+ + + + + + + + + + + + text/plain + + + + + Ext + + + + + Subtree to hold vendor-specific parameters + + + + + + + + + + + + + + + Microsoft + + + + + Subtree to hold vendor-specific parameters + + + + + + + + + + + + + + + MobileID + + + + + Indicates the subscriber ID registered with the cellular network. For GSM and UMTS networks, the value returned is the IMSI value; for other networks, SyncML Status code 404 is returned. + + + + + + + + + + + text/plain + + + + + RadioSwV + + + + + Version of the software radio stack + + + + + + + + + + + text/plain + + + + + Resolution + + + + + Resolution of the device in the format of WidthxLength (e.g., "400x800"). + + + + + + + + + + + text/plain + + + + + CommercializationOperator + + + + + Name of operator with whom the device was commercialized. + + + + + + + + + + + text/plain + + + + + ProcessorArchitecture + + + + + Processor architecture of the device, as returned by the GetSystemInfo API. + + + + + + + + + + + text/plain + + + + + ProcessorType + + + + + Processor type of the device, as returned by the GetSystemInfo API. + + + + + + + + + + + text/plain + + + + + OSPlatform + + + + + Name of the operating system platform. + + + + + + + + + + + text/plain + + + + + LocalTime + + + + + Returns the UTC time formatted per ISO8601. Example: 2003-06-16T18:37:44Z. + + + + + + + + + + + text/plain + + + + + DeviceName + + + + + + User-specified device name + + + + + + + + + + + text/plain + + + + + TotalStorage + + + + + Total available storage in MB from first internal drive on the device (may be less than total physical storage). Available for Windows Mobile only. + + + + + + + + + + + text/plain + + + + + TotalRAM + + + + + Total available memory in MB on the device (may be less than total physical memory). 
+ + + + + + + + + + + text/plain + + + + + + WLANMACAddress + + + + + The MAC address of the active WiFi connection + + + + + + + + + + + text/plain + + + + + VoLTEServiceSetting + + + + + The VoLTE service setting on or off. Only exposed to Mobile Operator-based OMA-DM servers. + + + + + + + + + + + text/plain + + + + + WlanIPv4Address + + + + + The IPv4 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers. + + + + + + + + + + + text/plain + + + + + WlanIPv6Address + + + + + The IPv6 address of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers. + + + + + + + + + + + text/plain + + + + + WlanDnsSuffix + + + + + The DNS suffix of the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers. + + + + + + + + + + + text/plain + + + + + WlanSubnetMask + + + + + The subnet mask for the active WiFi connection. Only exposed to Enterprise-based OMA-DM servers. + + + + + + + + + + + text/plain + + + + + DeviceHardwareData + + + + + Added in Windows 10 version 1703. Returns a base64 encoded string of the hardware parameters of a device. + + + + + + + + + + + text/plain + + + + + + +``` + +## Related topics + + +[DevDetail configuration service provider](devdetail-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md new file mode 100644 index 0000000000..1a00b5f67c --- /dev/null +++ b/windows/client-management/mdm/developersetup-csp.md 
@@ -0,0 +1,68 @@
+---
+title: DeveloperSetup CSP
+description: The DeveloperSetup configuration service provider (CSP) is used to configure developer mode on the device. This CSP was added in the next major update of Windows 10.
+ms.assetid:
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# DeveloperSetup CSP
+
+The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](https://msdn.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703.
+
+> [!NOTE]
+The DeveloperSetup configuration service provider (CSP) is supported only in Windows 10 Holographic Enterprise edition and is for provisioning only.
+
+The following diagram shows the DeveloperSetup configuration service provider in tree format.
+
+![developersetup csp diagram](images/provisioning-csp-developersetup.png)
+
+**DeveloperSetup**
+

The root node for the DeveloperSetup configuration service provider.
+
+**EnableDeveloperMode**
+

A Boolean value that is used to enable Developer Mode on the device. The default value is false.
+
+

The only supported operation is Replace.
+
+**DevicePortal**
+

The node for the Windows Device Portal.
+
+**DevicePortal/Authentication**
+

The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal.
+
+**DevicePortal/Authentication/Mode**
+

An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal.
+
+

The only supported operation is Replace.
+
+**DevicePortal/Authentication/BasicAuth**
+

The node that describes the credentials that are used for basic authentication with the Windows Device Portal.
+
+**DevicePortal/Authentication/BasicAuth/Username**
+

A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal.
+The user name must contain only ASCII characters and cannot contain a colon (:).
+
+

The only supported operation is Replace.
+
+**DevicePortal/Authentication/BasicAuth/Password**
+

A string value that specifies the password to use when authenticating requests against the Windows Device Portal.
+
+

The only supported operation is Replace.
+
+**DevicePortal/Connection**
+

The node for configuring connections to the Windows Device Portal service.
+
+**DevicePortal/Connection/HttpPort**
+

An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service.
+If authentication is enabled, **HttpPort** will redirect the user to the (required) **HttpsPort**.
+
+

The only supported operation is Replace.
+
+**DevicePortal/Connection/HttpsPort**
+

An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service.
+
+

The only supported operation is Replace.
\ No newline at end of file
diff --git a/windows/client-management/mdm/developersetup-ddf.md b/windows/client-management/mdm/developersetup-ddf.md
new file mode 100644
index 0000000000..b9a3348cca
--- /dev/null
+++ b/windows/client-management/mdm/developersetup-ddf.md
@@ -0,0 +1,298 @@ +--- +title: DeveloperSetup DDF file +description: This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703. +ms.assetid: +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DeveloperSetup DDF file + +This topic shows the OMA DM device description framework (DDF) for the DeveloperSetup configuration service provider. This CSP was added in Windows 10, version 1703. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + DeveloperSetup + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/DeveloperSetup + + + + EnableDeveloperMode + + + + + False + Enables developer mode on the device + + + + + + + + + + + + + EnableDeveloperMode + + text/plain + + + + + DevicePortal + + + + + + + + + + + + + + + + + + + Authentication + + + + + Specifies characteristics of the authentication mechanism used for the Windows Device Portal. + + + + + + + + + + + + + Authentication + + + + + + Mode + + + + + Describes the mode of authentication used when making requests to the Device Portal. 
+ + + + + + + + + + + + + Mode + + text/plain + + + + + BasicAuth + + + + + Describes credentials used for basic authentication + + + + + + + + + + + + + BasicAuth + + + + + + Username + + + + + Describes the username to use when performing basic authentication with the Windows Device Portal + + + + + + + + + + + + + Username + + text/plain + + + + + Password + + + + + Describes the password to use when authenticating requests against the Windows Device Portal + + + + + + + + + + + + + Password + + text/plain + + + + + + + Connection + + + + + + + + + + + + + + Connection + + + + + + HttpPort + + + + + Configures the HTTP port for incoming connections to the Device Portal Service. + + + + + + + + + + HttpPort + + text/plain + + + + + HttpsPort + + + + + Configures the HTTPS port for incoming connections to the Device Portal Service. + + + + + + + + + + HttpsPort + + text/plain + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md new file mode 100644 index 0000000000..724d2abe69 --- /dev/null +++ b/windows/client-management/mdm/device-update-management.md 
@@ -0,0 +1,969 @@
+---
+title: Device update management
+description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology.
+ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+
+# Device update management
+
+In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft Updates.
+
+In particular, Windows 10 provides additional APIs to enable MDMs to:
+
+- Ensure machines stay up-to-date by configuring Automatic Update policies.
+- Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device.
+- Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up-to-date is a particular machine.
+
+This topic provides MDM ISVs with the information they need to implement update management in Windows 10.
+
+In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to:
+
+- Configure automatic update policies to ensure devices stay up-to-date.
+- Get device compliance information (the list of updates that are needed but not yet installed).
+- Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested.
+- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs.
+
+The OMA DM APIs for specifying update approvals and getting compliance status reference updates using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526707).
+For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
+
+The following diagram provides a conceptual overview of how this works:
+
+![mobile device update management](images/mdm-update-sync.png)
+
+The diagram can be roughly divided into three areas:
+
+- The Device Management service syncs update information (title, description, applicability) from Microsoft Update using the Server-Server sync protocol (top of the diagram).
+- The Device Management service sets automatic update policies, obtains update compliance information, and sets approvals via OMA DM (left portion of the diagram).
+- The device gets updates from Microsoft Update using client/server protocol, but only downloads and installs updates that are both applicable to the device and approved by IT (right portion of the diagram).
+
+## Getting update metadata using the Server-Server sync protocol
+
+The Microsoft Update Catalog is huge and contains many updates that are not needed by MDM-managed devices, including updates for legacy software (for example, updates to servers, down-level desktop operating systems, and legacy apps), and a large number of drivers.
We recommend that the MDM use the Server-Server sync protocol to get update metadata for updates reported from the client.
+
+This section describes how this is done. The following diagram shows the server-server sync protocol process.
+
+![mdm server-server sync](images/deviceupdateprocess2.png)
+
+MSDN provides much information about the Server-Server sync protocol. In particular:
+
+- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
+- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
+
+Some important highlights:
+
+- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
+- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](https://msdn.microsoft.com/library/dd304816.aspx) in MSDN.
The LocURI to get the applicable updates with their revision Numbers is `./Vendor/MSFT/Update/InstallableUpdates?list=StructData`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
+- For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
+
+> **Note**  On Microsoft Update, metadata for a given update gets modified over time (updating descriptive information, fixing bugs in applicability rules, localization changes, etc). Each time such a change is made that doesn’t affect the update itself, a new update revision is created. The identity of an update revision is a compound key containing both an UpdateID (GUID) and a RevisionNumber (int). The MDM should not expose the notion of an update revision to IT. Instead, for each UpdateID (GUID) the MDM should just keep the metadata for the later revision of that update (the one with the highest revision number).
+
+
+## Examples of update metadata XML structure and element descriptions
+
+The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). Some of the key elements are described below:
+
+- **UpdateID** – The unique identifier for an update
+- **RevisionNumber** – Revision number for the update in case the update was modified.
+- **CreationDate** – the date on which this update was created.
+- **UpdateType** – The type of update which could include the following:
+ - **Detectoid** – if this update identity represents a compatibility logic
+ - **Category** – This could represent either of the following:
+ - A Product category the update belongs to. For example, Windows, MS office etc.
+ - The classification the update belongs to. For example, Drivers, security etc.
+ - **Software** – If the update is a software update.
+ - **Driver** – if the update is a driver update.
+- **LocalizedProperties** – represents the language the update is available in, title and description of the update. It has the following fields:
+ - **Language** – The language code identifier (LCID). For example, en or es.
+ - **Title** – Title of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 x64 Edition (KB2526305)”
+ - **Description** – Description of the update. For example, “Windows SharePoint Services 3.0 Service Pack 3 (KB2526305) provides the latest updates to Windows SharePoint Services 3.0. After you install this item, you may have to restart your computer. After you have installed this item, it cannot be removed.”
+- **KBArticleID** – The KB article number for this update that has details regarding the particular update. For example, .
+
+## Recommended Flow for Using the Server-Server Sync Protocol
+
+This section describes a possible algorithm for using the server-server sync protocol to pull in update metadata to the MDM.
+
+First some background:
+
+- If you have a multi-tenant MDM, the update metadata can be kept in a shared partition, since it is common to all tenants.
+- A metadata sync service can then be implemented that periodically calls server-server sync to pull in metadata for the updates IT cares about.
+- The MDM component that uses OMA DM to control devices (described in the next section) should send the metadata sync service the list of needed updates it gets from each client if those updates are not already known to the device.
+
+
+The following procedure describes a basic algorithm for a metadata sync service:
+
+- Initialization, composed of the following:
+ 1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about 4 new definition updates per day, each of which is cumulative).
+- Sync periodically (we recommend once every 2 hours - no more than once/hour).
+ 1. Implement the authorization phase of the protocol to get a cookie if you don’t already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720).
+ 2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720)), and:
+ - Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB.
+ - If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
+ - Remove updates from the "needed update IDs to fault in" list once they have been brought in.
+
+This provides an efficient way to pull in the information about the set of Microsoft Updates that IT needs to manage, so the information can be used in various update management scenarios. For example, at update approval time you can pull information so IT can see what updates they are approving, or for compliance reports to see what updates are needed but not yet installed.
+
+## Managing updates using OMA DM
+
+An MDM can manage updates via OMA DM.
The details of how to use and integrate an MDM with the Windows OMA DM protocol, and how to enroll devices for MDM management, is documented the [Mobile device management](mobile-device-enrollment.md) topic. This section focuses on how to extend that integration to support update management. The key aspects of update management include the following:
+
+- Configure automatic update policies to ensure devices stay up-to-date.
+- Get device compliance information (the list of updates that are needed but not yet installed)
+- Specify a per-device update approval list to ensure devices don’t install unapproved updates that have not been tested.
+- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs
+
+The following list describes a suggested model for applying updates.
+
+1. Have a "Test Group" and an "All Group".
+2. In the Test group, just let all updates flow.
+3. In the All Group, set up Quality Update deferral for 7 days and then Quality Updates will be auto approved after the 7 days. Note that Definition Updates are excluded from Quality Update deferrals and will be auto approved when they are availible. This can be done by setting Update/DeferQualityUpdatesPeriodInDays to 7 and just letting updates flow after seven days or pushing Pause in case of issues.
+
+Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md). Please refer to these topics for details on configuring updates.
+
+### Update policies
+
+The enterprise IT can configure auto-update polices via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality is not supported in Windows 10 Mobile and Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
+
+The following diagram shows the Update policies in a tree format.
+
+![update csp diagram](images/update-policies.png)
+
+**Update/ActiveHoursEnd**
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+

Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
+
+> [!NOTE]
+> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
+
+

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+

The default is 17 (5 PM).
+
+**Update/ActiveHoursMaxRange**
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+

Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
+
+

Supported values are 8-18.
+
+

The default value is 18 (hours).
+
+**Update/ActiveHoursStart**
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+

Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
+
+> [!NOTE]
+> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
+
+

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+
+

The default value is 8 (8 AM).
+
+**Update/AllowAutoUpdate**
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+

Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
+
+

Supported operations are Get and Replace.
+
+

The following list shows the supported values:
+
+- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
+- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
+- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart.
+- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily.
Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 5 – Turn off automatic updates. + +> [!IMPORTANT] +> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. +  + +

If the policy is not configured, end-users get the default behavior (Auto install and restart).
+
+**Update/AllowMUUpdateService**
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+
+
+

Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+
+

The following list shows the supported values:
+
+- 0 – Not allowed or not configured.
+- 1 – Allowed. Accepts updates received through Microsoft Update.
+
+**Update/AllowNonMicrosoftSignedUpdate**
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution.
+
+

Supported operations are Get and Replace.
+
+

The following list shows the supported values:
+
+- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
+- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
+
+

This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+
+**Update/AllowUpdateService**
+> [!NOTE]
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
+
+
+

Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store.
+
+

Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store
+
+

Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working. + +

The following list shows the supported values: + +- 0 – Update service is not allowed. +- 1 (default) – Update service is allowed. + +> [!NOTE] +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + + +**Update/AutoRestartNotificationSchedule** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. + +

Supported values are 15, 30, 60, 120, and 240 (minutes). + +

The default value is 15 (minutes). + +**Update/AutoRestartRequiredNotificationDismissal** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. + +

The following list shows the supported values: + +- 1 (default) – Auto Dismissal. +- 2 – User Dismissal. + +**Update/BranchReadinessLevel** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. + +

The following list shows the supported values: + +- 16 (default) – User gets all applicable upgrades from Current Branch (CB). +- 32 – User gets upgrades from Current Branch for Business (CBB). + +**Update/DeferFeatureUpdatesPeriodInDays** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + + +

Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. + +

Supported values are 0-180. + +**Update/DeferQualityUpdatesPeriodInDays** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. + +

Supported values are 0-30. + +**Update/DeferUpdatePeriod** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. + + +

Allows IT Admins to specify update delays for up to 4 weeks. + +

Supported values are 0-4, which refers to the number of weeks to defer updates. + +

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: + +- Update/RequireDeferUpgrade must be set to 1 +- System/AllowTelemetry must be set to 1 or higher + +

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Update categoryMaximum deferralDeferral incrementUpdate type/notes

OS upgrade

8 months

1 month

Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

Update

1 month

1 week

+Note +If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. +
+
    +
  • Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
  • +
  • Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
  • +
  • Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
  • +
  • Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
  • +
  • Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
  • +
  • Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
  • +
  • Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
  • +
  • Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
  • +

Other/cannot defer

No deferral

No deferral

Any update category not specifically enumerated above falls into this category.

+

Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

+ + +**Update/DeferUpgradePeriod** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +> +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + + +

Allows IT Admins to specify additional upgrade delays for up to 8 months. + +

Supported values are 0-8, which refers to the number of months to defer upgrades. + +

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +**Update/EngagedRestartDeadline** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). + +

Supported values are 2-30 days. + +

The default value is 0 days (not specified). + +**Update/EngagedRestartSnoozeSchedule** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. + +

Supported values are 1-3 days. + +

The default value is 3 days. + +**Update/EngagedRestartTransitionSchedule** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +

Supported values are 2-30 days. + +

The default value is 7 days. + +**Update/ExcludeWUDriversInQualityUpdate** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +

Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. + +

The following list shows the supported values: + +- 0 (default) – Allow Windows Update drivers. +- 1 – Exclude Windows Update drivers. + +**Update/IgnoreMOAppDownloadLimit** +

Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + +

The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for apps and their updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. + +

To validate this policy: + +1. Enable the policy ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: + - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + +**Update/IgnoreMOUpdateDownloadLimit** +

Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + +

The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for OS updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. + +

To validate this policy: + +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + +**Update/PauseDeferrals** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. + + +

Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. + +

The following list shows the supported values: + +- 0 (default) – Deferrals are not paused. +- 1 – Deferrals are paused. + +

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +**Update/PauseFeatureUpdates** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + + +

Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. + +

The following list shows the supported values: + +- 0 (default) – Feature Updates are not paused. +- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. + +**Update/PauseQualityUpdates** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. + +

The following list shows the supported values: + +- 0 (default) – Quality Updates are not paused. +- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. + +**Update/RequireDeferUpgrade** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. + + +

Allows the IT admin to set a device to CBB train. + +

The following list shows the supported values: + +- 0 (default) – User gets upgrades from Current Branch. +- 1 – User gets upgrades from Current Branch for Business. + +**Update/RequireUpdateApproval** + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +
+ +> [!NOTE] +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. + + +

Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- 0 – Not configured. The device installs all applicable updates. +- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. + +**Update/ScheduleImminentRestartWarning** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. + +

Supported values are 15, 30, or 60 (minutes). + +

The default value is 15 (minutes). + +**Update/ScheduledInstallDay** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Enables the IT admin to schedule the day of the update installation. + +

The data type is a string. + +

Supported operations are Add, Delete, Get, and Replace. + +

The following list shows the supported values: + +- 0 (default) – Every day +- 1 – Sunday +- 2 – Monday +- 3 – Tuesday +- 4 – Wednesday +- 5 – Thursday +- 6 – Friday +- 7 – Saturday + +**Update/ScheduledInstallTime** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Enables the IT admin to schedule the time of the update installation. + +

The data type is a string. + +

Supported operations are Add, Delete, Get, and Replace. + +

Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. + +

The default value is 3. + +**Update/ScheduleRestartWarning** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. + +

Supported values are 2, 4, 8, 12, or 24 (hours). + +

The default value is 4 (hours). + +**Update/SetAutoRestartNotificationDisable** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. + +

The following list shows the supported values: + +- 0 (default) – Enabled +- 1 – Disabled + +**Update/UpdateServiceUrl** +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +> [!Important] +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise. + +

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. + +Example + +``` syntax + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + +``` + +**Update/UpdateServiceUrlAlternate** + +> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. + +

Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. + +

This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. + +

To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. + +

Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. + +> [!Note] +> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. +> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. +> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + +### Update management + +The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format.. + +![update csp diagram](images/provisioning-csp-update.png) + +**Update** +The root node. + +Supported operation is Get. + +**ApprovedUpdates** +Node for update approvals and EULA acceptance on behalf of the end-user. + +> **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. + +The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. + +The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). 
The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. + +> **Note**  For the Windows 10 build, the client may need to reboot after additional updates are added. + +  + +Supported operations are Get and Add. + +**ApprovedUpdates/****_Approved Update Guid_** +Specifies the update GUID. + +To auto-approve a class of updates, you can specify the [Update Classifications](http://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. + +Supported operations are Get and Add. + +Sample syncml: + +``` +./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d +``` + +**ApprovedUpdates/*Approved Update Guid*/ApprovedTime** +Specifies the time the update gets approved. + +Supported operations are Get and Add. + +**FailedUpdates** +Specifies the approved updates that failed to install on a device. + +Supported operation is Get. + +**FailedUpdates/****_Failed Update Guid_** +Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install. + +Supported operation is Get. + +**FailedUpdates/*Failed Update Guid*/HResult** +The update failure error code. + +Supported operation is Get. 
+ +**FailedUpdates/*Failed Update Guid*/Status** +Specifies the failed update status (for example, download, install). + +Supported operation is Get. + +**InstalledUpdates** +The updates that are installed on the device. + +Supported operation is Get. + +**InstalledUpdates/****_Installed Update Guid_** +UpdateIDs that represent the updates installed on a device. + +Supported operation is Get. + +**InstallableUpdates** +The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved. + +Supported operation is Get. + +**InstallableUpdates/****_Installable Update Guid_** +Update identifiers that represent the updates applicable and not installed on a device. + +Supported operation is Get. + +**InstallableUpdates/*Installable Update Guid*/Type** +The UpdateClassification value of the update. Valid values are: + +- 0 - None +- 1 - Security +- 2 = Critical + +Supported operation is Get. + +**InstallableUpdates/*Installable Update Guid*/RevisionNumber** +The revision number for the update that must be passed in server to server sync to get the metadata for the update. + +Supported operation is Get. + +**PendingRebootUpdates** +The updates that require a reboot to complete the update session. + +Supported operation is Get. + +**PendingRebootUpdates/****_Pending Reboot Update Guid_** +Update identifiers for the pending reboot state. + +Supported operation is Get. + +**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** +The time the update is installed. + +Supported operation is Get. + +**LastSuccessfulScanTime** +The last successful scan time. + +Supported operation is Get. + +**DeferUpgrade** +Upgrades deferred until the next period. + +Supported operation is Get. + + +## Windows 10, version 1607 for update management + +Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). 
You should use these policies for the new Windows 10, version 1607 devices. + +- Update/ActiveHoursEnd +- Update/ActiveHoursStart +- Update/AllowMUUpdateService +- Update/BranchReadinessLevel +- Update/DeferFeatureUpdatePeriodInDays +- Update/DeferQualityUpdatePeriodInDays +- Update/ExcludeWUDriversInQualityUpdate +- Update/PauseFeatureUpdates +- Update/PauseQualityUpdates + +Here's the list of corresponding Group Policy settings in HKLM\\Software\\Policies\\Microsoft\\Windows\\WindowsUpdate. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
GPO keyTypeValue

BranchReadinessLevel

REG_DWORD

16: systems take Feature Updates on the Current Branch (CB) train

+

32: systems take Feature Updates on the Current Branch for Business

+

Other value or absent: receive all applicable updates (CB)

DeferQualityUpdates

REG_DWORD

1: defer quality updates

+

Other value or absent: don’t defer quality updates

DeferQualityUpdatesPeriodInDays

REG_DWORD

0-30: days to defer quality updates

PauseQualityUpdates

REG_DWORD

1: pause quality updates

+

Other value or absent: don’t pause quality updates

DeferFeatureUpdates

REG_DWORD

1: defer feature updates

+

Other value or absent: don’t defer feature updates

DeferFeatureUpdatesPeriodInDays

REG_DWORD

0-180: days to defer feature updates

PauseFeatureUpdates

REG_DWORD

1: pause feature updates

+

Other value or absent: don’t pause feature updates

ExcludeWUDriversInQualityUpdate

REG_DWORD

1: exclude WU drivers

+

Other value or absent: offer WU drivers

+ +  + +Here is the list of older policies that are still supported for backward compatibility. You can use these for Windows 10, version 1511 devices. + +- Update/RequireDeferUpgrade +- Update/DeferUpgradePeriod +- Update/DeferUpdatePeriod +- Update/PauseDeferrals + +For Windows Update for Business, here is the list of supported policies on Windows 10 Mobile Enterprise: + +- For Windows 10, version 1511 (Build 10586): Update/RequireDeferUpgrade, Update/DeferUpdatePeriod and Update/PauseDeferrals. To use DeferUpdatePeriod and PauseDeferrals the RequireDeferUpgrade has to be set to 1, which essentially means for a device running 1511, the Windows Update for Business policies can only be set when a device is configured for CBB servicing. +- For Windows 10, version 1607 (Build 14393): Update/BranchReadinessLevel, Update/DeferQualityUpdatesPeriodInDays and Update/PauseQualityUpdates. In 1607 we added support where you can configure Windows Update for Business policies when a device is configured for CB/CBB servicing. + +> **Note**   +For policies supported for Windows Update for Business, when you set policies for both Windows 10, version 1607 and Windows 10, version 1511 running on 1607, then 1607 policies will be configured (1607 trumps 1511). + +For policies supported for Windows Update for Business, when you set 1511 policies on a device running 1607, the you will get the expected behavior for 1511 policies. + +  + +## Update management user experience screenshot + +The following screenshots of the administrator console shows the list of update titles, approval status, and additional metadata fields. + +![mdm update management screenshot](images/deviceupdatescreenshot1.png) + +![mdm update managment metadata screenshot](images/deviceupdatescreenshot2.png) + + +## SyncML example + +Set auto update to notify and defer. 
+ +``` syntax + + + + 1 + + + int + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/AllowUpdateService + + 0 + + 2 + + + int + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/RequireDeferUpgrade + + 0 + + 3 + + + int + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/RequireUpdateApproval + + 0 + + + + + +``` + +## Process flow diagram and screenshots of server sync process + +The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog. + +![mdm device update management screenshot](images/deviceupdatescreenshot3.png)![mdm device update management screenshot](images/deviceupdatescreenshot4.png)![mdm device update management screenshot](images/deviceupdatescreenshot5.png)![mdm device update management screenshot](images/deviceupdatescreenshot6.png)![mdm device update management screenshot](images/deviceupdatescreenshot7.png)![mdm device update management screenshot](images/deviceupdatescreenshot8.png)![mdm device update management screenshot](images/deviceupdatescreenshot9.png) + +  + + + + + + diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md new file mode 100644 index 0000000000..55339fb966 --- /dev/null +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md 
@@ -0,0 +1,118 @@ +--- +title: DeviceInstanceService CSP +description: DeviceInstanceService CSP +ms.assetid: f113b6bb-6ce1-45ad-b725-1b6610721e2d +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DeviceInstanceService CSP + + +The DeviceInstanceService configuration service provider provides some device inventory information that could be useful for an enterprise. Additionally, this CSP supports querying two different phone numbers in the case of dual SIM. The URIs for SIM 1 and SIM 2 are ./Vendor/MSFT/DeviceInstanceService/Identity/Identity1 and ./Vendor/MSFT/DeviceInstanceService/Identity/Identity2 respectively. + +> **Note**   +Stop using DeviceInstanceService CSP and use the updated [DeviceStatus CSP](devicestatus-csp.md) instead. + +The DeviceInstance CSP is only supported in Windows 10 Mobile. + +  + +The following diagram shows the DeviceInstanceService configuration service provider in tree format. + +![provisioning\-csp\-deviceinstanceservice](images/provisioning-csp-deviceinstanceservice.png) + +**Roaming** +A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming. + +Supported operation is **Get**. + +Returns **True** if the device is roaming; otherwise **False**. + +**PhoneNumber** +A string that represents the phone number of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber. + +Value type is chr. + +Supported operation is **Get**. + +**IMEI** +A string the represents the International Mobile Station Equipment Identity (IMEI) of the device. 
In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI. + +Value type is chr. + +Supported operation is **Get**. + +**IMSI** +A string that represents the first six digits of device IMSI number (Mobile Country/region Code, Mobile Network Code) of the device. In case of dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI. + +Value type is chr. + +Supported operation is **Get**. + +**Identity** +The parent node to group per SIM specific information in case of dual SIM mode. + +**Identity1** +The parent node to group SIM1 specific information in case of dual SIM mode. + +**Identity2** +The parent node to group SIM2 specific information in case of dual SIM mode. + +## Examples + + +The following sample shows how to query roaming status and phone number on the device. + +``` syntax + + 2 + + + ./Vendor/MSFT/DeviceInstanceService/Roaming + + + + + ./Vendor/MSFT/DeviceInstanceService/PhoneNumber + + + +``` + +Response from the phone. + +``` syntax + + 3 + 1 + 2 + + ./Vendor/MSFT/DeviceInstanceService/Roaming + bool + false + + + ./Vendor/MSFT/DeviceInstanceService/PhoneNumber + +14254458055 + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md new file mode 100644 index 0000000000..47a36d95c3 --- /dev/null +++ b/windows/client-management/mdm/devicelock-csp.md 
@@ -0,0 +1,291 @@ +--- +title: DeviceLock CSP +description: DeviceLock CSP +ms.assetid: 9a547efb-738e-4677-95d3-5506d350d8ab +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DeviceLock CSP + + +The DeviceLock configuration service provider is used by the enterprise management server to configure device lock related policies. This configuration service provider is supported by an enterprise management server. + +> **Note**   The DeviceLock CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md) for various device lock settings. You can continue to use DeviceLock CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The DeviceLock CSP will be deprecated some time in the future. + +  + +The DevicePasswordEnabled setting must be set to 0 (device password is enabled) for the following settings to take effect: + +- AllowSimpleDevicePassword +- MinDevicePasswordLength +- AlphanumericDevicePasswordRequired +- MaxDevicePasswordFailedAttempts +- MaxInactivityTimeDeviceLock +- MinDevicePasswordComplexCharacters + +The following image shows the DeviceLock configuration service provider in tree format. + +![devicelock csp](images/provisioning-csp-devicelock.png) + +**Provider** +Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get. + + ***ProviderID*** +Optional. The node that contains the configured management server's ProviderID. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one *ProviderID* node. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported: + +- **Add** - Add the management account to the configuration service provider tree. +- **Delete** - Delete all policies set by this account. 
This command could be used in enterprise unenrollment for removing policy values set by the enterprise management server. +- **Get** - Return all policies set by the management server. + +> **Note**   The value cannot be changed after it is added. The **Replace** command isn't supported. + +  + +***ProviderID*/DevicePasswordEnabled** +Optional. An integer value that specifies whether device lock is enabled. Possible values are one of the following: + +- 0 - Device lock is enabled. +- 1 (default) - Device lock not enabled. + +The scope is dynamic. + +Supported operations are Get, Add, and Replace. + +***ProviderID*/AllowSimpleDevicePassword** +Optional. An integer value that specifies whether simple passwords, such as "1111" or "1234", are allowed. Possible values for this node are one of the following: + +- 0 - Not allowed. +- 1 (default) - Allowed. + +Invalid values are treated as a configuration failure. The scope is dynamic. + +Supported operations are Get, Add, and Replace. + +***ProviderID*/MinDevicePasswordLength** +Optional. An integer value that specifies the minimum number of characters required in the PIN. Valid values are 4 to 18 inclusive. The default value is 4. Invalid values are treated as a configuration failure. The scope is dynamic. + +Supported operations are Get, Add, and Replace. + +***ProviderID*/AlphanumericDevicePasswordRequired** +Optional. An integer value that specifies the complexity of the password or PIN allowed. + +Valid values are one of the following: + +- 0 - Alphanumeric password required +- 1 - Users can choose a numeric or alphanumeric password +- 2 - Users can choose no password, numeric password, or alphanumeric password + +Invalid values are treated as a configuration failure. The scope is dynamic. + +Supported operations are Get, Add, and Replace. + +***ProviderID*/DevicePasswordExpiration** +Deprecated in Windows 10. + +***ProviderID*/DevicePasswordHistory** +Deprecated in Windows 10. 
+ +***ProviderID*/MaxDevicePasswordFailedAttempts** +Optional. An integer value that specifies the number of authentication failures allowed before the device will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the device will not be wiped regardless of the number of authentication failures. + +Invalid values are treated as a configuration failure. The scope is dynamic. + +Supported operations are Get, Add, and Replace. + +***ProviderID*/MaxInactivityTimeDeviceLock** +Optional. An integer value that specifies the amount of time (in minutes) that the device can remain idle before it is password locked. Valid values are 0 to 999. A value of 0 indicates no time-out is specified. In this case, the maximum screen time-out allowed by the UI applies. + +Invalid values are treated as a configuration failure. The scope is dynamic. + +Supported operations are Get, Add, and Replace. + +***ProviderID*/MinDevicePasswordComplexCharacters** +Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. Valid values are 1 to 4 for mobile and 1 to 3 for desktop. The default value is 1. + +Invalid values are treated as a configuration failure. The scope is dynamic. + +Supported operations are Get, Add, and Replace. + +**DeviceValue** +Required. A permanent node that groups the policy values applied to the device. The server can query this node to discover what policy values are actually applied to the device. The scope is permanent. + +Supported operation is Get. + +**DeviceValue/DevicePasswordEnable, …, MinDevicePasswordComplexCharacters** +Required. This node has the same set of policy nodes as the **ProviderID** node. All nodes under **DeviceValue** are read-only permanent nodes. Each node represents the current device lock policy. For detailed descriptions of each policy, see the ***ProviderID*** subnode descriptions. 
+ +## OMA DM examples + + +Set device lock policies: + +``` syntax + + 13 + + 2 + + + + ./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MaxDevicePasswordFailedAttempts + + + + int + + 4 + + + + 3 + + + + ./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordEnabled + + + int + + 0 + + + + 4 + + + + ./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/AllowSimpleDevicePassword + + + + int + + 1 + + + + 5 + + + + ./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MinDevicePasswordLength + + + + int + + 5 + + + + 6 + + + + ./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/AlphanumericDevicePasswordRequired + + + + int + + 1 + + + + 7 + + + + ./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordExpiration + + + + int + + 2 + + + + 8 + + + + ./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordHistory + + + + int + + 50 + + + + 9 + + + + ./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MaxInactivityTimeDeviceLock + + + + int + + 2 + + + + 10 + + + + ./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MinDevicePasswordComplexCharacters + + + + int + + 2 + + + +``` + +## Remarks + + +All node values under the **ProviderID** interior node represent the policy values set by the management server. + +- An **Add** or **Replace** command on those nodes returns success in the following cases: + + - The value is actually applied to the device. + + - The value isn't applied to the device because the device has a more secure value set already. + + From a security perspective, the device complies with the policy request that is at least as secure as the one requested. + +- A **Get** command on those nodes returns the value the server pushes down to the device. + +- If a **Replace** command fails, the node value is set back to the value that was to be replaced. + +- If an **Add** command fails, the node is not created. + +The value applied to the device can be queried via the nodes under the **DeviceValue** interior node. 
+ +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/devicelock-ddf-file.md b/windows/client-management/mdm/devicelock-ddf-file.md new file mode 100644 index 0000000000..466bcbbf38 --- /dev/null +++ b/windows/client-management/mdm/devicelock-ddf-file.md 
@@ -0,0 +1,510 @@ +--- +title: DeviceLock DDF file +description: DeviceLock DDF file +ms.assetid: 46a691b9-6350-4987-bfc7-f8b1eece3ad9 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DeviceLock DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **DeviceLock** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +``` syntax + +]> + + 1.2 + + DeviceLock + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/WindowsPhone/DeviceLock + + + + Provider + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + DevicePasswordEnabled + + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowSimpleDevicePassword + + + + + + + 1 + + + + + + + + + + + text/plain + + + + + MinDevicePasswordLength + + + + + + + 4 + + + + + + + + + + + text/plain + + + + + AlphanumericDevicePasswordRequired + + + + + + + 2 + + + + + + + + + + + text/plain + + + + + DevicePasswordExpiration + + + + + + + 0 + + + + + + + + + + + text/plain + + + + + DevicePasswordHistory + + + + + + + 0 + + + + + + + + + + + text/plain + + + + + MaxDevicePasswordFailedAttempts + + + + + + + 0 + + + + + + + + + + + text/plain + + + + + MaxInactivityTimeDeviceLock + + + + + + + 0 + + + + + + + + + + + text/plain + + + + + MinDevicePasswordComplexCharacters + + + + + + + 1 + + + + + + + + + + + text/plain + + + + + + + DeviceValue + + + + + + + + + + + + + + + + + + + DevicePasswordEnabled + + + + + + + + + + + + + + + text/plain + + + + + AllowSimpleDevicePassword + + + + + + + + + + + + + + + text/plain + + + + + MinDevicePasswordLength + + + + + + + + + + + + + + + text/plain + + + + + AlphanumericDevicePasswordRequired + + + + + + + + + + + + + + + text/plain + + + + + DevicePasswordExpiration + + + + + + + + + + + + + + + text/plain + + + + + DevicePasswordHistory + + + + + + + + + + + + + + + text/plain + + + + + MaxDevicePasswordFailedAttempts + + + 
+ + + + + + + + + + + + text/plain + + + + + MaxInactivityTimeDeviceLock + + + + + + + + + + + + + + + text/plain + + + + + MinDevicePasswordComplexCharacters + + + + + + + + + + + + + + + text/plain + + + + + + +``` + +## Related topics + + +[DeviceLock configuration service provider](devicelock-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/devicemanageability-csp.md b/windows/client-management/mdm/devicemanageability-csp.md new file mode 100644 index 0000000000..8adc363d59 --- /dev/null +++ b/windows/client-management/mdm/devicemanageability-csp.md 
@@ -0,0 +1,42 @@ +--- +title: DeviceManageability CSP +description: The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. +ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DeviceManageability CSP + + +The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607. + +For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information. + +The following diagram shows the DeviceManageability configuration service provider in a tree format. + +![devicemanageability csp diagram](images/provisioning-csp-devicemanageability.png) + +**./Device/Vendor/MSFT/DeviceManageability** +Root node to group information about runtime MDM configuration capability on the target device. + +**Capabilities** +Interior node. + +**Capabilities/CSPVersions** +Returns the versions of all configuration service providers supported on the device for the MDM service. + + + +  + +  + + + + + + diff --git a/windows/client-management/mdm/devicemanageability-ddf.md b/windows/client-management/mdm/devicemanageability-ddf.md new file mode 100644 index 0000000000..1adb50855e --- /dev/null +++ b/windows/client-management/mdm/devicemanageability-ddf.md 
@@ -0,0 +1,105 @@ +--- +title: DeviceManageability DDF +description: This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. +ms.assetid: D7FA8D51-95ED-40D2-AA84-DCC4BBC393AB +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DeviceManageability DDF + + +This topic shows the OMA DM device description framework (DDF) for the DeviceManageability configuration service provider. This CSP was added in Windows 10, version 1607. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + DeviceManageability + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/DeviceManageability + + + + Capabilities + + + + + + + + + + + + + + + + + + + CSPVersions + + + + + Returns the versions of all configuration service providers (CSP) for MDM. + + + + + + + + + + + text/plain + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md new file mode 100644 index 0000000000..e89043b5c1 --- /dev/null +++ b/windows/client-management/mdm/devicestatus-csp.md 
@@ -0,0 +1,238 @@ +--- +title: DeviceStatus CSP +description: The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. +ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DeviceStatus CSP + + +The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies. + +The following image shows the DeviceStatus configuration service provider in tree format. + +![devicestatus csp](images/provisioning-csp-devicestatus.png) + +**DeviceStatus** +The root node for the DeviceStatus configuration service provider. + +**DeviceStatus/SecureBootState** +Indicates whether secure boot is enabled. The value is one of the following: + +- 0 - Not supported +- 1 - Enabled +- 2 - Disabled + +Supported operation is Get. + +**DeviceStatus/CellularIdentities** +Required. Node for queries on the SIM cards. + +> **Note**  Multiple SIMs are supported. + +  + +**DeviceStatus/CellularIdentities/****_IMEI_** +The unique International Mobile Station Equipment Identity (IMEI) number of the mobile device. An IMEI is present for each SIM card on the device. + +**DeviceStatus/CellularIdentities/*IMEI*/IMSI** +The International Mobile Subscriber Identity (IMSI) associated with the IMEI number. + +Supported operation is Get. + +**DeviceStatus/CellularIdentities/*IMEI*/ICCID** +The Integrated Circuit Card ID (ICCID) of the SIM card associated with the specific IMEI number. + +Supported operation is Get. + +**DeviceStatus/CellularIdentities/*IMEI*/PhoneNumber** +Phone number associated with the specific IMEI number. + +Supported operation is Get. 
+ +**DeviceStatus/CellularIdentities/*IMEI*/CommercializationOperator** +The mobile service provider or mobile operator associated with the specific IMEI number. + +Supported operation is Get. + +**DeviceStatus/CellularIdentities/*IMEI*/RoamingStatus** +Indicates whether the SIM card associated with the specific IMEI number is roaming. + +Supported operation is Get. + +**DeviceStatus/CellularIdentities/*IMEI*/RoamingCompliance** +Boolean value that indicates compliance with the enforced enterprise roaming policy. + +Supported operation is Get. + +**DeviceStatus/NetworkIdentifiers** +Node for queries on network and device properties. + +**DeviceStatus/NetworkIdentifiers/****_MacAddress_** +MAC address of the wireless network card. A MAC address is present for each network card on the device. + +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV4** +IPv4 address of the network card associated with the MAC address. + +Supported operation is Get. + +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IPAddressV6** +IPv6 address of the network card associated with the MAC address. + +Supported operation is Get. + +**DeviceStatus/NetworkIdentifiers/*MacAddress*/IsConnected** +Boolean value that indicates whether the network card associated with the MAC address has an active network connection. + +Supported operation is Get. + +**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type** +Type of network connection. The value is one of the following: + +- 2 - WLAN (or other Wireless interface) +- 1 - LAN (or other Wired interface) +- 0 - Unknown + +Supported operation is Get. + +**DeviceStatus/Compliance** +Node for the compliance query. + +**DeviceStatus/Compliance/EncryptionCompliance** +Boolean value that indicates compliance with the enterprise encryption policy. The value is one of the following: + +- 0 - not encrypted +- 1 - encrypted + +Supported operation is Get. + +**DeviceStatus/TPM** +Added in , version 1607. Node for the TPM query. + +Supported operation is Get. 
+ +**DeviceStatus/TPM/SpecificationVersion** +Added in , version 1607. String that specifies the specification version. + +Supported operation is Get. + +**DeviceStatus/OS** +Added in , version 1607. Node for the OS query. + +Supported operation is Get. + +**DeviceStatus/OS/Edition** +Added in , version 1607. String that specifies the OS edition. + +Supported operation is Get. + +**DeviceStatus/Antivirus** +Added in , version 1607. Node for the antivirus query. + +Supported operation is Get. + +**DeviceStatus/Antivirus/SignatureStatus** +Added in , version 1607. Integer that specifies the status of the antivirus signature. + +Valid values: + +- 0 - The security software reports that it is not the most recent version. +- 1 (default) - The security software reports that it is the most recent version. +- 2 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + +Supported operation is Get. + +**DeviceStatus/Antivirus/Status** +Added in , version 1607. Integer that specifies the status of the antivirus. + +Valid values: + +- 0 – Antivirus is on and monitoring +- 1 – Antivirus is disabled +- 2 – Antivirus is not monitoring the device/PC or some options have been turned off +- 3 (default) – Antivirus is temporarily not completely monitoring the device/PC +- 4 – Antivirus not applicable for this device. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + +Supported operation is Get. + +**DeviceStatus/Antispyware** +Added in , version 1607. Node for the antispyware query. + +Supported operation is Get. + +**DeviceStatus/Antispyware/SignatureStatus** +Added in , version 1607. Integer that specifies the status of the antispyware signature. + +Supported operation is Get. + +**DeviceStatus/Antispyware/Status** +Added in , version 1607. Integer that specifies the status of the antispyware. + +Supported operation is Get. 
+ +**DeviceStatus/Firewall** +Added in , version 1607. Node for the firewall query. + +Supported operation is Get. + +**DeviceStatus/Firewall/Status** +Added in , version 1607. Integer that specifies the status of the firewall. + +Valid values: + +- 0 – Firewall is on and monitoring +- 1 – Firewall has been disabled +- 2 – Firewall is not monitoring all networks or some rules have been turned off +- 3 (default) – Firewall is temporarily not monitoring all networks +- 4 – Not applicable. This is returned for devices like the phone that do not have an antivirus (where the API doesn’t exist.) + +Supported operation is Get. + +**DeviceStatus/UAC** +Added in , version 1607. Node for the UAC query. + +Supported operation is Get. + +**DeviceStatus/UAC/Status** +Added in , version 1607. Integer that specifies the status of the UAC. + +Supported operation is Get. + +**DeviceStatus/Battery** +Added in , version 1607. Node for the battery query. + +Supported operation is Get. + +**DeviceStatus/Battery/Status** +Added in , version 1607. Integer that specifies the status of the battery + +Supported operation is Get. + +**DeviceStatus/Battery/EstimatedChargeRemaining** +Added in , version 1607. Integer that specifies the estimated battery charge remaining. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). + +The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + +Supported operation is Get. + +**DeviceStatus/Battery/EstimatedRuntime** +Added in , version 1607. Integer that specifies the estimated runtime of the battery. This is the value returned in **BatteryLifeTime** in [SYSTEM\_POWER\_STATUS structure](https://msdn.microsoft.com/library/windows/desktop/aa373232.aspx). 
+ +The value is the number of seconds of battery life remaining when the device is not connected to an AC power source. When it is connected to a power source, the value is -1. When the estimation is unknown, the value is -1. + +Supported operation is Get. + +  + +  + + + + + + diff --git a/windows/client-management/mdm/devicestatus-ddf.md b/windows/client-management/mdm/devicestatus-ddf.md new file mode 100644 index 0000000000..b0e6ad935c --- /dev/null +++ b/windows/client-management/mdm/devicestatus-ddf.md 
@@ -0,0 +1,775 @@ +--- +title: DeviceStatus DDF +description: This topic shows the OMA DM device description framework (DDF) for the DeviceStatus configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: 780DC6B4-48A5-4F74-9F2E-6E0D88902A45 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DeviceStatus DDF + + +This topic shows the OMA DM device description framework (DDF) for the **DeviceStatus** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. 
+ +``` syntax + +]> + + 1.2 + + DeviceStatus + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.2/MDM/DeviceStatus + + + + SecureBootState + + + + + + + + + + + + + + + text/plain + + + + + CellularIdentities + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + IMEI + + + + + + IMSI + + + + + + + + + + + + + + + text/plain + + + + + ICCID + + + + + + + + + + + + + + + text/plain + + + + + PhoneNumber + + + + + + + + + + + + + + + text/plain + + + + + CommercializationOperator + + + + + + + + + + + + + + + text/plain + + + + + RoamingStatus + + + + + + + + + + + + + + + text/plain + + + + + RoamingCompliance + + + + + + + + + + + + + + + text/plain + + + + + + + NetworkIdentifiers + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + MacAddress + + + + + + IPAddressV4 + + + + + + + + + + + + + + + text/plain + + + + + IPAddressV6 + + + + + + + + + + + + + + + text/plain + + + + + IsConnected + + + + + + + + + + + + + + + text/plain + + + + + Type + + + + + + + + + + + + + + + text/plain + + + + + + + Compliance + + + + + + + + + + + + + + + + + + + EncryptionCompliance + + + + + + + + + + + + + + + text/plain + + + + + + TPM + + + + + + + + + + + + + + + + + + + SpecificationVersion + + + + + Not available + + + + + + + + + + + text/plain + + + + + + OS + + + + + + + + + + + + + + + + + + + Edition + + + + + Not available + + + + + + + + + + + text/plain + + + + + + Antivirus + + + + + + + + + + + + + + + + + + + SignatureStatus + + + + + 1 + + + + + + + + + + + text/plain + + + + + Status + + + + + 3 + + + + + + + + + + + text/plain + + + + + + Antispyware + + + + + + + + + + + + + + + + + + + SignatureStatus + + + + + 1 + + + + + + + + + + + text/plain + + + + + Status + + + + + 3 + + + + + + + + + + + text/plain + + + + + + Firewall + + + + + + + + + + + + + + + + + + + Status + + + + + 3 + + + + + + + + + + + text/plain + + + + + + UAC + + + + + + + + + + + + + + + + + + + Status + + + + + + + + + + + + + + + text/plain + + + 
+ + + Battery + + + + + + + + + + + + + + + + + + + Status + + + + + 0 + + + + + + + + + + + text/plain + + + + + EstimatedChargeRemaining + + + + + 0 + + + + + + + + + + + text/plain + + + + + EstimatedRuntime + + + + + 0 + + + + + + + + + + + text/plain + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/devinfo-csp.md b/windows/client-management/mdm/devinfo-csp.md new file mode 100644 index 0000000000..b11d4a12cf --- /dev/null +++ b/windows/client-management/mdm/devinfo-csp.md 
@@ -0,0 +1,79 @@ +--- +title: DevInfo CSP +description: DevInfo CSP +ms.assetid: d3eb70db-1ce9-4c72-a13d-651137c1713c +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DevInfo CSP + + +The DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session. + +> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. + +  + +For the DevInfo CSP, you cannot use the Replace command unless the node already exists. + +The following diagram shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol is not supported by this configuration service provider. + +![devinfo csp (dm)](images/provisioning-csp-devinfo-dm.png) + +**DevId** +Required. Returns an application-specific global unique device identifier by default. + +Supported operation is Get. + +The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.md) or DMS configuration service provider can be used to modify the return value to instead return a hardware device ID as follows: + +- For GSM phones, the IMEI is returned. + +- For CDMA phones, the MEID is returned. + +- For dual SIM phones, this value is retrieved from the UICC of the primary data line. + +- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID. + +**Man** +Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer. 
+ +If no name is found, this returns "Unknown". + +Supported operation is Get. + +**Mod** +Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName. + +If no name is found, this returns "Unknown". + +Supported operation is Get. + +**DmV** +Required. Returns the current management client revision of the device. + +Supported operation is Get. + +**Lang** +Required. Returns the current user interface (UI) language setting of the device as defined by RFC1766. + +Supported operation is Get. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/devinfo-ddf-file.md b/windows/client-management/mdm/devinfo-ddf-file.md new file mode 100644 index 0000000000..0ee45fd363 --- /dev/null +++ b/windows/client-management/mdm/devinfo-ddf-file.md 
@@ -0,0 +1,179 @@ +--- +title: DevInfo DDF file +description: DevInfo DDF file +ms.assetid: beb07cc6-4133-4c0f-aa05-64db2b4a004f +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DevInfo DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **DevInfo** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + DevInfo + . + + + + + + + + + + + + + + The interior node holding all devinfo objects + + urn:oma:mo:oma-dm-devinfo:1.0 + + 1 + + + DevId + + + + + An unique device identifier. An application-specific global unique device identifier is provided in this node. + + + + + + + + + + + text/plain + + 1 + + + + Man + + + + + + + + + + + + + + + text/plain + + 1 + + + + Mod + + + + + Device model name, as specified and tracked by the mobile operator + + + + + + + + + + + text/plain + + 1 + + + + DmV + + + + + The current management client revision of the device. + + + + + + + + + + + text/plain + + 1 + + + + Lang + + + + + The current language at the device user interface. + + + + + + + + + + + text/plain + + 1 + + + + +``` + +## Related topics + + +[DevInfo configuration service provider](devinfo-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md new file mode 100644 index 0000000000..d4c94639bd --- /dev/null 
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md 
@@ -0,0 +1,327 @@ +--- +title: Diagnose MDM failures in Windows 10 +description: To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs. +ms.assetid: 12D8263B-D839-4B19-9346-31E0CDD0CBF9 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Diagnose MDM failures in Windows 10 + +To help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server, you can examine the MDM logs collected from the desktop or mobile device. The following sections describe the procedures for collecting MDM logs. + +## Collect logs directly from Windows 10 PCs + +Starting with the Windows 10, version 1511, MDM logs are captured in the Event Viewer in the following location: + +- Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider + +Here's a screenshot: + +![mdm event viewer](images/diagnose-mdm-failures1.png) + +In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer. + +**To collect Admin logs** + +1. Right click on the **Admin** node. +2. Select **Save all events as**. +3. Choose a location and enter a filename. +4. Click **Save**. +5. Choose **Display information for these languages** and then select **English**. +6. Click **Ok**. + +For more detailed logging, you can enable **Debug** logs. Right click on the **Debug** node and then click **Enable Log**. + +**To collect Debug logs** + +1. Right click on the **Debug** node. +2. Select **Save all events as**. +3. Choose a location and enter a filename. +4. Click **Save**. +5. 
Choose **Display information for these languages** and then select **English**. +6. Click **Ok**. + +You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC running the November 2015 update. + +## Collect logs remotely from Windows 10 PCs + +When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels: + +- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin +- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug + +Example: Enable the Debug channel logging + +``` syntax + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug/State + + + bool + + true + + + + + +``` + +Example: Export the Debug logs + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug/Export + + + + + + +``` + +## Collect logs from Windows 10 Mobile devices + +Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medic]( http://go.microsoft.com/fwlink/p/?LinkId=718232) app to collect logs. + +**To collect logs manually** + +1. Download and install the [Field Medic]( http://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store. +2. Open the Field Medic app and then click on **Advanced**. + + ![field medic screenshot](images/diagnose-mdm-failures2.png) + +3. Click on **Choose with ETW provider to use**. + + ![field medic screenshot](images/diagnose-mdm-failures3.png) + +4. Check **Enterprise** and un-check the rest. + + ![field medic screenshot](images/diagnose-mdm-failures4.png) + +5. In the app, click on **Start Logging** and then perform the operation that you want to troubleshoot. 
+ + ![field medic screenshot](images/diagnose-mdm-failures2.png) + +6. When the operation is done, click on **Stop Logging**. + + ![field medic screenshot](images/diagnose-mdm-failures5.png) + +7. Save the logs. They will be stored in the Field Medic log location on the device. +8. You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder. + + ![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot](images/diagnose-mdm-failures7.png)![device folder screenshot](images/diagnose-mdm-failures8.png) + +The following table contains a list of common providers and their corresponding GUIDs. + +| GUID | Provider Name | +|--------------------------------------|--------------------------------------------------------| +| 099614a5-5dd7-4788-8bc9-e29f43db28fc | Microsoft-Windows-LDAP-Client | +| 0f67e49f-fe51-4e9f-b490-6f2948cc6027 | Microsoft-Windows-Kernel-Processor-Power | +| 0ff1c24b-7f05-45c0-abdc-3c8521be4f62 | Microsoft-Windows-Mobile-Broadband-Experience-SmsApi | +| 10e4f0e0-9686-4e62-b2d6-fd010eb976d3 | Microsoft-WindowsPhone-Shell-Events | +| 1e39b4ce-d1e6-46ce-b65b-5ab05d6cc266 | Microsoft-Windows-Networking-RealTimeCommunication | +| 22a7b160-f6e8-46b9-8e0b-a51989c85c66 | Microsoft-WindowsPhone-Bluetooth-AG | +| 2f94e1cc-a8c5-4fe7-a1c3-53d7bda8e73e | Microsoft-WindowsPhone-ConfigManager2 | +| 331c3b3a-2005-44c2-ac5e-77220c37d6b4 | Microsoft-Windows-Kernel-Power | +| 33693e1d-246a-471b-83be-3e75f47a832d | Microsoft-Windows-BTH-BTHUSB | +| 3742be72-99a9-42e6-9fd5-c01a330e3625 | Microsoft-WindowsPhone-PhoneAudio | +| 3b9602ff-e09b-4c6c-bc19-1a3dfa8f2250 | Microsoft-WindowsPhone-OmaDm-Client-Provider | +| 3da494e4-0fe2-415C-b895-fb5265c5c83b | Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider | +| 3f471139-acb7-4a01-b7a7-ff5da4ba2d43 | Microsoft-Windows-AppXDeployment-Server | +| 4180c4f7-e238-5519-338f-ec214f0b49aa | Microsoft.Windows.ResourceManager | +| 
4637124c-1d40-4b4d-892f-2aaecf24ff06 | Microsoft-Windows-WinJson | +| 4d13548f-c7b8-4174-bb7a-d7f64bf22d29 | Microsoft-WindowsPhone-LocationServiceProvider | +| 4eacb4d0-263b-4b93-8cd6-778a278e5642 | Microsoft-Windows-GenericRoaming | +| 4f386063-ef17-4629-863c-d71597af743d | Microsoft-WindowsPhone-NotificationService | +| 55404e71-4db9-4deb-a5f5-8f86e46dde56 | Microsoft-Windows-Winsock-NameResolution | +| 59819d0a-adaf-46b2-8d7c-990bc39c7c15 | Microsoft-Windows-Battery | +| 5c103042-7e75-4629-a748-bdfa67607fac | Microsoft-WindowsPhone-Power | +| 69c1c3f1-2b5c-41d0-a14a-c7ca5130640e | Microsoft-WindowsPhone-Cortana | +| 6ad52b32-d609-4be9-ae07-ce8dae937e39 | Microsoft-Windows-RPC | +| 7263516b-6eb0-477b-b64f-17b91d29f239 | Microsoft-WindowsPhone-BatterySense | +| 7dd42a49-5329-4832-8dfd-43d979153a88 | Microsoft-Windows-Kernel-Network | +| ae4bd3be-f36f-45b6-8d21-bdd6fb832853 | Microsoft-Windows-Audio | +| daa6a96b-f3e7-4d4d-a0d6-31a350e6a445 | Microsoft-Windows-WLAN-Driver | +| 4d13548f-c7b8-4174-bb7a-d7f64bf22d29 | Microsoft-WindowsPhone-LocationServiceProvider | +| 74e106b7-00be-4a55-b707-7ab58d6a9e90 | Microsoft-WindowsPhone-Shell-OOBE | +| cbda4dbf-8d5d-4f69-9578-be14aa540d22 | Microsoft-Windows-AppLocker | +| e595f735-b42a-494b-afcd-b68666945cd3 | Microsoft-Windows-Firewall | +| e5fc4a0f-7198-492f-9b0f-88fdcbfded48 | Microsoft-Windows Networking VPN | +| e5c16d49-2464-4382-bb20-97a4b5465db9 | Microsoft-Windows-WiFiNetworkManager | + +  + +## Collect logs remotely from Windows 10 Mobile devices + +For mobile devices already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md). + +You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. 
The following examples show how to enable the ETW provider: + +Add a collector node + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM + + + node + + + + + + +``` + +Add the ETW provider to the trace + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM/Providers/3DA494E4-0FE2-415C-B895-FB5265C5C83B + + + node + + + + + + +``` + +Start collector trace logging + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM/TraceControl + + + chr + + START + + + + + +``` + +Stop collector trace logging + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/MDM/TraceControl + + + chr + + STOP + + + + + +``` + +After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see [DiagnosticLog CSP](diagnosticlog-csp.md). + +## View logs + +For best results, ensure that the PC or VM on which you are viewing logs matches the build of the OS from which the logs were collected. + +1. Open eventvwr.msc. +2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**. + + ![event viewer screenshot](images/diagnose-mdm-failures9.png) + +3. Navigate to the etl file that you got from the device and then open the file. +4. Click **Yes** when prompted to save it to the new log format. + + ![prompt](images/diagnose-mdm-failures10.png) + + ![diagnose mdm failures](images/diagnose-mdm-failures11.png) + +5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu. + + ![event viewer](images/diagnose-mdm-failures12.png) + +6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**. + + ![event filter](images/diagnose-mdm-failures13.png) + +7. Now you are ready to start reviewing the logs. 
+ + ![event viewer](images/diagnose-mdm-failures14.png) + +## Collect device state data + +Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files. + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration + + + chr + + SNAP + + + + + +``` + +  + + + + + + diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md new file mode 100644 index 0000000000..da0d026cab --- /dev/null +++ b/windows/client-management/mdm/diagnosticlog-csp.md 
@@ -0,0 +1,919 @@ +--- +title: DiagnosticLog CSP +description: DiagnosticLog CSP +ms.assetid: F76E0056-3ACD-48B2-BEA1-1048C96571C3 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DiagnosticLog CSP + + +The DiagnosticLog configuration service provider (CSP) is used for generating and collecting diagnostic information from the device: Event Tracing for Windows (ETW) log files and current MDM configured state of the device. + +DiagnosticLog CSP supports the following type of event tracing: + +- Collector-based tracing +- Channel-based tracing + +### Collector-based tracing + +This type of event tracing simultaneously collects event data from a collection of registered ETW providers. + +An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector. + +The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID. + +The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node. + +For each collector node, the user can: + +- Start or stop the session with all registered and enabled providers +- Query session status +- Change trace log file mode +- Change trace log file size limit + +The configurations log file mode and log file size limit does not take effect while trace session is in progress. These are applied when user stops the current session and then starts it again for this collector. + +For each registered provider in this collector, the user can: + +- Specify keywords to filter events from this provider +- Change trace level to filter events from this provider +- Enable or disable the provider in the trace session + +The changes on **State**, **Keywords** and **TraceLevel** takes effect immediately while trace session is in progress. 
+ +> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. + +  + +### Channel-based tracing + +The type of event tracing exports event data from a specific channel. This is only supported on the desktop. + +Users can add or delete a channel node using the full name, such as Microsoft-Windows-AppModel-Runtime/Admin. + +The DiagnosticLog CSP maintains a log file for each channel node and the log file is overwritten if a start command is triggered again on the same channel node. + +For each channel node, the user can: + +- Export channel event data into a log file (.evtx) +- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel +- Specify an XPath query to filter events while exporting the channel event data + +For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md). + +Here are the links to the DDFs: + +- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) +- [DiagnosticLog CSP version 1.3](diagnosticlog-ddf.md#version-1-3) + +The following diagram shows the DiagnosticLog configuration service provider in tree format. + +![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png) + +**./Vendor/MSFT/DiagnosticLog** +The root node for the DiagnosticLog configuration service provider. + +The following steps describe the process for gathering diagnostics using this CSP. + +1. Specify a *CollectorName* for the container of the target ETW providers. +2. 
(Optional) Set logging and log file parameters using the following options: + + - **TraceLogFileMode** + - **LogFileSizeLimitMB** + + Each of these are described later in this topic. + +3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*. +4. (Optional) Set logging and log file parameters using the following options: + + - **TraceLevel** + - **Keywords** + + Each of these are described later in this topic. + +5. Start logging using **TraceControl** EXECUTE command “START” +6. Perform actions on the target device that will generate activity in the log files. +7. Stop logging using **TraceControl** EXECUTE command “STOP” +8. Collect the log file located in the `%temp%` folder using the method described in [Reading a log file](#reading-a-log-file) + +**EtwLog** +Node to contain the Error Tracing for Windows log. + +The supported operation is Get. + +**EtwLog/Collectors** +Interior node to contain dynamic child interior nodes for active providers. + +The supported operation is Get. + +**EtwLog/Collectors/****_CollectorName_** +Dynamic nodes to represent active collector configuration. + +Supported operations are Add, Delete, and Get. + +Add a collector + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement + + + node + + + + + + +``` + +Delete a collector + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement + + + + + + +``` + +**EtwLog/Collectors/*CollectorName*/TraceStatus** +Specifies whether the current logging status is running. + +The data type is an integer. + +The supported operation is Get. + +The following table represents the possible values: + +| Value | Description | +|-------|-------------| +| 0 | Stopped | +| 1 | Started | + +  + +**EtwLog/Collectors/*CollectorName*/TraceLogFileMode** +Specifies the log file logging mode. + +The data type is an integer. 
+ +Supported operations are Get and Replace. + +The following table lists the possible values: + + ++++ + + + + + + + + + + + + + + + + +
ValueDescription

EVENT_TRACE_FILE_MODE_SEQUENTIAL (0x00000001)

Writes events to a log file sequentially; stops when the file reaches its maximum size.

EVENT_TRACE_FILE_MODE_CIRCULAR (0x00000002)

Writes events to a log file. After the file reaches the maximum size, the oldest events are replaced with incoming events.

+ +  + +**EtwLog/Collectors/*CollectorName*/TraceControl** +Specifies the logging and report action state. + +The data type is a string. + +The following table lists the possible values: + +| Value | Description | +|-------|--------------------| +| START | Start log tracing. | +| STOP | Stop log tracing | + +  + +The supported operation is Execute. + +After you have added a logging task, you can start a trace by running an Execute command on this node with the value START. + +To stop the trace, running an execute command on this node with the value STOP. + +Start collector trace logging + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl + + + chr + + START + + + + + +``` + +Stop collector trace logging + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/TraceControl + + + chr + + STOP + + + + + +``` + +**EtwLog/Collectors/*CollectorName*/LogFileSizeLimitMB** +Sets the log file size limit, in MB. + +The data type is an integer. + +Valid values are 1-2048. The default value is 4. + +Supported operations are Get and Replace. + +**EtwLog/Collectors/*CollectorName*/Providers** +Interior node to contain dynamic child interior nodes for active providers. + +The supported operation is Get. + +**EtwLog/Collectors/*CollectorName*/Providers/****_ProviderGUID_** +Dynamic nodes to represent active provider configuration per provider GUID. + +> **Note**  Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode. + +  + +Supported operations are Add, Delete, and Get. 
+ +Add a provider + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b + + + node + + + + + + +``` + +Delete a provider + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b + + + + + + +``` + +**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/TraceLevel** +Specifies the level of detail included in the trace log. + +The data type is an integer. + +Supported operations are Get and Replace. + +The following table lists the possible values. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription

1 – TRACE_LEVEL_CRITICAL

Abnormal exit or termination events

2 – TRACE_LEVEL_ERROR

Severe error events

3 – TRACE_LEVEL_WARNING

Warning events such as allocation failures

4 – TRACE_LEVEL_INFORMATION

Non-error events, such as entry or exit events

5 – TRACE_LEVEL_VERBOSE

Detailed information

+ +  + +Set provider **TraceLevel** + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/TraceLevel + + + int + + 1 + + + + + +``` + +**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/Keywords** +Specifies the provider keywords to be used as MatchAnyKeyword for this provider. + +the data type is a string. + +Supported operations are Get and Replace. + +Default value is 0 meaning no keyword. + +Get provider **Keywords** + +``` syntax + + + + 1 + + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords + + + + + + + +``` + +Set provider **Keywords** + +``` syntax + + + + 4 + + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/Keywords + + + + chr + text/plain + + 12345678FFFFFFFF + + + + + +``` + +**EtwLog/Collectors/*CollectorName*/Providers/*ProvderGUID*/State** +Specifies if this provider is enabled in the trace session. + +The data type is a boolean. + +Supported operations are Get and Replace. This change will be effective during active trace session. + +The following table lists the possible values. Default value is TRUE. + + ++++ + + + + + + + + + + + + + + + + +
ValueDescription

TRUE

Provider is enabled in the trace session.

FALSE

Provider is disables in the trace session.

+ +  + +Set provider **State** + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Collectors/DeviceManagement/Providers/3da494e4-0fe2-415C-b895-fb5265c5c83b/State + + + bool + + false + + + + + +``` + +**EtwLog/Channels** +Interior node to contain dynamic child interior nodes for registered channels. + +The supported operation is Get. + +**EtwLog/Channels/****_ChannelName_** +Dynamic nodes to represent a registered channel. The node name must be a valid Windows event log channel name, such as "Microsoft-Client-Licensing-Platform%2FAdmin" + +Supported operations are Add, Delete, and Get. + +Add a channel + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin + + + node + + + + + + +``` + +Delete a channel + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin + + + + + + +``` + +**EtwLog/Channels/*ChannelName*/Export** +Node to trigger the command to export channel event data into the log file. + +The supported operation is Execute. + +Export channel event data + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Export + + + + + + +``` + +**EtwLog/Channels/*ChannelName*/Filter** +Specifies the XPath query string to filter the events while exporting. + +The data type is a string. + +Supported operations are Get and Replace. + +Default value is empty string. + +Get channel **Filter** + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/Filter + + + + + + +``` + +**EtwLog/Channels/*ChannelName*/State** +Specifies if the Channel is enabled or disabled. + +The data type is a boolean. + +Supported operations are Get and Replace. + +The following table lists the possible values. + + ++++ + + + + + + + + + + + + + + + + +
ValueDescription

TRUE

Channel is enabled.

FALSE

Channel is disabled.

+ +  + +Get channel **State** + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State + + + + + + +``` + +Set channel **State** + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/EtwLog/Channels/Microsoft-Client-Licensing-Platform%2FAdmin/State + + + bool + + false + + + + + +``` + +**DeviceStateData** +Added in version 1.3 of the CSP in Windows 10, version 1607. Node for all types of device state data that are exposed. + +**DeviceStateData/MdmConfiguration** +Added in version 1.3 of the CSP in Windows 10, version 1607. Triggers the snapping of device management state data with SNAP. + +The supported value is Execute. + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/DiagnosticLog/DeviceStateData/MdmConfiguration + + + chr + + SNAP + + + + + +``` + +**FileDownload** +Node to contain child nodes for log file transportation protocols and corresponding actions. + +**FileDownload/DMChannel** +Node to contain child nodes using DM channel for transport protocol. + +**FileDownload/DMChannel/****_FileContext_** +Dynamic interior nodes that represents per log file context. + +**FileDownload/DMChannel/*FileContext*/BlockSizeKB** +Sets the log read buffer, in KB. + +The data type is an integer. + +Valid values are 1-16. The default value is 4. + +Supported operations are Get and Replace. + +Set **BlockSizeKB** + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB + + + int + + 1 + + + + + +``` + +Get **BlockSizeKB** + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockSizeKB + + + + + + +``` + +**FileDownload/DMChannel/*FileContext*/BlockCount** +Represents the total read block count for the log file. + +The data type is an integer. + +The only supported operation is Get. 
+ +Get **BlockCount** + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockCount + + + + + + +``` + +**FileDownload/DMChannel/*FileContext*/BlockIndexToRead** +Represents the read block start location. + +The data type is an integer. + +Supported operations are Get and Replace. + +Set **BlockIndexToRead** at 0 + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead + + + int + + 0 + + + + + +``` + +Set **BlockIndexToRead** at 1 + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockIndexToRead + + + int + + 1 + + + + + +``` + +**FileDownload/DMChannel/*FileContext*/BlockData** +The data type is Base64. + +The only supported operation is Get. + +Get **BlockData** + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel/DeviceManagement/BlockData + + + + + + +``` + +**FileDownload/DMChannel/*FileContext*/DataBlocks** +Node to transfer the selected log file block to the DM server. + +**FileDownload/DMChannel/*FileContext*/DataBlocks/****_BlockNumber_** +The data type is Base64. + +The only supported operation is Get. + +## Reading a log file + + +1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel** +2. Select a log file in the Enumeration result +3. Set **BlockSizeKB** per DM server payload limitation +4. Get **BlockCount** to determine total read request +5. Set **BlockIndexToRead** to initialize read start point +6. Get **BlockData** for upload log block +7. Increase **BlockIndexToRead** +8. Repeat step 5 to 7 until **BlockIndexToRead == (BlockIndexToRead – 1)** + +  + +  + + + + + + diff --git a/windows/client-management/mdm/diagnosticlog-ddf.md b/windows/client-management/mdm/diagnosticlog-ddf.md new file mode 100644 index 0000000000..48154f0bad --- /dev/null +++ b/windows/client-management/mdm/diagnosticlog-ddf.md 
@@ -0,0 +1,1300 @@ +--- +title: DiagnosticLog DDF +description: DiagnosticLog DDF +ms.assetid: 9DD75EDA-5913-45B4-9BED-20E30CDEBE16 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DiagnosticLog DDF + + +This topic shows the OMA DM device description framework (DDF) for the DiagnosticLog configuration service provider. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The content below are the latest versions of the DDF files: + +- [DiagnosticLog CSP version 1.2](#version-1-2) +- [DiagnosticLog CSP version 1.3](#version-1-3) + +## DiagnosticLog CSP version 1.2 + + +``` syntax + +]> + + 1.2 + + DiagnosticLog + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.2/MDM/DiagnosticLog + + + + EtwLog + + + + + Root node of all types of event logging nodes that CSP manages. + + + + + + + + + + + + + + + Collectors + + + + + Root node of registered "Collector" nodes. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. 
+ + + + + + + + + + CollectorName + + + + + + TraceStatus + + + + + This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". + + + + + + + + + + + text/plain + + + + + TraceLogFileMode + + + + + + 1 + This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. + + + + + + + + + + + text/plain + + + + + TraceControl + + + + + + This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. + + + + + + + + + + + text/plain + + + + + LogFileSizeLimitMB + + + + + + 4 + This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. + + + + + + + + + + + text/plain + + + + + Providers + + + + + Root node of all providers registered in this collector node. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. + + + + + + + + + + ProviderGuid + + + + + + Keywords + + + + + + "0" + This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. 
+ + + + + + + + + + + text/plain + + + + + TraceLevel + + + + + + 5 + This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. + + + + + + + + + + + text/plain + + + + + State + + + + + + true + This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. + + + + + + + + + + + text/plain + + + + + + + + + Channels + + + + + Root node of registered "Channel" nodes. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + + + + ChannelName + + + + + + Export + + + + + + This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. + + + + + + + + + + + text/plain + + + + + State + + + + + + This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. 
+ + + + + + + + + + + text/plain + + + + + Filter + + + + + + "" + This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. + + + + + + + + + + + text/plain + + + + + + + + FileDownload + + + + + Root node of all csp nodes that are related to log file download in csp. + + + + + + + + + + + + + + + DMChannel + + + + + Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. + + + + + + + + + + FileContext + + + + + + BlockSizeKB + + + + + + 4 + This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + + + + + + + + + + + text/plain + + + + + BlockCount + + + + + This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. + + + + + + + + + + + text/plain + + + + + BlockIndexToRead + + + + + + This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). + + + + + + + + + + + text/plain + + + + + BlockData + + + + + This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. 
+ + + + + + + + + + + + + + + + DataBlocks + + + + + Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. + + + + + + + + + + BlockNumber + + + + + + + + + + + +``` + +## DiagnosticLog CSP version 1.3 + + +``` syntax + +]> + + 1.2 + + DiagnosticLog + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.3/MDM/DiagnosticLog + + + + EtwLog + + + + + Root node of all types of event logging nodes that CSP manages. + + + + + + + + + + + + + + + Collectors + + + + + Root node of registered "Collector" nodes. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a registered 'Collector' node. CSP will maintain an ETW trace session for this collector with its name used as a unique identifier. In a collector, a valid ETW provider can be registered and unregistered. The collector's associated trace session will enable the registered providers in it if the provider's state is 'Enabled'. Each provider's state, trace level and keywords can be controlled separately. The name of this node must not be a valid Windows event channel name. It can be a etw provider guid as long as it is not equal to an already registered 'Provider' node name. + + + + + + + + + + CollectorName + + + + + + TraceStatus + + + + + This node is used for getting the status of this collector node's associated trace session. 1 means "in progress"; 0 means "not started or stopped". 
+ + + + + + + + + + + text/plain + + + + + TraceLogFileMode + + + + + + 1 + This node is used for setting or getting the trace log file mode of this collector node's associated trace session. The only two allowed values are 1 and 2, which are EVENT_TRACE_FILE_MODE_SEQUENTIAL and EVENT_TRACE_FILE_MODE_CIRCULAR. Default value is 1. + + + + + + + + + + + text/plain + + + + + TraceControl + + + + + + This node is to trigger "start" and "stop" of this collector node's associated trace session. "Get" returns the name of this node. + + + + + + + + + + + text/plain + + + + + LogFileSizeLimitMB + + + + + + 4 + This node is used for setting or getting the trace log file size limit(in Megabytes) of this collector node's associated trace session. The value range is 1~2048. Default value is 4. + + + + + + + + + + + text/plain + + + + + Providers + + + + + Root node of all providers registered in this collector node. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents an ETW provider registered in this collector node. The node name must be a valid provider GUID. + + + + + + + + + + ProviderGuid + + + + + + Keywords + + + + + + "0" + This node is used for setting or getting the keywords of the event provider in this collector node's associated trace session. The string is in the form of hexadecimal digits and 16 chars wide. It'll be internally converted into ULONGLONG data type in the CSP. Default value is "0", which means all events from this provider are included. If the associated trace session is in progress, new keywords setting is applied immediately; if not, it'll be applied next time that session is started. + + + + + + + + + + + text/plain + + + + + TraceLevel + + + + + + 5 + This node is used for setting or getting the trace level of this event provider in this collector node's associated trace session. Default value is 5, which is TRACE_LEVEL_VERBOSE. 
If the associated trace session is in progress, new trace level setting is applied immediately;if not, it'll be applied next time that session is started. + + + + + + + + + + + text/plain + + + + + State + + + + + + true + This node is used for setting or getting the state of the event provider in this collector node's associated trace session. If the trace session isn't started, changing the value controls whether to enable the provider or not when session is started; if trace session is already started, changing its value causes enabling or disabling the provider in the live trace session. Default value is true. + + + + + + + + + + + text/plain + + + + + + + + + Channels + + + + + Root node of registered "Channel" nodes. + + + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a registered 'Channel' node. The node name must be a valid Windows event log channel name, e.g. "Microsoft-Client-Licensing-Platform%2FAdmin". When specifying the name in the LocURI, it must be url encoded or it'll be translated into a different URI unexpectedly. + + + + + + + + + + ChannelName + + + + + + Export + + + + + + This node is to trigger exporting events into a log file from this node's associated Windows event channel. The log file's extension is .evtx, which is the standard extension of windows event channel log. The "Get" command returns the name of this node. + + + + + + + + + + + text/plain + + + + + State + + + + + + This node is used for setting or getting the 'Enabled' state of this node's associated windows event channel in the system. Setting it to "TRUE" enables the channel; setting it to "FALSE" disables the channel. + + + + + + + + + + + text/plain + + + + + Filter + + + + + + "" + This node is used for setting or getting the xpath query string to filter the events when exporting the log file from the channel. Default value is empty string. 
+ + + + + + + + + + + text/plain + + + + + + + + DeviceStateData + + + + + Root node of all types of device state data that CSP exposes. + + + + + + + + + + + + + + + MdmConfiguration + + + + + This node is to trigger snapping of the Device Management state data with "SNAP". + + + + + + + + + + + text/plain + + + + + + FileDownload + + + + + Root node of all csp nodes that are related to log file download in csp. + + + + + + + + + + + + + + + DMChannel + + + + + Root node of all csp nodes that are used for controlling file download for their associated log file generated by logging csp nodes. + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'FileContext' node corresponding to a log file generated by one of the logging CSP nodes(underneath 'EtwLog' node). The node name must be the name of a registered 'Provider', 'Collector' or 'Channel' node. The log file and its location will be determined by CSP based on the node name. File download is done by dividing the log file into multiple blocks of configured block size and then sending the blocks as requested by MDM server. + + + + + + + + + + FileContext + + + + + + BlockSizeKB + + + + + + 4 + This node is used for setting or getting the block size (in Kilobytes) for the download of assoicated log file. The value range is 1~16. Default value is 4. + + + + + + + + + + + text/plain + + + + + BlockCount + + + + + This node is used for getting the total number of blocks for the associated log file. If the log file isn't generated yet, the value returned is -1; if the trace session is in progress, the value returned is -2. + + + + + + + + + + + text/plain + + + + + BlockIndexToRead + + + + + + This node is used for setting and getting the block index that points to the data block for 'BlockData' node. The value range is 0~(BlockCount-1). + + + + + + + + + + + text/plain + + + + + BlockData + + + + + This node is used to get the binary data of the block that 'BlockIndexToRead' node is pointing to. 
+ + + + + + + + + + + + + + + + DataBlocks + + + + + Root node of all 'BlockNumber' nodes for the associated log file. The number of its children should be the total block count of the log file. No children nodes exist if 'BlockCount' node's value is less than 0. + + + + + + + + + + + + + + + + + + + + Each dynamic node represents a 'BlockNumber' node. The node name is an integer equal to the index of the block which this node stands for. Therefore the node name should be ranging from 0 to (BlockCount -1). It returns the binary data of the block which this node is referring to. + + + + + + + + + + BlockNumber + + + + + + + + + + + +``` + +## Related topics + + +[DiagnosticLog configuration service provider](diagnosticlog-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md new file mode 100644 index 0000000000..29889b69f1 --- /dev/null +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md 
@@ -0,0 +1,157 @@ +--- +title: Disconnecting from the management infrastructure (unenrollment) +description: Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server. +MS-HAID: +- 'p\_phdevicemgmt.disconnecting\_from\_the\_management\_infrastructure\_\_unenrollment\_' +- 'p\_phDeviceMgmt.disconnecting\_from\_mdm\_unenrollment' +ms.assetid: 33B2B248-631B-451F-B534-5DA095C4C8E8 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + + +# Disconnecting from the management infrastructure (unenrollment) + +Disconnecting may be initiated either locally by the user from the phone or remotely by the IT admin using management server. User-initiated disconnection is performed much like the initial connection, and it is initiated from the same location in the Setting Control Panel as creating the workplace account. Users may choose to disconnect for any number of reasons, including leaving the company or getting a new device and no longer needing access to their LOB apps on the old device. When an administrator initiates a disconnection, the enrollment client performs the disconnection during its next regular maintenance session. Administrators may choose to disconnect a user’s device after they’ve left the company or because the device is regularly failing to comply with the organization’s security settings policy. + +During disconnection, the client does the following: + +- Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well. +- Removes certificates that are configured by MDM server. +- Ceases enforcement of the settings policies that the management infrastructure has applied. +- Removes the device management client configuration and other setting configuration added by MDM server, including the scheduled maintenance task. 
The client remains dormant unless the user reconnects it to the management infrastructure. +- Reports successful initiated disassociation to the management infrastructure if the admin initiated the process. Note that in Windows, user-initiated disassociation is reported to the server as a best effort. + + +## In this topic + +- [User-initiated disconnection](#user-initiated-disconnection) +- [Server-initiated disconnection](#server-initiated-disconnection) +- [Unenrollment from Work Access settings page](#unenrollment-from-work-access-settings-page) +- [IT admin–requested disconnection](#it-admin-requested-disconnection) +- [Unenrollment from Azure Active Directory Join](#dataloss) + + +## User-initiated disconnection + +In Windows, after the user confirms the account deletion command and before the account is deleted, the MDM client will send a notification to the MDM server notifying that the server the account will be removed. This is a best effort action as no retry is built-in to ensure the notification is successfully sent to the device. + +This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work. + +> **Note**  The user unenrollment is an OMA DM standard. 
For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526). + +  +The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**. + +After the user elects to unenroll, any active MDM OMA DM sessions are terminated. After that, the DM client starts a DM session, including a user unenroll generic alert in the first package that it sends to the server. + +The following sample shows an OMA DM first package that contains a generic alert message. For more information on WP OMA DM support, see the [OMA DM protocol support](oma-dm-protocol-support.md) topic. + +``` + + + 1.2 + DM/1.2 + 1 + 1 + + {unique device ID} + + + https://www.thephone-company.com/mgmt-server + + + + + 2 + 1226 + + + com.microsoft:mdm.unenrollment.userrequest + int + + 1 + + + + + + 2 + + + ./DevInfo/DevID + + {unique device ID} + + + ... + + + + + +``` + +After the previous package is sent, the unenrollment process begins. + + +## Server-initiated disconnection + +When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1. + +``` syntax + + 4 + 1226 + + + com.microsoft:mdm.unenrollment.userrequest + int + + 1 + + +``` + + + +## Unenrollment from Work Access settings page + +If the user is enrolled into MDM using an Azure Active Directory (AAD Join or by adding a Microsoft work account), the MDM account will show up under the Work Access page. However, the **Disconnect** button is greyed out and not accessible. Users can remove that MDM account by removing the AAD association to the device. 
+ +You can only use the Work Access page to unenroll under the following conditions: + +- Enrollment was done using bulk enrollment. +- Enrollment was created using the Work Access page. + + + +## Unenrollment from Azure Active Directory Join + +When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data. + +![aadj unenerollment](images/azure-ad-unenrollment.png) + +When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state. + +Before remotely unenrolling corporate devices, you must ensure that there is at least one admin user on the device that is not part of the Azure tenant, otherwise the device will not have any admin user after the operation. + +In mobile devices, remote unenrollment for Azure Active Directory Joined devices will fail. To remove corporate content from these devices, we recommend you remotely wipe the device. + + +## IT admin–requested disconnection + +The server requests an enterprise management disconnection request by issuing an Exec OMA DM SyncML XML command to the device using the DMClient configuration service provider’s Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more information, see the Enterprise-specific DM client configuration topic. + +When the disconnection is completed, the user is notified that the device has been disconnected from enterprise management. + +  + + + + + + 
diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md new file mode 100644 index 0000000000..df7701702a --- /dev/null +++ b/windows/client-management/mdm/dmacc-csp.md 
@@ -0,0 +1,287 @@
+---
+title: DMAcc CSP
+description: DMAcc CSP
+ms.assetid: 43e73d8a-6617-44e7-8459-5c96f4422e63
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# DMAcc CSP
+
+
+The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION configuration service provider](w7-application-csp.md)
+
+> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
+
+ 
+
+For the DMAcc CSP, you cannot use the Replace command unless the node already exists.
+
+The following diagram shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
+
+![dmacc csp (dm)](images/provisioning-csp-dmacc-dm.png)
+
+**DMAcc**
+Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol.
+
+***AccountUID***
+Optional. Defines the unique identifier for an OMA DM server account that uses the OMA DM version 1.2 protocol.
+
+For a [w7 APPLICATION configuration service provider](w7-application-csp.md) bootstrapped account, this element is assigned a unique name by the OMA DM Client. The unique name is the hexadecimal representation of the 256-bit SHA-2 hash of the provider ID. The OMA DM server can change this node name in subsequent OMA DM sessions.
+
+***AccountUID*/AppID**
+Required. Specifies the application identifier for the OMA DM account.
+
+This value must be set to "w7".
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***AccountUID*/ServerID**
+Required. Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***AccountUID*/Name**
+Optional. Specifies the display name of the application.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***AccountUID*/PrefConRef**
+Optional. Specifies the preferred connectivity for the OMA DM account.
+
+This element contains either a URI to a NAP management object or a connection GUID used by Connection Manager. If this element is missing, the device uses the default connection that is provided by Connection Manager.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***AccountUID*/AppAddr**
+Interior node for DM server address.
+
+Required.
+
+**AppAddr/****_ObjectName_**
+Required. Defines the OMA DM server address. Only one server address can be configured.
+
+When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1". This is the first DM address encountered in the w7 APPLICATION configuration service provider, other DM accounts are ignored.
+
+***ObjectName*/Addr**
+Required. Specifies the address of the OMA DM account. The type of address stored is specified by the AddrType element.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***ObjectName*/AddrType**
+Required. Specifies the format and interpretation of the Addr node value. The default is "URI".
+
+The default value of "URI" specifies that the OMA DM account address in **Addr** is a URI address. A value of "IPv4" specifies that the OMA DM account address in **Addr** is an IP address.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***ObjectName*/Port**
+Interior node for port information.
+
+Optional.
+
+**Port/****_ObjectName_**
+Required. Only one port number can be configured.
+
+When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is "1".
+
+***ObjectName*/PortNbr**
+Required. Specifies the port number of the OMA MD account address. This must be a decimal number that fits within the range of a 16-bit unsigned integer.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***AccountUID*/AAuthPref**
+Optional. Specifies the application authentication preference.
+
+A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST' specifies that the client attempts MD5 authentication.
+
+If this value is empty, the client attempts to use the authentication mechanism negotiated in the previous session if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, clients try MD5 authorization first. If the criteria are not met then the client tries BASIC authorization first.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***AccountUID*/AppAuth**
+Optional. Defines authentication settings.
+
+**AppAuth/****_ObjectName_**
+Required. Defines one set of authentication settings.
+
+When mapping the [w7 APPLICATION configuration service provider](w7-application-csp.md) to the DMAcc Configuration Service Provider, the name of this element is same name as the AAuthLevel value ("CLRED" or "SRVCRED").
+
+***ObjectName*/AAuthlevel**
+Required. Specifies the application authentication level.
+
+A value of "CLCRED" indicates that the credentials client will authenticate itself to the OMA DM server at the OMA DM protocol level. A value of "SRVCRED" indicates that the credentials server will authenticate itself to the OMA DM Client at the OMA DM protocol level.
+
+Value type is string. Supported operations are Add and Replace.
+
+***ObjectName*/AAuthType**
+Required. Specifies the authentication type.
+
+If the AAuthlevel is "CLCRED", the supported values are "BASIC" and "DIGEST". If the AAuthlevel is "SRVCRED", the supported value is "DIGEST".
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***ObjectName*/AAuthName**
+Optional. Specifies the authentication name.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+***ObjectName*/AAuthSecret**
+Optional. Specifies the password or secret used for authentication.
+
+Value type is string. Supported operations are Add and Replace.
+
+***ObjectName*/AAuthData**
+Optional. Specifies the next nonce used for authentication.
+
+"Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in repeat attacks.
+
+Value type is binary. Supported operations are Add and Replace.
+
+***AccountUID*/Ext**
+Required. Defines a set of extended parameters.
+
+This element holds vendor-specific information about the OMA DM account and is created automatically when the OMA DM account is created.
+
+**Ext/Microsoft**
+Required. Defines a set of Microsoft-specific extended parameters.
+
+This element is created automatically when the OMA DM account is created.
+
+**Microsoft/BackCompatRetryDisabled**
+Optional. Specifies whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default is "FALSE".
+
+The default value of "FALSE" indicates that backward-compatible retries are enabled. A value of "TRUE" indicates that backward-compatible retries are disabled.
+
+Value type is bool. Supported operations are Add, Get, and Replace.
+
+**Microsoft/ConnRetryFreq**
+Optional. Specifies the number of retries the DM client performs when there are Connection Manager level or wininet level errors.
+
+The default value is 3.
+
+Value type is integer. Supported operations are Add, Get, and Replace.
+
+**Microsoft/DefaultEncoding**
+Optional. Specifies whether the OMA DM client will use WBXML or XML for the DM package when communicating with the server. The default is "application/vnd.syncml.dm+xml".
+
+The default value of "application/vnd.syncml.dm+xml" specifies that XML is used. A value of "application/vnd.syncml.dm+wbxml" specifies that WBXML is used.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+**Microsoft/InitialBackOffTime**
+Optional. Specifies the initial wait time in milliseconds when the OMA DM client retries for the first time. The wait time grows exponentially.
+
+The default value is 16000.
+
+Value type is integer. Supported operations are Add, Get, and Replace.
+
+**Microsoft/MaxBackOffTime**
+Optional. This node specifies the maximum number of milliseconds to wait before attempting a connection retry.
+
+The default value is 86400000.
+
+Value type is integer. Supported operations are Add, Get, and Replace.
+
+**Microsoft/ProtoVer**
+Optional. Specifies the OMA DM Protocol version that the server supports. There is no default value.
+
+Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows 10 clients support version 1.2.
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+**Microsoft/Role**
+Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server.
+
+If this parameter is not present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
+
+- 4 = SECROLE\_OPERATOR
+
+- 8 = SECROLE\_MANAGER
+
+- 16 = SECROLE\_USER\_AUTH
+
+- 128 = SECROLE\_OPERATOR\_TPS
+
+The acceptable access roles for this node cannot be more than the roles assigned to the DMAcc object.
+
+Value type is integer. Supported operations are Get and Replace.
+
+**Microsoft/UseHWDevID**
+Optional. Specifies whether to use the hardware ID for the ./DevInfo/DevID element in the DM account to identify the device. The default is "FALSE".
+
+The default value of "FALSE" specifies that an application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID.
+
+A value is "TRUE" specifies that the hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. In this case:
+
+- For GSM phones, the IMEI is returned.
+
+- For CDMA phones, the MEID is returned.
+
+- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
+
+Value type is bool. Supported operations are Add, Get, and Replace.
+
+**Microsoft/UseNonceResync**
+Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is "FALSE".
+
+If the authentication fails because the server nonce does not match the server nonce that is stored on the device, then the device can use the backup nonce as the server nonce. For this procedure to be successful, if the device did not authenticate with the preconfigured nonce value, the server must then use the backup nonce when sending the signed server notification message.
+
+The default value of "FALSE" specifies that the client does not try to authenticate the notification with the backup server nonce if authentication to the stored nonce fails. A value of "TRUE" specifies that the client initiates a DM session if the backup server nonce is received after authentication failed.
+
+Value type is bool. Supported operations are Add, Get, and Replace.
+
+**CRLCheck**
+Optional. Allows connection to the DM server to check the Certificate Revocation List (CRL). Set to true to enable SSL revocation.
+
+Value type is bool. Supported operations are Add, Get, and Replace.
+
+**DisableOnRoaming**
+Optional. Determines whether the OMA DM client should be launched when roaming.
+
+Value type is bool. Supported operations are Add, Get, and Replace.
+
+**SSLCLIENTCERTSEARCHCRITERIA**
+Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored.
+
+The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC.
+
+The supported names are Subject and Stores; wildcard certificate search is not supported.
+
+Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive.
+
+> **Note**   %EF%80%80 is the UTF8-encoded character U+F000.
+
+ 
+
+Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following:
+
+``` syntax
+
+```
+
+Value type is string. Supported operations are Add, Get, and Replace.
+
+**InitiateSession**
+Optional. When this node is added, a session is started with the MDM server.
+
+Supported operations are Add, and Replace.
+
+## Related topics
+
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/dmacc-ddf-file.md b/windows/client-management/mdm/dmacc-ddf-file.md
new file mode 100644
index 0000000000..dbca78b881
--- /dev/null
+++ b/windows/client-management/mdm/dmacc-ddf-file.md
@@ -0,0 +1,877 @@ +--- +title: DMAcc DDF file +description: DMAcc DDF file +ms.assetid: 44dc99aa-2a85-498b-8f52-a81863765606 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DMAcc DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **DMAcc** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + DMAcc + ./SyncML + + + + + This interior node is a common parent to all OMA DM server account nodes that use OMA DM 1.2 protocol. + + + + + + + + + + + urn:oma:mo:oma-dm-dmacc:1.1 + + + + * + + + + + + + + This interior node acts as a placeholder for zero or more OMA DM server accounts. If this OMA DM server account is bootstrapped using the w7 APPLICATION, the name of this node is generated from the 256-bit version of SHA-2 hash of the w7 PROVIDER-ID parm. + + + + + + + + + + + + + + + AppID + + + + + + + The only supported value is w7. + + + + + + + + + + Application ID for DM Account MO + + text/plain + + + + + ServerID + + + + + + + + + + + + + + + + Server Identifier + + text/plain + + + + + Name + + + + + + + + + + + + + + + + Displayable name for the Management Server + + text/plain + + + + + PrefConRef + + + + + + + The only supported values include the NAPID of a bootstrapped NAP management object or a connection GUID used by connection manager. If this node is missing, the device will use the default connection provided by connection manager. 
+ + + + + + + + + + Reference to preferred connectivity + + text/plain + + + + + AppAddr + + + + + + Only the first address provisioned is used. + + + + + + + + + + A collection of references to DM server address + + + + + + * + + + + + + + + + + + + + + + The "name" node for AppAddr object + + + + + + Addr + + + + + + + + + + + + + + + + Management Server Address + + text/plain + + + + + AddrType + + + + + + + + + + + + + + + + Management Server Address Type + + text/plain + + + + + Port + + + + + + + + + + + + + + + A collection of all Port objects + + + + + + * + + + + + + + + + + + + + + + + The "name" node for a Port object + + + + + + PortNbr + + + + + + + + + + + + + + + + Port + + text/plain + + + + + + + + + AAuthPref + + + + + + + Supported values: BASIC, DIGEST + + + + + + + + + + Application Authentication Type preference + + text/plain + + + + + AppAuth + + + + + + + + + + + + + + + A collection of all references to multiple Application Authentication objects + + + + + + * + + + + + + + + + + + + + + + The "name" node for multiple Application Authentication objects + + + + + + AAuthLevel + + + + + + + + + + + + + + + + Application Authentication level + + text/plain + + + + + AAuthType + + + + + + + If AAuthLevel is CLCRED, the supported types include BASIC and DIGEST. If AAuthLevel is SRVCRED, the only supported type is DIGEST. 
+ + + + + + + + + + Application Authentication Type + + text/plain + + + + + AAuthName + + + + + + + + + + + + + + + + Application Authentication Name + + text/plain + + + + + AAuthSecret + + + + + + + + + + + + + + + Application Authentication Secret + + text/plain + + + + + AAuthData + + + + + + + + + + + + + + + Application Authentication Data + + text/plain + + + + + + + Ext + + + + + + + + + + + + + + Vendor specific information + + + + + + Microsoft + + + + + + + + + + + + + + The collection of Microsoft specific settings + + + + + + Role + + + + + + If this node is unspecified, its default value is the access role of the session that created the server account. The value for this node must be a subset of the roles used in creating this server account. + + + + + + + + + + The security role mask that the DM session should run with + + text/plain + + + + + ProtoVer + + + + + + + This node value corresponds to what the client would put in the VerDTD element of an OMA-DM package. No default value is assumed. The only valid value for this node is 1.1 or 1.2. + + + + + + + + + + The OMA-DM protocol version that the client should use in communicating with the server + + text/plain + + + + + DefaultEncoding + + + + + + + This node specifies the encoding that the OMA-DM client will use to encode its first package. Valid values include "application/vnd.syncml.dm+xml" (for XML) and "application/vnd.syncml.dm+wbxml" (for WBXML). If this node is left unspecified, the OMA-DM client defaults to "application/vnd.syncml.dm+xml". + + + + + + + + + + + text/plain + + + + + UseHwDevID + + + + + + + A value of true indicates that, during an OMA-DM session with this server, the value of the ./DevInfo/DevId node is the hardware ID of device (e.g, IMEI for a GSM device, ESN for a CDMA Device, hashed UUID for a non-radio device). The default value of false indicates that the value of ./DevInfo/DevId node is a hash of the UUID of the device. 
+ + + + + + + + + + + text/plain + + + + + ConnRetryFreq + + + + + + + This node specifies how many times DM client will retry a connection to the server if the connection fails. The default value is 3 retries. + + + + + + + + + + + text/plain + + + + + InitialBackOffTime + + + + + + + This node specifies the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry. After the initial wait, the wait time grows exponentially. The default value is 16000 milliseconds. + + + + + + + + + + + text/plain + + + + + MaxBackOffTime + + + + + + + This node specifies the maximum number of milliseconds to wait before attempting a connection retry. The default value is 86400000. + + + + + + + + + + + text/plain + + + + + BackCompatRetryDisabled + + + + + + + This node specifies whether to disable the ability of the DM client to communicate with a down-level server. + Possible Values: + false (default) -- Compatibility with down-level servers is enabled + true -- Compatibility with down-level servers is disabled + + + + + + + + + + + text/plain + + + + + UseNonceResync + + + + + + + This node specifies whether the DM client can use the nonce resynchronization protocol when authentication of a server notification fails. If nonce resynchronization is disabled and authentication of the server notification fails, the notification is dropped. + Possible Values: + false (default) : Nonce resynchronization is disabled. + true : Nonce resynchronization is enabled. + + + + + + + + + + + text/plain + + + + + CRLCheck + + + + + + + + + + + + + + + + CRLCheck + + text/plain + + + + + DisableOnRoaming + + + + + + + + + + + + + + + + DisableOnRoaming + + text/plain + + + + + SSLCLIENTCERTSEARCHCRITERIA + + + + + + + + + + + + + + + + SSLCLIENTCERTSEARCHCRITERIA + + text/plain + + + + + InitiateSession + + + + + + When this node is added, a session is started with the MDM server. 
+ + + + + + + + + + + + + + + + + + + + + +``` + +## Related topics + + +[DMAcc configuration service provider](dmacc-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md new file mode 100644 index 0000000000..59c7ae444e --- /dev/null +++ b/windows/client-management/mdm/dmclient-csp.md 
@@ -0,0 +1,677 @@ +--- +title: DMClient CSP +description: The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment. +ms.assetid: a5cf35d9-ced0-4087-a247-225f102f2544 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DMClient CSP + + +The DMClient configuration service provider is used to specify additional enterprise-specific mobile device management configuration settings for identifying the device in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment. + +The following diagram shows the DMClient configuration service provider in tree format. + +![dmclient csp](images/provisioning-csp-dmclient-th2.png) + +**DMClient** +Root node for the CSP. + +**UpdateManagementServiceAddress** +For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semi-colon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node. + +**HWDevID** +Added in Windows 10, version 1703. Returns the hardware device ID. + +Supported operation is Get. Value type is string. + +**Provider** +Required. The root node for all settings that belong to a single management server. Scope is permanent. + +Supported operation is Get. + +**Provider/****_ProviderID_** +Optional. This node contains the URI-encoded value of the bootstrapped device management account’s Provider ID. Scope is dynamic. As a best practice, use text that doesn’t require XML/URI escaping. + +Supported operations are Get and Add. + +**Provider/*ProviderID*/EntDeviceName** +Optional. 
Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session. + +Supported operations are Get and Add. + +**Provider/*ProviderID*/EntDMID** +Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session. + +Supported operations are Get and Add. + +> **Note**   Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION configuration service provider’s **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server. +This node is required and must be set by the server before the client certificate renewal is triggered. + +  + +**Provider/*ProviderID*/ExchangeID** +Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. This is useful for the enterprise management server to correlate and merge records for a device that is managed by exchange and natively managed by a dedicated management server. + +> **Note**  In some cases for the desktop, this node will return "not found" until the user sets up their email. + +  + +Supported operation is Get. + +The following is a Get command example. + +``` syntax + + 12 + + + ./Vendor/MSFT/DMClient/Provider//ExchangeID + + + +``` + +**Provider/*ProviderID*/PublisherDeviceID** +(Only for Windows 10 Mobile.) Optional. The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. 
Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/<enterprise id>/EnrollmentToken. It is to ensure that for one enterprise, each device has a unique ID associated with it. For the same device, if it has multiple enterprises’ applications, each enterprise is identified differently. + +Supported operation is Get. + +**Provider/*ProviderID*/SignedEntDMID** +Optional. Character string that contains the device ID. This node and the nodes **CertRenewTimeStamp** can be used by the mobile device management server to verify client identity in order to update the registration record after the device certificate is renewed. The device signs the **EntDMID** with the old client certificate during the certificate renewal process and saves the signature locally. + +Supported operation is Get. + +**Provider/*ProviderID*/CertRenewTimeStamp** +Optional. The time in OMA DM standard time format. This node is designed to reduce the risk of the certificate being used by another device. The device records the time that the new certificate was created. + +Supported operation is Get. + +**Provider/*ProviderID*/ManagementServiceAddress** +Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load balance to another server in situations where too many devices are connected to the server. + +> **Note**  When the ManagementServerAddressList value is set, the device ignores the value in ManagementServiceAddress. + +  + +The DMClient configuration service provider will save the address to the same location as the w7 and DMS configuration service providers to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the [w7 APPLICATION configuration service provider](w7-application-csp.md). 
+ +Starting in Windows 10, version 1511, this node supports multiple server addresses in the format <URL1><URL2><URL3>. If there is only a single URL, then the <> are not required. This is supported for both desktop and mobile devices. + +During a DM session, the device will use the first address on the list and then keep going down the list until a successful connection is achieved. The DM client should cache the successfully connected server URL for the next session. + +Supported operations are Add, Get, and Replace. + +**Provider/*ProviderID*/UPN** +Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This is useful in scenarios where the user email address changes in the identity system, or in the scenario where the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN. + +Supported operations are Get and Replace. + +**Provider/*ProviderID*/HelpPhoneNumber** +Optional. The character string that allows the user experience to include a customized help phone number that the end user will be able to view and use if they need help or support. + +Supported operations are Get, Replace, and Delete. + +**Provider/*ProviderID*/HelpWebsite** +Optional. The character string that allows the user experience to include a customized help website that the end user will be able to view and use if they need help or support. + +Supported operations are Get, Replace, and Delete + +**Provider/*ProviderID*/HelpEmailAddress** +Optional. The character string that allows the user experience to include a customized help email address that the end user will be able to view and use if they need help or support. + +Supported operations are Get, Replace, and Delete. + +**Provider/*ProviderID*/RequireMessageSigning** +Boolean type. 
Primarly used for SSL bridging mode where firewalls and proxies are deployed and where device client identity is required. When enabled, every SyncML message from the device will carry an additional HTTP header named MDM-Signature. This header contains BASE64-encoded Cryptographic Message Syntax using a Detached Signature of the complete SyncML message SHA-2 (inclusive of the SyncHdr and SyncBody). Signing is performed using the private key of the management session certificate that was enrolled as part of the enrollment process. The device public key and PKCS9 UTC signing time stamp are included as part of the authenticated attributes in the signature. + +Default value is false, where the device management client does not include authentication information in the management session HTTP header. Optionally set to true, where the client authentication information is provided in the management session HTTP header. + +When enabled, the MDM server should validate the signature and the timestamp using the device identify certificate enrolled as part of MS-MDE, ensure the certificate and time are valid, and verify that the signature is trusted by the MDM server. + +Supported operations are Get, Replace, and Delete. + +**Provider/*ProviderID*/SyncApplicationVersion** +Optional. Used by the management server to set the DM session version that the server and device should use. Default is 1.0. In Windows 10, the DM session protocol version of the client is 2.0. If the server is updated to support 2.0, then you should set this value to 2.0. In the next session, check to see if there is a client behavior change between 1.0 and 2.0. + +> **Note**   +This node is only supported in Windows 10 and later. + +Once you set the value to 2.0, it will not go back to 1.0. + +  + +Supported operations are Get, Replace, and Delete. + +**Provider/*ProviderID*/MaxSyncApplicationVersion** +Optional. Used by the client to indicate the latest DM session version that it supports. Default is 2.0. 
+ +When you query this node, a Windows 10 client will return 2.0 and a Windows 8.1 client will return an error code (404 node not found). + +Supported operation is Get. + +**Provider/*ProviderID*/AADResourceID** +Optional. This is the ResourceID used when requesting the user token from the OMA DM session for Azure Active Directory enrollments (AAD Join or Add Accounts). The token is audience specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you are trying to access. + +For more information about Azure Active Directory enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). + +**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage** +Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow. + +When the server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending. + +To work around the timeout, you can use this setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. + +Here is an example of DM message sent by the device when it is in pending state: + +``` syntax + + +1.2 + DM/1.2 + 10 + 2 + + https://www.contoso.com/mgmt-server + + + {unique device ID} + + + + + 2 + 1224 + + + Reversed-Domain-Name:com.microsoft.mdm.requestpending + + 1 + + + + +``` + +**Provider/*ProviderID*/AADDeviceID** +Added in Windows 10, version 1607. Returns the device ID for the Azure Active Directory device registration. 
+ +Supported operation is Get. + +**Provider/*ProviderID*/EnrollmentType** +Added in Windows 10, version 1607. Returns the enrollment type (Device or Full). + +Supported operation is Get. + +**Provider/*ProviderID*/HWDevID** +Added in Windows 10, version 1607. Returns the hardware device ID. + +Supported operation is Get. + +**Provider/*ProviderID*/CommercialID** +Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this telemetry data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization.. + +Supported operations are Add, Get, Replace, and Delete. + +**Provider/*ProviderID*/ManagementServerAddressList** +Added in Windows 10, version 1607. The list of management server URLs in the format <URL1><URL2><URL3>, etc... If there is only one, the angle brackets (<>) are not required. + +> **Note**  The < and > should be escaped. + +  + +``` syntax + + 101 + + + + ./Vendor/MSFT/DMClient/Provider//ManagementServerAddressList + + + <https://server1><https:// server2> + + +``` + +If ManagementServerAddressList node is set, the device will only use the server URL configured in this node and ignore the ManagementServiceAddress value. + +When the server is not responding after a specified number of retries, the device tries to use the next server URL in the list until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first on in the list. + +Supported operations are Get and Replace. 
Value type is string. + +**Provider/*ProviderID*/ManagementServerToUpgradeTo** +Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM server to upgrade to for a Mobile Application Management (MAM) enrolled device. + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/Poll** +Optional. Polling schedules must utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. + +Supported operations are Get and Add. + +There are three schedules managed under the Poll node which enable a rich polling schedule experience to provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways in which polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules back to a valid configuration. + +If there is no infinite schedule set, then a 24-hour schedule is created and scheduled to launch in the maintenance window. + +**Valid poll schedule: sigmoid polling schedule with infinite schedule (Recommended).** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Schedule nameSchedule set by the serverActual value queried on device

IntervalForFirstSetOfRetries

15

15

NumberOfFirstRetries

5

5

IntervalForSecondSetOfRetries

60

60

NumberOfSecondRetries

10

10

IntervalForRemainingScheduledRetries

1440

1440

NumberOfRemainingScheduledRetries

0

0

+ +  + +**Valid poll schedule: initial enrollment only \[no infinite schedule\]** + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Schedule nameSchedule set by the serverActual value queried on device

IntervalForFirstSetOfRetries

15

15

NumberOfFirstRetries

5

5

IntervalForSecondSetOfRetries

60

60

NumberOfSecondRetries

10

10

IntervalForRemainingScheduledRetries

0

0

NumberOfRemainingScheduledRetries

0

0

+ +  + +**Invalid poll schedule: disable all poll schedules** + +> **Note**   Disabling poll schedules results in UNDEFINED behavior and enrollment may fail if poll schedules are all set to zero. + +  + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Schedule nameSchedule set by the serverActual value queried on device

IntervalForFirstSetOfRetries

0

0

NumberOfFirstRetries

0

0

IntervalForSecondSetOfRetries

0

0

NumberOfSecondRetries

0

0

IntervalForRemainingScheduledRetries

0

0

NumberOfRemainingScheduledRetries

0

0

+ +  + +**Invalid poll schedule: two infinite schedules** + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Schedule nameSchedule set by serverActual schedule set on deviceActual experience

IntervalForFirstSetOfRetries

15

15

Device polls

NumberOfFirstRetries

5

5

Device polls

IntervalForSecondSetOfRetries

1440

1440

Device polls the server once in 24 hours

NumberOfSecondRetries

0

0

Device polls the server once in 24 hours

IntervalForRemainingScheduledRetries

1440

0

Third schedule is disabled

NumberOfRemainingScheduledRetries

0

0

Third schedule is disabled

+ +  + +If the device was previously enrolled in MDM with polling schedule configured via registry key values directly, the MDM server that supports using DMClient CSP to update polling schedule must first send an Add command to add a **./Vendor/MSFT/DMClient/Enrollment/<ProviderID>/Poll** node before it sends a Get/Replace command to query or update polling parameters via DMClient CSP + +When using the DMClient CSP to configure polling schedule parameters, the server must not set all six polling parameters to 0, or set all 3 number of retry nodes to 0 because it will cause a configuration failure. + +**Provider/*ProviderID*/Poll/IntervalForFirstSetOfRetries** +Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled. + +Supported operations are Get and Replace. + +The IntervalForFirstSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxRetryInterval path that previously utilized the Registry CSP. + +**Provider/*ProviderID*/Poll/NumberOfFirstRetries** +Optional. The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value is not 0, then the schedule will be set to repeat an infinite number of times and second set and this set of schedule will not set in this case. The default value is 10. + +Supported operations are Get and Replace. + +The NumberOfFirstRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\AuxNumRetries path that previously utilized the Registry CSP. 
+ +The first set of retries is intended to give the management server some buffered time to be ready to send policies and settings configuration to the device. The total time for first set of retries should not be more than a few hours. The server should not set NumberOfFirstRetries to be 0. RemainingScheduledRetries is used for the long run device polling schedule. + +**Provider/*ProviderID*/Poll/IntervalForSecondSetOfRetries** +Optional. The waiting time (in minutes) for the second set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled. + +Supported operations are Get and Replace. + +The IntervalForSecondSetOfRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\RetryInterval path that previously utilized the Registry CSP. + +**Provider/*ProviderID*/Poll/NumberOfSecondRetries** +Optional. The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries is not set to 0 AND the first set of retries is not set as infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set at infinite, then this schedule is disabled. + +Supported operations are Get and Replace. + +The NumberOfSecondRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\NumRetries path that previously utilized the Registry CSP. + +The second set of retries is also optional and temporarily retries that the total duration should be last for more than a day. And the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long run device polling schedule. 
+ +**Provider/*ProviderID*/Poll/IntervalForRemainingScheduledRetries** +Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in /<ProviderID>/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled. + +Supported operations are Get and Replace. + +The IntervalForRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2RetryInterval path that previously utilized the Registry CSP. + +**Provider/*ProviderID*/Poll/NumberOfRemainingScheduledRetries** +Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForRemainingScheduledRetries AND the first and second set of retries are not set as infinite retries, then the schedule will be set to repeat for an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. + +Supported operations are Get and Replace. + +The NumberOfRemainingScheduledRetries replaces the deprecated HKLM\\Software\\Microsoft\\Enrollment\\OmaDmRetry\\Aux2NumRetries path that previously utilized the Registry CSP. + +The RemainingScheduledRetries is used for the long run device polling schedule. IntervalForRemainingScheduledRetries should not be set smaller than 1440 minutes (24 hours) in Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push. + +**Provider/*ProviderID*/Poll/PollOnLogin** +Optional. Boolean value that allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. 
+ +Supported operations are Add, Get, and Replace. + +**Provider/*ProviderID*/Poll/AllUsersPollOnFirstLogin** +Optional. Boolean value that allows the IT admin to require the device to start a management session on first user login for all NT users. A session is only kicked off the first time a user logs in to the system; subsequent logins will not trigger an MDM session. Login is not the same as device unlock. Default value is false, where polling is disabled on first login. Supported values are true or false. + +Supported operations are Add, Get, and Replace. + +**Provider/*ProviderID*/Push** +Optional. Not configurable during WAP Provisioining XML. If removed, DM sessions triggered by Push will no longer be supported. + +Supported operations are Add and Delete. + +**Provider/*ProviderID*/Push/PFN** +Required. A string provided by the Windows 10 ecosystem for a Mobile Device Management solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing. + +Supported operations are Add, Get, and Replace. + +**Provider/*ProviderID*/Push/ChannelURI** +Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. + +Supported operation is Get. + +**Provider/*ProviderID*/Push/Status** +Required. An integer that maps to a known error state or condition on the system. + +Supported operation is Get. + +The status error mapping is listed below. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StatusDescription

0

Success

1

Failure: invalid PFN

2

Failure: invalid or expired device authentication with MSA

3

Failure: WNS client registration failed due to an invalid or revoked PFN

4

Failure: no Channel URI assigned

5

Failure: Channel URI has expired

6

Failure: Channel URI failed to be revoked

7

Failure: push notification received, but unable to establish an OMA-DM session due to power or connectivity limitations.

8

Unknown error

+ +  + +**Provider/*ProviderID*/CustomEnrollmentCompletePage** +Optional. Added in Windows 10, version 1703. + +Supported operations are Add, Delete, and Get. + +**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title** +Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow. + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText** +Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow. + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref** +Optional. Added in Windows 10, version 1703. Specifies the URL that is shown at the end of the MDM enrollment flow. + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText** +Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that is shown at the end of the MDM enrollment flow. + +Supported operations are Add, Delete, Get, and Replace. Value type is string. + +**Provider/*ProviderID*/Unenroll** +Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `` tag under the `` element. Scope is permanent. + +Supported operations are Get and Exec. + +Note that <LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is supported for backward compatibility. + +The following SyncML shows how to remotely unenroll the device. Note that this command should be inserted in the general DM packages sent from the server to the device. 
+ +``` syntax + + 2 + + + ./Vendor/MSFT/DMClient/Provider//Unenroll + + + chr + + TestMDMServer + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/dmclient-ddf-file.md b/windows/client-management/mdm/dmclient-ddf-file.md new file mode 100644 index 0000000000..85bc763412 --- /dev/null +++ b/windows/client-management/mdm/dmclient-ddf-file.md 
@@ -0,0 +1,1089 @@ +--- +title: DMClient DDF file +description: DMClient DDF file +ms.assetid: A21B33AF-DB76-4059-8170-FADF2CB898A0 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DMClient DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **DMClient** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + DMClient + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.3/MDM/DMClient + + + + Provider + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + text/plain + + + + EntDeviceName + + + + + + + + + + + + + + + + + + text/plain + + + + + ExchangeID + + + + + + + + + + + + + + + + + + text/plain + + + + + EntDMID + + + + + + + + + + + + + + + + + + text/plain + + + + + SignedEntDMID + + + + + + + + + + + + + + + + + + text/plain + + + + + CertRenewTimeStamp + + + + + + + + + + + + + + + + + + text/plain + + + + + + PublisherDeviceID + + + + + + + + + + + + + + + + + + text/plain + + + + + + ManagementServiceAddress + + + + + + + + + + + + + + + + text/plain + + + + + UPN + + + + + + + + + + + + + + + + + text/plain + + + + + HelpPhoneNumber + + + + + + + + + + + + + + + + + + text/plain + + + + + HelpWebsite + + + + + + + + + + + + + + + + + + text/plain + + + + + HelpEmailAddress + + + + + + + + + + + + + + + + + + text/plain + + + + + RequireMessageSigning + + + + + + + + + + + + + + + + + + text/plain + + + + + SyncApplicationVersion + 
+ + + + + + + + + + + + + + + + + text/plain + + + + + MaxSyncApplicationVersion + + + + + + + + + + + + + + + text/plain + + + + + Unenroll + + + + + + + + + + + + + + + + text/plain + + + + + AADResourceID + + + + + + + + + + + + + + + + + text/plain + + + + + AADDeviceID + + + + + Device ID used for AAD device registration + + + + + + + + + + + text/plain + + + + + EnrollmentType + + + + + Type of MDM enrollment + + + + + + + + + + + text/plain + + + + + EnableOmaDmKeepAliveMessage + + + + + + + + + + + + + + + + text/plain + + + + + HWDevID + + + + + + + + + + + + + + + text/plain + + + + + ManagementServerAddressList + + + + + + + + + + + + + + + + text/plain + + + + + CommercialID + + + + + + + + + + + + + + + + + + text/plain + + + + + ManagementServerToUpgradeTo + + + + + + + + Specify the Discovery server URL of the MDM server to upgrade to for a MAM enrolled device + + + + + + + + + + + text/plain + + + + + Push + + + + + + + + + + + + + + + + + + + + + PFN + + + + + + + + + + + + + + + + + + text/plain + + + + + ChannelURI + + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + + Poll + + + + + + + + + + + + + + + + + + + + + IntervalForFirstSetOfRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + NumberOfFirstRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + IntervalForSecondSetOfRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + NumberOfSecondRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + IntervalForRemainingScheduledRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + NumberOfRemainingScheduledRetries + + + + + + + + + + + + + + + + + + text/plain + + + + + PollOnLogin + + + + + + + + + + + + + + + + + + text/plain + + + + + AllUsersPollOnFirstLogin + + + + + + + + + + + + + + + + + + text/plain + + + + + + CustomEnrollmentCompletePage + + + + + + + + + + + + + + + + + + + + + Title + + + + + + + + + + + + + + + + + + text/plain 
+ + + + + BodyText + + + + + + + + + + + + + + + + + + text/plain + + + + + HyperlinkHref + + + + + + + + + + + + + + + + + + text/plain + + + + + HyperlinkText + + + + + + + + + + + + + + + + + + text/plain + + + + + + + + Unenroll + + + + + + + + + + + + + + + + text/plain + + + + + UpdateManagementServiceAddress + + + + + + + + + + + + + + + + text/plain + + + + + HWDevID + + + + + + + + + + + + + + + text/plain + + + + + +``` + +## Related topics + + +[DMClient configuration service provider](dmclient-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md new file mode 100644 index 0000000000..c78e43cc7d --- /dev/null +++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md 
@@ -0,0 +1,232 @@
+---
+title: DMProcessConfigXMLFiltered function
+description: Configures phone settings by using OMA Client Provisioning XML.
+Search.Refinement.TopicID: 184
+ms.assetid: 31D79901-6206-454C-AE78-9B85A3B3487F
+keywords: ["DMProcessConfigXMLFiltered function"]
+topic_type:
+- apiref
+api_name:
+- DMProcessConfigXMLFiltered
+api_location:
+- dmprocessxmlfiltered.dll
+api_type:
+- DllExport
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# DMProcessConfigXMLFiltered function
+
+> **Important**  
+The use of this function for automatic data configuration (ADC) is deprecated in Windows Phone 8.1. Please see [Connectivity configuration](https://msdn.microsoft.com/en-us/library/windows/hardware/dn757424) for more information about the new process for provisioning connectivity configuration. However, this function is still supported for other OEM uses.
+
+
+Configures phone settings by using OMA Client Provisioning XML. Use of this function is strictly limited to the following scenarios.
+
+- Adding dynamic credentials for OMA Client Provisioning.
+
+- Manufacturing test applications. These applications and the supporting drivers must be removed from the phones before they are sold.
+
+Microsoft recommends that this function is not used to configure the following types of settings.
+
+- Security settings that are configured by using CertificateStore, SecurityPolicy, and RemoteWipe, unless they are related to OMA DM or OMA Client Provisioning security policies.
+
+- Non-cellular data connection settings (such as Hotspot settings).
+
+- File system files and registry settings, unless they are used for OMA DM account management, mobile operator data connection settings, or manufacturing tests.
+
+- Email settings.
+
+> **Note**  The **DMProcessConfigXMLFiltered** function has full functionality in Windows 10 Mobile and Windows Phone 8.1, but it has a read-only functionality in Windows 10 desktop. 
+ +  + +## Syntax + +```C++ +HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered( +        LPCWSTR pszXmlIn, +  const WCHAR   **rgszAllowedCspNode, +  const DWORD   dwNumAllowedCspNodes, +        BSTR    *pbstrXmlOut +); +``` + +## Parameters + +*pszXmlIn* +

    +
  • \[in\] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. **DMProcessConfigXMLFiltered** accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).
  • +
+
+ +*rgszAllowedCspNode* +
    +
  • \[in\] Array of **WCHAR\*** that specify which configuration service provider nodes are allowed to be invoked.
  • +
+
+ +*dwNumAllowedCspNodes* +
    +
  • \[in\] Number of elements passed in *rgszAllowedCspNode*.
  • +
+
+ +*pbstrXmlOut* +
    +
  • \[out\] The resulting null–terminated XML from configuration. The caller of **DMProcessConfigXMLFiltered** is responsible for cleanup of the output buffer that the *pbstrXmlOut* parameter references. Use [**SysFreeString**](https://msdn.microsoft.com/library/windows/hardware/ms221481) to free the memory.
  • +
+
+ +If **DMProcessConfigXMLFiltered** retrieves a document, the *pbstrXmlOut* holds the XML output (in string form) of the provisioning operations. If **DMProcessConfigXMLFiltered** returns a failure, the XML output often contains "error nodes" that indicate which elements of the original XML failed. If the input document does not contain queries and is successfully processed, the output document should resemble the input document. In some error cases, no output is returned. + +## Return value + +Returns the standard **HRESULT** value **S\_OK** to indicate success. The following table shows the additional error codes that may be returned. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Return codeDescription

CONFIG_E_OBJECTBUSY

Another instance of the configuration management service is currently running.

CONFIG_E_ENTRYNOTFOUND

No metabase entry was found.

CONFIG_E_CSPEXCEPTION

An exception occurred in one of the configuration service providers.

CONFIG_E_TRANSACTIONINGFAILURE

A configuration service provider failed to roll back properly. The affected settings might be in an unknown state.

CONFIG_E_BAD_XML

The XML input is invalid or malformed.

+ +  + +## Remarks + +The processing of the XML is transactional; either the entire document gets processed successfully or none of the settings are processed. Therefore, the **DMProcessConfigXMLFiltered** function processes only one XML configuration request at a time. + +The usage of **DMProcessConfigXMLFiltered** depends on the configuration service providers that are used. For example, if the input .provxml contains the following two settings: + +``` XML + +    +        +            +            +            +            +            +        +    +    +        +            +        +    + +``` + +Then, the second parameter in the call to **DMProcessConfigXMLFiltered** would have to have the following definition. + +``` C++ +LPCWSTR rgszAllowedCspNodes[] = +{ +    L"NAPDEF", +    L"BrowserFavorite" +}; +``` + +This array of configuration service provider names indicates which .provxml contents should be present. If the provxml contains "EMAIL2" provisioning but *rgszAllowedCspNodes* does not contain EMAIL2, then **DMProcessConfigXMLFiltered** fails with an **E\_ACCESSDENIED** error code. + +The following code sample shows how this array would be passed in. Note that *szProvxmlContent* does not show the full XML contents for brevity. In actual usage, the "…" would contain the full XML string shown above. + +``` C++ +WCHAR szProvxmlContent[] = L"..."; +BSTR bstr = NULL; + +HRESULT hr = DMProcessConfigXMLFiltered( +                szProvxmlContent, +                rgszAllowedCspNodes, +                _countof(rgszAllowedCspNodes), +                &bstr +                ); + +/* check error */ + +if ( bstr != NULL ) +{ +    SysFreeString( bstr ); +    bstr = NULL; +} +``` + +## Requirements + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + +

Minimum supported client

None supported

Minimum supported server

None supported

Minimum supported phone

Windows Phone 8.1

Header

Dmprocessxmlfiltered.h

Library

Dmprocessxmlfiltered.lib

DLL

Dmprocessxmlfiltered.dll

+ +## See also + +[**SysFreeString**](https://msdn.microsoft.com/library/windows/hardware/ms221481) + +  + + + + + + diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md new file mode 100644 index 0000000000..17fa2ec201 --- /dev/null +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -0,0 +1,63 @@ +--- +title: DMSessionActions CSP +description: DMSessionActions CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DMSessionActions CSP + + +The DMSessionActions configuration service provider (CSP) is used to manage: + +- the number of sessions the client skips if the device is in a low power state +- which CSP nodes should send an alert back to the server if there were any changes. + +This CSP was added in Windows 10, version 1703. + +The following diagram shows the DMSessionActions configuration service provider in tree format. + +![dmsessionactions csp](images/provisioning-csp-dmsessionactions.png) + +**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions** +

Defines the root node for the DMSessionActions configuration service provider.

+ +**_ProviderID_** +

Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache.

+ +

Scope is dynamic. Supported operations are Get, Add, and Delete.

+ +**_ProviderID_/CheckinAlertConfiguration** +

Node for the custom configuration of alerts to be sent during MDM sync session.

+ +**_ProviderID_/CheckinAlertConfiguration/Nodes** +

Required. Root node for URIs to be queried. Scope is dynamic.

+ +

Supported operation is Get.

+ +**_ProviderID_/CheckinAlertConfiguration/Nodes/_NodeID_** +

Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.

+ +

Supported operations are Get, Add, and Delete.

+ +**_ProviderID_/CheckinAlertConfiguration/Nodes/_NodeID_/NodeURI** +

Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**AlertData** +

Node to query the custom alert per server configuration

+

Value type is string. Supported operation is Get.

+ +**PowerSettings** +

Node for power related configrations

+ +**PowerSettings/MaxSkippedSessionsInLowPowerState** +

Maximum number of continuous skipped sync sessions when the device is in low power state.

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**PowerSettings/MaxTimeSessionsSkippedInLowPowerState** +

Maximum time in minutes when the device can skip the check-in with the server if the device is in low power state.

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

\ No newline at end of file diff --git a/windows/client-management/mdm/dmsessionactions-ddf.md b/windows/client-management/mdm/dmsessionactions-ddf.md new file mode 100644 index 0000000000..1983b804cc --- /dev/null +++ b/windows/client-management/mdm/dmsessionactions-ddf.md 
@@ -0,0 +1,470 @@ +--- +title: DMSessionActions DDF file +description: DMSessionActions DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DMSessionActions DDF file + + +> [!WARNING] +> Some information relates to prereleased product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +This topic shows the OMA DM device description framework (DDF) for the **DMSessionActions** configuration service provider. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. 
+ +``` syntax + +]> + + 1.2 + + DMSessionActions + ./User/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/DMSessionActions + + + + + + + + + + + + + + + + + + + + ProviderID + + + + + + CheckinAlertConfiguration + + + + + + + + + + + + + + + + + + + Nodes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NodeID + + + + + + NodeURI + + + + + + + + + + + + + + + + + + text/plain + + + + + + + + AlertData + + + + + + + + + + + + + + + text/plain + + + + + PowerSettings + + + + + + + + + + + + + + + + + + + + + MaxSkippedSessionsInLowPowerState + + + + + + + + + + + + + + + + + + text/plain + + + + + MaxTimeSessionsSkippedInLowPowerState + + + + + + + + + + + + + + + + + + text/plain + + + + + + + + DMSessionActions + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/DMSessionActions + + + + + + + + + + + + + + + + + + + + ProviderID + + + + + + CheckinAlertConfiguration + + + + + + + + + + + + + + + + + + + Nodes + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + NodeID + + + + + + NodeURI + + + + + + + + + + + + + + + + + + text/plain + + + + + + + + AlertData + + + + + + + + + + + + + + + text/plain + + + + + PowerSettings + + + + + + + + + + + + + + + + + + + + + MaxSkippedSessionsInLowPowerState + + + + + + + + + + + + + + + + + + text/plain + + + + + MaxTimeSessionsSkippedInLowPowerState + + + + + + + + + + + + + + + + + + text/plain + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md new file mode 100644 index 0000000000..b0a286169f --- /dev/null +++ b/windows/client-management/mdm/dynamicmanagement-csp.md 
@@ -0,0 +1,223 @@ +--- +title: DynamicManagement CSP +description: DynamicManagement CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DynamicManagement CSP + +Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. + +This CSP was added in Windows 10, version 1703. + +The following diagram shows the DynamicManagement configuration service provider in tree format. + +![dynamicmanagement csp](images/provisioning-csp-dynamicmanagement.png) + +**DynamicManagement** +

The root node for the DynamicManagement configuration service provider.

+ +**NotificationsEnabled** +

Boolean value for sending notification to the user of a context change.

+

Default value is False. Supported operations are Get and Replace.

+

Example to turn on NotificationsEnabled:

+ +``` syntax + + 100 + + + ./Vendor/MSFT/DynamicManagement/NotificationsEnabled + + + text/plain + bool + + true + + +``` +**ActiveList** +

A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..

+

Supported operation is Get.

+ +**Contexts** +

Node for context information.

+

Supported operation is Get.

+ +***ContextID*** +

Node created by the server to define a context. Maximum amount of characters allowed is 38.

+

Supported operations are Add, Get, and Delete.

+ +**SignalDefinition** +

Signal Definition XML.

+

Value type is string. Supported operations are Add, Get, Delete, and Replace.

+ +**SettingsPack** +

Settings that get applied when the Context is active.

+

Value type is string. Supported operations are Add, Get, Delete, and Replace.

+ +**SettingsPackResponse** +

Response from applying a Settings Pack that contains information on each individual action..

+

Value type is string. Supported operation is Get.

+ +**ContextStatus** +

Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed..

+

Value type is integer. Supported operation is Get.

+ +**Altitude** +

A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities..

+

Value type is integer. Supported operations are Add, Get, Delete, and Replace.

+ +**AlertsEnabled** +

A Boolean value for sending an alert to the server when a context fails.

+

Supported operations are Get and Replace.

+ +## Examples + +Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 meters radius of the specified latitude/longitude + +``` syntax + + 200 + + + ./Vendor/MSFT/DynamicManagement/Contexts/Bldg109/SettingsPack + + + text/plain + chr + + <SyncML> + <SyncBody><Replace><CmdID>1001</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Experience/AllowCortana</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace><Final/></SyncBody></SyncML> + + + + 201 + + + ./Vendor/MSFT/DynamicManagement/Contexts/Bldg109/SignalDefinition + + + text/plain + chr + + + <rule schemaVersion="1.0"> + + <and> + <signal type="geoloc" latitude="47.6375" longitude="-122.1402" radiusInMeters="100"/> + <signal type="time"> + <daily startTime="09:00:00" endTime="17:00:00"/> + </signal> + </and> + </rule> + + + + + 202 + + + ./Vendor/MSFT/DynamicManagement/Contexts/Bldg109/Altitude + + + int + + 3 + + +``` + +Disable camera using network trigger with time trigger, from 9-5, when ip4 gateway is 192.168.0.1 + +``` syntax + + 300 + + + ./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/SettingsPack + + + text/plain + chr + + <SyncML> + <SyncBody><Replace><CmdID>1002</CmdID><Item><Target><LocURI>./Vendor/MSFT/Policy/Config/Camera/AllowCamera</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace> <Final/></SyncBody></SyncML> + + + + 301 + + + ./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /SignalDefinition + + + text/plain + chr + + + <rule schemaVersion="1.0"> + <and> + <signal type="ipConfig"> + <ipv4Gateway>192.168.0.1</ipv4Gateway> + </signal> + <signal type="time"> + <daily startTime="09:00:00" endTime="17:00:00"/> + </signal> + </and> + </rule> + + + + + 302 + + + ./Vendor/MSFT/DynamicManagement/Contexts/ NetworkWithTime /Altitude + + + int + + 10 + + +``` + +Delete a context + +``` syntax + + 400 + + + 
./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime + + + +``` + +Get ContextStatus and SignalDefinition from a specific context + +``` syntax + + 400 + + + ./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/ContextStatus + + + + + 401 + + + ./Vendor/MSFT/DynamicManagement/Contexts/NetworkWithTime/SignalDefinition + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/dynamicmanagement-ddf.md b/windows/client-management/mdm/dynamicmanagement-ddf.md new file mode 100644 index 0000000000..c1b15243de --- /dev/null +++ b/windows/client-management/mdm/dynamicmanagement-ddf.md 
@@ -0,0 +1,317 @@ +--- +title: DynamicManagement DDF file +description: DynamicManagement DDF file +ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# DynamicManagement DDF file + +This topic shows the OMA DM device description framework (DDF) for the **DynamicManagement** configuration service provider. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + DynamicManagement + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + + NotificationsEnabled + + + + + + False + A Boolean value that sets if the user is notified of a context change. + + + + + + + + + + + + + NotificationsEnabled + + text/plain + + + + + ActiveList + + + + + A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000. + + + + + + + + + + + + + ActiveList + + text/plain + + + + + Contexts + + + + + + + + + + + + + + + + + Contexts + + + + + + + + + + + + + Node created by the server to define a context. Maximum amount of characters allowed is 38. + + + + + + + + + + + + + ContextID + + + + + + SignalDefinition + + + + + + + + Signal Definition XML + + + + + + + + + + + + + SignalDefinition + + text/plain + + + + + SettingsPack + + + + + + + + Settings that get applied when the Context is active. + + + + + + + + + + + + + SettingsPack + + text/plain + + + + + SettingsPackResponse + + + + + Response from applying a Settings Pack, contains information on each individual action. 
+ + + + + + + + + + + + + SettingsPackResponse + + text/plain + + + + + ContextStatus + + + + + 0 + Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed. + + + + + + + + + + + + + ContextStatus + + text/plain + + + + + Altitude + + + + + + + + A value that determines how to handle resolution of applying multiple contexts on the device. Required, and must be distinct of other priorities. + + + + + + + + + + + + + Altitude + + text/plain + + + + + + + AlertsEnabled + + + + + + True + A Boolean value that sets if when a context fails, the CSP sends an alert to the Server + + + + + + + + + + + + + AlertsEnabled + + text/plain + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md new file mode 100644 index 0000000000..23d7112ba0 --- /dev/null +++ b/windows/client-management/mdm/eap-configuration.md 
@@ -0,0 +1,297 @@ +--- +title: EAP configuration +description: The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10. +ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EAP configuration + + +The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10. + +## Create an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile + + +Here is an easy way to get the EAP configuration from your desktop using the rasphone tool that is shipped in the box. + +1. Run rasphone.exe. + + ![vpnv2 rasphone](images/vpnv2-csp-rasphone.png) + +2. If you don't currently have any VPN connections and you see the following message, click **OK**. + + ![vpnv2 eap configuration](images/vpnv2-csp-networkconnections.png) + +3. Select **Workplace network** in the wizard. + + ![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection.png) + +4. Enter any dummy information for the internet address and connection name. These can be fake since it does not impact the authentication parameters. + + ![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection2.png) + +5. Create a fake VPN connection. In the UI shown below, click **Properties**. + + ![vpnv2 eap configuration](images/vpnv2-csp-choosenetworkconnection.png) + +6. In the **Test Properties** dialog, click the **Security** tab. + + ![vpnv2 eap configuration](images/vpnv2-csp-testproperties.png) + +7. In the **Security** tab, select **Use Extensible Authentication Protocol (EAP)** radio button. + + ![vpnv2 eap configuration](images/vpnv2-csp-testproperties2.png) + +8. 
From the drop down menu, select the EAP method that you want to configure. Then click **Properties** to configure as needed. + + ![vpnv2 eap configuration](images/vpnv2-csp-testproperties3.png)![vpnv2 eap configuration](images/vpnv2-csp-testproperties4.png) + +9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. + + ``` syntax + Get-VpnConnection -Name Test + ``` + + Here is an example output. + + ``` syntax + Name : Test + ServerAddress : 1.1.1.1 + AllUserConnection : False + Guid : {EC87F6C9-8823-416C-B92B-517D592E250F} + TunnelType : Automatic + AuthenticationMethod : {Eap} + EncryptionLevel : Optional + L2tpIPsecAuth : Certificate + UseWinlogonCredential : False + EapConfigXmlStream : #document + ConnectionStatus : Disconnected + RememberCredential : True + SplitTunneling : False + DnsSuffix : + IdleDisconnectSeconds : 0 + ``` + + ``` syntax + $a = Get-VpnConnection -Name Test + ``` + + ``` syntax + $a.EapConfigXmlStream.InnerXml + ``` + + Here is an example output + + ``` syntax + 1300013truefalsefalsetrue + true + ``` + + **Note**  You should check with MDM vendor if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations: + - C:\\Windows\\schemas\\EAPHost + - C:\\Windows\\schemas\\EAPMethods + +   + +## EAP certificate filtering + + +In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. + +Enterprises deploying certificate based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. 
This can lead to issues such as: + +- The user may be prompted to select the certificate. +- The wrong certificate may get auto selected and cause an authentication failure. + +A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication. + +EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: + +- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. +- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. + +For information about EAP Settings, see + +For information about generating an EAP XML, see EAP configuration + +For more information about extended key usage, see + +For information about adding extended key usage (EKU) to a certificate, see + +The following list describes the prerequisites for a certificate to be used with EAP: + +- The certificate must have at least one of the following EKU (Extended Key Usage) properties: + + - Client Authentication + - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2 + - Any Purpose + - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. 
The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering. + - All Purpose + - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. +- The user or the computer certificate on the client chains to a trusted root CA +- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. +- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. +- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. + +The following XML sample explains the properties for the EAP TLS XML including certificate filtering. + +> **Note**  For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. + +  + +``` syntax + + + 13 + + + 0 + 0 + 0 + + + + + + + 13 + + + + + true + + + + + + + false + + + false + false + false + + + + + + ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + + + + + + + + + + + ContostoITEKU + + 1.3.6.1.4.1.311.42.1.15 + + + + + + + + + ContostoITEKU + + + + + Example1 + + + true + + + + + + + + + + + +``` + +> **Note**  The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** + +  + +Alternately you can use the following procedure to create an EAP Configuration XML. + +1. Follow steps 1 through 7 in the EAP configuration topic. +2. 
In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) + + ![vpn self host properties window](images/certfiltering1.png) + + **Note**  For PEAP or TTLS, select the appropriate method and continue following this procedure. + +   + +3. Click the **Properties** button underneath the drop down menu. +4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. + + ![smart card or other certificate properties window](images/certfiltering2.png) + +5. In the **Configure Certificate Selection** menu, adjust the filters as needed. + + ![configure certificate window](images/certfiltering3.png) + +6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. +7. Close the rasphone dialog box. +8. Continue following the procedure in the EAP configuration topic from Step 9 to get an EAP TLS profile with appropriate filtering. + +> **Note**  You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic. + +  + +  + +  + + + + + + diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md new file mode 100644 index 0000000000..54fe0d1273 --- /dev/null +++ b/windows/client-management/mdm/email2-csp.md 
@@ -0,0 +1,339 @@ +--- +title: EMAIL2 CSP +description: EMAIL2 CSP +ms.assetid: bcfc9d98-bc2e-42c6-9b81-0b5bf65ce2b8 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EMAIL2 CSP + + +The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts. + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_MAIL capabilities to be accessed from a network configuration application. +On the desktop, only per user configuration is supported. + +  + +The following diagram shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. + +![email2 csp (dm,cp)](images/provisioning-csp-email2.png) + +In Windows 10 Mobile, after the user’s out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operator’s proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status. + +Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords. + +> [!IMPORTANT] +> All Add and Replace commands need to be wrapped in an Atomic section. + +**EMAIL2** +The configuration service provider root node. + +Supported operation is Get. + +***GUID*** +Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the device. 
Provisioning with an account that has the same GUID as an existing one does not create the new account and Add command will fail in this case. + +Supported operations are Get, Add, and Delete. + +The braces {} around the GUID are required in the EMAIL2 configuration service provider. + +- For OMA Client Provisioning, the braces can be sent literally. For example, ``. + +- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D` + +**ACCOUNTICON** +Optional. Returns the location of the icon associated with the account. + +Supported operations are Get, Add, Replace and Delete. + +The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings, email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired. + +**ACCOUNTTYPE** +Required. Specifies the type of account. + +Supported operations are Get, Add, Replace and Delete. + +Valid values are: + +- Email: normal email + +- VVM: visual voice mail + +**AUTHNAME** +Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name). + +Supported operations are Get, Add, Replace and Delete. + +**AUTHREQUIRED** +Optional. Character string that specifies whether the outgoing server requires authentication. + +Supported operations are Get, Add, Replace and Delete. + +Valid values are one of the following: + +- 0 - Server authentication is not required. +- 1 - Server authentication is required. + +> **Note**  If this value is not specified, then no SMTP authentication is done. 
Also, this is different from SMTPALTENABLED. + +  + +**AUTHSECRET** +Optional. Character string that specifies the user's password. The same password is used for SMTP authentication. + +Supported operations are Get, Add, Replace and Delete. + +**DOMAIN** +Optional. Character string that specifies the incoming server credentials domain. Limited to 255 characters. + +Supported operations are Get, Add, Replace and Delete. + +**DWNDAY** +Optional. Character string that specifies how many days' worth of email should be downloaded from the server. + +Supported operations are Get, Add, Replace and Delete. + +Valid values are one of the following: + +- -1: Specifies that all email currently on the server should be downloaded. + +- 7: Specifies that 7 days’ worth of email should be downloaded. + +- 14: Specifies that 14 days’ worth of email should be downloaded. + +- 30: Specifies that 30 days’ worth of email should be downloaded. + +**INSERVER** +Required. Character string that specifies the name of the incoming server name and port number. This is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is: + +- server name:port number + +Supported operations are Get, Add and Replace. + +**LINGER** +Optional. Character string that specifies the length of time between email send/receive updates in minutes. + +Supported operations are Get, Add, Replace and Delete. + +Valid values are: + +- 0 - Email updates must be performed manually. + +- 15 (default) - Wait for 15 minutes between updates. + +- 30 - Wait for 30 minutes between updates. + +- 60 - Wait for 60 minutes between updates. + +- 120 - Wait for 120 minutes between updates. + +**KEEPMAX** +Optional. Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts. 
+ +The limit is specified in KB + +Valid values are 0, 25, 50, 125, and 250. + +A value of 0 meaning that no limit will be enforced. + +Supported operations are Get, Add, Replace and Delete. + +**NAME** +Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the user’s name. Limited to 255 characters. + +Supported operations are Get, Add, Replace and Delete. + +**OUTSERVER** +Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is: + +- server name:port number + +Supported operations are Get, Add, Delete, and Replace. + +**REPLYADDR** +Required. Character string that specifies the reply email address of the user (usually the same as the user email address). Sending email will fail without it. Limited to 255 characters. + +Supported operations are Get, Add, Delete and Replace. + +**SERVICENAME** +Required. Character string that specifies the name of the email service to create or edit (32 characters maximum). + +Supported operations are Get, Add, Replace, and Delete. + +> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. + +  + +**SERVICETYPE** +Required. Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3"). + +Supported operations are Get, Add, Replace, and Delete. + +> **Note**   The EMAIL2 Configuration Service Provider does not support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. + +  + +**RETRIEVE** +Optional. 
Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated. + +Valid values are 512, 1024, 2048, 5120, 20480, and 51200. + +Supported operations are Get, Add, Replace, and Delete. + +**SERVERDELETEACTION** +Optional. Character string that specifies how message is deleted on server. Valid values: + +- 1 - delete message on the server +- 2 - keep the message on the server (delete to the Trash folder). + +Any other value results in default action, which depends on the transport. + +Supported operations are Get, Add, Replace, and Delete. + +**CELLULARONLY** +Optional. If this flag is set, the account only uses the cellular network and not Wi-Fi. + +Value type is string. Supported operations are Get, Add, Replace, and Delete. + +**SYNCINGCONTENTTYPES** +Required. Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). + +- No data (0x0) +- Contacts (0x1) +- Mail (0x2) +- Appointments (0x4) +- Tasks (0x8) +- Notes (0x10) +- Feeds (0x60) +- Network Photo (0x180) +- Group and room (0x200) +- Chat (0x400) +- Email Recipient Email (0x800) +- Server Link (0x1000) +- All items (0xffffffff) + +Supported operations are Get, Add, Replace, and Delete. + +**CONTACTSSERVER** +Optional. Server for contact sync if it is different from the email server. + +Supported operations are Get, Add, Replace, and Delete. + +**CALENDARSERVER** +Optional. Server for calendar sync if it is different from the email server. + +Supported operations are Get, Add, Replace, and Delete. + +**CONTACTSSERVERREQUIRESSL** +Optional. Indicates if the connection to the contact server requires SSL. + +Supported operations are Get, Add, Replace, and Delete. + +**CALENDARSERVERREQUIRESSL** +Optional. Indicates if the connection to the calendar server requires SSL. + +Supported operations are Get, Add, Replace, and Delete. + +**CONTACTSSYNCSCHEDULE** +Optional. 
Sets the schedule for syncing contact items. + +Supported operations are Get, Add, Replace, and Delete. + +**CALENDARSYNCSCHEDULE** +Optional. Sets the schedule for syncing calendar items. + +Supported operations are Get, Add, Replace, and Delete. + +**SMTPALTAUTHNAME** +Optional. Character string that specifies the display name associated with the user's alternative SMTP email account. + +Supported operations are Get, Add, Replace and Delete. + +**SMTPALTDOMAIN** +Optional. Character string that specifies the domain name for the user's alternative SMTP account. + +Supported operations are Get, Add, Replace and Delete. + +**SMTPALTENABLED** +Optional. Character string that specifies if the user's alternate SMTP account is enabled. + +Supported operations are Get, Add, Replace and Delete. + +A value of "FALSE" specifies that the user's alternate SMTP email account is disabled. A value of "TRUE" specifies that the user's alternate SMTP email account is enabled. + +**SMTPALTPASSWORD** +Optional. Character string that specifies the password for the user's alternate SMTP account. + +Supported operations are Get, Add, Replace and Delete. + +**TAGPROPS** +Optional. Defines a group of properties with non-standard element names. + +Supported operations are Get, Add, Replace and Delete. + +**TAGPROPS/8128000B** +Optional. Character string that specifies if the incoming email server requires SSL. + +Supported operations are Get, Add, Replace and Delete. + +Value is one of the following: + +- 0 - SSL is not required. +- 1 - SSL is required. + +**TAGPROPS/812C000B** +Optional. Character string that specifies if the outgoing email server requires SSL. + +Supported operations are Get and Replace. + +Value is one of the following: + +- 0 - SSL is not required. +- 1 - SSL is required. + +## Remarks + + +When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. 
When a MAPI application is removed, the accounts that were created with it are deleted and all messages and other properties that the transport (for example, Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored). + +For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it is left out in the <LocURI></LocURI> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials: + +- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set. + +- If some but not all of the outgoing server credentials parameters are present then the EMAIL2 Configuration Service Provider will be considered in error. + +- Account details cannot be queried unless the account GUID is known. Currently, there is no way to perform a top-level query for account GUIDs. + +Windows 10 Mobile supports Transport Layer Security (TLS), but this cannot be explicitly enabled through this configuration service provider, and the user cannot enable TLS through the UI. If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS. + +1. The device attempts to connect to the mail server using SSL. + +2. If the SSL connection fails, the device attempts to connect using deferred SSL. + +3. 
If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device does not attempt another connection. + +4. If the user did not select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection. + +5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities. + +6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, the device enables TLS. TLS is not enabled on connections using SSL or non-SSL. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/email2-ddf-file.md b/windows/client-management/mdm/email2-ddf-file.md new file mode 100644 index 0000000000..58614e459a --- /dev/null +++ b/windows/client-management/mdm/email2-ddf-file.md 
@@ -0,0 +1,881 @@ +--- +title: EMAIL2 DDF file +description: EMAIL2 DDF file +ms.assetid: 7e266db0-2fd9-4412-b428-4550f41a1738 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EMAIL2 DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **EMAIL2** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + EMAIL2 + ./Vendor/MSFT + + + + + Root characteristic + + + + + + + + + + + com.microsoft/1.0/MDM/EMAIL2 + + + + + + + + + + + + This is unique and identifies a particular account. Also, we can only have 6 additional email accounts. So, depending on how many are already there on the device, we can have from 1 to 6. + + + + + 1 + + + + + Account GUID + + + + + + ACCOUNTICON + + + + + + + + The location of the icon associated with the account. + + + + + + + + + + + text/plain + + + + + ACCOUNTTYPE + + + + + + + + Specifies the type of account. Valid values are: Email - normal email, VVM - visual voice mail + + + + + + + + + + + text/plain + + + + + AUTHNAME + + + + + + + + User Name for Incoming server. Limited to 255 chars. + + + + + + + + + + + text/plain + + + + + AUTHREQUIRED + + + + + + + + This will specify whether the outgoing server requires authentication. + 1 for TRUE + 0 for FALSE(default). + Note: If this is not specified then SMTP authentication will not be done. Also, this is different from the SMTPALTENABLED. 
That is to specify different set of credentials for SMTP. + + + + + + + + + + + + text/plain + + + + + AUTHSECRET + + + + + + + + Password. Limited to 255 chars. + + + + + + + + + + + text/plain + + + + + DOMAIN + + + + + + + + Incoming server credentials domain. Limited to 255 chars. + + + + + + + + + + + text/plain + + + + + DWNDAY + + + + + + + + Specifies how many days of email to download. (number of days worth going back into the past) + + + + + + + + + + + text/plain + + + + + INSERVER + + + + + + + + The incoming server name and port number. Limited to 62 chars. If the standard port number is used, the port number isn't necessary to be specified in this node. The value format is: + Server name:port number + + + + + + + + + + + + text/plain + + + + + LINGER + + + + + + + + Specifies how frequently Messaging performs scheduled send/receives. (Specified as the length of time in minutes, between updates.) + + + + + + + + + + + text/plain + + + + + KEEPMAX + + + + + + + + Specifies the maximum size for a message's attachment. (Attachments beyond this size will not be downloaded but will remain on the server. The message itself will be downloaded). This value can be set only for IMAP4 accounts. The limit is specified in KB, with a value of 0 meaning that no limit will be enforced. + + + + + + + + + + + text/plain + + + + + NAME + + + + + + + + User Display Name. Limited to 255 chars + + + + + + + + + + + text/plain + + + + + OUTSERVER + + + + + + + + The outcoming server name and port number. Limited to 62 chars. The value format is: + Server name:port number + If the standard port number is used, the port number isn't necessary to be specified in this node. + + + + + + + + + + + + text/plain + + + + + REPLYADDR + + + + + + + + SMTP reply address of the user. Limited to 255 chars. + + + + + + + + + + + text/plain + + + + + SERVICENAME + + + + + + + + This is the account name. It's limited to 32 characters. 
+ + + + + + + + + + + text/plain + + + + + SERVICETYPE + + + + + + + + This is the type of account. Valid values are POP3/IMAP4. + + + + + + + + + + + text/plain + + + + + RETRIEVE + + + + + + + + Specifies the maximum size(in bytes) for messages retrieved from the incoming email server. Messages beyond this size will still be retrieved, but will be truncated. + + + + + + + + + + + text/plain + + + + + SERVERDELETEACTION + + + + + + + + Specifies how message is deleted on server. + 1 for delete message on server, + 2 for keep the message on server (delete to Trash folder), + any other value default action is used, which depends on the transport. + + + + + + + + + + + + text/plain + + + + + CELLULARONLY + + + + + + + + If this flag is set, the account uses cellular network only and not Wi-Fi. + + + + + + + + + + + text/plain + + + + + SYNCINGCONTENTTYPES + + + + + + + + Specifies a bitmask for which content types are supported for syncing (eg: Mail, Contacts, Calendar). No data (0x0), Contacts (0x1), Mail (0x2), Appointments (0x4), Tasks (0x8), Notes (0x10), Feeds (0x60), Network Photo (0x180), Group and room (0x200), Chat (0x400), Email Recipient Email (0x800), Server Link (0x1000), All items (0xffffffff). + + + + + + + + + + + text/plain + + + + + CONTACTSSERVER + + + + + + + + Server for contact sync if it is different from the email server. + + + + + + + + + + + text/plain + + + + + CALENDARSERVER + + + + + + + + Server for calendar sync if it is different from the email server. + + + + + + + + + + + text/plain + + + + + CONTACTSSERVERREQUIRESSL + + + + + + + + Defines if the connection to the contact server requires SSL. + + + + + + + + + + + text/plain + + + + + CALENDARSERVERREQUIRESSL + + + + + + + + Defines if the connection to the calendar server requires SSL. + + + + + + + + + + + text/plain + + + + + CONTACTSSYNCSCHEDULE + + + + + + + + Sets the schedule for syncing contact items. 
+ + + + + + + + + + + text/plain + + + + + CALENDARSYNCSCHEDULE + + + + + + + + Sets the schedule for syncing calendar items. + + + + + + + + + + + text/plain + + + + + SMTPALTAUTHNAME + + + + + + + + If SMTPALTENABLED is true, then this will have the alternate User Name for SMTP. 255 chars. + + + + + + + + + + + text/plain + + + + + SMTPALTDOMAIN + + + + + + + + If SMTPALTENABLED is true, then this will have the alternate domain for SMTP. 255 chars. + + + + + + + + + + + text/plain + + + + + SMTPALTENABLED + + + + + + + + This is a bool value that specifies if we have separate SMTP credentials. +1 for true +0 for false (default) + + + + + + + + + + + text/plain + + + + + SMTPALTPASSWORD + + + + + + + + If SMTPALTENABLED is true, then this will have the alternate password for SMTP. 255 chars. + + + + + + + + + + + text/plain + + + + + TAGPROPS + + + + + + + + Specifies that stated parameter element name attributes is nonstandard tag properties. + + + + + + + + + + + + + + + 8128000B + + + + + + + + Specify whether incoming server requires SSL connection. +1- Require SSL connection +0- Doesn't require SSL connection (default) + + + + + + + + + + + text/plain + + + + + 812C000B + + + + + + + + Specify whether outgoing server requires SSL connection. +1- Require SSL connection +0- Doesn't require SSL connection (default) + + + + + + + + + + + text/plain + + + + + + + +``` + +## Related topics + + +[EMAIL2 configuration service provider](email2-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md new file mode 100644 index 0000000000..6fc5284a64 --- /dev/null +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md 
@@ -0,0 +1,527 @@ +--- +title: Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices +description: Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. +ms.assetid: ED3DAF80-847C-462B-BDB1-486577906772 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices + + +Like any Windows devices, Windows 10 Mobile devices use Microsoft Update by default to download updates over the Internet. However, in some enterprise environments, devices may not be able to access the Internet to retrieve their updates. Because of network restrictions or other enterprise policies, devices must download their updates from an internal location. This document describes how to enable offline updates using System Center Configuration Manager. + +Here is a table of update path to Windows 10 Mobile. + + ++++ + + + + + + + + + + + + + + + + + + + + +
Starting SKUUpgrade to Windows 10 Mobile

Windows Mobile 6.5

No

Windows Phone 8

No

Windows Phone 8.1

Yes

+ +  +To configure the MDM service provider and enable the mobile devices to download updates from a predefined internal location, an IT administrator or device administrator must perform a series of manual and automated steps. + +Here is the outline of the process: + +1. Prepare a test device that can connect to the Internet to download the released update packages. +2. After the updates are downloaded and before pressing the install button, retrieve an XML file on the device that contains all the metadata about each update package. +3. Check the status code in the XML file. +4. Check for registry dependencies. +5. Using a script that we provide, parse the XML file to extract download URLs for the update packages. +6. Download the update packages using the download URLs. +7. Place the downloaded packages on an internal share that is accessible to devices you are updating. +8. Create two additional XML files that define the specific updates to download and the specific locations from which to download the updates, and deploy them onto the production device. +9. Start the update process from the devices. + +As a part of the update process, Windows will run data migrators to bring forward configured settings and data on the device. For instance, if the device was configured with a maintenance time or other update policy in Windows Embedded 8.1 Handheld, these settings will automatically get migrated to Windows 10 as part of the update process. If the Handheld device was configured for assigned access lockdown, then this configuration will also get migrated to Windows 10 as part of the update process. This includes ProductId & AumId conversion for all internal apps (including buttonremapping apps). 
+ +Note that the migrators do not take care of the following: + +- 3rd party apps provided by OEMs +- deprecated 1st party apps, such as Bing News +- deprecated system/application settings, such as Microsoft.Game, Microsoft.IE + +In the event of an Enterprise Reset, these migrated settings are automatically persisted. + +Down the road, after the upgrade to Windows 10 is complete, if you decide to push down a new wehlockdown.xml, you would need to take the following steps to ensure that the updated settings are persisted through an Enterprise Reset: + +1. Delete the TPK\*ppkg and push down a new ppkg with your new configuration to the persistent folder. +2. Push down a new ppkg with your new configuration with higher priority. Note that in ICD, Owner=Microsoft, Rank=0 is the lowest priority; and vise versa. With this step, the old assigned access lockdown configuration will be overwritten. + +**Requirements:** + +- The test device must be same as the other production devices that are receiving the updates. +- Your test device must be enrolled with System Center Configuration Manager. +- Your device can connect to the Internet. +- Your device must have an SD card with at least 0.5 GB of free space. +- Ensure that the settings app and PhoneUpdate applet are available via Assigned Access. + +The following diagram is a high-level overview of the process. + +![update process for windows embedded 8.1 devices](images/windowsembedded-update.png) + +## Step 1: Prepare a test device to download updates from Microsoft Update + + +Define the baseline update set that will be applied to other devices. Use a device that is running the most recent image as the test device. + +Trigger the device to check for updates either manually or using System Center Configuration Manager. + +**Manually** + +1. From the device, go to **Settings** > **Phone updates** > **Check for updates**. +2. Sync the device. Go to **Settings** > **Workplace** > **Enrolled** and click the refresh icon. 
Repeat as needed. +3. Follow the prompts to download the updates, but do not press the install button. + +> **Note**  There is a bug in all OS versions up to GDR2 where the CSP will not set the assigned value. There is no way to change or set this until GDR2 is deployed onto the device. + + +**Using System Center Configuration Manager** + +1. Remotely trigger a scan of the test device by deploying a Trigger Scan Configuration Baseline. + + ![device scan using sccm](images/windowsembedded-update2.png) + +2. Set the value of this OMA-URI by browsing to the settings of this Configuration Item and selecting the newly created Trigger Scan settings from the previous step. + + ![device scan using sccm](images/windowsembedded-update3.png) + +3. Ensure that the value that is specified for this URI is greater than the value on the device(s) and that the Remediate noncompliant rules when supported option is checked. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value. + + ![device scan using sccm](images/windowsembedded-update4.png) + +4. Create a Configuration Baseline for TriggerScan and Deploy. It is recommended that this Configuration Baseline be deployed after the Controlled Updates Baseline has been applied to the device (the corresponding files are deployed on the device through a device sync session). +5. Follow the prompts for downloading the updates, but do not install the updates on the device. + + +## Step 2: Retrieve the device update report XML from the device + +After updates are downloaded (but not installed on the device), the process generates an XML file that contains information about the packages it downloaded. You must retrieve this XML file. + +There are two ways to retrieve this file from the device; one pre-GDR1 and one post-GDR1. + +**Pre-GDR1: Parse a compliance log from the device in ConfigMgr** + +1. 
Create a Configuration Item using ConfigMgr to look at the registry entry ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/ApprovedUpdatesXml. + + > **Note**  In System Center Configuration Manager, you may see an error about exceeding the file limit when using ApprovedUpdatesXml. However, the process still completes even if the file is large. + + If the XML file is greater than 32K you can also use ./Vendor/MSFT/FileSystem/<*filename*>. +2. Set a baseline for this Configuration Item with a “dummy” value (such as zzz), and ensure that you do not remediate it. + + The dummy value is not be set; it is only used for comparison. +3. After the report XML is sent to the device, System Center Configuration Manager displays a compliance log that contains the report information. The log can contain significant amount of data. +4. Parse this log for the report XML content. + +For a step-by-step walkthrough, see [How to retrieve a device update report using System Center Configuration Manager logs](#how-to-retrieve-a-device-update-report-using-system-center-configuration-manager-logs). + +**Post-GDR1: Retrieve the report xml file using an SD card** + +1. Create a Configuration Item using ConfigMgr to set a registry value for ./Vendor/MSFT/EnterpriseExt/DeviceUpdate/CopyUpdateReportToSDCard. +2. The value that you define for this Configuration Item is defined by the relative path to the SD card which includes the filename of the XML file (such as SDCardRoot\\Update\\DUReport.xml). +3. Remove the SD card from device and copy the XML file to your PC. + +## Step 3: Check the status code in the XML file +Make sure that the status code is set to 0000-0000 (success). + +## Step 4: Check for registry dependencies +Remove any registry dependencies in the XML file. + +## Step 5: Extract download URLs from the report XML + +Use the [example PowerShell script](#example-powershell-script) to extract the download URLs from the XML file or parse it manually. 
+ +## Step 6: Retrieve update packages using download URLs + +Use a script or manually download each update package to a PC or an internal share. + +## Step 7: Place the update packages on an accessible share + +Put all the update packages into an internal share that is accessible to all the devices that need these updates. Ensure that the internal share can support multiple devices trying to access the updates at the same time. + +## Step 8: Create two XML files for production devices to select updates and download locations + +Here are the two files. + + ++++ + + + + + + + + + + + + + + + + +
TermDescription

DUControlledUpdates.xml

This is the same file as the report XML retrieved in Step 2 with a different name. This file tells the device the specific update packages to download. See Appendix for example

+

DUCustomContentUris.xml

This file maps the update packages in DUControlledUpdates.xml to the internal share location.

+ +  + +For a walkthrough of these steps, [How to deploy controlled updates](#how-to-deploy-controlled-updates). Ensure that the trigger scan configuration baseline HAS NOT been deployed. + + +### How to deploy controlled updates + +This process has three parts: + +- Create a configuration item for DUControlledUpdates.xml +- Create a configuration item for DUCustomContentURIs.xml +- Create a configuration item for approved updates. + + +**Create a configuration item for DUControlledUpdates.xml** + +1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then click **Select**. + + ![embedded device update](images/windowsembedded-update18.png) + +2. Browse to the DUControlledUpdates.xml that was created from the test device and specify that file path and name on the device as `NonPersistent\DUControlledUpdates.xml`. + + ![embedded device update](images/windowsembedded-update19.png) + +3. Check the box **Remediate noncompliant settings**. +4. Click **OK**. + + +**Create a configuration item for DUCustomContentURIs.xml** + +1. Create a configuration item and specify that file path and name on the device as `NonPersistent\DUCustomContentURIs.xml` +2. Check the box **Remediate noncompliant settings**. + + ![embedded device upate](images/windowsembedded-update21.png) + +3. Click **OK**. + + +**Create a configuration baseline for approved updates** + +1. Create a configuration baseline item and give it a name (such as ControlledUpdates). +2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then click **OK**. + + ![embedded device upate](images/windowsembedded-update22.png) + +3. Deploy the configuration baseline to the appropriate device or device collection. + + ![embedded device upate](images/windowsembedded-update23.png) + +4. Click **OK**. 
+
+## Step 7: Trigger the other devices to scan, download, and install updates
+
+Now that the other "production" or "in-store" devices have the necessary information to download updates from an internal share, the devices are ready for updates.
+
+### Use this process for unmanaged devices
+
+If the update policy of the device is not managed or restricted by System Center Configuration Manager, an update process can be initiated on the device in one of the following ways:
+
+- Initiated by a periodic scan that the device automatically performs.
+- Initiated manually through **Settings** -> **Phone Update** -> **Check for Updates**.
+
+### Use this process for managed devices
+
+If the update policy of the device is managed or restricted by MDM, an update process can be initiated on the device in one of the following ways:
+
+- Trigger the device to scan for updates through System Center Configuration Manager.
+
+ Ensure that the trigger scan has successfully executed, and then remove the trigger scan configuration baseline.
+
+ > **Note**  Ensure that the PhoneUpdateRestriction Policy is set to a value of 0, to ensure that the device will not perform an automatic scan.
+
+
+- Trigger the device to scan as part of a Maintenance Window defined by the IT Admin in System Center Configuration Manager.
+
+After the installation of updates is completed, the IT Admin can use the DUReport generated in the production devices to determine if the device successfully installed the list of updates. If the device did not, error codes are provided in the DUReport.xml. To retrieve the device update report from a device, perform the same steps defined in [Step 2](#step2).
+ + +## Example PowerShell script + +``` syntax +param ( +# [Parameter (Mandatory=$true, HelpMessage="Input File")] + [String]$inputFile, + +# [Parameter (Mandatory=$true, HelpMessage="Download Cache Location")] + [String]$downloadCache, + +# [Parameter (Mandatory=$true, HelpMessage="Local Cache URL")] + [String]$localCacheURL + ) + +#DownloadFiles Function +function DownloadFiles($inputFile, $downloadCache, $localCacheURL) +{ + $customContentURIFileCreationError = "Not able to create Custom Content URI File" +#Read the Input File + $report = [xml](Get-Content $inputFile) + +# this is where the document will be saved + $customContentURLFile = "$downloadCache\DUCustomContentUris.xml" + New-Item -Path $customContentURLFile -ItemType File -force -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null + if ($NewItemError -ne "") + { + PrintMessageAndExit $customContentURIFileCreationError + } + +# get an XMLTextWriter to create the XML + $XmlWriter = New-Object System.XMl.XmlTextWriter($customContentURLFile,$Null) + +# choose a pretty formatting: + $xmlWriter.Formatting = 'Indented' + $xmlWriter.Indentation = 1 + $XmlWriter.IndentChar = "`t" + +# write the header + $xmlWriter.WriteStartDocument() + $xmlWriter.WriteStartElement('CustomContentUrls') + foreach ($update in $report.UpdateData.coreUpdateMetadata.updateSet.update) + { + if (!$update.destinationFilePath -or !$update.contentUrl) + { + continue; + } + + $destFilePath = $update.destinationFilePath.Trim(); + $contentUrl = $update.contentUrl.Trim(); + + Write-Host "Pre-Processing Line: $destFilePath#$contentUrl" + if (($destFilePath -ne "") -and ($destFilePath.Contains("\")) -and ($contentUrl -ne "") -and ($contentUrl.Contains("/")) ) + { + $isBundle = $update.isBundle + $revisionId = $update.revisionId + $updateId = $update.updateId + $revisionNum = $update.revisionNum + + $fileName = $destFilePath.Substring($destFilePath.LastIndexOf("\") + 1); +#Write-Host "Processing Line: $destFilePath#$contentUrl" + 
if ($fileName -ne "") + { + $destination = $downloadCache + "\" + $fileName; + Try + { + $wc = New-Object System.Net.WebClient + $wc.DownloadFile($contentUrl, $destination) + Write-Host "Successfull Download: $contentUrl#$destination"; + + $XmlWriter.WriteStartElement('contentUrl') + $XmlWriter.WriteAttributeString('isBundle', $isBundle) + $XmlWriter.WriteAttributeString('revisionId', $revisionId) + $XmlWriter.WriteAttributeString('updateId', $updateId) + $XmlWriter.WriteAttributeString('revisionNum', $revisionNum) + $XmlWriter.WriteRaw($localCacheURL + $fileName) + $xmlWriter.WriteEndElement() + } + Catch [ArgumentNullException] + { + Write-Host "Content URL is null"; + } + Catch [WebException] + { + Write-Host "Invalid Content URL: $contentUrl"; + } + Catch + { + Write-Host "Exception in Download: $contentUrl"; + } + } + else + { + Write-Host "Ignored Input Line: $contentUrl" + } + } + else + { + Write-Host "Ignored Input Line: $contentUrl" + } + } + +# close the "CustomContentUrls" node + $xmlWriter.WriteEndElement() + +# finalize the document + $xmlWriter.WriteEndDocument() + $xmlWriter.Flush() + $xmlWriter.Close() + + Write-Host "Successfully Created Custom Content URL File: $customContentURLFile" +} + +#PrintMessage Function +function PrintMessageAndExit($ErrorMessage) +{ + Write-Host $ErrorMessage + exit 1 +} + +#PrintMessage Function +function PrintUsageAndExit() +{ + Write-Host "Usage: Download.ps1 -inputFile -downloadCache -localCacheURL " + exit 1 +} + +if (($inputFile -eq "") -or ($downloadCache -eq "") -or ($localCacheURL -eq "")) +{ + PrintUsageAndExit +} +if (!$localCacheURL.EndsWith("/")) +{ + $localCacheURL = $localCacheURL + "/"; +} +$inputFileErrorString = "Input File does not exist"; +$downloadCacheErrorString = "Download Cache does not exist"; +$downloadCacheAddError = "Access Denied in creating the Download Cache Folder"; +$downloadCacheRemoveError = "Not able to delete files from Download Cache" +$downloadCacheClearWarningString = "Download 
Cache not empty. Do you want to Clear";
+
+#Check if Input File Exist
+$inputFileExists = Test-Path $inputFile;
+if(!$inputFileExists)
+{
+ PrintMessageAndExit($inputFileErrorString)
+}
+
+#Check if Download Cache Exist
+$downloadCacheExists = Test-Path $downloadCache;
+if(!$downloadCacheExists)
+{
+ PrintMessageAndExit($downloadCacheErrorString)
+}
+
+$downloadCacheFileCount = (Get-ChildItem $downloadCache).Length;
+if ($downloadCacheFileCount -ne 0)
+{
+#Clear the directory
+ Remove-Item $downloadCache -Recurse -Force -Confirm -ErrorVariable RemoveItemError -ErrorAction SilentlyContinue > $null
+ if ($RemoveItemError -ne "")
+ {
+ PrintMessageAndExit $downloadCacheRemoveError
+ }
+
+ $childItem = Get-ChildItem $downloadCache -ErrorAction SilentlyContinue > $null
+ $downloadCacheFileCount = ($childItem).Length;
+ if ($downloadCacheFileCount -ne 0)
+ {
+ PrintMessageAndExit $downloadCacheRemoveError
+ }
+
+#Create a new directory
+ New-Item -Path $downloadCache -ItemType Directory -ErrorAction SilentlyContinue -ErrorVariable NewItemError > $null
+ if ($NewItemError -ne "")
+ {
+ PrintMessageAndExit $downloadCacheAddError
+ }
+}
+
+DownloadFiles $inputFile $downloadCache $localCacheURL
+```
+
+
+## How to retrieve a device update report using System Center Configuration Manager logs
+
+Use this procedure for pre-GDR1 devices.
+
+**For pre-GDR1 devices**
+
+1. Trigger a device scan. Go to **Settings** -> **Phone Update** -> **Check for Updates**.
+
+ Since the DUReport settings have not been remedied, you should see a non-compliance.
+2. In System Center Configuration Manager under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Items**.
+3. Select **Create Configuration Item**.
+
+ ![device update using sccm](images/windowsembedded-update5.png)
+4. Enter a filename (such as GetDUReport) and then choose **Mobile Device**.
+5. 
In the **Mobile Device Settings** page, check the box **Configure Additional Settings that are not in the default settings group**, and the click **Next**.
+
+ ![device update using sccm](images/windowsembedded-update6.png)
+6. In the **Additional Settings** page, click **Add**.
+
+ ![device update using sccm](images/windowsembedded-update7.png)
+7. In the **Browse Settings** page, click **Create Setting**.
+
+ ![device update](images/windowsembedded-update8.png)
+8. Enter a unique **Name**. For the **Setting type**, select **OMA-URI** and for the **Data type**, select **String**.
+9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, the click **OK**.
+
+ ![handheld device update](images/windowsembedded-update9.png)
+10. In the **Browse Settings** page, click **Close**.
+11. In the **Create Configuration Item Wizard** page, check **All Windows Embedded 8.1 Handheld** as the supported platform, and then click **Next**.
+
+ ![embedded device update](images/windowsembedded-update10.png)
+12. Close the **Create Configuration Item Wizard** page.
+13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
+14. Click the new created mobile device setting (such as DUReport) and then click **Select**.
+15. Enter a dummy value (such as zzz) that is different from the one on the device.
+
+ ![embedded device update](images/windowsembedded-update11.png)
+16. Disable remediation by unchecking the **Remediate noncompliant rules when supported** option.
+17. Click **OK** to close the Edit Rule page.
+18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click on **Configuration Baselines**.
+19. Select **Create Configuration Item**.
+
+ ![embedded device update](images/windowsembedded-update12.png)
+20. Enter a baseline name (such as RetrieveDUReport).
+21. Add the configuration item that you just created. 
Select **Add** and then select the configuration item that you just created (such as DUReport). + + ![embedded device update](images/windowsembedded-update13.png) +22. Click **OK**, then click **OK** again to complete the configuration baseline. +23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created and the select **Deploy**. + + ![embedded device update](images/windowsembedded-update14.png) +24. Check the check box **Remediate noncompliant rules when supported**. +25. Select the appropriate device collection and define the schedule. + + ![device update](images/windowsembedded-update15.png) +26. To view the DUReport content, select the appropriate deployment for the configuration saseline that you created. Right-click on the deployment and select **View Status**. +27. Click **Run Summarization** and then click **Refresh**. On the Non-Compliant tab, the test device(s) should be listed. +28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**. + + ![device update](images/windowsembedded-update16.png) +29. In the Non-compliant tab, you will see the DUReport, but you cannot retrieve the content from here. + + ![device update](images/windowsembedded-update17.png) +30. To retrieve the DUReport, open an Explorer windows to C:\\Program Files\\SMS\_CCM\\SMS\_DM.log. +31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz" where zzz is the dummy value. Just above this copy the information for UpdateData and use this information to create the DUControlledUpdates.xml. + +  + + + + + diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md new file mode 100644 index 0000000000..d6b71a088d --- /dev/null +++ b/windows/client-management/mdm/enterprise-app-management.md 
@@ -0,0 +1,905 @@ +--- +title: Enterprise app management +description: This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. +ms.assetid: 225DEE61-C3E3-4F75-BC79-5068759DFE99 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Enterprise app management + +This topic covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows. It is the ability to manage both Store and non-Store apps as part of the native MDM capabilities. New in Windows 10 is the ability to take inventory of all your apps. + +## Application management goals + +Windows 10 offers the ability for management servers to: + +- Install apps directly from the Windows Store for Business +- Deploy offline Store apps and licenses +- Deploy line-of-business (LOB) apps (non-Store apps) +- Inventory all apps for a user (Store and non-Store apps) +- Inventory all apps for a device (Store and non-Store apps) +- Uninstall all apps for a user (Store and non-Store apps) +- Provision apps so they are installed for all users of a device running Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) +- Remove the provisioned app on the device running Windows 10 for desktop editions + +## Inventory your apps + +Windows 10 lets you inventory all apps deployed to a user and all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and does not include traditional Win32 apps installed via MSI or executables. When the apps are inventoried they are separated based on the following app classifications: + +- Store - Apps that are from the Windows Store. 
Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business +- nonStore - Apps that were not acquired from the Windows Store. +- System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried. + +These classifications are represented as nodes in the EnterpriseModernAppManagement CSP. + +The following diagram shows the EnterpriseModernAppManagement CSP in a tree format. + +![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) + +Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System). + +Inventory can be performed recursively at any level from the AppManagement node through the package full name. Inventory can also be performed only for a specific inventory attribute. + +Inventory is specific to the package full name and lists bundled packs and resources packs as applicable under the package family name. + +> **Note**  On Windows 10 Mobile, XAP packages have the product ID in place of both the package family name and package full name. + +  +Here are the nodes for each package full name: + +- Name +- Version +- Publisher +- Architecture +- InstallLocation +- IsFramework +- IsBundle +- InstallDate +- ResourceID +- RequiresReinstall +- PackageStatus +- Users +- IsProvisioned + +For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). + +### App inventory + +You can use the EnterpriseModernAppManagement CSP to query for all apps installed for a user or device. The query returns all apps regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device. 
+ +Note that performing a full inventory of a device can be resource intensive on the client based on the hardware and number of apps that are installed. The data returned can also be very large. You may want to chunk these requests to reduce the impact to clients and network traffic. + +Here is an example of a query for all apps on the device. + +``` syntax + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement?list=StructData + + + +``` + +Here is an example of a query for a specific app for a user. + +``` syntax + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}?list=StructData + + + +``` + +### Store license inventory + +You can use the EnterpriseModernAppManagement CSP to query for all app licenses installed for a user or device. The query returns all app licenses regardless if they were installed via MDM or other methods. Inventory can be performed at the user or device level. Inventory at the device level will return information for all users on the device. + +Here are the nodes for each license ID: + +- LicenseCategory +- LicenseUsage +- RequestedID + +For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). + +> **Note**  The LicenseID in the CSP is the content ID for the license. + + +Here is an example of a query for all app licenses on a device. + +``` syntax + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses?list=StructData + + + +``` + +Here is an example of a query for all app licenses for a user. + +``` syntax + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id}?list=StructData + + + +``` + +## Enable the device to install non-Store apps + +There are two basic types of apps you can deploy: Store apps and enterprise signed apps. To deploy enterprise signed apps, you must enable a setting on the device to allow trusted apps. 
The apps can be signed by a Microsoft approved root (such as Symantec), an enterprise deployed root or apps that are self-signed. This section covers the steps to configure the device for non-store app deployment. + +### Unlock the device for non-Store apps + +To deploy app that are not from the Windows Store, you must configure the ApplicationManagement/AllowAllTrustedApps policy. This policy allows the installation of non-Store apps on the device provided that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. For more information about deploying user license, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). + +The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device or a root certificate in the Trusted Root of the device. The policy is not configured by default, which means only apps from the Windows Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device. + +For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md). + +Here are some examples. + +``` syntax + + + 1 + + + ./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowAllTrustedApps?list=StructData + + + + + + 2 + + + ./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps + + + int + text/plain + + 1 + + +``` + +### Unlock the device for developer mode + +Development of apps on Windows 10 no longer requires a special license. You can enable debugging and deployment of non-packaged apps using ApplicationManagement/AllowDeveloperUnlock policy in Policy CSP. + +AllowDeveloperUnlock policy enables the development mode on the device. 
The AllowDeveloperUnlock is not configured by default, which means only Windows Store apps can be installed. If the management server explicitly sets the value to off, the setting is disabled in the settings panel on the device. + +Deployment of apps to Windows 10 for desktop editions requires that there is a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device. Deployment to Windows 10 Mobile does not validate whether the non-Store apps have a valid root of trust on the device. + +For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md). + +Here is an example. + +``` syntax + + + 1 + + + ./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowDeveloperUnlock?list=StructData + + + + + + 2 + + + ./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock + + + int + text/plain + + 1 + + +``` + +## Install your apps + +You can install apps to a specific user or to all users of a device. Apps are installed directly from the Windows Store or in some cases from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps. + +### Deploy apps to user from the Store + +To deploy an app to a user directly from the Windows Store, the management server performs an Add and Exec commands on the AppInstallation node of the EnterpriseModernAppManagement CSP. This is only supported in the user context and not supported in the device context. + +If you purchased an app from the Store for Business and the app is specified for an online license, the app and license must be acquired directly from the Windows Store. 
+ +Here are the requirements for this scenario: + +- The app is assigned to a user Azure Active Directory (AAD) identity in the Store for Business. You can do this directly in the Store for Business or through a management server. +- The device requires connectivity to the Windows Store. +- Windows Store services must be enabled on the device. Note that the UI for the Windows Store can be disabled by the enterprise admin. +- The user must be signed in with their AAD identity. + +Here are some examples. + +``` syntax + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/StoreInstall + + + xml + + + + +``` + +Here are the changes from the previous release: + +1. The "{CatID}" reference should be updated to "{ProductID}". This value is acquired as a part of the Store for Business management tool. +2. The value for flags can be "0" or "1" + + When using "0" the management tool calls back to the Store for Business sync to assign a user a seat of an application. When using "1" the management tool does not call back in to the Store for Business sync to assign a user a seat of an application. The CSP will claim a seat if one is available. + +3. The skuid is a new parameter that is required. This value is acquired as a part of the Store for Business to management tool sync. + +### Deploy an offline license to a user + +If you purchased an app from the Store for Business, the app license must be deployed to the device. + +The app license only needs to be deployed as part of the initial installation of the app. During an update, only the app is deployed to the user. + +In the SyncML, you need to specify the following information in the Exec command: + +- License ID - This is specified in the LocURI. The License ID for the offline license is referred to as the "Content ID" in the license file. You can retrieve this information from the Base64 encoded license download from the Store for Business. 
+- License Content - This is specified in the data section. The License Content is the Base64 encoded blob of the license. + +Here is an example of an offline license installation. + +``` syntax + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/AddLicense + + + xml + + + + +``` + + +### Deploy apps to a user from a hosted location + +If you purchased an app from the Store for Business and the app is specified for an offline license or the app is a non-Store app, the app must be deployed from a hosted location. + +Here are the requirements for this scenario: + +- The location of the app can be a local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ +- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. +- The device does not need to have connectivity to the Windows Store, store services, or the have the Windows Store UI be enabled. +- The user must be logged in, but association with AAD identity is not required. + +> **Note**  You must unlock the device to deploy nonStore apps or you must deploy the app license before deploying the offline apps. For details, see [Deploy an offline license to a user](#deploy-an-offline-license-to-a-user). + +  +The Add command for the package family name is required to ensure proper removal of the app at unenrollment. + +Here is an example of a line-of-business app installation. 
+ +``` syntax + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName} + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + +``` + +Here is an example of an app installation with dependencies. + +``` syntax + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + +``` + +Here is an example of an app installation with dependencies and optional packages. + +``` syntax + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + + + + + +``` + +### Provision apps for all users of a device + +Provisioning allows you to stage the app to the device and all users of the device can have the app registered on their next login. This is only supported for app purchased from the Store for Business and the app is specified for an offline license or the app is a non-Store app. The app must be offered from a hosted location. The app is installed as a local system. To install to a local file share, the 'local system' of the device must have access to the share. + +Here are the requirements for this scenario: + +- The location of the app can be the local files system (C:\\StagedApps\\app1.appx), a UNC path (\\\\server\\share\\app1.apx), or an HTTPS location (https://contoso.com/app1.appx\_ +- The user must have permission to access the content location. For HTTPs, you can use server authentication or certificate authentication using a certificate associated with the enrollment. HTTP locations are supported, but not recommended because of lack of authentication requirements. 
+- The device does not need to have connectivity to the Windows Store, or store services enabled. +- The device does not need any AAD identity or domain membership. +- For nonStore app, your device must be unlocked. +- For Store offline apps, the required licenses must be deployed prior to deploying the apps. + +To provision app for all users of a device from a hosted location, the management server performs an Add and Exec command on the AppInstallation node in the device context. The Add command for the package family name is required to ensure proper removal of the app at unenrollment. + +> **Note**  When you remove the provisioned app, it will not remove it from the users that already installed the app. + +  + +Here is an example of app installation. + +> **Note**  This is only supported in Windows 10 for desktop editions. + + +``` syntax + + + 0 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + +``` + +The HostedInstall Exec command contains a Data node that requires an embedded XML. Here are the requirements for the data XML: + +- Application node has a required parameter, PackageURI, which can be a local file location, UNC, or HTTPs location. +- Dependencies can be specified if required to be installed with the package. This is optional. + +The DeploymentOptions parameter is only available in the user context. + +Here is an example of app installation with dependencies. + +> **Note**  This is only supported in Windows 10 for desktop editions. 
+ + +``` syntax + + + 0 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName + + + + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + xml + + + + + + + + + + + +``` + +### Get status of app installations + +When an app installation is completed, a Windows notification is sent. You can also query the status of using the AppInstallation node. Here is the list of information you can get back in the query: + +- Status - indicates the status of app installation. + - NOT\_INSTALLED (0) - The node was added, but the execution was not completed. + - INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of suceess this value is updated. + - FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. + - INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up actio has not completed, this state may briefly appear. +- LastError - This is the last error reported by the app deployment server. +- LastErrorDescription - Describes the last error reported by the app deployment server. +- Status - This is an integer that indicates the progress of the app installation. In cases of an https location, this shows the estimated download progress. + + Status is not available for provisioning and only used for user-based installations. For provisioning, the value is always 0. + +When an app is installed successfully, the node is cleaned up and no longer present. The status of the app can be reported under the AppManagement node. + +Here is an example of a query for a specific app installation. + +``` syntax + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData + + + +``` + +Here is an example of a query for all app installations. 
+ +``` syntax + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData + + + +``` + +### Alert for installation completion + +Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success. + +Here is an example of an alert. + +``` syntax + + 4 + 1226 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall + + + Reversed-Domain-Name:com.microsoft.mdm.EnterpriseHostedAppInstall.result + int + + 0 + + +``` + +For user-based installation, use the ./User path and for provisioning of apps, use the ./Device path. + +The Data field value of 0 (zero) indicates sucess, otherwise it is an error code. If there is a failure, you can get more details from the AppInstallation node. + +> **Note**  At this time, the alert for Store app installation is not yet available. + + +## Uninstall your apps + +You can uninstall apps from users from Windows 10 devices. To uninstall an app, you delete it from the AppManagement node of the CSP. Within the AppManagement node, packages are organized based on their origin according to the following nodes: + +- AppStore - These apps are for the Windows Store. Apps can be directly installed from the store or delivered to the enterprise from the Store for Business. +- nonStore - These apps that were not acquired from the Windows Store. +- System - These apps are part of the OS. You cannot uninstall these apps. + +To uninstall an app, you delete it under the origin node, package family name, and package full name. To uninstall a XAP, use the product ID in place of the package family nane and package full name. + +Here is an example for uninstalling all versions of an app for a user. 
+ +``` syntax + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} + + + +``` + +Here is an example for uninstalling a specific version of the app for a user. + +``` syntax + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + + +``` + +### Removed provisioned apps from a device + +You can remove provisioned apps from a device for a specific version or for all versions of a package family. When a provisioned app is removed, it is not available to future users for the device. Logged in users who has the app registered to them will continue to have access to the app. If you want to removed the app for those users, you must explicitly uninstall the app for those users. + +> **Note**  You can only remove an app that has an inventory value IsProvisioned = 1. + +  +Removing provisioned app occurs in the device context. + +Here is an example for removing a provisioned app from a device. + +``` syntax + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName} + + + +``` + +Here is an example for removing a specific version of a provisioned app from a device: + +``` syntax + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/{PackageFullName} + + + +``` + +### Remove a store app license + +You can remove app licenses from a device per app based on the content ID. + +Here is an example for removing an app license for a user. + +``` syntax + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} + + + +``` + +Here is an example for removing an app license for a provisioned package (device context). 
+ +``` syntax + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{license id} + + + +``` + +### Alert for app uninstallation + +Uninstallation of an app can take some time complete, hence the uninstallation is performed asynchronously. When the Exec command is completed, the client sends a notification to the management server with a status, whether it's a failure or success. + +For user-based uninstallation, use ./User in the LocURI, and for provisioning, use ./Device in the LocURI. + +Here is an example. There is only one uninstall for hosted and store apps. + +``` syntax + + 1226 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/{PackageFamilyName} + + + Reversed-Domain-Name:com.microsoft.mdm.EnterpriseAppUninstall.result + int + + 0 + + +``` + +## Update your apps + +Apps installed on a device can be updated using the management server. Apps can be updated directly from the store or installed from a hosted location. + +### Update apps directly from the store + +To update an app from Windows Store, the device requires contact with the store services. + +Here is an example of an update scan. + +``` syntax + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/UpdateScan + + + +``` + +Here is an example of a status check. + +``` syntax + + + 1 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/LastScanError + + + +``` + +### Update apps from a hosted location + +Updating an existing app follows the same process as an initial installation. For more information, see [Deploy apps to a user from a hosted location](#deploy-apps-to-a-user-from-a-hosted-location). + + +### Update provisioned apps + +A provisioned app automatically updates when an app update is sent to the user. You can also update a provisioned app using the same process as an initial provisioning. 
For more information about initial provisioning, see [Provision apps for all users of a device](#provision-apps-for-all-users-of-a-device). + +### Prevent app from automatic updates + +You can prevent specific apps from being automatically updated. This allows you to turn on auto-updates for apps, with specific apps excluded as defined by the IT admin. + +Turning off updates only applies to updates from the Windows Store at the device level. This feature is not available at a user level. You can still update an app if the offline packages is pushed from hosted install location. + +Here is an example. + +``` syntax + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/{PackageFamilyName}/DoNotUpdate + + + int + text/plain + + 1 + +``` + +## Additional app management scenarios + +The following subsections provide information about additional settings configurations. + +### Restrict app installation to the system volume + +You can install app on non-system volumes, such as a secondary partition or removable media (USB or SD cards). Using the RestrictApptoSystemVolume policy, you can prevent apps from getting installed or moved to non-system volumes. For more information about this policy, see [Policy CSP](policy-configuration-service-provider.md). + +> **Note**  This is only supported in mobile devices. + + +Here is an example. + +``` syntax + + + 1 + + + ./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppToSystemVolume?list=StructData + + + + + + 2 + + + ./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppToSystemVolume + + + int + text/plain + + 1 + + +``` + +### Restrict AppData to the system volume + +In Windows 10 Mobile IT administrators can set a policy to restrict user application data for a Windows Store app to the system volume, regardless of where the package is installed or moved. + +> **Note**  The feature is only for Windows 10 Mobile. 
+ +  +The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-service-provider.md) enables you to restrict all user application data to stay on the system volume. When the policy is not configured or if it is disabled, and you move a package or when it is installed to a difference volume, then the user application data will moved to the same volume. You can set this policy to 0 (off, default) or 1. + +Here is an example. + +``` syntax + + + 1 + + + ./Vendor/MSFT/Policy/Result/ApplicationManagement/RestrictAppDataToSystemVolume?list=StructData + + + + + + 2 + + + ./Vendor/MSFT/Policy/Config/ApplicationManagement/RestrictAppDataToSystemVolume + + + int + text/plain + + 1 + + +``` + +### Enable shared user app data + +The Universal Windows app has the ability to share application data between the users of the device. The ability to share data can be set at a package family level or per device. + +> **Note**  This is only applicable to multi-user devices. + + +The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API. + +If you disable this policy, applications cannot share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there is any shared data, and /Remove-SharedAppxData to remove it). + +The valid values are 0 (off, default value) and 1 (on). + +Here is an example. 
+ +``` syntax + + + 1 + + + ./Vendor/MSFT/Policy/Result/ApplicationManagement/AllowSharedUserAppData?list=StructData + + + + + + 2 + + + ./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowSharedUserAppData + + + int + text/plain + + 1 + + +``` + +  + + + + + + diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md new file mode 100644 index 0000000000..c61db977e9 --- /dev/null +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -0,0 +1,143 @@ +--- +title: EnterpriseAPN CSP +description: The EnterpriseAPN configuration service provider is used by the enterprise to provision an APN for the Internet. +ms.assetid: E125F6A5-EE44-41B1-A8CC-DF295082E6B2 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseAPN CSP + +The EnterpriseAPN configuration service provider (CSP) is used by the enterprise to provision an APN for the Internet. + +> [!Note] +Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. + +The following image shows the EnterpriseAPN configuration service provider in tree format. + +![enterpriseapn csp](images/provisioning-csp-enterpriseapn-rs1.png) + +**EnterpriseAPN** +

The root node for the EnterpriseAPN configuration service provider.

+
+**EnterpriseAPN/****_ConnectionName_**
+

Name of the connection as seen by Windows Connection Manager.

+ +

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/APNName**
+

Enterprise APN name.

+ +

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/IPType**
+

This value can be one of the following:

+
+- IPv4 - only IPV4 connection type
+- IPv6 - only IPv6 connection type
+- IPv4v6 (default)- IPv4 and IPv6 concurrently.
+- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat
+
+

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/IsAttachAPN**
+

Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.

+ +

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/ClassId**
+

GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM\_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.

+ +

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/AuthType**
+

Authentication type. This value can be one of the following:

+
+- None (default)
+- Auto
+- PAP
+- CHAP
+- MSCHAPv2
+
+

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/UserName**
+

User name for use with PAP, CHAP, or MSCHAPv2 authentication.

+ +

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/Password**
+

Password corresponding to the username.

+ +

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/IccId**
+

Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.

+ +

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/AlwaysOn**
+

Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.

+
+

The default value is true.

+
+

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/Enabled**
+

Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.

+
+

The default value is true.

+
+

Supported operations are Add, Get, Delete, and Replace.

+
+**EnterpriseAPN/*ConnectionName*/Roaming**
+

Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:

+
+
    +
  • 0 - Disallowed
  • +
  • 1 - Allowed
  • +
  • 2 - DomesticRoaming
  • +
  • 3 - UseOnlyForDomesticRoaming
  • +
  • 4 - UseOnlyForNonDomesticRoaming
  • +
  • 5 - UseOnlyForRoaming
  • +
+
+

Default is 1 (all roaming allowed).

+
+

Value type is string. Supported operations are Add, Get, Delete, and Replace.

+
+
+**EnterpriseAPN/Settings**
+

Added in Windows 10, version 1607. Node that contains global settings.

+
+**EnterpriseAPN/Settings/AllowUserControl**
+

Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.

+
+

The default value is false.

+
+

Supported operations are Get and Replace.

+
+**EnterpriseAPN/Settings/HideView**
+

Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.

+
+

The default value is false.

+
+

Supported operations are Get and Replace.

+ +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterpriseapn-ddf.md b/windows/client-management/mdm/enterpriseapn-ddf.md new file mode 100644 index 0000000000..8d656ebb72 --- /dev/null +++ b/windows/client-management/mdm/enterpriseapn-ddf.md 
@@ -0,0 +1,1210 @@ +--- +title: EnterpriseAPN DDF +description: EnterpriseAPN DDF +ms.assetid: A953ADEF-4523-425F-926C-48DA62EB9E21 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseAPN DDF + + +This topic shows the OMA DM device description framework (DDF) for the **EnterpriseAPN** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The content below are the different versions of the DDF for this CSP. + + +- [EnterpriseAPN CSP version 1.0 DDF](#enterpriseapn-csp-version-1-0-ddf) +- [EnterpriseAPN CSP version 1.1 DDF](#enterpriseapn-csp-version-1-1-ddf) +- [EnterpriseAPN CSP version 1.2 DDF](#enterpriseapn-csp-version-1-2-ddf) + +### EnterpriseAPN CSP version 1.0 DDF + +``` syntax + +]> + + 1.2 + + EnterpriseAPN + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + + + + + + + + Name of the connection as seen by WCM + + + + + + + + + + + + + ConnectionName + + + + + + APNName + + + + + + + + Enterprise APN name + + + + + + + + + + + + + APNName + + text/plain + + + + + IPType + + + + + + + + IPv4v6 + One of IPv4, IPv6, IPv4v6, or IPv4v6xlat + + + + + + + + + + + + + IPType + + text/plain + + + + + IsAttachAPN + + + + + + + + false + Indicates whether this APN should be requested as part of an LTE Attach. + + + + + + + + + + + + + IsAttachAPN + + text/plain + + + + + APNClassId + + + + + + + + 9476C91D-608F-47B6-856A-1D90C1BED333 + GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries. 
+ + + + + + + + + + + + + ApnClassId + + text/plain + + + + + AuthType + + + + + + + + None + Authentication type, one of None, Auto, PAP, CHAP, MSCHAPv2 + + + + + + + + + + + + + AuthType + + text/plain + + + + + UserName + + + + + + + + User name, for use with PAP, CHAP, MSCHAPv2 authentication. + + + + + + + + + + + + + UserName + + text/plain + + + + + Password + + + + + + + + Password corresponding to UserName for PAP, CHAP, and MSCHAPv2 authentication. + + + + + + + + + + + + + Password + + text/plain + + + + + IccId + + + + + + + + ICCID to be associated with the cellular connection profile.If this node is not present, the connection will be created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data. + + + + + + + + + + + + + IccId + + text/plain + + + + + + +``` + +### EnterpriseAPN CSP version 1.1 DDF + +``` syntax + +]> + + 1.2 + + EnterpriseAPN + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/EnterpriseAPN + + + + + + + + + + + Name of the connection as seen by WCM + + + + + + + + + + + + + ConnectionName + + + + + + APNName + + + + + + + + Enterprise APN name + + + + + + + + + + + + + APNName + + text/plain + + + + + IPType + + + + + + + + IPv4v6 + One of IPv4, IPv6, IPv4v6, or IPv4v6xlat, specifying whether the connection supports IPv4 only, IPv6 only, IPv4 and IPv6 concurrently, or IPv6 with IPv4 provided by 46xlat + + + + + + + + + + + + + IPType + + text/plain + + + + + IsAttachAPN + + + + + + + + false + Indicates whether this APN should be requested as part of an LTE Attach. + + + + + + + + + + + + + IsAttachAPN + + text/plain + + + + + ClassId + + + + + + + + 9476C91D-608F-47B6-856A-1D90C1BED333 + GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries. 
+ + + + + + + + + + + + + ClassId + + text/plain + + + + + AuthType + + + + + + + + None + Authentication type, one of None, Auto, PAP, CHAP, MSCHAPv2 + + + + + + + + + + + + + AuthType + + text/plain + + + + + UserName + + + + + + + + User name, for use with PAP, CHAP, MSCHAPv2 authentication. + + + + + + + + + + + + + UserName + + text/plain + + + + + Password + + + + + + + + Password corresponding to UserName for PAP, CHAP, and MSCHAPv2 authentication. + + + + + + + + + + + + + Password + + text/plain + + + + + IccId + + + + + + + + ICCID to be associated with the cellular connection profile.If this node is not present, the connection will be created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data. + + + + + + + + + + + + + IccId + + text/plain + + + + + AlwaysOn + + + + + + + + true + Boolean that specifies whether the CM will automatically attempt to connect to the APN when a connection is available. Default is true. + + + + + + + + + + + + + AlwaysOn + + text/plain + + + + + Enabled + + + + + + + + true + Boolean that specifies whether the connection is enabled. Default is true. + + + + + + + + + + + + + Enabled + + text/plain + + + + + + Settings + + + + + Global settings. + + + + + + + + + + + + + Settings + + + + + + AllowUserControl + + + + + + false + Boolean that specifies whether the cellular UX will allow users to control the visibility of enterprise APNs. Default is false. + + + + + + + + + + + + + AllowUserControl + + text/plain + + + + + HideView + + + + + + false + Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Default is false. Only applicable if AllowUserControl is true. 
+ + + + + + + + + + + + + HideView + + text/plain + + + + + + +``` + +### EnterpriseAPN CSP version 1.2 DDF + +``` syntax + +]> + + 1.2 + + EnterpriseAPN + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.2/MDM/EnterpriseAPN + + + + + + + + + + + Name of the connection as seen by WCM + + + + + + + + + + + + + ConnectionName + + + + + + APNName + + + + + + + + Enterprise APN name + + + + + + + + + + + + + APNName + + text/plain + + + + + IPType + + + + + + + + IPv4v6 + One of IPv4, IPv6, IPv4v6, or IPv4v6xlat, specifying whether the connection supports IPv4 only, IPv6 only, IPv4 and IPv6 concurrently, or IPv6 with IPv4 provided by 46xlat + + + + + + + + + + + + + IPType + + text/plain + + + + + IsAttachAPN + + + + + + + + false + Indicates whether this APN should be requested as part of an LTE Attach. + + + + + + + + + + + + + IsAttachAPN + + text/plain + + + + + ClassId + + + + + + + + 9476C91D-608F-47B6-856A-1D90C1BED333 + GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries. + + + + + + + + + + + + + ClassId + + text/plain + + + + + AuthType + + + + + + + + None + Authentication type, one of None, Auto, PAP, CHAP, MSCHAPv2 + + + + + + + + + + + + + AuthType + + text/plain + + + + + UserName + + + + + + + + User name, for use with PAP, CHAP, MSCHAPv2 authentication. + + + + + + + + + + + + + UserName + + text/plain + + + + + Password + + + + + + + + Password corresponding to UserName for PAP, CHAP, and MSCHAPv2 authentication. + + + + + + + + + + + + + Password + + text/plain + + + + + IccId + + + + + + + + ICCID to be associated with the cellular connection profile.If this node is not present, the connection will be created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data. 
+ + + + + + + + + + + + + IccId + + text/plain + + + + + AlwaysOn + + + + + + + + true + Boolean that specifies whether the CM will automatically attempt to connect to the APN when a connection is available. Default is true. + + + + + + + + + + + + + AlwaysOn + + text/plain + + + + + Enabled + + + + + + + + true + Boolean that specifies whether the connection is enabled. Default is true. + + + + + + + + + + + + + Enabled + + text/plain + + + + + Roaming + + + + + + + + 1 + Roaming setting that specifies whether the connection should be activated when the device is roaming. 0: Disallowed, 1: Allowed, 2: DomesticRoaming, 3: UseOnlyForDomesticRoaming, 4: UseOnlyForNonDomesticRoaming, 5: UseOnlyForRoaming. Default is 1 (all roam allowed). + + + + + + + + + + + + + Roaming + + text/plain + + + + + + Settings + + + + + Global settings. + + + + + + + + + + + + + Settings + + + + + + AllowUserControl + + + + + + false + Boolean that specifies whether the cellular UX will allow users to control the visibility of enterprise APNs. Default is false. + + + + + + + + + + + + + AllowUserControl + + text/plain + + + + + HideView + + + + + + false + Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Default is false. Only applicable if AllowUserControl is true. + + + + + + + + + + + + + HideView + + text/plain + + + + + + +``` + + +## Related topics + + +[EnterpriseAPN configuration service provider](enterpriseapn-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md new file mode 100644 index 0000000000..4067c76438 --- /dev/null +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md 
@@ -0,0 +1,543 @@ +--- +title: EnterpriseAppManagement CSP +description: EnterpriseAppManagement CSP +ms.assetid: 698b8bf4-652e-474b-97e4-381031357623 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseAppManagement CSP + + +The EnterpriseAppManagement enterprise configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment. + +> **Note**   The EnterpriseAppManagement CSP is only supported in Windows 10 Mobile. + +  + +The following diagram shows the EnterpriseAppManagement configuration service provider in tree format. + +![enterpriseappmanagement csp](images/provisioning-csp-enterpriseappmanagement.png) + +***EnterpriseID*** +Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. + +Supported operations are Add, Delete, and Get. + +***EnterpriseID*/EnrollmentToken** +Required. Used to install or update the binary representation of the application enrollment token (AET) and initiate "phone home" token validation. Scope is dynamic. + +Supported operations are Get, Add, and Replace. + +***EnterpriseID*/StoreProductID** +Required. The node to host the ProductId node. Scope is dynamic. + +Supported operation is Get. + +**/StoreProductID/ProductId** +The character string that contains the ID of the first enterprise application (usually a Company Hub app), which is automatically installed on the device. Scope is dynamic. + +Supported operations are Get and Add. + +***EnterpriseID*/StoreUri** +Optional. 
The character string that contains the URI of the first enterprise application to be installed on the device. The enrollment client downloads and installs the application from this URI. Scope is dynamic. + +Supported operations are Get and Add. + +***EnterpriseID*/CertificateSearchCriteria** +Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](http://go.microsoft.com/fwlink/p/?LinkId=523869) function. This search parameter is case sensitive. Scope is dynamic. + +Supported operations are Get and Add. + +> **Note**   Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject= Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\\x00 + +  + +***EnterpriseID*/Status** +Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic. + +Supported operation is Get. + +***EnterpriseID*/CRLCheck** +Optional. Character value that specifies whether the device should do a CRL check when using a certificate to authenticate the server. Valid values are "1" (CRL check required), "0" (CRL check not required). Scope is dynamic. + +Supported operations are Get, Add, and Replace. 
+ +***EnterpriseID*/EnterpriseApps** +Required. The root node to for individual enterprise application related settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider). + +Supported operation is Get. + +**/EnterpriseApps/Inventory** +Required. The root node for individual enterprise application inventory settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider). + +Supported operation is Get. + +**/Inventory/****_ProductID_** +Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic. + +Supported operation is Get. + +**/Inventory/*ProductID*/Version** +Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic. + +Supported operation is Get. + +**/Inventory/*ProductID*/Title** +Required. The character string that contains the name of the installed enterprise application. Scope is dynamic. + +Supported operation is Get. + +**/Inventory/*ProductID*/Publisher** +Required. The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic. + +Supported operation is Get. + +**/Inventory/*ProductID*/InstallDate** +Required. The time (in the character format YYYY-MM-DD-HH:MM:SS) that the application was installed or updated. Scope is dynamic. + +Supported operation is Get. + +**/EnterpriseApps/Download** +Required. This node groups application download-related parameters. The enterprise server can only automatically update currently installed enterprise applications. The end user controls which enterprise applications to download and install. Scope is dynamic. + +Supported operation is Get. + +**/Download/****_ProductID_** +Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic. 
+ +Supported operations are Get, Add, and Replace. + +**/Download/*ProductID*/Version** +Optional. The character string that contains version information (set by the caller) for the application currently being downloaded. Scope is dynamic. + +Supported operations are Get, Add, and Replace. + +**/Download/*ProductID*/Name** +Required. The character string that contains the name of the installed application. Scope is dynamic. + +Supported operation is Get. + +**/Download/*ProductID*/URL** +Optional. The character string that contains the URL for the updated version of the installed application. The device will download application updates from this link. Scope is dynamic. + +Supported operations are Get, Add, and Replace. + +**/Download/*ProductID*/Status** +Required. The integer value that indicates the status of the current download process. The following table shows the possible values. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +

0: CONFIRM

Waiting for confirmation from user.

1: QUEUED

Waiting for download to start.

2: DOWNLOADING

In the process of downloading.

3: DOWNLOADED

Waiting for installation to start.

4: INSTALLING

Handed off for installation.

5: INSTALLED

Successfully installed

6: FAILED

Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)

7:DOWNLOAD_FAILED

Unable to connect to server, file doesn't exist, etc.

+ +  + +Scope is dynamic. Supported operations are Get, Add, and Replace. + +**/Download/*ProductID*/LastError** +Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S\_OK). Scope is dynamic. + +Supported operation is Get. + +**/Download/*ProductID*/LastErrorDesc** +Required. The character string that contains the human readable description of the last error code. + +**/Download/*ProductID*/DownloadInstall** +Required. The node to allow the server to trigger the download and installation for an updated version of the user installed application. The format for this node is null. The server must query the device later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic. + +Supported operation is Exec. + +## Remarks + + +### Install and Update Line of Business (LOB) applications + +A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support a variety of file types including XAP (8.0 and 8.1), AppX, and AppXBundles. A workplace can also update applications from XAP file formats to Appx and AppxBundle formats through the same channel. For more information, see the Examples section. + +### Uninstall Line of Business (LOB) applications + +A workplace can also remotely uninstall Line of Business applications on the device. It is not possible to use this mechanism to uninstall Store applications on the device or Line of Business applications that are not installed by the enrolled workplace (for side-loaded application scenarios). For more information, see the Examples section + +### Query installed Store application + +You can determine if a Store application is installed on a system. First, you need the Store application GUID. You can get the Store application GUID by going to the URL for the Store application. 
+ +The Microsoft Store application has a GUID of d5dc1ebb-a7f1-df11-9264-00237de2db9e. + +Use the following SyncML format to query to see if the application is installed on a managed device: + +``` syntax + + 1 + + + ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D + + + +``` + +Response from the device (it contains list of subnodes if this app is installed in the device). + +``` syntax + + 3 + 1 + 2 + + + + ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7B D5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D + + + node + + +Version/Title/Publisher/InstallDate + + +``` + +### Node Values + +All node values under the ProviderID interior node represent the policy values that the management server wants to set. + +- An Add or Replace command on those nodes returns success in both of the following cases: + + - The value is actually applied to the device. + + - The value isn’t applied to the device because the device has a more secure value set already. + +From a security perspective, the device complies with the policy request that is at least as secure as the one requested. + +- A Get command on those nodes returns the value that the server pushes down to the device. + +- If a Replace command fails, the node value is set to be the previous value before Replace command was applied. + +- If an Add command fails, the node is not created. + +The value actually applied to the device can be queried via the nodes under the DeviceValue interior node. 
+ +## OMA DM examples + + +Enroll enterprise ID “4000000001” for the first time: + +``` syntax + + 2 + + + ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken + + + chr + + InsertTokenHere + + + + ./Vendor/MSFT/EnterpriseAppManagement/4000000001/CertificateSearchCriteria + + + + chr + + SearchCriteriaInsertedHere + + +``` + +Update the enrollment token (for example, to update an expired application enrollment token): + +``` syntax + + 2 + + + ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken + + + chr + + InsertUpdaedTokenHere + + +``` + +Query all installed applications that belong to enterprise id “4000000001”: + +``` syntax + + 2 + + + + ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory?list=StructData + + + + +``` + +Response from the device (that contains two installed applications): + +``` syntax + + 3 + 1 + 2 + + + + ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory + + + + node + + + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D + + + + node + + + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D + + + + node + + + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version + + + 1.0.0.0 + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title + + + Sample1 + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher + + + ExamplePublisher + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate + + + 2012-10-30T21:09:52Z + + + + 
+./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version + + + 1.0.0.0 + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title + + + Sample2 + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher + + + Contoso + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate + + + 2012-10-31T21:23:31Z + + +``` + +## Install and update an enterprise application + + +Install or update the installed app with the product ID “{B316008A-141D-4A79-810F-8B764C4CFDFB}”. + +To perform an XAP update, create the Name, URL, Version, and DownloadInstall nodes first, then perform an “execute” on the “DownloadInstall” node (all within an “Atomic” operation). If the application does not exist, the application will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog. + +> **Note**   +1. If a previous app-update node existed for this product ID (the node can persist for up to 1 week or 7 days after an installation has completed), then a 418 (already exist) error would be returned on the “Add”. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes, and then execute on the “DownloadInstall” (within an “Atomic” operation). + +2. The application product ID curly braces need to be escaped where { is %7B and } is %7D. 
+ +  + +``` syntax + + 2 + + + 3 + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Name + + + + chr + + ContosoApp1 + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/URL + + + + chr + + http://contoso.com/enterpriseapps/ContosoApp1.xap + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Version + + + chr + + 2.0.0.0 + + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall + + + 1 + + + + 4 + + + +./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall + + + + int + + 0 + + + +``` + +## Uninstall enterprise application + + +Uninstall an installed enterprise application with product ID “{7BB316008A-141D-4A79-810F-8B764C4CFDFB }”: + +``` syntax + + + + 2 + + + ./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D + + + + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md new file mode 100644 index 0000000000..17b4288eb5 --- /dev/null +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md 
@@ -0,0 +1,132 @@
+---
+title: EnterpriseAppVManagement CSP
+description: EnterpriseAppVManagement CSP
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# EnterpriseAppVManagement CSP
+
+The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
+
+The following diagram shows the EnterpriseAppVManagement configuration service provider in tree format.
+
+![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)
+
+**./Vendor/MSFT/EnterpriseAppVManagement**
+

Root node for the EnterpriseAppVManagement configuration service provider.

+
+**AppVPackageManagement**
+

Used to query App-V package information (post-publish).

+
+**AppVPackageManagement/EnterpriseID**
+

Used to query package information. Value is always "HostedInstall".

+
+**AppVPackageManagement/EnterpriseID/PackageFamilyName**
+

Package ID of the published App-V package.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_**
+

Version ID of the published App-V package.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Name**
+

Name specified in the published AppV package.

+

Value type is string. Supported operation is Get.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Version**
+

Version specified in the published AppV package.

+

Value type is string. Supported operation is Get.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Publisher**
+

Publisher as specified in the published asset information of the AppV package.

+

Value type is string. Supported operation is Get.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/InstallLocation**
+

Local package path specified in the published asset information of the AppV package.

+

Value type is string. Supported operation is Get.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/InstallDate**
+

Date the app was installed, as specified in the published asset information of the AppV package.

+

Value type is string. Supported operation is Get.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/Users**
+

Registered users for app, as specified in the published asset information of the AppV package.

+

Value type is string. Supported operation is Get.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/AppVPackageId**
+

Package ID of the published App-V package.

+

Value type is string. Supported operation is Get.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/AppVVersionId**
+

Version ID of the published App-V package.

+

Value type is string. Supported operation is Get.

+
+**AppVPackageManagement/_EnterpriseID_/_PackageFamilyName_/_PackageFullName_/AppVPackageUri**
+

Package URI of the published App-V package.

+

Value type is string. Supported operation is Get.

+
+**AppVPublishing**
+

Used to monitor publishing operations on App-V.

+
+**AppVPublishing/LastSync**
+

Used to monitor publishing status of last sync operation.

+
+**AppVPublishing/LastSync/LastError**
+

Error code and error description of last sync operation.

+

Value type is string. Supported operation is Get.

+
+**AppVPublishing/LastSync/LastErrorDescription**
+

Last sync error status. One of the following values may be returned:

+
+- SYNC\_ERR_NONE (0) - No errors during publish.
+- SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish.
+- SYNC\_ERR\_PUBLISH\_NONGROUP_PACKAGES (2) - Publish no-group packages failed during publish.
+- SYNC\_ERR\_PUBLISH\_GROUP_PACKAGES (3) - Publish group packages failed during publish.
+- SYNC\_ERR\_UNPUBLISH_PACKAGES (4) - Unpublish packages failed during publish.
+- SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish.
+- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occured during publish.
+
+

Value type is string. Supported operation is Get.

+
+**AppVPublishing/LastSync/SyncStatusDescription**
+

Latest sync in-progress stage. One of the following values may be returned:

+
+- SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle.
+- SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress.
+- SYN\_PROGRESS\_PUBLISH\_NONGROUP_PACKAGES (2) - App-V packages (non connection group) publish in progress.
+- SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress.
+- SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress.
+
+

Value type is string. Supported operation is Get.

+
+**AppVPublishing/LastSync/SyncProgress**
+

Latest sync state. One of the following values may be returned:

+
+- SYNC\_STATUS_IDLE (0) - App-V Sync is idle.
+- SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing.
+- SYNC\_STATUS\_PUBLISH\_IN_PROGRESS (2) - App-V Sync is in progress.
+- SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete.
+- SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot.
+
+

Value type is string. Supported operation is Get.

+
+**AppVPublishing/Sync**
+

Used to perform App-V synchronization.

+
+**AppVPublishing/Sync/PublishXML**
+

Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [[MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol](https://msdn.microsoft.com/en-us/library/mt739986.aspx).

+

Supported operations are Get, Delete, and Execute.

+
+
+**AppVDynamicPolicy**
+

Used to set App-V Policy Configuration documents for publishing packages.

+
+**AppVDynamicPolicy/_ConfigurationId_**
+

ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).

+
+**AppVDynamicPolicy/_ConfigurationId_/Policy**
+

XML for App-V Policy Configuration documents for publishing packages.

+

Value type is xml. Supported operations are Add, Get, Delete, and Replace.

+
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-ddf.md b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
new file mode 100644
index 0000000000..19c14ddfc4
--- /dev/null
+++ b/windows/client-management/mdm/enterpriseappvmanagement-ddf.md
@@ -0,0 +1,590 @@ +--- +title: EnterpriseAppVManagement DDF file +description: EnterpriseAppVManagement DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseAppVManagement DDF file + +This topic shows the OMA DM device description framework (DDF) for the **EnterpriseAppVManagement** configuration service provider. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + EnterpriseAppVManagement + ./Vendor/MSFT + + + + + Used for inventory and App-V management. + + + + + + + + + + + + + + + AppVPackageManagement + + + + + Used to query App-V package information (post-publish). + + + + + + + + + + + + + + + + + + + + Used to query package information. Value is always 'HostedInstall'. + + + + + + + + + + EnterpriseID + + + + + + + + + + + Package ID of the published App-V package. + + + + + + + + + + PackageFamilyName + + + + + + + + + + + Version ID of the published App-V package. + + + + + + + + + + PackageFullName + + + + + + Name + + + + + Name specified in the published AppV package. + + + + + + + + + + + text/plain + + + + + Version + + + + + Version specified in the published AppV package. + + + + + + + + + + + text/plain + + + + + Publisher + + + + + Publisher specified in the published AppV package's asset information. + + + + + + + + + + + text/plain + + + + + InstallLocation + + + + + Local package path specified in the published AppV package's asset information. 
+ + + + + + + + + + + text/plain + + + + + InstallDate + + + + + Date the app was installed, as specified in the published AppV package's asset information. + + + + + + + + + + + text/plain + + + + + Users + + + + + Registered users for app, as specified in the published AppV package's asset information. + + + + + + + + + + + text/plain + + + + + AppVPackageId + + + + + Package ID of the published App-V package. + + + + + + + + + + + text/plain + + + + + AppVVersionId + + + + + Version ID of the published App-V package. + + + + + + + + + + + text/plain + + + + + AppVPackageUri + + + + + Package URI of the published App-V package. + + + + + + + + + + + text/plain + + + + + + + + + AppVPublishing + + + + + Used to monitor publishing operations on App-V. + + + + + + + + + + + + + + + LastSync + + + + + Used to monitor publishing status of last Sync operation. + + + + + + + + + + + + + + + LastError + + + + + Error code and error description of last Sync operation. + + + + + + + + + + + text/plain + + + + + LastErrorDescription + + + + + Last Sync error status. One of the following values may be returned: +SYNC_ERR_NONE (0) - No errors during publish. +SYNC_ERR_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish. +SYNC_ERR_PUBLISH_NONGROUP_PACKAGES (2) - Publish no-group packages failed during publish. +SYNC_ERR_PUBLISH_GROUP_PACKAGES (3) - Publish group packages failed during publish. +SYNC_ERR_UNPUBLISH_PACKAGES (4) - Unpublish packages failed during publish. +SYNC_ERR_NEW_POLICY_WRITE (5) - New policy write failed during publish. +SYNC_ERR_MULTIPLE_DURING_PUBLISH (6) - Multiple non-fatal errors occured during publish. + + + + + + + + + + + + text/plain + + + + + SyncStatusDescription + + + + + Latest Sync in-progress stage. One of the following values may be returned: +SYNC_PROGRESS_IDLE (0) - App-V publishing is idle. +SYNC_PROGRESS_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress. 
+SYNC_PROGRESS_PUBLISH_NONGROUP_PACKAGES (2) - App-V packages (non connection group) publish in progress. +SYNC_PROGRESS_PUBLISH_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress. +SYNC_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress. + + + + + + + + + + + + text/plain + + + + + SyncProgress + + + + + Latest Sync state. One of the following values may be returned: +SYNC_STATUS_IDLE (0) - App-V Sync is idle. +SYNC_STATUS_PUBLISH_STARTED (1) - App-V Sync is initializing. +SYNC_STATUS_PUBLISH_IN_PROGRESS (2) - App-V Sync is in progress. +SYNC_STATUS_PUBLISH_COMPLETED (3) - App-V Sync is complete. +SYNC_STATUS_PUBLISH_REBOOT_REQUIRED (4) - App-V Sync requires device reboot. + + + + + + + + + + + + text/plain + + + + + + Sync + + + + + + + + Used to perform App-V synchronization. + + + + + + + + + + + + + + + PublishXML + + + + + + + Used to execute the App-V synchronization using the Publishing protocol. + + + + + + + + + + + text/plain + + + + + + + AppVDynamicPolicy + + + + + Used to set App-V Policy Configuration documents for publishing packages. + + + + + + + + + + + + + + + + + + + + + + ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document. + + + + + + + + + + ConfigurationId + + + + + + Policy + + + + + + + + XML for App-V Policy Configuration documents for publishing packages. + + + + + + + + + + + text/plain + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md new file mode 100644 index 0000000000..069a8486f3 --- /dev/null +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md 
@@ -0,0 +1,1673 @@ +--- +title: EnterpriseAssignedAccess CSP +description: EnterpriseAssignedAccess CSP +ms.assetid: 5F88E567-77AA-4822-A0BC-3B31100639AA +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseAssignedAccess CSP + + +The EnterpriseAssignedAccess configuration service provider allows IT administrators to configure settings, such as language and themes, lock down a device, and configure custom layouts on a device. For example, the administrator can lock down a device so that only applications specified in an Allow list are available. Apps not on the Allow list remain installed on the device, but are hidden from view and blocked from launching. + +> **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile. + +  + +For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). + +The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. + +![enterpriseassignedaccess csp](images/provisioning-csp-enterpriseassignedaccess.png) + +The following list shows the characteristics and parameters. + +**.Vendor/MSFT/EnterpriseAssignedAccess/** +The root node for the EnterpriseAssignedAccess configuration service provider. Supported operations are Add, Delete, Get and Replace. + +**AssignedAccess/** +The parent node of assigned access XML. + +**AssignedAccess/AssignedAccessXml** +The XML code that controls the assigned access settings that will be applied to the device. + +Supported operations are Add, Delete, Get and Replace. + +The Apps and Settings sections of lockdown XML constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. 
The following table describes the entries in lockdown XML. + +> **Important**   +When using the AssignedAccessXml in the EnterpriseAssignedAccess CSP through an MDM, the XML must use escaped characters, such as < instead of < because it is embedded in an XML. The examples provided in the topic are formatted for readability. + +When using the AssignedAccessXml in a provisioning package using the Windows Imaging and Configuration Designer (ICD) tool, do not use escaped characters. + +  + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EntryDescription

ActionCenter

You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center.

+

Example:

+
<ActionCenter enabled="true"></ActionCenter>
+

In Windows 10, when the Action Center is disabled, Above Lock notifications and toasts are also disabled. When the Action Center is enabled, the following policies are also enabled:

+
    +
  • AboveLock/AllowActionCenterNotifications
  • +
  • AboveLock/AllowToasts
  • +
+

For more information about these policies, see [Policy CSP](policy-configuration-service-provider.md)

+

You can also add the following optional attributes to the ActionCenter element to override the default behavior:

+
    +
  • aboveLockToastEnabled
  • +
  • actionCenterNotificationEnabled
  • +
+

Valid values are 0 (policy disabled), 1 (policy enabled), and -1 (not set, policy enabled).

+

In this example, the Action Center is enabled and both policies are disabled.

+
<ActionCenter enabled="true" aboveLockToastEnabled="0" actionCenterNotificationEnabled="0"/>
+

These optional attributes are independent of each other.

+

In this example, Action Center is enabled, the notifications policy is disabled, and the toast policy is enabled by default because it is not set.

+
<ActionCenter enabled="true" actionCenterNotificationEnabled="0"/>

StartScreenSize

Specify the size of the Start screen. In addition to 4/6 columns, you can also use 4/6/8 depending on screen resolutions.

+

Valid values:

+
    +
  • Small sets the width to 4 columns on device with short axis <400epx or 6 columns on devices with short axis >=400epx.
  • +
  • Large sets the width to 6 columns on devices with short axis <400epx or 8 columns on devices with short axis >=400epx.
  • +
+

If you have existing lockdown XML, you must update it if your device has >=400epx on its short axis so that tiles on Start can fill all 8 columns if you want to use all 8 columns instead of 6, or use 6 columns instead of 4.

+

Example:

+
<StartScreenSize>Large</StartScreenSize>

Application

Provide the product ID for each app that will be available on the device.

+

You can find the product ID for a locally developed app in the AppManifest.xml file of the app. For the list of product ID and AUMID see [ProductIDs in Windows 10 Mobile](#productid).

+

To turn on the notification for a Windows app, you must include the application's AUMID in the lockdown XML. However, the user can change the setting at any time from user interface.

+
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail"/>
+modern app notification +

Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium, or large), and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2.

+

For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 indicates the first column, a value of 1 indicates the second column, and so on.

+

Include autoRun as an attribute to configure the application to run automatically.

+

Example:

+
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}" autoRun="true">
+   <PinToStart>
+      <Size>Large</Size>
+      <Location>
+         <LocationX>0</LocationX>
+         <LocationY>2</LocationY>
+      </Location>
+   </PinToStart>
+</Application>
+

Multiple App Packages enable multiple apps to exist inside the same package. Since ProductIds identify packages and not applications, specifying a ProductId is not enough to distinguish between individual apps inside a multiple app package. Trying to include application from a multiple app package with just a ProductId can result in unexpected behavior.

+

To support pinning applications in multiple app packages, use an AUMID parameter in lockdown XML. For the list of product ID and AUMID, see [ProductIDs in Windows 10 Mobile](#productid). The following example shows how to pin both Outlook mail and Outlook calendar.

+
<Apps>
+    <!-- Outlook Calendar -->
+    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
+aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
+        <PinToStart>
+            <Size>Large</Size>
+            <Location>
+                <LocationX>1</LocationX>
+                <LocationY>4</LocationY>
+            </Location>
+        </PinToStart>
+    </Application>
+    <!-- Outlook Mail-->
+    <Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}" 
+aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
+        <PinToStart>
+            <Size>Large</Size>
+            <Location>
+                <LocationX>1</LocationX>
+                <LocationY>6</LocationY>
+            </Location>
+        </PinToStart>
+    </Application>
+</Apps>

Folder

A folder should be contained in <Applications/> node among with other <Application/> nodes, it shares most grammar with the Application Node, folderId is mandatory, folderName is optional, which is the folder name displayed on Start. folderId is a unique unsigned integer for each folder.

+

For example:

+
<Application folderId="4" folderName="foldername">
+    <PinToStart>
+        <Size>Large</Size>
+        <Location>
+            <LocationX>0</LocationX>
+            <LocationY>2</LocationY>
+        </Location>
+    </PinToStart>
+</Application>
+

An application that belongs in the folder would add an optional attribute ParentFolderId, which maps to folderId of the folder. In this case, the location of this application will be located inside the folder.

+
<Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
+    <PinToStart>
+        <Size>Medium</Size>
+        <Location>
+            <LocationX>0</LocationX>
+            <LocationY>0</LocationY>
+        </Location>
+        <ParentFolderId>2</ParentFolderId>
+    </PinToStart>
+</Application>

Settings

Settings pages

+

Starting in Windows 10, version 1511, you can specify the following settings pages in the lockdown XML file.

+
+Important  Do not specify a group entry without a page entry because it will cause an undefined behavior. +
+
+  +
+
    +
  • System (main menu) - SettingsPageGroupPCSystem +
      +
    • Display - SettingsPageDisplay
    • +
    • Notifications & actions - SettingsPageAppsNotifications
    • +
    • Phone - SettingsPageCalls
    • +
    • Messaging - SettingsPageMessaging
    • +
    • Battery saver - SettingsPageBatterySaver
    • +
    • Storage - SettingsPageStorageSenseStorageOverview
    • +
    • Driving mode - SettingsPageDrivingMode
    • +
    • Offline maps - SettingsPageMaps
    • +
    • About - SettingsPagePCSystemInfo
    • +
    • Apps for websites - SettingsPageAppsForWebsites
    • +
  • +
  • Devices (main menu) - SettingsPageGroupDevices +
      +
    • Default camera - SettingsPagePhotos
    • +
    • Bluetooth - SettingsPagePCSystemBluetooth
    • +
    • NFC - SettingsPagePhoneNFC
    • +
    • Mouse - SettingsPageMouseTouchpad
    • +
    • USB - SettingsPageUsb
    • +
  • +
  • Network and wireless (main menu) - SettingsPageGroupNetwork +
      +
    • Cellular and SIM - SettingsPageNetworkCellular
    • +
    • Wi-Fi - SettingsPageNetworkWiFi
    • +
    • Airplane mode - SettingsPageNetworkAirplaneMode
    • +
    • Data usage - SettingsPageDataSenseOverview
    • +
    • Mobile hotspot - SettingsPageNetworkMobileHotspot
    • +
    • VPN - SettingsPageNetworkVPN
    • +
    • +
  • +
  • Personalization (main menu) - SettingsPageGroupPersonalization +
      +
    • Start - SettingsPageBackGround
    • +
    • Colors - SettingsPageColors
    • +
    • Sounds - SettingsPageSounds
    • +
    • Lock screen - SettingsPageLockscreen
    • +
    • Glance - SettingsPageGlance
    • +
    • Navigation bar - SettingsNavigationBar
    • +
  • +
  • Accounts (main menu) - SettingsPageGroupAccounts +
      +
    • Your account - SettingsPageAccountsPicture
    • +
    • Sign-in options - SettingsPageAccountsSignInOptions
    • +
    • Work access - SettingsPageWorkAccess
    • +
    • Sync your settings - SettingsPageAccountsSync
    • +
    • Apps corner* - SettingsPageAppsCorner
    • +
    • Email - SettingsPageAccountsEmailApp
    • +
  • +
  • Time and language (main menu) - SettingsPageGroupTimeRegion +
      +
    • Date and time - SettingsPageTimeRegionDateTime
    • +
    • Language - SettingsPageTimeLanguage
    • +
    • Region - SettingsPageRegion
    • +
    • Keyboard - SettingsPageKeyboard
    • +
    • Speech - SettingsPageSpeech
    • +
  • +
  • Ease of access (main menu) - SettingsPageGroupEaseOfAccess +
      +
    • Narrator - SettingsPageEaseOfAccessNarrator
    • +
    • Magnifier - SettingsPageEaseOfAccessMagnifier
    • +
    • High contrast - SettingsPageEaseOfAccessHighContrast
    • +
    • Closed captions - SettingsPageEaseOfAccessClosedCaptioning
    • +
    • More options - SettingsPageEaseOfAccessMoreOptions
    • +
  • +
  • Privacy (main menu) - SettingsPageGroupPrivacy +
      +
    • Location - SettingsPagePrivacyLocation
    • +
    • Camera - SettingsPagePrivacyWebcam
    • +
    • Microphone - SettingsPagePrivacyMicrophone
    • +
    • Motion - SettingsPagePrivacyMotionData
    • +
    • Speech inking and typing - SettingsPagePrivacyPersonalization
    • +
    • Account info - SettingsPagePrivacyAccountInfo
    • +
    • Contacts - SettingsPagePrivacyContacts
    • +
    • Calendar - SettingsPagePrivacyCalendar
    • +
    • Messaging - SettingsPagePrivacyMessaging
    • +
    • Radios - SettingsPagePrivacyRadios
    • +
    • Background apps - SettingsPagePrivacyBackgroundApps
    • +
    • Accessory apps - SettingsPageAccessories
    • +
    • Advertising ID - SettingsPagePrivacyAdvertisingId
    • +
    • Other devices - SettingsPagePrivacyCustomPeripherals
    • +
    • Feedback & diagnostics - SettingsPagePrivacySIUFSettings
    • +
    • Call history - SettingsPagePrivacyCallHistory
    • +
    • Email - SettingsPagePrivacyEmail
    • +
    • Phone call - SettingsPagePrivacyPhoneCall
    • +
    • Notifications - SettingsPagePrivacyNotifications
    • +
    • CDP - SettingsPagePrivacyCDP
    • +
  • +
  • Update and Security (main menu) - SettingsPageGroupRestore +
      +
    • Phone update - SettingsPageRestoreMusUpdate
    • +
    • Backup - SettingsPageRestoreOneBackup
    • +
    • Find my phone - SettingsPageFindMyDevice
    • +
    • For developers - SettingsPageSystemDeveloperOptions
    • +
    • Windows Insider Program - SettingsPageFlights
    • +
    • Device encryption - SettingsPageGroupPCSystemDeviceEncryption
    • +
  • +
  • OEM (main menu) - SettingsPageGroupExtensibility +
      +
    • Extensibility - SettingsPageExtensibility
    • +
  • +
+

Quick action settings

+

Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).

+

Note: Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. This statement does not apply to Windows 10, version 1703.

+
    +
  • SystemSettings_System_Display_QuickAction_Brightness

    +

    Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay

  • +
  • SystemSettings_System_Display_Internal_Rotation

    +

    Dependencies - SettingsPageSystemDisplay, SettingsPageDisplay

  • +
  • SystemSettings_QuickAction_WiFi

    +

    Dependencies - SettingsPageGroupNetwork, SettingsPageNetworkWiFi

  • +
  • SystemSettings_QuickAction_InternetSharing

    +

    Dependencies - SettingsPageGroupNetwork, SettingsPageInternetSharing

  • +
  • SystemSettings_QuickAction_CellularData

    +

    Dependencies - SettingsPageGroupNetwork, SettingsPageNetworkCellular

  • +
  • SystemSettings_QuickAction_AirplaneMode

    +

    Dependencies - SettingsPageGroupNetwork, SettingsPageNetworkAirplaneMode

  • +
  • SystemSettings_Privacy_LocationEnabledUserPhone

    +

    Dependencies - SettingsGroupPrivacyLocationGlobals, SettingsPagePrivacyLocation

  • +
  • SystemSettings_Network_VPN_QuickAction

    +

    Dependencies - SettingsPageGroupNetwork, SettingsPageNetworkVPN

  • +
  • SystemSettings_Launcher_QuickNote

    +

    Dependencies - none

  • +
  • SystemSettings_Flashlight_Toggle

    +

    Dependencies - none

  • +
  • SystemSettings_Device_BluetoothQuickAction

    +

    Dependencies - SettingsPageGroupDevices, SettingsPagePCSystemBluetooth

  • +
  • SystemSettings_BatterySaver_LandingPage_OverrideControl

    +

    Dependencies - BatterySaver_LandingPage_SettingsConfiguration, SettingsPageBatterySaver

  • +
  • QuickActions_Launcher_DeviceDiscovery

    +

    Dependencies - none

  • +
  • QuickActions_Launcher_AllSettings

    +

    Dependencies - none

  • +
  • SystemSettings_QuickAction_QuietHours

    +

    Dependencies - none

  • +
  • SystemSettings_QuickAction_Camera

    +

    Dependencies - none

  • +
+

In this example, all settings pages and quick action settings are allowed. An empty <Settings> node indicates that none of the settings are blocked.

+
<Settings>
+</Settings>
+

In this example, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.

+
<Settings> 
+  <System name="SettingsPageGroupPCSystem" /> 
+  <System name="SettingsPageDisplay" /> 
+  <System name="SettingsPageAppsNotifications" />
+  <System name="SettingsPageCalls" />
+  <System name="SettingsPageMessaging" /> 
+  <System name="SettingsPageBatterySaver" /> 
+  <System name="SettingsPageStorageSenseStorageOverview" />
+  <System name="SettingsPageGroupPCSystemDeviceEncryption" /> 
+  <System name="SettingsPageDrivingMode" /> 
+  <System name="SettingsPagePCSystemInfo" /> 
+ </Settings>
+

To remove access to all of the settings in the system, the settings application would simply not be listed in the app list for a particular role.

Buttons

The following list identifies the hardware buttons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen.

+
    +
  • Start

    +
    +Note   +

    Lock down of the Start button only prevents the press and hold event.

    +
    +
    +  +
  • +
  • Back

  • +
  • Search

  • +
  • Camera

  • +
  • Custom1

  • +
  • Custom2

  • +
  • Custom3

    +
    +Note   +

    Custom buttons are hardware buttons that can be added to devices by OEMs.

    +
    +
    +  +
  • +
+

Example:

+
<Buttons>
+   <ButtonLockdownList>
+      <!-- Lockdown all buttons -->
+         <Button name="Search">
+         </Button>
+         <Button name="Camera">
+         </Button>
+         <Button name="Custom1">
+         </Button>
+         <Button name="Custom2">
+         </Button>
+         <Button name="Custom3">
+         </Button>
+   </ButtonLockdownList>
+

The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users.

+
+Note   +

The lockdown settings for a button, per user role, will apply regardless of the button mapping.

+
+
+  +
+
+Warning   +

Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.

+
+
+  +
+

To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open.

+

Example:

+
<ButtonRemapList>
+   <Button name="Search">
+      <ButtonEvent name="Press">
+         <!-- Alarms -->
+         <Application productId="{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}" parameters="" />
+          </ButtonEvent>
+   </Button>
+</ButtonRemapList>
+

Disabling navigation buttons

+

To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press").

+

The following section contains a sample lockdown XML file that shows how to disable navigation buttons.

+

Example:

+
<?xml version="1.0" encoding="utf-8"?>
+<HandheldLockdown version="1.0" >
+    <Default>
+        <ActionCenter enabled="false" />
+        <Apps>
+            <!-- Settings -->
+            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
+                <PinToStart>
+                    <Size>Large</Size>
+                    <Location>
+                        <LocationX>0</LocationX>
+                        <LocationY>0</LocationY>
+                    </Location>
+                </PinToStart>
+            </Application>
+
+            <!-- Phone Apps -->
+            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
+                <PinToStart>
+                    <Size>Small</Size>
+                    <Location>
+                        <LocationX>2</LocationX>
+                        <LocationY>2</LocationY>
+                    </Location>
+                </PinToStart>
+            </Application>
+        </Apps>
+        <Buttons>
+            <ButtonLockdownList>
+                <Button name="Start">
+                    <ButtonEvent name="Press" />
+                </Button>
+                <Button name="Back">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Search">
+                    <ButtonEvent name="All" />
+                </Button>
+                <Button name="Camera">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom1">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom2">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom3">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+            </ButtonLockdownList>
+            <ButtonRemapList />
+        </Buttons>
+        <MenuItems>
+            <DisableMenuItems/>
+        </MenuItems>
+        <Settings>
+        </Settings>
+        <Tiles>
+            <EnableTileManipulation/>
+        </Tiles>
+        <StartScreenSize>Small</StartScreenSize>
+    </Default>
+</HandheldLockdown>

MenuItems

Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.

+

Example:

+
<MenuItems>
+   <DisableMenuItems/>
+</MenuItems>
+
+Important   +

If DisableMenuItems is not included in a profile, users of that profile can uninstall apps.

+
+
+  +

Tiles

Turning-on tile manipulation

+

By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile.

+

If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.

+
+Important   +

If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user’s profile.

+
+
+  +
+

The following sample file contains configuration for enabling tile manipulation.

+
+Note   +

Tile manipulation is disabled when you don’t have a <Tiles> node in lockdown XML, or if you have a <Tiles> node but don’t have the <EnableTileManipulation/> node.

+
+
+  +
+

Example:

+
<?xml version="1.0" encoding="utf-8"?>
+<HandheldLockdown version="1.0" >
+    <Default>
+        <ActionCenter enabled="false" />
+        <Apps>
+            <!-- Settings -->
+            <Application productId="{2A4E62D8-8809-4787-89F8-69D0F01654FB}">
+                <PinToStart>
+                    <Size>Large</Size>
+                    <Location>
+                        <LocationX>0</LocationX>
+                        <LocationY>0</LocationY>
+                    </Location>
+                </PinToStart>
+            </Application>
+
+            <!-- Phone Apps -->
+            <Application productId="{F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7}">
+                <PinToStart>
+                    <Size>Small</Size>
+                    <Location>
+                        <LocationX>2</LocationX>
+                        <LocationY>2</LocationY>
+                    </Location>
+                </PinToStart>
+            </Application>
+        </Apps>
+        <Buttons>
+            <ButtonLockdownList>
+                <Button name="Start">
+                    <ButtonEvent name="Press" />
+                </Button>
+                <Button name="Back">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Search">
+                    <ButtonEvent name="All" />
+                </Button>
+                <Button name="Camera">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom1">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom2">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+                <Button name="Custom3">
+                    <ButtonEvent name="Press" />
+                    <ButtonEvent name="PressAndHold" />
+                </Button>
+            </ButtonLockdownList>
+            <ButtonRemapList />
+        </Buttons>
+        <MenuItems>
+            <DisableMenuItems/>
+        </MenuItems>
+        <Settings>
+        </Settings>
+        <Tiles>
+            <EnableTileManipulation/>
+        </Tiles>
+        <StartScreenSize>Small</StartScreenSize>
+    </Default>
+</HandheldLockdown>

CSP Runner

Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.

+ +  + +**LockscreenWallpaper/** +The parent node of the lock screen-related parameters that let administrators query and manage the lock screen image on devices. Supported operations are Add, Delete, Get and Replace. + +**LockscreenWallpaper/BGFileName** +The file name of the lock screen. The image file for the lock screen can be in .jpg or .png format and must not exceed 2 MB. The file name can also be in the Universal Naming Convention (UNC) format, in which case the device downloads it from the shared network and then sets it as the lock screen wallpaper. + +Supported operations are Add, Get, and Replace. + +**Theme/** +The parent node of theme-related parameters. + +Supported operations are Add, Delete, Get and Replace. + +**Theme/ThemeBackground** +Indicates whether the background color is light or dark. Set to **0** for light; set to **1** for dark. + +Supported operations are Get and Replace. + +**Theme/ThemeAccentColorID** +The accent color to apply as the foreground color for tiles, controls, and other visual elements on the device. The following table shows the possible values. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription

0

Lime

1

Green

2

Emerald

3

Teal (Viridian)

4

Cyan (Blue)

5

Cobalt

6

Indigo

7

Violet (Purple)

8

Pink

9

Magenta

10

Crimson

11

Red

12

Orange (Mango)

13

Amber

14

Yellow

15

Brown

16

Olive

17

Steel

18

Mauve

19

Sienna

101 through 104

Optional colors, as defined by the OEM

151

Custom accent color for Enterprise

+ +  + +Supported operations are Get and Replace. + +**Theme/ThemeAccentColorValue** +A 6-character string for the accent color to apply to controls and other visual elements. + +To use a custom accent color for Enterprise, enter **151** for *ThemeAccentColorID* before *ThemeAccentColorValue* in lockdown XML. *ThemeAccentColorValue* configures the custom accent color using hex values for red, green, and blue, in RRGGBB format. For example, enter FF0000 for red. + +Supported operations are Get and Replace. + +**PersistData** +Not supported in Windows 10. + +The parent node of whether to persist data that has been provisioned on the device. + +**PersistData/PersistProvisionedData** +Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CSP](remotewipe-csp.md) instead. + +**Clock/TimeZone/** +An integer that specifies the time zone of the device. The following table shows the possible values. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueTime zone

0

UTC-12 International Date Line West

100

UTC+13 Samoa

110

UTC-11 Coordinated Universal Time-11

200

UTC-10 Hawaii

300

UTC-09 Alaska

400

UTC-08 Pacific Time (US & Canada)

410

UTC-08 Baja California

500

UTC-07 Mountain Time (US & Canada)

510

UTC-07 Chihuahua, La Paz, Mazatlan

520

UTC-07 Arizona

600

UTC-06 Saskatchewan

610

UTC-06 Central America

620

UTC-06 Central Time (US & Canada)

630

UTC-06 Guadalajara, Mexico City, Monterrey

700

UTC-05 Eastern Time (US & Canada)

710

UTC-05 Bogota, Lima, Quito

720

UTC-05 Indiana (East)

800

UTC-04 Atlantic Time (Canada)

810

UTC-04 Cuiaba

820

UTC-04 Santiago

830

UTC-04 Georgetown, La Paz, Manaus, San Juan

840

UTC-04 Caracas

850

UTC-04 Asuncion

900

UTC-03:30 Newfoundland

910

UTC-03 Brasilia

920

UTC-03 Greenland

930

UTC-03 Montevideo

940

UTC-03 Cayenne, Fortaleza

950

UTC-03 Buenos Aires

960

UTC-03 Salvador

1000

UTC-02 Mid-Atlantic

1010

UTC-02 Coordinated Universal Time-02

1100

UTC-01 Azores

1110

UTC-01 Cabo Verde

1200

UTC Dublin, Edinburgh, Lisbon, London

1210

UTC Monrovia, Reykjavik

1220

UTC Casablanca

1230

UTC Coordinated Universal Time

1300

UTC+01 Belgrade, Bratislava, Budapest, Ljubljana, Prague

1310

UTC+01 Sarajevo, Skopje, Warsaw, Zagreb

1320

UTC+01 Brussels, Copenhagen, Madrid, Paris

1330

UTC+01 West Central Africa

1340

UTC+01 Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna

1350

UTC+01 Windhoek

1360

UTC+01 Tripoli

1400

UTC+02 E. Europe

1410

UTC+02 Cairo

1420

UTC+02 Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius

1430

UTC+02 Athens, Bucharest

1440

UTC+02 Jerusalem

1450

UTC+02 Amman

1460

UTC+02 Beirut

1470

UTC+02 Harare, Pretoria

1480

UTC+02 Damascus

1490

UTC+02 Istanbul

1500

UTC+03 Kuwait, Riyadh

1510

UTC+03 Baghdad

1520

UTC+03 Nairobi

1530

UTC+03 Kaliningrad, Minsk

1540

UTC+04 Moscow, St. Petersburg, Volgograd

1550

UTC+03 Tehran

1600

UTC+04 Abu Dhabi, Muscat

1610

UTC+04 Baku

1620

UTC+04 Yerevan

1630

UTC+04 Kabul

1640

UTC+04 Tbilisi

1650

UTC+04 Port Louis

1700

UTC+06 Ekaterinburg

1710

UTC+05 Tashkent

1720

UTC+05 Chennai, Kolkata, Mumbai, New Delhi

1730

UTC+05 Sri Jayawardenepura

1740

UTC+05 Kathmandu

1750

UTC+05 Islamabad, Karachi

1800

UTC+06 Astana

1810

UTC+07 Novosibirsk

1820

UTC+06 Yangon (Rangoon)

1830

UTC+06 Dhaka

1900

UTC+08 Krasnoyarsk

1910

UTC+07 Bangkok, Hanoi, Jakarta

1900

UTC+08 Krasnoyarsk

2000

UTC+08 Beijing, Chongqing, Hong Kong SAR, Urumqi

2010

UTC+09 Irkutsk

2020

UTC+08 Kuala Lumpur, Singapore

2030

UTC+08 Taipei

2040

UTC+08 Perth

2050

UTC+08 Ulaanbaatar

2100

UTC+09 Seoul

2110

UTC+09 Osaka, Sapporo, Tokyo

2120

UTC+10 Yakutsk

2130

UTC+09 Darwin

2140

UTC+09 Adelaide

2200

UTC+10 Canberra, Melbourne, Sydney

2210

UTC+10 Brisbane

2220

UTC+10 Hobart

2230

UTC+11 Vladivostok

2240

UTC+10 Guam, Port Moresby

2300

UTC+11 Solomon Is., New Caledonia

2310

UTC+12 Magadan

2400

UTC+12 Fiji

2410

UTC+12 Auckland, Wellington

2420

UTC+12 Petropavlovsk-Kamchatsky

2430

UTC+12 Coordinated Universal Time +12

2500

UTC+13 Nuku'alofa

+ +  + +Supported operations are Get and Replace. + +**Locale/Language/** +The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](http://go.microsoft.com/fwlink/p/?LinkID=189567). + +The language setting is configured in the Default User profile only. + +> **Note**  Apply the Locale ID only after the corresponding language packs are built into and supported for the OS image running on the device. The specified language will be applied as the phone language and a restart may be required. + +  + +Supported operations are Get and Replace. + +## OMA client provisioning examples + + +The XML examples in this section show how to perform various tasks by using OMA client provisioning. + +> **Note**  These examples are XML snippets and do not include all sections that are required for a complete lockdown XML file. + +  + +### Assigned Access settings + +The following example shows how to add a new policy. + +``` syntax + +    +      +    + +``` + +### Language + +The following example shows how to specify the language to display on the device. + +``` syntax + +    +      +    + +``` + +## OMA DM examples + + +These XML examples show how to perform various tasks using OMA DM. + +### Assigned access settings + +The following example shows how to lock down a device. 
+ +``` syntax + + + + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml + + <?xml version="1.0" encoding="utf-8"?><HandheldLockdown version="1.0"><Default><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="2"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /><Button name="Search" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Default><RoleList><Role guid="{76C01983-A872-4C4E-B4C6-321EAC709CEA}" name="Associate"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /><System name="Microsoft.About" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /><Button name="Camera" disableEvents="All" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role><Role guid="{8ABB8A10-4418-4467-9E18-99D11FA54E30}" name="Manager"><Apps><Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="1"/></Apps><Settings><System name="Microsoft.Themes" /></Settings><Buttons><Button name="Start" disableEvents="PressAndHold" /></Buttons><MenuItems><DisableMenuItems/></MenuItems></Role></RoleList></HandheldLockdown> + + + + + +``` + +### Theme + +The following example shows how to change the accent color to one of the standard colors. + +``` syntax + +    +       +         1 +          +             +             ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID +             +             +               int +             +             +            7 +          +       +       +    + +``` + +The following example shows how to change the theme. 
+ +``` syntax + +    +       +           1 +           +               +                   ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground +               +               +                   int +               +               +               1 +           +       +       +    + +``` + +The following example shows how to set a custom theme accent color for the enterprise environment. + +``` syntax + +    +      1 +       +          +             ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID +          +          +            int +          +          +         151 +       +    + + 2 + + + ./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorValue + + + chr + + + FF0000 + + + + +``` + +### Lock screen + +Use the examples in this section to set a new lock screen and manage the lock screen features. If using a UNC path, format the LocURI as \\\\host\\share\\image.jpg. + +``` syntax +2 +    +      ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName +    +      chr +      text/plain +    +    c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg +    + +``` + +The following example shows how to query the device for the file being used as the lock screen. + +``` syntax +2 +    +      ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName +    + +``` + +The following example shows how to change the existing lock screen image to one of your choosing. + +``` syntax + +    +       +         2 +          +             +               ./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName +             +             +               chr +               text/plain +             +            c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg +          +       +       +    + +``` + +### Time zone + +The following example shows how to set the time zone to UTC-07 Mountain Time (US & Canada). 
+ +``` syntax + +    +       +         2 +          +             +               ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone +             +             +               int +             +            500 +          +       +       +    + +``` + +The following example shows how to set the time zone to Pacific Standard Time (UTC-08:00) without observing daylight savings time (UTC+01:00). + +``` syntax + +    +       +         2 +          +             +               ./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone +             +             +               int +             +            400  +          +       +       +    + +``` + +### Language + +The following example shows how to set the language. + +``` syntax + +    +       +         1 +          +             +               ./Vendor/MSFT/EnterpriseAssignedAccess/Locale/Language +             +             +               int +             +            1033 +          +       +       +    + +``` + +## Product IDs in Windows 10 Mobile + + +The following table lists the product ID and AUMID for each app that is included in Windows 10 Mobile. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
AppProduct IDAUMID
Alarms and clock44F7D2B4-553D-4BEC-A8B7-634CE897ED5FMicrosoft.WindowsAlarms_8wekyb3d8bbwe!App
CalculatorB58171C6-C70C-4266-A2E8-8F9C994F4456Microsoft.WindowsCalculator_8wekyb3d8bbwe!App
CameraF0D8FEFD-31CD-43A1-A45A-D0276DB069F1Microsoft.WindowsCamera_8wekyb3d8bbwe!App
Contact Support0DB5FCFF-4544-458A-B320-E352DFD9CA2BWindows.ContactSupport_cw5n1h2txyewy!App
CortanaFD68DCF4-166F-4C55-A4CA-348020F71B94Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI
ExcelEAD3E7C0-FAE6-4603-8699-6A448138F4DCMicrosoft.Office.Excel_8wekyb3d8bbwe!microsoft.excel
Facebook82A23635-5BD9-DF11-A844-00237DE2DB9EMicrosoft.MSFacebook_8wekyb3d8bbwe!x82a236355bd9df11a84400237de2db9e
File ExplorerC5E2524A-EA46-4F67-841F-6A9465D9D515c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy!App
FM RadioF725010E-455D-4C09-AC48-BCDEF0D4B626N/A
Get StartedB3726308-3D74-4A14-A84C-867C8C735C3CMicrosoft.Getstarted_8wekyb3d8bbwe!App
Groove MusicD2B6A184-DA39-4C9A-9E0A-8B589B03DEC0Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic
MapsED27A07E-AF57-416B-BC0C-2596B622EF7DMicrosoft.WindowsMaps_8wekyb3d8bbwe!App
Messaging27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!x27e26f40ye031y48a6yb130yd1f20388991ax
Microsoft Edge395589FB-5884-4709-B9DF-F7D558663FFDMicrosoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge
Money1E0440F1-7ABF-4B9A-863D-177970EEFB5EMicrosoft.BingFinance_8wekyb3d8bbwe!AppexFinance
Movies and TV6AFFE59E-0467-4701-851F-7AC026E21665Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo
News9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1Microsoft.BingNews_8wekyb3d8bbwe!AppexNews
OneDriveAD543082-80EC-45BB-AA02-FFE7F4182BA8Microsoft.MicrosoftSkydrive_8wekyb3d8bbwe!App
OneNoteCA05B3AB-F157-450C-8C49-A1F127F5E71DMicrosoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim
Outlook Calendar

A558FEBA-85D7-4665-B5D8-A2FF9C19799B

Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Calendar

Outlook Mail

A558FEBA-85D7-4665-B5D8-A2FF9C19799B

Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail

People60BE1FB8-3291-4B21-BD39-2221AB166481Microsoft.People_8wekyb3d8bbwe!xb94d6231y84ddy49a8yace3ybc955e769e85x
Phone (dialer)F41B5D0E-EE94-4F47-9CFE-3D3934C5A2C7Microsoft.CommsPhone_8wekyb3d8bbwe!App
PhotosFCA55E1B-B9A4-4289-882F-084EF4145005Microsoft.Windows.Photos_8wekyb3d8bbwe!App
PodcastsC3215724-B279-4206-8C3E-61D1A9D63ED3Microsoft.MSPodcast_8wekyb3d8bbwe!xc3215724yb279y4206y8c3ey61d1a9d63ed3x
PowerpointB50483C4-8046-4E1B-81BA-590B24935798Microsoft.Office.PowerPoint_8wekyb3d8bbwe!microsoft.pptim
Settings2A4E62D8-8809-4787-89F8-69D0F01654FB2a4e62d8-8809-4787-89f8-69d0f01654fb_8wekyb3d8bbwe!App
SkypeC3F8E570-68B3-4D6A-BDBB-C0A3F4360A51Microsoft.SkypeApp_kzf8qxf38zg5c!Skype.AppId
Skype Video27E26F40-E031-48A6-B130-D1F20388991AMicrosoft.Messaging_8wekyb3d8bbwe!App
Sports0F4C8C7E-7114-4E1E-A84C-50664DB13B17Microsoft.BingSports_8wekyb3d8bbwe!AppexSports
Storage5B04B775-356B-4AA0-AAF8-6491FFEA564DN/A
Store7D47D89A-7900-47C5-93F2-46EB6D94C159Microsoft.WindowsStore_8wekyb3d8bbwe!App
Voice recorder7311B9C5-A4E9-4C74-BC3C-55B06BA95AD0Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe!App
Wallet587A4577-7868-4745-A29E-F996203F1462Microsoft.MicrosoftWallet_8wekyb3d8bbwe!App
Weather63C2A117-8604-44E7-8CEF-DF10BE3A57C8Microsoft.BingWeather_8wekyb3d8bbwe!App
Windows Feedback7604089D-D13F-4A2D-9998-33FC02B63CE3Microsoft.WindowsFeedback_8wekyb3d8bbwe!App
Word258F115C-48F4-4ADB-9A68-1387E634459BMicrosoft.Office.Word_8wekyb3d8bbwe!microsoft.word
XboxB806836F-EEBE-41C9-8669-19E243B81B83Microsoft.XboxApp_8wekyb3d8bbwe!Microsoft.XboxApp
+ +  + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterpriseassignedaccess-ddf.md b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md new file mode 100644 index 0000000000..f98ed740fe --- /dev/null +++ b/windows/client-management/mdm/enterpriseassignedaccess-ddf.md @@ -0,0 +1,325 @@ +--- +title: EnterpriseAssignedAccess DDF +description: EnterpriseAssignedAccess DDF +ms.assetid: 8BD6FB05-E643-4695-99A2-633995884B37 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseAssignedAccess DDF + + +This topic shows the OMA DM device description framework (DDF) for the **EnterpriseAssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). + +``` syntax + +]> + + 1.2 + + EnterpriseAssignedAccess + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/EnterpriseAssignedAccess + + + + AssignedAccess + + + + + + + + + + + + + + + + + + + + + + AssignedAccessXml + + + + + + + + + + + + + + + + + + text/plain + + + + + + LockScreenWallpaper + + + + + + + + + + + + + + + + + + + + + + BGFileName + + + + + + + + + + + + + + + + + text/plain + + + + + + Theme + + + + + + + + + + + + + + + + + + + + + + ThemeBackground + + + + + + + + + + + + + + + + text/plain + + + + + ThemeAccentColorID + + + + + + + + + + + + + + + + text/plain + + + + + ThemeAccentColorValue + + + + + + + + + + + + + + + + text/plain + + + + + + Clock + + + + + + + + + + + + + + + + + + + + + + TimeZone + + + + + + + + + + + + + + + + text/plain + + + + + + Locale + + + + + + + + + + + + + + + + + + + + + + Language + + + + + + + + + + + + + + + + text/plain + + + + + + +``` + + + +  + +  + + + + + + 
diff --git a/windows/client-management/mdm/enterpriseassignedaccess-xsd.md b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md new file mode 100644 index 0000000000..6d19a5aedd --- /dev/null +++ b/windows/client-management/mdm/enterpriseassignedaccess-xsd.md @@ -0,0 +1,267 @@ +--- +title: EnterpriseAssignedAccess XSD +description: EnterpriseAssignedAccess XSD +ms.assetid: BB3B633E-E361-4B95-9D4A-CE6E08D67ADA +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseAssignedAccess XSD + + +This XSD can be used to validate that the lockdown XML in the <Data> block of the AssignedAccessXML node. + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md new file mode 100644 index 0000000000..d75ed17826 --- /dev/null +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md 
@@ -0,0 +1,344 @@ +--- +title: EnterpriseDataProtection CSP +description: The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. +ms.assetid: E2D4467F-A154-4C00-9208-7798EF3E25B3 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseDataProtection CSP + +The EnterpriseDataProtection configuration service provider (CSP) is used to configure Windows Information Protection (WIP) (formerly known as Enterprise Data Protection) specific settings. For more information about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip). + +> **Note**   +>- To make WIP functional the AppLocker CSP and the network isolation specific settings must also be configured. For more information, see [AppLocker CSP](applocker-csp.md) and NetworkIsolation policies in [Policy CSP](policy-configuration-service-provider.md). +>- This CSP was added in Windows 10, version 1607. + +  + +While WIP has no hard dependency on VPN, for best results you should configure VPN profiles first before you configure the WIP policies. For VPN best practice recommendations, see [VPNv2 CSP](vpnv2-csp.md). + +To learn more about WIP, see the following TechNet topics: + +- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) +- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) + +The following diagram shows the EnterpriseDataProtection CSP in tree format. + +![enterprisedataprotection csp diagram](images/provisioning-csp-enterprisedataprotection.png) + +**./Device/Vendor/MSFT/EnterpriseDataProtection** +

The root node for the CSP. + +**Settings** +

The root node for the Windows Information Protection (WIP) configuration settings. + +**Settings/EDPEnforcementLevel** +

Set the WIP enforcement level. Note that setting this value is not sufficient to enable WIP on the device. Attempts to change this value will fail when the WIP cleanup is running. + +

The following list shows the supported values: + +- 0 (default) – Off / No protection (decrypts previously protected data). +- 1 – Silent mode (encrypt and audit only). +- 2 – Override mode (encrypt, prompt, and audit). +- 3 – Block mode (encrypt, block, and audit). + +

Supported operations are Add, Get, Replace and Delete. Value type is integer. + +**Settings/EnterpriseProtectedDomainNames** +

A list of domains used by the enterprise for its user identities separated by pipes ("|").The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. User identities from one of these domains is considered an enterprise managed account and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail when the WIP cleanup is running. + +

Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client. + +> **Note**  The client requires domain name to be canonical, otherwise the setting will be rejected by the client. + +  + +

Here are the steps to create canonical domain names: + +1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com. +2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags. +3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0). + +

Supported operations are Add, Get, Replace and Delete. Value type is string. + +**Settings/AllowUserDecryption** +

Allows the user to decrypt files. If this is set to 0 (Not Allowed), then the user will not be able to remove protection from enterprise content through the operating system or the application user experiences. + +> [!Important] +> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

Supported operations are Add, Get, Replace and Delete. Value type is integer. + +**Settings/RequireProtectionUnderLockConfig** +

Specifies whether the protection under lock feature (also known as encrypt under pin) should be configured. A PIN must be configured on the device before you can apply this policy. + +

The following list shows the supported values: + +- 0 (default) – Not required. +- 1 – Required. + +

Most restricted value is 1. + +

The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware. + +> **Note**  This setting is only supported in Windows 10 Mobile. + +  + +

Supported operations are Add, Get, Replace and Delete. Value type is integer. + +**Settings/DataRecoveryCertificate** +

Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for encrypting file system (EFS), only delivered through MDM instead of Group Policy. + +> **Note**  If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced. + +

DRA information from MDM policy must be a serialized binary blob identical to what we expect from GP. +The binary blob is the serialized version of following structure: + +``` syntax +// +//  Recovery Policy Data Structures +// +  +typedef struct _RECOVERY_POLICY_HEADER { +    USHORT      MajorRevision; +    USHORT      MinorRevision; +    ULONG       RecoveryKeyCount; +} RECOVERY_POLICY_HEADER, *PRECOVERY_POLICY_HEADER; +  +typedef struct _RECOVERY_POLICY_1_1    { +        RECOVERY_POLICY_HEADER  RecoveryPolicyHeader; +        RECOVERY_KEY_1_1        RecoveryKeyList[1]; +}   RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1; +  +#define EFS_RECOVERY_POLICY_MAJOR_REVISION_1   (1) +#define EFS_RECOVERY_POLICY_MINOR_REVISION_0   (0) +  +#define EFS_RECOVERY_POLICY_MINOR_REVISION_1   (1) +  +/////////////////////////////////////////////////////////////////////////////// +//                                                                            / +//  RECOVERY_KEY Data Structure                                               / +//                                                                            / +/////////////////////////////////////////////////////////////////////////////// +  +// +// Current format of recovery data. +// +  +typedef struct _RECOVERY_KEY_1_1   { +        ULONG               TotalLength; +        EFS_PUBLIC_KEY_INFO PublicKeyInfo; +} RECOVERY_KEY_1_1, *PRECOVERY_KEY_1_1; +  +  +typedef struct _EFS_PUBLIC_KEY_INFO { +  +    // +    // The length of this entire structure, including string data +    // appended to the end. The length should be a multiple of 8 for +    // 64 bit alignment +    // +  +    ULONG Length; +  +    // +    // Sid of owner of the public key (regardless of format). +   // This field is to be treated as a hint only. 
+    // +  +    ULONG PossibleKeyOwner; +  +    // +    // Contains information describing how to interpret +    // the public key information +    // +  +    ULONG KeySourceTag; +  +    union { +  +        struct { +  +            // +            // The following fields contain offsets based at the +            // beginning of the structure.  Each offset is to +            // a NULL terminated WCHAR string. +            // +  +            ULONG ContainerName; +            ULONG ProviderName; +  +            // +            // The exported public key used to encrypt the FEK. +            // This field contains an offset from the beginning of the +            // structure. +            // +  +            ULONG PublicKeyBlob; +  +            // +            // Length of the PublicKeyBlob in bytes +            // +  +            ULONG PublicKeyBlobLength; +  +        } ContainerInfo; +  +        struct { +  +            ULONG CertificateLength;       // in bytes +            ULONG Certificate;             // offset from start of structure +  +        } CertificateInfo; +  +  +        struct { +  +            ULONG ThumbprintLength;        // in bytes +            ULONG CertHashData;            // offset from start of structure +  +        } CertificateThumbprint; +    }; +  +  +  +} EFS_PUBLIC_KEY_INFO, *PEFS_PUBLIC_KEY_INFO; +  +// +// Possible KeyTag values +// +  +typedef enum _PUBLIC_KEY_SOURCE_TAG { +    EfsCryptoAPIContainer = 1, +    EfsCertificate, +    EfsCertificateThumbprint +} PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG; +  +``` + +

For EFSCertificate KeyTag, it is expected to be a DER ENCODED binary certificate. + +

Supported operations are Add, Get, Replace and Delete. Value type is base-64 encoded certificate. + +**Settings/RevokeOnUnenroll** +

This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked file cleanup subsequently. Prior to sending the unenroll command, when you want a device to do a selective wipe when it is unenrolled, then you should explicitly set this policy to 1. + +

The following list shows the supported values: + +- 0 – Don't revoke keys. +- 1 (default) – Revoke keys. + +

Supported operations are Add, Get, Replace and Delete. Value type is integer. + +**Settings/RevokeOnMDMHandoff** +

Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from MAM to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service. + +- 0 - Don't revoke keys +- 1 (dafault) - Revoke keys + +

Supported operations are Add, Get, Replace and Delete. Value type is integer. + +**Settings/RMSTemplateIDForEDP** +

TemplateID GUID to use for RMS encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected file and how long they have access. + +

Supported operations are Add, Get, Replace and Delete. Value type is string (GUID). + +**Settings/AllowAzureRMSForEDP** +

Specifies whether to allow Azure RMS encryption for WIP. + +- 0 (default) – Don't use RMS. +- 1 – Use RMS. + +

Supported operations are Add, Get, Replace and Delete. Value type is integer. + +**Settings/SMBAutoEncryptedFileExtensions** +

Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copying from an SMB share within the corporate boundary as defined in the Policy CSP nodes for [NetworkIsolation/EnterpriseIPRange](policy-configuration-service-provider.md#networkisolation-enterpriseiprange) and [NetworkIsolation/EnterpriseNetworkDomainNames](policy-configuration-service-provider.md#networkisolation-enterprisenetworkdomainnames). Use semicolon (;) delimiter in the list. +

When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted. +

Supported operations are Add, Get, Replace and Delete. Value type is string. + +**Settings/EDPShowIcons** +

Determines whether overlays are added to icons for WIP protected files in Explorer and enterprise only app tiles in the Start menu. Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. + +

The following list shows the supported values: + +- 0 (default) - No WIP overlays on icons or tiles. +- 1 - Show WIP overlays on protected files and apps that can only create enterprise content. + +

Supported operations are Add, Get, Replace and Delete. Value type is integer. + +**Status** +

A read-only bit mask that indicates the current state of WIP on the Device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if WIP mandatory policies and WIP AppLocker settings are configured. + +

Suggested values: + + +++++++ + + + + + + + + + + + + + + + + +

Reserved for future use

WIP mandatory settings

+

Set = 1

+

Not set = 0

Reserved for future use

AppLocker configured

+

Yes = 1

+

No = 0

WIP on = 1

+

WIP off = 0

4

3

2

1

0

+ +  + +

Bit 0 indicates whether WIP is on or off. + +

Bit 1 indicates whether AppLocker WIP policies are set. + +

Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, the bit 3 is set to 0 (zero). + +

Here's the list of mandatory WIP policies: + +- EDPEnforcementLevel in EnterpriseDataProtection CSP +- DataRecoveryCertificate in EnterpriseDataProtection CSP +- EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP +- NetworkIsolation/EnterpriseIPRange in Policy CSP +- NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP + +

Bits 2 and 4 are reserved for future use. + +

Supported operation is Get. Value type is integer. + +  + +  + + + + + diff --git a/windows/client-management/mdm/enterprisedataprotection-ddf-file.md b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md new file mode 100644 index 0000000000..a7914046b2 --- /dev/null +++ b/windows/client-management/mdm/enterprisedataprotection-ddf-file.md 
@@ -0,0 +1,361 @@ +--- +title: EnterpriseDataProtection DDF file +description: The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider. +ms.assetid: C6427C52-76F9-4EE0-98F9-DE278529D459 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseDataProtection DDF file + +The following topic shows the OMA DM device description framework (DDF) for the EnterpriseDataProtection configuration service provider. + +> [!Important] +> Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + EnterpriseDataProtection + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/EnterpriseDataProtection + + + + Settings + + + + + + + + + + + + + + + + + + + EDPEnforcementLevel + + + + + + + + Maps to MDM "EDPEnforcementLevel" policy. + + + + + + + + + + + text/plain + + + + + EnterpriseProtectedDomainNames + + + + + + + + Maps to EnerpriseProtectedDomainNames MDM policy. + + + + + + + + + + + text/plain + + + + + AllowUserDecryption + + + + + + + + Deprecated. Recommendation is to always set to 1. When fetching this policy value, client will always return 1 regardless of what was originally set by server. 
+ + + + + + + + + + + text/plain + + + + + RequireProtectionUnderLockConfig + + + + + + + + + + + + + + + + + + text/plain + + + + + DataRecoveryCertificate + + + + + + + + + + + + + + + + + + + + + + + RevokeOnUnenroll + + + + + + + + + + + + + + + + + + text/plain + + + + + RevokeOnMDMHandoff + + + + + + + + + + + + + + + + + + text/plain + + + + + RMSTemplateIDForEDP + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowAzureRMSForEDP + + + + + + + + + + + + + + + + + + text/plain + + + + + SMBAutoEncryptedFileExtensions + + + + + + + + + + + + + + + + + + text/plain + + + + + EDPShowIcons + + + + + + + + + + + + + + + + + + text/plain + + + + + + Status + + + + + + + + + + + + + + Current state of Enterprise Data Protection configuration on the device. + + text/plain + + + + + +``` + +  + +  + + + + + diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md new file mode 100644 index 0000000000..bc056caa35 --- /dev/null +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md 
@@ -0,0 +1,546 @@
+---
+title: EnterpriseDesktopAppManagement CSP
+description: The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications.
+ms.assetid: 2BFF7491-BB01-41BA-9A22-AB209EE59FC5
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# EnterpriseDesktopAppManagement CSP
+
+
+The EnterpriseDesktopAppManagement configuration service provider is used to handle enterprise desktop application management tasks, such as querying installed enterprise applications, installing applications, or removing applications.
+
+Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
+
+The following diagram shows the EnterpriseDesktopAppManagement CSP in tree format.
+
+![enterprisedesktopappmanagement csp](images/provisioning-csp-enterprisedesktopappmanagement.png)
+
+**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
+The root node for the EnterpriseDesktopAppManagement configuration service provider.
+
+**MSI**
+Node for all settings.
+
+**MSI/****_ProductID_**
+The MSI product code for the application.
+
+**MSI/*ProductID*/Version**
+Version number. Value type is string. Supported operation is Get.
+
+**MSI/*ProductID*/Name**
+Name of the application. Value type is string. Supported operation is Get.
+
+**MSI/*ProductID*/Publisher**
+Publisher of application. Value type is string. Supported operation is Get.
+
+**MSI/*ProductID*/InstallPath**
+Installation path of the application. Value type is string. Supported operation is Get.
+
+**MSI/*ProductID*/InstallDate**
+Installation date of the application. 
Value type is string. Supported operation is Get.
+
+**MSI/*ProductID*/DownloadInstall**
+Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get.
+
+**MSI/*ProductID*/Status**
+Status of the application. Value type is string. Supported operation is Get.
+
+| Status | Value |
+|---------------------------|-------|
+| Initialized | 10 |
+| Download In Progress | 20 |
+| Pending Download Retry | 25 |
+| Download Failed | 30 |
+| Download Completed | 40 |
+| Pending User Session | 48 |
+| Enforcement In Progress | 50 |
+| Pending Enforcement Retry | 55 |
+| Enforcement Failed | 60 |
+| Enforcement Completed | 70 |
+
+ 
+
+**MSI/*ProductID*/LastError**
+The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed.
+
+Value type is string. Supported operation is Get.
+
+**MSI/*ProductID*/LastErrorDesc**
+Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned.
+
+Value type is string. Supported operation is Get.
+
+**MSI/UpgradeCode**
+Added in the March service release of Windows 10, version 1607.
+
+**MSI/UpgradeCode/_Guid_**
+Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed.
+
+Value type is string. Supported operation is Get. 
+ + +## Examples + + +**SyncML to request CSP version information** + +``` syntax + + + + 12345 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement?prop=Type + + + + + + +``` + +The following table describes the fields in the previous sample: + +| Name | Description | +|--------|-------------------------------------------------------------------------------------------------------------------------------| +| Get | Operation being performed. The Get operation is a request to return information. | +| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| LocURI | Path to Win32 CSP command processor. | + +  + +**SyncML to perform MSI operations for application uninstall** + +``` syntax + + + + 12345 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D + + + + + + +``` + +The following table describes the fields in the previous sample: + +| Name | Description | +|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Delete | Operation being performed. The Delete operation is a request to delete the CSP node that represents the specified MSI installed application and to perform and uninstall of the application as part of the process. | +| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. 
| + +  + +**SyncML to perform MSI operations for application status reporting** + +``` syntax + + + + 12345 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D + + + + + + +``` + +The following table describes the fields in the previous sample: + +| Name | Description | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Get | Operation being performed. The Get operation is a request to report the status of the specified MSI installed application. | +| CmdID | Input value used to reference the request. Responses will include this value which can be used to match request and response. | +| LocURI | Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting. | + +  + +**SyncML to perform MSI install operations for an application targeted to a specific user on the device. The Add command is required to preceed the Exec command.** + +``` syntax + + + + 1 + + + ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C384D2B-9B9A-0CB37243539C%7D/DownloadInstall + + + + + 6 + + + ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B1803A630-3C38-4D2B-9B9A-0CB37243539C%7D/DownloadInstall + + + xml + text/plain + + + + + + + + http://bcl-w2k12r2-vm/testapps/msi/reboot/reboot.msi + + https://dp2.com/packages/myApp.msi + + + +134D8F1F7C3C036DC3DCDA9F97515C8C7951DB154B73365C9C22962BD23E3EB3 + + + /quiet + 5 + 3 + 5 + + + + + + + + + +``` + +The following table describes the fields in the previous sample: + + ++++ + + + + + + + + + + + + + + + + +
NameDescription
AddThis is required to precede the Exec command. +
    +
  • CmdID - Input value used to reference the request. Reponses includes this value, which can be use to match the request and response.
  • +
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
  • +
ExecThe Exec node includes the parameters and properties requires to locate, download, validate and perform product installation. +
    +
  • CmdID - Input value used to reference the request. Responses will include this value which can be used to match request and response.
  • +
  • LocURI - Path to Win32 CSP command processor, including the Product ID (in this example, 1803A630-3C38-4D2B-9B9A-0CB37243539C) property escaped for XML formatting.
  • +
  • Data - The Data node contains an embedded XML, of type “MsiInstallJob”
  • +
  • MsiInstallJob - Contains all information required for the successful download, validation and execution of the MSI installation process (see section at the end of this document for details on this embedded data object).
  • +
+ +  + +> **Note**  Information status on the MSI job will be reported using standard OMA-DM notification mechanism. The status reported is represented using standard MSIEXEC return codes as HRESULT as defined in the MSIEXEC topic on Microsoft TechNet at . + +  + +**SyncML to perform MSI install operations for an application targeted to all users on the device (per-device installation)** + +``` syntax + + + + 1 + + + ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall + + + + + + 67890 + + + ./Device /Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/%7B6F7CB29F-1319-4816-B345-0856916EB801%7D/DownloadInstall + + + xml + text/plain + + + + + + + http://bcl-w2k12r2-vm/testapps/msi/Orca/Orca.msi + https://dp2.com/packages/myApp.msi + + + + 4525065777EF18B9444ABF71DD4B48E5F64F4F0E1E029995FB8DA441CDE4296E + + + /quiet + 5 + 3 + 5 + + + + + + + + + +``` + +The following table MsiInstallJob describes the schema elements. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ElementDescription
MsiInstallJobroot element +

"Attribute: "id - the application identifier of the application being installed

Productchild element of MsiInstallJob +

Attribute: “Version” – string representation of application version

Downloadchild element of Product. Container for download configuration information.
ContentURLListchild element of Download. Contains list of 1 or more content download URL locators in the form of ContentURL elements.
ContentURLLocation content should be downloaded from. Must be a property formatted URL that points to the .MSI file.
ValidationContains information used to validate contend authenticity. • FileHash – SHA256 hash value of file content
FileHashSHA256 hash value of file content
Enforcementinstallation properties to be used when installing this MSI
CommandLineCommand-line options to be used when calling MSIEXEC.exe
TimeoutAmount of time, in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation.
RetryCountThe number of times the download and installation operation will be retried before the installation will be marked as failed.
RetryIntervalAmount of time, in minutes between retry operations.
+ +  + +Here is an example of a common response to a request + +``` syntax + + + + + + 12345 + 1 + 0 + SyncHdr + 200 + + + 67890 + 1 + 1 + Add + 200 + + + + +``` + +## How to determine which installation context to use for an MSI package + + +The following tables shows how app targeting and MSI package type (per-user, per machine, or dual mode) are installed in the client. + +For Intune standalone environment, the MSI package will determine the MSI execution context. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
TargetPer-user MSIPer-machine MSIDual mode MSI
UserInstall the MSI per-user +

LocURI contains a User prefix, such as ./User

Install the MSI per-device +

LocURI contains a Device prefix, such as ./Device

Install the MSI per-user +

LocURI contains a User prefix, such as ./User

SystemInstall the MSI per-user +

LocURI contains a User prefix, such as ./User

Install the MSI per-device +

LocURI contains a Device prefix, such as ./Device

Install the MSI per-user +

LocURI contains a User prefix, such as ./User

+ +  + +The following table applies to SCCM hybrid environment. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
TargetPer-user MSIPer-machine MSIDual mode MSI
UserInstall the MSI per-user +

LocURI contains a User prefix, such as ./User

Install the MSI per-device +

LocURI contains a Device prefix, such as ./Device

Install the MSI per-user +

LocURI contains a User prefix, such as ./User

SystemInstall the MSI per-user +

LocURI contains a User prefix, such as ./User

Install the MSI per-device +

LocURI contains a Device prefix, such as ./Device

Install the MSI per- system context +

LocURI contains a Device prefix, such as ./Device

+ +  + +## How to determine the package type from the MSI package + + +- ALLUSERS="" - per-user package type +- ALLUSERS=1 - per-machine package type +- ALLUSERS=2, MSIINSTALLPERUSER=1 - dual mode package type + +Properties can be specified in the package, passed through the command line, modified by a transform, or (more commonly) selected through a user interface dialog. + +Here's a list of references: + +- [Using Windows Installer](https://technet.microsoft.com/library/cc782896.aspx) +- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](http://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx) +- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D) + +## Alert example + + +``` syntax + + 4 + 1224 + + + ./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{AF9257BA-6BBD-4624-AA9B-0182D50292C3}/DownloadInstall + + + Reversed-Domain-Name:com.microsoft.mdm.win32csp_install + int + informational + + 0 + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md new file mode 100644 index 0000000000..5bd96246ec --- /dev/null +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-ddf-file.md 
@@ -0,0 +1,369 @@ +--- +title: EnterpriseDesktopAppManagement DDF +description: This topic shows the OMA DM device description framework (DDF) for the EnterpriseDesktopAppManagement configuration service provider. +ms.assetid: EF448602-65AC-4D59-A0E8-779876542FE3 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseDesktopAppManagement DDF + + +This topic shows the OMA DM device description framework (DDF) for the **EnterpriseDesktopAppManagement** configuration service provider. + +DDF files are used only with OMA DM provisioning XML. + +``` syntax + +]> + + 1.2 + + EnterpriseDesktopAppManagement + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/EnterpriseDesktopAppManagement + + + + MSI + + + + + Product Type is MSI + + + + + + + + + + + + + + + + + + + + + + + + + MSI product code for Threshold + + + + + + + + + + + + + ProductID + + + + + + Version + + + + + MSI Product Version + + + + + + + + + + + + + + text/plain + + + + + Name + + + + + + + + + + + + + + + + + + text/plain + + + + + Publisher + + + + + + + + + + + + + + + + + + text/plain + + + + + InstallPath + + + + + + + + + + + + + + + + + + text/plain + + + + + InstallDate + + + + + + + + + + + + + + + + + + text/plain + + + + + DownloadInstall + + + + + + + + Method to download and install an MSI app + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + + + + + + + + + + + + + + text/plain + + + + + LastErrorDesc + + + + + + + + + + + + + + + + + + text/plain + + + + + + UpgradeCode + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Guid + + text/plain + + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md new file mode 100644 index 0000000000..d5e415b890 --- /dev/null 
+++ b/windows/client-management/mdm/enterprisedesktopappmanagement2-xsd.md 
@@ -0,0 +1,104 @@ +--- +title: EnterpriseDesktopAppManagement XSD +description: This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. +ms.assetid: 60980257-4F48-4A68-8E8E-1EF0A3F090E2 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseDesktopAppManagement XSD + + +This topic contains the XSD schema file for the EnterpriseDesktopAppManagement configuration service provider’s DownloadInstall parameter. + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +The following table describes the various elements and attributes of the XSD file: + +  + +| Name | Description | +|----------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| MsiInstallJob | Root element | +| id | The application identifier for the application being installed. | +| Product | Child element of MsiInstallJob | +| Version | String representation of the application version | +| Download | Child element of Product. Container for download configuration information. | +| ContentURLList | Child element of Download. Contains list of one or more content download URL locators in the form of ContentURL elements. | +| ContentURL | Location that content should be downloaded from. Must be a property formatted URL that points to the MSI file. | +| Validation | Contains information used to validate content authenticity. | +| FileHash | SHA256 hash value of file content. 
| +| Enforcement | Installation properties to be used when installing this MSI | +| CommandLine | Command-line options to be used when calling MSIEXEC.exe | +| Timeout | Amount of time in minutes that the installation process can run before the installer considers the installation may have failed and no longer monitors the installation operation. | +| RetryCount | Number of times the download and installation operation will be retried before the installation will be marked as failed. | +| RetryInterval | Amount of time in minutes between retry operations. | + +  + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md new file mode 100644 index 0000000000..2bb98165d4 --- /dev/null +++ b/windows/client-management/mdm/enterpriseext-csp.md 
@@ -0,0 +1,370 @@ +--- +title: EnterpriseExt CSP +description: EnterpriseExt CSP +ms.assetid: ACA5CD79-BBD5-4DD1-86DA-0285B93982BD +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseExt CSP + + +The EnterpriseExt configuration service provider allows OEMs to set their own unique ID for their devices, set display brightness values, and set the LED behavior. + +> **Note**   The EnterpriseExt CSP is only supported in Windows 10 Mobile. + +  + +The following diagram shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. + +![enterpriseext csp](images/provisioning-csp-enterpriseext.png) + +The following list shows the characteristics and parameters. + +**./Vendor/MSFT/EnterpriseExt** +The root node for the EnterpriseExt configuration service provider. Supported operations is Get. + +**DeviceCustomData** +Node for setting the custom device ID and string. + +**DeviceCustomData/CustomID** +Any string value as the device ID. This value appears in **Settings** > **About** > **Info**. + +Here's an example for getting custom data. + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomID + + + + + ./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomString + + + + + + +``` + +**DeviceCustomData/CustomString** +Any string value that is associated with the device. + +Here's an example for setting custom data. + +``` syntax + + + + + 1 + + + ./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomID + + urn:uuid:130CCE0D-0187-5866-855A-DE7406F76046 + + + + ./Vendor/MSFT/EnterpriseExt/DeviceCustomData/CustomString + + {"firstName":"John","lastName":"Doe"} + + + + + +``` + +**Brightness** +Node for setting device brightness values. + +**Brightness/Default** +Default display brightness value. 
For example, you can maximize battery life by reducing the default value or set it to medium in a facility that is generally darker. + +The valid values are: + +- Automatic - the device determines the brightness +- Low +- Medium +- High + +The supported operations are Get and Replace. + +Here's an example for getting the current default value. + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/EnterpriseExt/Brightness/Default + + + + + + +``` + +Here's an example for setting the default value to medium. + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/EnterpriseExt/Brightness/Default + + medium + + + + + +``` + +**Brightness/MaxAuto** +Maximum display brightness value when the device is set to automatic mode. The device brightness will never be higher than the MaxAuto value. The value values are: + +- Low +- Medium +- High + +The supported operations are Get and Replace. + +Here's an example for setting the maximum auto-brightness to medium. + +``` syntax + + + + + 2 + + + ./Vendor/MSFT/EnterpriseExt/Brightness/MaxAuto + + medium + + + + + +``` + +**LedAlertNotification** +Node for setting LED behavior of the device. + +**LedAlertNotification/State** +LED state. The valid values are: + +- 0 - off +- 1 - on +- 2 - blink + +Example: LED On + +``` syntax + + + + + 3 + + + ./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Intensity + + + int + + 100 + + + + ./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State + + + int + + 1 + + + + + +``` + +Example: LED Off + +``` syntax + + + + + 3 + + + ./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State + + + int + + 0 + + + + + +``` + +**LedAlertNotification/Intensity** +Intensity of the LED brightness. You can set the value between 1 - 100. 
+ +Example: LED blink + +``` syntax + + + + + 3 + + + ./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Period + + + int + + 500 + + + + ./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Dutycycle + + + int + + 70 + + + + ./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Intensity + + + int + + 100 + + + + ./Vendor/MSFT/EnterpriseExt/LedAlertNotification/Cyclecount + + + int + + 543210 + + + + ./Vendor/MSFT/EnterpriseExt/LedAlertNotification/State + + + int + + 2 + + + + + +``` + +**LedAlertNotification/Period** +Duration of each blink, which is the time of ON + OFF. The value is in milliseconds. This is valid only for blink. + +**LedAlertNotification/DutyCycle** +LED ON duration during one blink cycle. You can set the value between 1 - 100. This is valid only for blink. + +**LedAlertNotification/Cyclecount** +Number of blink cycles. The data type is a 4-byte signed integer. Any negative value or zero results in an error. This node is only valid for blink. + +**DeviceReboot** +Removed in Windows 10. + +**DeviceReboot/WaitTime** +Removed in Windows 10. + +**MaintenanceWindow** +Removed in Windows 10. + +**MaintenanceWindow/MaintenanceAllowed** +Removed in Windows 10. + +**MaintenanceWindow/MWMandatory** +Removed in Windows 10. + +**MaintenanceWindow/ScheduleXML** +Removed in Windows 10. + +**MaintenanceWindow/MWNotificationDuration** +Removed in Windows 10. + +**MaintenanceWindow/MWminimumDuration** +Removed in Windows 10. + +**DeviceUpdate** +Removed in Windows 10. + +**DeviceUpdate/DateTimeStamp** +Removed in Windows 10. + +**DeviceUpdate/UpdateResultXml** +Removed in Windows 10. + +**MDM** +Removed in Windows 10. + +**MDM/Server** +Removed in Windows 10. + +**MDM/Username** +Removed in Windows 10. + +**MDM/Password** +Removed in Windows 10. + +**MDM/EnableDeviceEnrollment** +Removed in Windows 10. + +**Pfx** +Removed in Windows 10. + +**DisableEnterpriseValidation** +Removed in Windows 10. + +  + +  + +10/10/2016 + + + + 
diff --git a/windows/client-management/mdm/enterpriseext-ddf.md b/windows/client-management/mdm/enterpriseext-ddf.md new file mode 100644 index 0000000000..06bc4c0198 --- /dev/null +++ b/windows/client-management/mdm/enterpriseext-ddf.md @@ -0,0 +1,317 @@ +--- +title: EnterpriseExt DDF +description: EnterpriseExt DDF +ms.assetid: 71BF81D4-FBEC-4B03-BF99-F7A5EDD4F91B +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseExt DDF + + +This topic shows the OMA DM device description framework (DDF) for the **EnterpriseExt** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). + +``` syntax + +]> + + 1.2 + + EnterpriseExt + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + DeviceCustomData + + + + + + + + + + + + + + + + + + + + + + CustomID + + + + + + + + + + + + + + + + text/plain + + + + + CustomString + + + + + + + + + + + + + + + + text/plain + + + + + + Brightness + + + + + + + + + + + + + + + + + + + + + + Default + + + + + + + + + + + + + + + + text/plain + + + + + MaxAuto + + + + + + + + + + + + + + + + text/plain + + + + + + LedAlertNotification + + + + + + + + + + + + + + + + + + + + + + State + + + + + + + + + + + + + + + + text/plain + + + + + Intensity + + + + + + + + + + + + + + + + text/plain + + + + + Period + + + + + + + + + + + + + + + + text/plain + + + + + DutyCycle + + + + + + + + + + + + + + + + text/plain + + + + + Cyclecount + + + + + + + + + + + + + + + + text/plain + + + + + + +``` + + + +  + +  + + + + + diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md new file mode 100644 index 0000000000..f6b332a182 --- /dev/null +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md 
@@ -0,0 +1,127 @@ +--- +title: EnterpriseExtFileSystem CSP +description: EnterpriseExtFileSystem CSP +ms.assetid: F773AD72-A800-481A-A9E2-899BA56F4426 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseExtFileSystem CSP + + +The EnterpriseExtFileSystem configuration service provider (CSP) allows IT administrators to add, retrieve, or change files in the file system through the Mobile Device Management (MDM) service. For example, you can use this configuration service provider to push a provisioning XML file or a new lock screen background image file to a device through the MDM service, and also retrieve logs from the device in the enterprise environment. + +> **Note**  The EnterpriseExtFileSystem CSP is only supported in Windows 10 Mobile. + +  + +File contents are embedded directly into the syncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 0x100000 (1 MB). You can configure this limit by using the following registry key: **Software\\Microsoft\\Provisioning\\CSPs\\.\\Vendor\\MSFT\\EnterpriseExtFileSystem\\MaxFileReadSize**. + +The following diagram shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). + +![enterpriseextfilesystem csp](images/provisioning-csp-enterpriseextfilesystem.png) + +The following list describes the characteristics and parameters. + +**./Vendor/MSFT/EnterpriseExtFileSystem** +

The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.

+ +**Persistent** +

The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.

+ +> **Important**  There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer. + +  + +> **Note**   When the IT admin triggers a **doWipePersistProvisionedData** action using [RemoteWipe CSP](remotewipe-csp.md), items stored in the Persistent folder are persisted over wipe and restored when the device boots again. The contents are not persisted if a **doWipe** action is triggered. + +  + +**NonPersistent** +

The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.

+ +

When the device is wiped, any data stored in the NonPersistent folder is deleted.

+ +**OemProfile** +

Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \\data\\shareddata\\oem\\public\\profile\\ folder of the device.

+ +***Directory*** +

The name of a directory in the device file system. Any *Directory* node can have directories and files as child nodes.

+ +

Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.

+ +

Use the Get command to return the list of child node names under *Directory*.

+ +

Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under *Directory*.

+ +***Filename*** +

The name of a file in the device file system.

+ +Supported operations is Get. + +## OMA DM examples + + +The following example shows how to retrieve a file from the device. + +``` syntax + + 2 + + + ./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/file.txt + + + +``` + +The following example shows the file name that is returned in the body of the response syncML code. In this example, the full path of the file on the device is C:/data/test/bin/filename.txt. + +``` syntax + + 3 + 1 + 2 + + + ./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/filename.txt + + + b64 + application/octet-stream + + aGVsbG8gd29ybGQ= + + +``` + +The following example shows how to push a file to the device. + +``` syntax + + 2 + + + ./Vendor/MSFT/EnterpriseExtFileSystem/Persistent/new.txt + + + b64 + application/octet-stream + + aGVsbG8gd29ybGQ= + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterpriseextfilesystem-ddf.md b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md new file mode 100644 index 0000000000..dc371ba33a --- /dev/null +++ b/windows/client-management/mdm/enterpriseextfilesystem-ddf.md 
@@ -0,0 +1,270 @@ +--- +title: EnterpriseExtFileSystem DDF +description: EnterpriseExtFileSystem DDF +ms.assetid: 2D292E4B-15EE-4AEB-8884-6FEE8B92D2D1 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseExtFileSystem DDF + + +This topic shows the OMA DM device description framework (DDF) for the **EnterpriseExtFileSystem** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). + +``` syntax + +]> + + 1.2 + + EnterpriseExtFileSystem + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + Persistent + + + + + + + + + + + + + + + + + + + + Files_abc1 + + + + + + + + + + + + + + + + + Files + + + + + + + Directory_abc2 + + + + + + + + + + + + + + + + + Directory + + text/plain + + + + + + NonPersistent + + + + + + + + + + + + + + + + + + + + Files_abc3 + + + + + + + + + + + + + + + + + Files + + text/plain + + + + + Directory_abc4 + + + + + + + + + + + + + + + + + Directory + + text/plain + + + + + + OemProfile + + + + + + + + + + + + + + + + + + + + Directory_abc5 + + + + + + + + + + + + + + + + + Directory + + text/plain + + + + + Files_abc6 + + + + + + + + + + + + + + + + + Files + + text/plain + + + + + + +``` + +## Related topics + + +[EnterpriseExtFileSystem configuration service provider](enterpriseextfilessystem-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md new file mode 100644 index 0000000000..23fea75c17 --- /dev/null +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md 
@@ -0,0 +1,526 @@ +--- +title: EnterpriseModernAppManagement CSP +description: EnterpriseModernAppManagement CSP +ms.assetid: 9DD0741A-A229-41A0-A85A-93E185207C42 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseModernAppManagement CSP + +The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). + +> [!Note] +> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. + +The following image shows the EnterpriseModernAppManagement configuration service provider in tree format. + +![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) + +**Device or User context** +

For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. + +> [!Note] +> Windows Holographic and Windows 10 Mobile only support per-user configuration of the EnterpriseModernAppManagement CSP. + +**AppManagement** +

Required. Used for inventory and app management (post-install). + +**AppManagement/UpdateScan** +

Required. Used to start the Windows Update scan. + +

Supported operation is Execute. + +**AppManagement/LastScanError** +

Required. Reports the last error code returned by the update scan. + +

Supported operation is Get. + +**AppManagement/AppInventoryResults** +

Added in Windows 10, version 1511. Required. Returns the results for app inventory that was created after the AppInventoryQuery operation. + +

Supported operation is Get. + +

Here's an example of AppInventoryResults operation. + +``` syntax + + 11 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryResults + + + +``` + +**AppManagement/AppInventoryQuery** +

Added in Windows 10, version 1511. Required. Specifies the query for app inventory. + +

Query parameters: + +- Output - Specifies the parameters for the information returned in AppInventoryResults operation. Mutiple value must be separate by |. Valid values are: + - PackagesName - returns the *PackageFamilyName* and *PackageFullName* of the app. Default if nothing is specified. + - PackageDetails - returns all inventory attributes of the package. This includes all information from PackageNames parameter, but does not validate RequiresReinstall. + - RequiredReinstall - Validates the app status of the apps in the inventory query to determine if they require a reinstallation. This attribute may impact system performance depending on the number of apps installed. Requiring reinstall occurs when resource package updates or when the app is in a tampered state. +- Source - specifies the app classification that aligns to the existing inventory nodes. You can use a specific filter or if no filter is specified then all sources will be returned. If no value is specified, all classifications are returned. Valid values are: + - AppStore - This classification is for apps that were acquired from Windows Store. These were apps directly installed from Windows Store or enterprise apps from Windows Store for Business. + - nonStore - This classification is for apps that were not acquired from the Windows Store. + - System - Apps that are part of the OS. You cannot uninstall these apps. This classification is read-only and can only be inventoried. +- PackageTypeFilter - Specifies one or multiple types of packages you can use to query the user or device. Multiple values must be separated by |. Valid values are: + + - Main - returns the main installed package. + - Bundle - returns installed bundle packages. + - Framework - returns installed framework packages. + - Resource - returns installed resources packages. Resources are either language, scale, or DirectX resources. They are parts of a bundle. + - XAP - returns XAP package types. + - All - returns all package types. 
+ + If no value is specified, the combination of Main, Bundle, Framework, and XAP are returned. + +- PackageFamilyName - specifies the name of a particular package. If you specify this parameter, it returns the Package Family name if the package contains this value. + + If you do not specify this value, then all packages are returned. + +- Publisher - specifies the publisher of a particular package. If you specify this parameter, it returns the publisher if the value exists in the Publisher field. + + If you do not specify this value, then all publishers are returned. + + +

Supported operation is Get and Replace. + +

The following example sets the inventory query for the package names and checks the status for reinstallation for all main packages that are nonStore apps. + +``` syntax + + 10 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppInventoryQuery + + xml + + + +``` +**AppManagement/RemovePackage** +

Added in Windows 10, version 1703. Used to remove packages. + +

Parameters: +

    +
  • Package +
      +
    • Name: Specifies the PackageFullName of the particular package to remove.
    • +
    • RemoveForAllUsers: +
        +
      • 0 (default) – Package will be un-provisioned so that new users do not receive the package. The package will remain installed for current users.
      • +
      • 1 – Package will be removed for all users.
      • +
      +
    • +
    +
  • +
  • User (optional): Specifies the SID of the particular user for whom to remove the package; only the package for the specified user can be removed. Not required for ./User/Vendor/MSFT.
  • +
+ + +

Supported operation is Execute. + +

The following example removes a package for the specified user: + +```XML + + 10 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage + + xml + + + + + +``` +

The following example removes a package for all users: + +````XML + + 10 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/RemovePackage + + xml + + + + + +```` + +**AppManagement/nonStore** +

Used to manage enterprise apps or developer apps that were not acquired from the Windows Store. + +

Supported operation is Get. + +**AppManagement/System** +

Reports apps installed as part of the operating system. + +

Supported operation is Get. + +**AppManagement/AppStore** +

Required. Used for managing apps from the Windows Store. + +

Supported operations are Get and Delete. + +**.../****_PackageFamilyName_** +

Optional. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + +

Supported operations are Get and Delete. + +> [!Note] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + + +

Here's an example for uninstalling an app: + +``` syntax + + + + + 2 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/%7b12345678-9012-3456-7890-123456789012%7D + + + + + + +``` + +**.../*PackageFamilyName*/****_PackageFullName_** +

Optional. Full name of the package installed. + +

Supported operations are Get and Delete. + +> [!Note] +> XAP files use a product ID in place of PackageFullName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + +  +**.../*PackageFamilyName*/*PackageFullName*/Name** +

Required. Name of the app. Value type is string. + +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/Version** +

Required. Version of the app. Value type is string. + +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/Publisher** +

Required. Publisher name of the app. Value type is string. + +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/Architecture** +

Required. Architecture of installed package. Value type is string. + +> [!Note] +> Not applicable to XAP files. + +  + +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/InstallLocation** +

Required. Install location of the app on the device. Value type is string. + +> [!Note] +> Not applicable to XAP files. + +  + +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/IsFramework** +

Required. Whether or not the app is a framework package. Value type is int. The value is 1 if the app is a framework package and 0 (zero) for all other cases. + +> [!Note] +> Not applicable to XAP files. + +  +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/IsBundle** +

Required. The value is 1 if the package is an app bundle and 0 (zero) for all other cases. Value type is int. + +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/InstallDate** +

Required. Date the app was installed. Value type is string. + +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/ResourceID** +

Required. Resource ID of the app. This is null for the main app, ~ for a bundle, and contains resource information for resources packages. Value type is string. + +> [!Note] +> Not applicable to XAP files. + +  +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/PackageStatus** +

Required. Provides information about the status of the package. Value type is int. Valid values are: + +- OK (0) - The package is usable. +- LicenseIssue (1) - The license of the package is not valid. +- Modified (2) - The package payload was modified by an unknown source. +- Tampered (4) - The package payload was tampered intentionally. +- Disabled (8) - The package is not available for use. It can still be serviced. + +> [!Note] +> Not applicable to XAP files. + +  + +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/RequiresReinstall** +

Required. Specifies whether the package state has changed and requires a reinstallation of the app. This can occur when new app resources are required, such as when a device has a change in language preference or a new DPI. It can also occur of the package was corrupted. If the value is 1, reinstallation of the app is performed. Value type is int. + +> [!Note] +> Not applicable to XAP files. + +  +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/Users** +

Required. Registered users of the app. If the query is at the device level, it returns all the registered users of the device. If you query the user context, it will only return the current user. Value type is string. + +

Supported operation is Get. + +**.../*PackageFamilyName*/*PackageFullName*/IsProvisioned** +

Required. The value is 0 or 1 that indicates if the app is provisioned on the device. The value type is int. + +

Supported operation is Get. + +**.../*PackageFamilyName*/DoNotUpdate** +

Required. Specifies whether you want to block a specific app from being updated via auto-updates. + +

Supported operations are Add, Get, Delete, and Replace. + +**.../*PackageFamilyName*/AppSettingPolicy** (only for ./User/Vendor/MSFT) +

Added in Windows 10, version 1511. Interior node for all managed app setting values. This node is only supported in the user context. + +**.../*PackageFamilyName*/AppSettingPolicy/****_SettingValue_** (only for ./User/Vendor/MSFT) +

Added in Windows 10, version 1511. The *SettingValue* and data represent a key value pair to be configured for the app. The node represents the name of the key and the data represents the value. You can find this value in LocalSettings in the Managed.App.Settings container. + +

This setting only works for apps that support the feature and it is only supported in the user context. + +

Value type is string. Supported operations are Add, Get, Replace, and Delete. + +

The following example sets the value for the 'Server' + +``` syntax + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy/Server + + + chr + + server1.contoso.com + + +``` + +

The following example gets all managed app settings for a specific app. + +``` syntax + + + 0 + + + ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/AppStore/PackageFamilyName/AppSettingPolicy?list=StructData + + + +``` + +**AppInstallation** +

Required node. Used to perform app installation. + +**AppInstallation/****_PackageFamilyName_** +

Optional node. Package family name (PFN) of the app. There is one for each PFN on the device when reporting inventory. These items are rooted under their signing origin. + +

Supported operations are Get and Add. + +> [!Note] +> XAP files use a product ID in place of PackageFamilyName. Here's an example of XAP product ID (including the braces), {12345678-9012-3456-7890-123456789012}. + +  +**AppInstallation/*PackageFamilyName*/StoreInstall** +

Required. Command to perform an install of an app and a license from the Windows Store. + +

Supported operation is Execute, Add, Delete, and Get. + +**AppInstallation/*PackageFamilyName*/HostedInstall** +

Required. Command to perform an install of an app package from a hosted location (this can be a local drive, a UNC, or https data source). + +

Supported operation is Execute, Add, Delete, and Get. + +**AppInstallation/*PackageFamilyName*/LastError** +

Required. Last error relating to the app installation. + +

Supported operation is Get. + +> [!Note] +> This element is not present after the app is installed. + +  + +**AppInstallation/*PackageFamilyName*/LastErrorDescription** +

Required. Description of last error relating to the app installation. + +

Supported operation is Get. + +> [!Note] +> This element is not present after the app is installed. + +  +**AppInstallation/*PackageFamilyName*/Status** +

Required. Status of app installation. The following values are returned: + +- NOT\_INSTALLED (0) - The node was added, but the execution has not completed. +- INSTALLING (1) - Execution has started, but the deployment has not completed. If the deployment completes regardless of success, this value is updated. +- FAILED (2) - Installation failed. The details of the error can be found under LastError and LastErrorDescription. +- INSTALLED (3) - Once an install is successful this node is cleaned up, however in the event the clean up action has not completed, this state may briefly appear. + +

Supported operation is Get. + +> [!Note] +> This element is not present after the app is installed. + +  +**AppInstallation/*PackageFamilyName*/ProgessStatus** +

Required. An integer the indicates the progress of the app installation. For https locations, this indicates the download progress. ProgressStatus is not available for provisioning and it is only for user-based installations. In provisioning, the value is always 0 (zero). + +

Supported operation is Get. + +> [!Note] +> This element is not present after the app is installed. + +  +**AppLicenses** +

Required node. Used to manage licenses for app scenarios. + +**AppLicenses/StoreLicenses** +

Required node. Used to manage licenses for store apps. + +**AppLicenses/StoreLicenses/****_LicenseID_** +

Optional node. License ID for a store installed app. The license ID is generally the PFN of the app. + +

Supported operations are Add, Get, and Delete. + +**AppLicenses/StoreLicenses/*LicenseID*/LicenseCategory** +

Added in Windows 10, version 1511. Required. Category of license that is used to classify various license sources. Valid value: + +- Unknown - unknown license category +- Retail - license sold through retail channels, typically from the Windows Store +- Enterprise - license sold through the enterprise sales channel, typically from the Store for Business +- OEM - license issued to an OEM +- Developer - developer license, typically installed during the app development or side-loading scernarios. + +

Supported operation is Get. + +**AppLicenses/StoreLicenses/*LicenseID*/LicenseUsage** +

Added in Windows 10, version 1511. Required. Indicates the allowed usage for the license. Valid values: + +- Unknown - usage is unknown +- Online - the license is only valid for online usage. This is for applications with concurrence requirements, such as an app used on several computers, but can only be used on one at any given time. +- Offline - license is valid for use offline. You don't need a connection to the internet to use this license. +- Enterprise Root - + +

Supported operation is Get. + +**AppLicenses/StoreLicenses/*LicenseID*/RequesterID** +

Added in Windows 10, version 1511. Required. Identifier for the entity that requested the license, such as the client who acquired the license. For example, all licenses issued by the Store for Business for a particular enterprise client has the same RequesterID. + +

Supported operation is Get. + +**AppLicenses/StoreLicenses/*LicenseID*/AddLicense** +

Required. Command to add license. + +

Supported operation is Execute. + +**AppLicenses/StoreLicenses/*LicenseID*/GetLicenseFromStore** +

Added in Windows 10, version 1511. Required. Command to get license from the store. + +

Supported operation is Execute. + +## Examples + + +

For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md). + +

Query the device for a specific app subcategory, such as nonStore apps. + +``` syntax + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore + + + +``` + +

The result contains a list of apps, such as <Data>App1/App2/App3</Data>. + +

Subsequent query for a specific app for its properties. + +``` syntax + + + 1 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/App1?list=StructData + + + + + 2 + + + ./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppManagement/nonStore/App2?list=StructData + + + +``` + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md new file mode 100644 index 0000000000..4da9c4b384 --- /dev/null +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md 
@@ -0,0 +1,920 @@ +--- +title: EnterpriseModernAppManagement DDF +description: EnterpriseModernAppManagement DDF +ms.assetid: +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseModernAppManagement DDF + +This topic shows the OMA DM device description framework (DDF) for the **EnterpriseModernAppManagement** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + EnterpriseModernAppManagement + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + AppManagement + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + EnterpriseID + + + + + + + + + + + + + + + + + + + + + + PackageFamilyName + + + + + + + + + + + + + + + + + + + + + + PackageFullName + + + + + + Name + + + + + + + + + + + + + + + text/plain + + + + + Version + + + + + + + + + + + + + + + text/plain + + + + + Publisher + + + + + + + + + + + + + + + text/plain + + + + + Architecture + + + + + + + + + + + + + + + text/plain + + + + + InstallLocation + + + + + + + + + + + + + + + text/plain + + + + + IsFramework + + + + + + + + + + + + + + + text/plain + + + + + IsBundle + + + + + + + + + + + + + + + text/plain + + + + + InstallDate + + + + + + + + + + + + + + + text/plain + + + + + ResourceID + + + + + + + + + + + + + + + text/plain + + + + + PackageStatus + + + + + + + + + + + + + + + text/plain + + + + + RequiresReinstall + + + + + + + + + + + + + + + text/plain + + + + + Users + + + + + + + + + + + + + + + text/plain 
+ + + + + IsProvisioned + + + + + + + + + + + + + + + text/plain + + + + + + DoNotUpdate + + + + + + + + + + + + + + + + + DoNotUpdate + + text/plain + + + + + AppSettingPolicy + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SettingValue + + text/plain + + + + + + + + UpdateScan + + + + + + + + + + + + + + + text/plain + + + + + LastScanError + + + + + + + + + + + + + + + text/plain + + + + + AppInventoryResults + + + + + + + + + + + + + + + text/plain + + + + + AppInventoryQuery + + + + + + + + + + + + + + + + text/plain + + + + + RemovePackage + + + + + + + + + + + + + + + text/plain + + + + + + AppInstallation + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + PackageFamilyName + + + + + + StoreInstall + + + + + + + + + + + + + + + + + + text/plain + + + + + HostedInstall + + + + + + + + + + + + + + + + + + text/plain + + + + + LastError + + + + + + + + + + + + + + + text/plain + + + + + LastErrorDesc + + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + ProgressStatus + + + + + + + + + + + + + + + text/plain + + + + + + + AppLicenses + + + + + + + + + + + + + + + + + + + StoreLicenses + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + LicenseID + + + + + + LicenseCategory + + + + + + + + + + + + + + + text/plain + + + + + LicenseUsage + + + + + + + + + + + + + + + text/plain + + + + + RequesterID + + + + + + + + + + + + + + + text/plain + + + + + AddLicense + + + + + + + + + + + + + + + text/plain + + + + + GetLicenseFromStore + + + + + + + + + + + + + + + text/plain + + + + + + + + +``` + +## Related topics + +[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md new file mode 100644 index 0000000000..74d0c2cb31 --- /dev/null 
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-xsd.md @@ -0,0 +1,56 @@ +--- +title: EnterpriseModernAppManagement XSD +description: Here is the XSD for the application parameters. +ms.assetid: D393D094-25E5-4E66-A60F-B59CC312BF57 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# EnterpriseModernAppManagement XSD + + +Here is the XSD for the application parameters. + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md new file mode 100644 index 0000000000..4855aaefd7 --- /dev/null +++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md 
@@ -0,0 +1,644 @@
+---
+title: Federated authentication device enrollment
+description: This section provides an example of the mobile device enrollment protocol using federated authentication policy.
+ms.assetid: 049ECA6E-1AF5-4CB2-8F1C-A5F22D722DAA
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Federated authentication device enrollment
+
+
+This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
+
+The <AuthenticationServiceURL> element the discovery response message specifies web authentication broker page start URL.
+
+For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+
+## In this topic
+
+
+[Discovery service](#discovery-service)
+[Enrollment policy web service](#enrollment-policy-web-service)
+[Enrollment web service](#enrollment-web-service)
+
+For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
+
+## Discovery service
+
+
+The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service.
The service is a restful web service over HTTPS (server authentication only). + +> **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. + +  + +The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc + +The first request is a standard HTTP GET request. + +The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address. + +``` +Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc +Content Type: unknown +Header Byte Count: 153 +Body Byte Count: 0 +``` + +``` +GET /EnrollmentServer/Discovery.svc HTTP/1.1 +User-Agent: Windows Phone 8 Enrollment Client +Host: EnterpriseEnrollment.contoso.com +Pragma: no-cache +``` + +``` +Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc +Content Type: text/html +Header Byte Count: 248 +Body Byte Count: 0 +``` + +``` +HTTP/1.1 200 OK +Connection: Keep-Alive +Pragma: no-cache +Cache-Control: no-cache +Content-Type: text/html +Content-Length: 0 +``` + +After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server. 
+ +The following logic is applied: + +1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. +2. If that fails, the device tries HTTP to see whether it is redirected: + - If the device is not redirected, it prompts the user for the server address. + - If the device is redirected, it prompts the user to allow the redirect. + +The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address + +``` +https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc +``` + +The following example shows the discovery service request. + +``` syntax + + + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc + + + + + + user@contoso.com + 3 + 3.0 + WindowsPhone + 10.0.0.0 + + OnPremise + Federated + + + + +``` + +The discovery response is in the XML format and includes the following fields: + +- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. +- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. +- In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. + +> **Note**  The HTTP server response must not be chunked; it must be sent as one message. 
+ +  + +When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call. + +> **Note**  Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance: +> - Parse the OS version from the data sent up during the discovery request. +> - Append the OS version as a parameter in the AuthenticationServiceURL. +> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication. + +  + +A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. + +> **Note**  The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented. + +  + +The following are the explicit requirements for the server. + +- The <DiscoveryResponse><AuthenticationServiceUrl> element must support HTTPS. 
+- The authentication server must use a device trusted root certificate. Otherwise, the WAP call will fail.
+- WP doesn’t support Window Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2 if used needs to be configured to not attempt WIA for Windows device.
+
+The enrollment client issues an HTTPS request as follows:
+
+```
+AuthenticationServiceUrl?appru=&login_hint=
+```
+
+- <appid> is of the form ms-app://string
+- <User Principal Name> is the name of the enrolling user, for example, user@constoso.com as input by the user in an enrollment sign in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.
+
+After authentication is complete, the auth server should return an HTML form document with a POST method action of appid identified in the query string parameter.
+
+```
+HTTP/1.1 200 OK
+Content-Type: text/html; charset=UTF-8
+Vary: Accept-Encoding
+Content-Length: 556
+
+
+
+
+ Working...
+
+
+
+
+

+

+ +
+ + +``` + +The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary" contained in the <wsse:BinarySecurityToken> EncodingType attribute. Windows does the binary encode when it sends it back to enrollment server, in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string. + +The following example shows a response received from the discovery web service which requires authentication via WAB. + +``` syntax + + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse + + + d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + + + + Federated + 3.0 + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://portal.manage.contoso.com/LoginRedirect.aspx + + + + + +``` + +## Enrollment policy web service + + +Policy service is optional. By default, if no policies are specified, the minimum key length is 2k and the hash algorithm is SHA-1. + +This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message. + +For Federated authentication policy, The security token credential is provided in a request message using the <wsse:BinarySecurityToken> element \[WSS\]. 
The security token is retrieved as described in the discovery response section. The authentication information is as follows:
+
+- wsse:Security: The enrollment client implements the <wsse:Security> element defined in \[WSS\] section 5. The <wsse:Security> element must be a child of the <s:Header> element.
+- wsse:BinarySecurityToken: The enrollment client implements the <wsse:BinarySecurityToken> element defined in \[WSS\] section 6.3. The <wsse:BinarySecurityToken> element must be included as a child of the <wsse:Security> element in the SOAP header.
+
+As was described in the discovery response section, the inclusion of the <wsse:BinarySecurityToken> element is opaque to the enrollment client, and the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the <AuthenticationServiceUrl> element of <DiscoveryResponse> and the enterprise server.
+
+The <wsse:BinarySecurityToken> element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the <wsse:BinarySecurityToken> element. wsse:BinarySecurityToken/attributes/ValueType: The <wsse:BinarySecurityToken> ValueType attribute must be "http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken".
+
+wsse:BinarySecurityToken/attributes/EncodingType: The <wsse:BinarySecurityToken> EncodingType attribute must be "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\#base64binary".
+
+The following is an enrollment policy request example with a received security token as client credential.
+ +``` syntax + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies + + urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + B64EncodedSampleBinarySecurityToken + + + + + + + + + + + + + +``` + +After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN. + +MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows device, we will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms. + +> **Note**  The HTTP server response must not be chunked; it must be sent as one message. + +  + +The following snippet shows the policy web service response. + +``` syntax + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse + + urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598 + + + + + + + + + + + 0 + + + CEPUnitTest + 3 + + 1209600 + 172800 + + + true + false + + + 2048 + + + + + + + + 101 + 0 + + + + + + + 0 + + + + + + + + + + + 1.3.14.3.2.29 + 1 + 0 + szOID_OIWSEC_sha1RSASign + + + + + +``` + +## Enrollment web service + + +This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. 
Besides the issued certificate, the response also contains configurations needed to provision the DM client. + +The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully. + +Note that the RequestSecurityToken will use a custom TokenType (http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. + +The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. + +> **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name. + +  + +The following example shows the enrollment web service request for federated authentication. 
+ +``` syntax + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep + + urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + B64EncodedSampleBinarySecurityToken + + + + + + + http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken + + + http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue + + + DER format PKCS#10 certificate request in Base64 encoding Insterted Here + + + + 4 + + + 10.0.9999.0 + + + MY_WINDOWS_DEVICE + + + FF:FF:FF:FF:FF:FF + + + CC:CC:CC:CC:CC:CC + + 49015420323756 + + + 30215420323756 + + + Full + + + CIMClient_Windows + + + 10.0.9999.0 + + + 7BA748C8-703E-4DF2-A74A-92984117346A + + + True + + + + +``` + +After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR). + +> **Note**  The HTTP server response must not be chunked; it must be sent as one message. + +  + +Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc), because the token is more than an X.509 v3 certificate. + +The provisioning XML contains: + +- The requested certificates (required) +- The DM client configuration (required) + +The client will install the client certificate, the enterprise root certificate, and intermediate CA certificate if there is one. The DM configuration includes the name and address of the DM server, which client certificate to use, and schedules when the DM client calls back to the server. 
+ +Enrollment provisioning XML should contain a maximum of one root certificate and one intermediate CA certificate that is needed to chain up the MDM client certificate. Additional root and intermediate CA certificates could be provisioned during an OMA DM session. + +When provisioning root and intermediate CA certificates, the supported CSP node path is: CertificateStore/Root/System for root certificate provisioning, CertificateStore/My/User for intermediate CA certificate provisioning. + +Here is a sample RSTR message and a sample of OMA client provisioning XML within RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section. + +The following example shows the enrollment web service response. + +``` syntax + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep + + urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab + + + 2012-08-02T00:32:59.420Z + 2012-08-02T00:37:59.420Z + + + + + + + + http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken + + + + B64EncodedSampleBinarySecurityToken + + + 0 + + + + + +``` + +The following code shows sample provisioning XML (presented in the preceding package as a security token): + +``` + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +**Notes** + +- <Parm name> and <characteristic type=> elements in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase. +- In w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in XML. +- Detailed descriptions of these settings are located in the [Enterprise settings, policies and app management](windows-mdm-enterprise-settings.md) section of this document. 
+- The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. +- Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate. +- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it. + +  + + + + + + diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md new file mode 100644 index 0000000000..7b22236bf3 --- /dev/null +++ b/windows/client-management/mdm/filesystem-csp.md 
@@ -0,0 +1,111 @@ +--- +title: FileSystem CSP +description: FileSystem CSP +ms.assetid: 9117ee16-ca7a-4efa-9270-c9ac8547e541 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# FileSystem CSP + + +The FileSystem configuration service provider is used to query, add, modify, and delete files, file directories, and file attributes on the mobile device. It can retrieve information about or manage files in ROM, files in persistent store and files on any removable storage card that is present in the device. It works for files that are hidden from the user as well as those that are visible to the user. + +> **Note**  FileSystem CSP is only supported in Windows 10 Mobile. + +  + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application. + +  + +The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. + +![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png) + +**FileSystem** +Required. Defines the root of the file system management object. It functions as the root directory for file system queries. + +Recursive queries or deletes are not supported for this element. Add commands will add a new file or directory under the root path. + +The following properties are supported for the root node: + +- `Name`: The root node name. The Get command is the only supported command. + +- `Type`: The MIME type of the file, which is com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command is the only supported command. + +- `Format`: The format, which is `node`. The Get command is the only supported command. + +- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. 
The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
+
+- `Size`: Not supported.
+
+- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
+
+***file directory***
+Optional. Returns the name of a directory in the device file system. Any *file directory* element can contain directories and files as child elements.
+
+The Get command returns the name of the file directory. The Get command with `?List=Struct` will recursively return all child element names (including sub-directory names). The Get command with `?list=StructData` query is not supported and returns a 406 error code.
+
+The Add command is used to create a new directory. Adding a new directory under the file system root is not supported and returns a 405 error code.
+
+The Replace command is not supported.
+
+The Delete command is used to delete all files and subfolders under this *file directory*.
+
+The following properties are supported for file directories:
+
+- `Name`: The file directory name. The Get command is the only supported command.
+
+- `Type`: The MIME type of the file, which an empty string for directories that are not the root node. The Get command is the only supported command.
+
+- `Format`: The format, which is `node`. The Get command is the only supported command.
+
+- `TStamp`: A standard OMA property that indicates the last time the file directory was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g.
20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
+
+- `Size`: Not supported.
+
+- `msft:SystemAttributes`: A custom property that contains file directory attributes. This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command.
+
+***file name***
+Optional. Return a file in binary format. If the file is too large for the configuration service to return, it returns error code 413 (Request entity too large) instead.
+
+The Delete command deletes the file.
+
+The Replace command updates an entire file with new file contents.
+
+The Add command adds the file to the file directory
+
+The Get command is not supported on a *file name* element, only on the properties of the element.
+
+The following properties are supported for files:
+
+- `Name`: The file name. The Get command is the only supported command.
+
+- `Type`: The MIME type of the file. This value is always set to the generic MIME type: `application/octet-stream`. The Get command is the only supported command.
+
+- `Format`: The format, which is b64 encoded for binary data is sent over XML, and bin format for binary data sent over wbxml. The Get command is the only supported command.
+
+- `TStamp`: A standard OMA property that indicates the last time the file was changed. The value is represented by a string containing a UTC based, ISO 8601 basic format, complete representation of a date and time value, e.g. 20010711T163817Z means July 11, 2001 at 16 hours, 38 minutes and 17 seconds. The Get command is the only supported command.
+
+- `Size`: The unencoded file content size in bytes. The Get command is the only supported command.
+
+- `msft:SystemAttributes`: A custom property that contains file attributes.
This value is an integer bit mask that corresponds to the FILE\_ATTRIBUTE values and flags defined in the header file winnt.h. This supports the Get command and the Replace command. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md new file mode 100644 index 0000000000..b0553d3220 --- /dev/null +++ b/windows/client-management/mdm/firewall-csp.md @@ -0,0 +1,246 @@ +--- +title: Firewall CSP +description: Firewall CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Firewall CSP + +> [!WARNING] +> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + +The Firewall configuration service provider (CSP) allows the mobile device management (MDM) server to configure the Windows Defender Firewall global settings, per profile settings, as well as the desired set of custom rules to be enforced on the device. Using the Firewall CSP the IT admin can now manage both domain joined and non-domain devices, and reduce the risk of network security threats across all systems connecting to the corporate network. This CSP is new in the next major update to Windows 10. + +Firewall configuration commands must be wrapped in an Atomic block in SyncML. + +The following diagram shows the Firewall configuration service provider in tree format. + +![firewall csp](images/provisioning-csp-firewall.png) + +**./Vendor/MSFT/Firewall** +

Root node for the Firewall configuration service provider.

+ +**MdmStore** +

Interior node.

+

Supported operation is Get.

+ +**MdmStore/Global** +

Interior node.

+

Supported operations are Get and Replace.

+ +**MdmStore/Global/PolicyVersionSupported** +

DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.

+

Value type in integer. Supported operation is Get.

+ +**MdmStore/Global/CurrentProfiles** +

DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.

+

Value type in integer. Supported operation is Get.

+ +**MdmStore/Global/DisableStatefulFtp** +

This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.

+

Boolean value. Supported operations are Get and Replace.

+ +**MdmStore/Global/SaIdleTime** +

This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/TPresharedKeyEncodingBD** +

Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/IPsecExempt** +

This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/CRLcheck** +

This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/Global/PolicyVersion** +

This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.

+

Value type is string. Supported operation is Get.

+ +**MdmStore/Global/BinaryVersionSupported** +

This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.

+

Value type is string. Supported operation is Get.

+ +**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** +

This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

+

Boolean value. Supported operations are Get and Replace.

+ +**MdmStore/Global/EnablePacketQueue** +

This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.

+

Value type is integer. Supported operations are Get and Replace.

+ +**MdmStore/DomainProfile** +

Interior node. Supported operation is Get.

+ +**MdmStore/PrivateProfile** +

Interior node. Supported operation is Get.

+ +**MdmStore/PublicProfile** +

Interior node. Supported operation is Get.

+ +**/EnableFirewall** +

This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableStealthMode** +

This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/Shielded** +

This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableUnicastResponsesToMulticastBroadcast** +

This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableInboundNotifications** +

This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/AuthAppsAllowUserPrefMerge** +

This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/GlobalPortsAllowUserPrefMerge** +

This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/AllowLocalPolicyMerge** +

This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/AllowLocalIpsecPolicyMerge** +

This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DefaultOutboundAction** +

This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DefaultInboundAction** +

This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**/DisableStealthModeIpsecSecuredPacketExemption** +

This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.

+

Value type is integer. Supported operations are Get and Replace.

+ +**FirewallRules** +

A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.

+ +**FirewallRules/_FirewallRuleName_** +

Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).

+ +**FirewallRules/_FirewallRuleName_/App** +

Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:

+
    +
  • PackageFamilyName
  • +
  • FilePath
  • +
  • FQBN
  • +
  • ServiceName
  • +
+

Supported operation is Get.

+ +**FirewallRules/_FirewallRuleName_/App/PackageFamilyName** +

This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/App/FilePath** +

This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/App/Fqbn** +

Fully Qualified Binary Name

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/App/ServiceName** +

This is a service name used in cases when a service, not an application, is sending or receiving traffic.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Protocol** +

0-255 number representing the ip protocol (TCP = 6, UDP = 17)

+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/LocalPortRanges** +

Comma separated list of ranges. For example, 100-120,200,300-320.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/RemotePortRanges** +

Comma separated list of ranges, For example, 100-120,200,300-320.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/LocalAddressRanges** +

Comma separated list of local addresses covered by the rule. The default value is "\*". Valid tokens include:

+
    +
  • "\*" indicates any local address. If present, this must be the only token included.
  • +
  • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
  • +
  • A valid IPv6 address.
  • +
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
  • +
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
  • +
+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/RemoteAddressRanges** +

List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "\*". Valid tokens include:

+
    +
  • "\*" indicates any remote address. If present, this must be the only token included.
  • +
  • "Defaultgateway"
  • +
  • "DHCP"
  • +
  • "DNS"
  • +
  • "WINS"
  • +
  • "Intranet"
  • +
  • "RemoteCorpNetwork"
  • +
  • "Internet"
  • +
  • "PlayToRenderers"
  • +
  • "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
  • +
  • A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
  • +
  • A valid IPv6 address.
  • +
  • An IPv4 address range in the format of "start address - end address" with no spaces included.
  • +
  • An IPv6 address range in the format of "start address - end address" with no spaces included.
  • +
+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Description** +

Specifies the description of the rule.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Enabled** +

Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +If not specified - a new rule is disabled by default.

+

Boolean value. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Action** +

Specifies the action for the rule.

+

Supported operation is Get.

+ +**FirewallRules/_FirewallRuleName_/Action/Type** +

Specifies the action the rule enforces. Supported values:

+
    +
  • 0 - Block
  • +
  • 1 - Allow
  • +
+

Value type is integer. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes** +

List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList** +

Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/FriendlyName** +

Specifies the friendly name of the rule. The string must not contain the "|" character.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

+ +**FirewallRules/_FirewallRuleName_/Name** +

Name of the rule.

+

Value type is string. Supported operations are Add, Get, Replace, and Delete.

diff --git a/windows/client-management/mdm/get-inventory.md b/windows/client-management/mdm/get-inventory.md new file mode 100644 index 0000000000..405f3c7a29 --- /dev/null +++ b/windows/client-management/mdm/get-inventory.md @@ -0,0 +1,171 @@ +--- +title: Get Inventory +description: The Get Inventory operation retrieves information from the Windows Store for Business to determine if new or updated applications are available. +MS-HAID: +- 'p\_phdevicemgmt.get\_seatblock' +- 'p\_phDeviceMgmt.get\_inventory' +ms.assetid: C5485722-FC49-4358-A097-74169B204E74 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Get Inventory + +The **Get Inventory** operation retrieves information from the Windows Store for Business to determine if new or updated applications are available. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

GET

https://bspmts.mp.microsoft.com/V1/Inventory?continuationToken={ContinuationToken}&modifiedSince={ModifiedSince}&licenseTypes={LicenseType}&maxResults={MaxResults}

+ + +  + +### URI parameters + +The following parameters may be specified in the request URI. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDefault valueDescription

continuationToken

string

Null

modifiedSince

datetime

Null

Optional. Used to determine changes since a specific date.

licenseTypes

collection of [LicenseType](data-structures-windows-store-for-business.md#licensetype)

{online,offline}

Optional. A collection of license types

maxResults

integer-32

25

Optional. Specifies the maximum number of applications returned in a single query.

+ + + + +Here are some examples. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Query typeExample query

Online and offline

https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&licenseTypes=offline&maxResults=25

Online only

https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=online&maxResults=25

Offline only

https://bspmts.mp.microsoft.com/V1/Inventory?licenseTypes=offline&maxResults=25

Both license types and a time filter

https://bspmts.mp.microsoft.com/V1/Inventory?modifiedSince=2015-07-13T14%3a02%3a25.6863382-07%3a00&licenseTypes=online&licenseTypes=offline&maxResults=25

+ + + + + ++++++ + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData field

400

Invalid parameters

No

Parameter name

+

Invalid modified date, license, or continuationToken

+

Details: String

+ + + + +## Response + +### Response body + +The response contains [InventoryResultSet](data-structures-windows-store-for-business.md#inventoryresultset). + +  + + + + + + diff --git a/windows/client-management/mdm/get-localized-product-details.md b/windows/client-management/mdm/get-localized-product-details.md new file mode 100644 index 0000000000..16f29cb848 --- /dev/null +++ b/windows/client-management/mdm/get-localized-product-details.md @@ -0,0 +1,120 @@ +--- +title: Get localized product details +description: The Get localized product details operation retrieves the localization information of a product from the Windows Store for Business. +ms.assetid: EF6AFCA9-8699-46C9-A3BB-CD2750C07901 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Get localized product details + +The **Get localized product details** operation retrieves the localization information of a product from the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

GET

https://bspmts.mp.microsoft.com/V1/Products/{ProductId}/{SkuId}/LocalizedDetails/{language}

+ + +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

language

string

Required. Language in ISO format, such as en-us, en-ca.

+ + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData field

400

Invalid parameters

No

Parameter name

+

Reason: Missing parameter or invalid parameter

+

Details: String

404

Not found

Item type: productId, skuId, language

+ +  + +## Response + +The response contains [LocalizedProductDetail](data-structures-windows-store-for-business.md#localizedproductdetail). + +  + + + + + + diff --git a/windows/client-management/mdm/get-offline-license.md b/windows/client-management/mdm/get-offline-license.md new file mode 100644 index 0000000000..cf3a27b38c --- /dev/null +++ b/windows/client-management/mdm/get-offline-license.md @@ -0,0 +1,127 @@ +--- +title: Get offline license +description: The Get offline license operation retrieves the offline license information of a product from the Windows Store for Business. +ms.assetid: 08DAD813-CF4D-42D6-A783-994A03AEE051 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Get offline license + +The **Get offline license** operation retrieves the offline license information of a product from the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

POST

https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/OfflineLicense/{contentId}

+ +  +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Identifies a specific product that has been acquired.

skuId

string

Required. The SKU identifier.

contentId

string

Required. Identifies a specific application.

+ + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData field

400

Invalid parameters

No

Parameter name

+

Reason: Missing parameter or invalid parameter

+

Details: String

404

Not found

409

Conflict

Reason: Not owned, Not offline

+ + +## Response + +### Response body + +The response contains [OfflineLicense](data-structures-windows-store-for-business.md#offlinelicense). + +  + + + + + + diff --git a/windows/client-management/mdm/get-product-details.md b/windows/client-management/mdm/get-product-details.md new file mode 100644 index 0000000000..c602332f9b --- /dev/null +++ b/windows/client-management/mdm/get-product-details.md @@ -0,0 +1,116 @@ +--- +title: Get product details +description: The Get product details operation retrieves the product information from the Windows Store for Business for a specific application. +ms.assetid: BC432EBA-CE5E-43BD-BD54-942774767286 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Get product details + +The **Get product details** operation retrieves the product information from the Windows Store for Business for a specific application. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

GET

https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}

+ + +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

+ + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData field

400

Invalid parameters

No

Parameter name

+

Reason: Missing parameter or invalid parameter

+

Details: String

404

Not found

+ +  +## Response + +### Response body + +The response contains [ProductDetails](data-structures-windows-store-for-business.md#productdetails). + +  + + + + + + diff --git a/windows/client-management/mdm/get-product-package.md b/windows/client-management/mdm/get-product-package.md new file mode 100644 index 0000000000..ef80b65d3b --- /dev/null +++ b/windows/client-management/mdm/get-product-package.md @@ -0,0 +1,133 @@ +--- +title: Get product package +description: The Get product package operation retrieves the information about a specific application in the Windows Store for Business. +ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Get product package + +The **Get product package** operation retrieves the information about a specific application in the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

GET

https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages/{packageId}

+ +  + +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

packageId

string

Required.

+ + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData fieldDetails

400

Invalid parameters

No

Parameter name

+

Reason: Invalid parameter

+

Details: String

Can be productId, skuId, or packageId

404

Not found

Item type: Product/SKU

409

Conflict

Reason: Not owned

+ + +## Response + +### Response body + +The response body contains [ProductPackageDetails](data-structures-windows-store-for-business.md#productpackagedetails). + +  + + + + + + diff --git a/windows/client-management/mdm/get-product-packages.md b/windows/client-management/mdm/get-product-packages.md new file mode 100644 index 0000000000..24d354e7c2 --- /dev/null +++ b/windows/client-management/mdm/get-product-packages.md @@ -0,0 +1,121 @@ +--- +title: Get product packages +description: The Get product packages operation retrieves the information about applications in the Windows Store for Business. +ms.assetid: 039468BF-B9EE-4E1C-810C-9ACDD55C0835 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Get product packages + +The **Get product packages** operation retrieves the information about applications in the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

GET

https://bspmts.mp.microsoft.com/V1/Products/{productId}/{skuId}/Packages

+ +  +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

+ +  + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData field

400

Invalid parameters

No

Parameter name

+

Reason: Missing parameter or invalid parameter

+

Details: String

404

Not found

409

Conflict

Reason: Not owned

+ + +## Response + +### Response body + +The response body contains [ProductPackageSet](data-structures-windows-store-for-business.md#productpackageset). + +  + + + + + diff --git a/windows/client-management/mdm/get-seat.md b/windows/client-management/mdm/get-seat.md new file mode 100644 index 0000000000..301be7db93 --- /dev/null +++ b/windows/client-management/mdm/get-seat.md @@ -0,0 +1,133 @@ +--- +title: Get seat +description: The Get seat operation retrieves the information about an active seat for a specified user in the Windows Store for Business. +ms.assetid: 715BAEB2-79FD-4945-A57F-482F9E7D07C6 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Get seat + +The **Get seat** operation retrieves the information about an active seat for a specified user in the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

GET

https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}

+ + +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

username

string

Requires UserPrincipalName (UPN). User name of the target user account.

+ +  +## Response + +### Response body + +The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails). + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData fieldDetails

400

Invalid parameters

No

Parameter name

+

Reason: Missing parameter or invalid parameter

+

Details: String

Invalid can include productId, skuId or username

404

Not found

ItemType: Inventory, User, Seat

+

Values: ProductId/SkuId, UserName, ProductId/SkuId/Username

409

Conflict

Reason: Not online

+ +  + +  + + + + + diff --git a/windows/client-management/mdm/get-seats-assigned-to-a-user.md b/windows/client-management/mdm/get-seats-assigned-to-a-user.md new file mode 100644 index 0000000000..77e13c0706 --- /dev/null +++ b/windows/client-management/mdm/get-seats-assigned-to-a-user.md @@ -0,0 +1,122 @@ +--- +title: Get seats assigned to a user +description: The Get seats assigned to a user operation retrieves information about assigned seats in the Windows Store for Business. +ms.assetid: CB963E44-8C7C-46F9-A979-89BBB376172B +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Get seats assigned to a user + +The **Get seats assigned to a user** operation retrieves information about assigned seats in the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

GET

https://bspmts.mp.microsoft.com/V1/Users/{username}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}

+ + +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

useName

string

Requires UserPrincipalName (UPN). User name of the target user account.

continuationToken

string

Optional.

maxResults

inteter-32

Optional. Default = 25, Maximum = 100

+ +  +## Response + +### Response body + +The response body contain [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). + + ++++++ + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData field

400

Invalid parameters

No

Parameter name

+

Reason: Invalid parameter

+

Details: String

404

Not found

Item type: User

+

Values: UserName

+ +  + +  + + + + + diff --git a/windows/client-management/mdm/get-seats.md b/windows/client-management/mdm/get-seats.md new file mode 100644 index 0000000000..1e5fbe93dd --- /dev/null +++ b/windows/client-management/mdm/get-seats.md @@ -0,0 +1,132 @@ +--- +title: Get seats +description: The Get seats operation retrieves the information about active seats in the Windows Store for Business. +ms.assetid: 32945788-47AC-4259-B616-F359D48F4F2F +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Get seats + +The **Get seats** operation retrieves the information about active seats in the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

GET

https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats?continuationToken={ContinuationToken}&maxResults={MaxResults}

+ +  +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

continuationToken

string

Optional.

maxResults

int32

Optional. Default = 25, Maximum = 100

+ +  +## Response + +### Response body + +The response body contains [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset). + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData field

400

Invalid parameters

No

Parameter name

+

Reason: Missing parameter or invalid parameter

+

Details: String

404

Not found

409

Conflict

Reason: Not online

+ +  + +  + + + + + diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md new file mode 100644 index 0000000000..fb44d96773 --- /dev/null +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -0,0 +1,1166 @@ +--- +title: Device HealthAttestation CSP +description: Device HealthAttestation CSP +ms.assetid: 6F2D783C-F6B4-4A81-B9A2-522C4661D1AC +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Device HealthAttestation CSP + +The Device HealthAttestation configuration service provider (DHA-CSP) enables enterprise IT managers to assess if a device is booted to a trusted and compliant state, and take enterprise policy actions. + +The following is a list of functions performed by the Device HealthAttestation CSP: + +- Collects device boot logs, TPM audit trails and the TPM certificate (DHA-BootData) from a managed device +- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) +- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device +- Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data + +## Terms + +**TPM (Trusted Platform Module)** +

TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.

+ +**DHA (Device HealthAttestation) feature** +

The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.

+ +**DHA-Enabled device (Device HealthAttestation enabled device)** +

A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.

+ +**DHA-Session (Device HealthAttestation session)** +

The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

+ +

The following list of transactions are performed in one DHA-Session:

+
    +
  • DHA-CSP and DHA-Service communication: +
    • DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
    • +
    • DHA-Service replies with an encrypted data blob (DHA-EncBlob)
    • +
  • + +
  • DHA-CSP and MDM-Server communication: +
    • MDM-Server sends a device health verification request to DHA-CSP
    • +
    • DHA-CSP replies with a payload called DHA-Data that includes an encrypted (DHA-EncBlob) and a signed (DHA-SignedBlob) data blob
    • +
  • + +
  • MDM-Server and DHA-Service communication: +
    • MDM-Server posts data it receives from devices to DHA-Service
    • +
    • DHA-Service reviews the data it receives, and replies with a device health report (DHA-Report)
    • +
  • +
+ +![healthattestation session diagram](images/healthattestation_1.png) + +**DHA session data (Device HealthAttestation session data)** +

The following list of data is produced or consumed in one DHA-Transaction:

+
    +
  • DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.
  • +
  • DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
  • +
  • DHA-SignedBlob: it is a signed snapshot of the current state of a device’s runtime that is captured by DHA-CSP at device health attestation time.
  • +
  • DHA-Data: an XML formatted data blob that devices forward for device health validation to DHA-Service via MDM-Server. DHA-Data has 2 parts: +
      +
    • DHA-EncBlob: the encrypted data blob that the device receives from DHA-Service
    • +
    • DHA-SignedBlob: a current snapshot of the current security state of the device that is generated by DHA-CSP
    • +
    +
  • +
  • DHA-Report: the report that is issued by DHA-Service to MDM-Server
  • +
  • Nonce: a crypto protected number that is generated by MDM-Server, which protects the DHA-Session from man-in-the-middle type attacks
  • +
+ +**DHA-Enabled MDM (Device HealthAttestation enabled device management solution)** +

Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.

+

DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromized by advanced security threats or running a malicious (jailbroken) operating system.

+

The following list of operations are performed by DHA-Enabled-MDM:

+
    +
  • Enables the DHA feature on a DHA-Enabled device
  • +
  • Issues device health attestation requests to enrolled/managed devices
  • +
  • Collects device health attestation data (DHA-Data), and sends it to Device Health Attestation Service (DHA-Service) for verification
  • +
  • Gets the device health report (DHA-Report) from DHA-Service, which triggers compliance action
  • +
+ +**DHA-CSP (Device HealthAttestation Configuration Service Provider)** +

The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.

+

The following list of operations are performed by DHA-CSP:

+
    +
  • Collects device boot data (DHA-BootData) from a managed device
  • +
  • Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
  • +
  • Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
  • +
  • Receives attestation requests (DHA-Requests) from a DHA-Enabled MDM, and replies with Device Health Attestation data (DHA-Data)
  • +
+ +**DHA-Service (Device HealthAttestation Service)** +

Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

+ +

DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

+

The following list of operations are performed by DHA-Service:

+ +- Receives device boot data (DHA-BootData) from a DHA-Enabled device +- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) +- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device +- Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report) + +![healthattestation service diagram](images/healthattestation_2.png) + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
DHA-Service typeDescriptionOperation cost
Device Health Attestation – Cloud

(DHA-Cloud)

DHA-Cloud is a Microsoft owned and operated DHA-Service that is:

+
    +
  • Available in Windows for free
  • +
  • Running on a high-availability and geo-balanced cloud infrastructure
  • +
  • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
  • +
  • Accessible to all enterprise managed devices via following: +
      +
    • FQDN = has.spserv.microsoft.com) port
    • +
    • Port = 443
    • +
    • Protocol = TCP
    • +
    +
  • +
+
No cost
Device Health Attestation – On Premise

(DHA-OnPrem)

DHA-OnPrem refers to DHA-Service that is running on premise:

+
    +
  • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
  • +
  • Hosted on an enterprise owned and managed server device/hardware
  • +
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • +
  • Accessible to all enterprise managed devices via following:

    +
      +
    • FQDN = (enterprise assigned)
    • +
    • Port = (enterprise assigned)
    • +
    • Protocol = TCP
    • +
    +
  • +
The operation cost of running one or more instances of Server 2016 on premise.
Device Health Attestation - Enterprise Managed Cloud

(DHA-EMC)

DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.

+
    +
  • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
  • +
  • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on premise and hybrid (Cloud + OnPrem) hardware attestation scenarios
  • +
  • Accessible to all enterprise managed devices via following:

    +
      +
    • FQDN = (enterprise assigned)
    • +
    • Port = (enterprise assigned)
    • +
    • Protocol = TCP
    • +
    +
  • +
The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure.
+ +## CSP diagram and node descriptions + + +The following diagram shows the Device HealthAttestation configuration service provider in tree format. + +![healthattestation csp](images/provisioning-csp-healthattestation.png) + +**./Vendor/MSFT/HealthAttestation** +

The root node for the device HealthAttestation configuration service provider.

+ +**VerifyHealth** (Required) +

Notifies the device to prepare a device health verification request.

+ +

The supported operation is Execute.

+ +**Status** (Required) +

Provides the current status of the device health request.

+ +

The supported operation is Get.

+ +

The following list shows some examples of supported values. For the complete list of status see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes).

+ +- 0 - (HEALTHATTESTATION\_CERT\_RETRI_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service +- 1 - (HEALTHATTESTATION\_CERT\_RETRI_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device +- 2 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_FAILED): A valid DHA-EncBlob could not be retrieved from the DHA-Service for reasons other than discussed in the DHA error/status codes +- 3 - (HEALTHATTESTATION\_CERT\_RETRI_COMPLETE): DHA-Data is ready for pick up + +**ForceRetrieve** (Optional) +

Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.

+ +

Boolean value. The supported operation is Replace.

+ +**Certificate** (Required) +

Instructs the DHA-CSP to forward DHA-Data to the MDM server.

+ +

Value type is b64.The supported operation is Get.

+ +**Nonce** (Required) +

Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.

+ +

The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.

+ +

The supported operations are Get and Replace.

+ +**CorrelationId** (Required) +

Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.

+ +

Value type is integer, the minimum value is - 2,147,483,648 and the maximun value is 2,147,483,647. The supported operation is Get.

+ +**HASEndpoint** (Optional) +

Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.

+ +

Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.

+ +**TpmReadyStatus** (Required) +

Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.

+

Value type is integer. The supported operation is Get.

+ +## **DHA-CSP integration steps** + + +The following list of validation and development tasks are required for integrating the Microsoft Device Health Attestation feature with a Windows Mobile device management solution (MDM): + + +1. [Verify HTTPS access](#verify-access) +2. [Assign an enterprise trusted DHA-Service](#assign-trusted-dha-service) +3. [Instruct client to prepare DHA-data for verification](#prepare-health-data) +4. [Take action based on the clients response](#take-action-client-response) +5. [Instruct the client to forward DHA-data for verification](#forward-health-attestation) +6. [Post DHA-data to DHA-service](#foward-data-to-has) +7. [Receive response from DHA-service](#receive-has-response) +8. [Parse DHA-Report data. Take appropriate policy action based on evaluation results](#take-policy-action) + +Each step is described in detail in the following sections of this topic. + +## **Step 1: Verify HTTPS access** + + +Validate that both the MDM server and the device (MDM client) can access has.spserv.microsoft.com using the TCP protocol over port 443 (HTTPS). + +You can use OpenSSL to validate access to DHA-Service. 
Here is a sample OpenSSL command and the response that was generated by DHA-Service: + +``` syntax +PS C:\openssl> ./openssl.exe s_client -connect has.spserv.microsoft.com:443 +CONNECTED(000001A8) +--- +Certificate chain + 0 s:/CN=*.spserv.microsoft.com + i:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2 + 1 s:/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2 + i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root +--- +Server certificate +-----BEGIN CERTIFICATE----- +MIIGOTCCBCGgAwIBAgITWgAA1KJb40tpukQoewABAADUojANBgkqhkiG9w0BAQsFA4ICAQCJaKewFQuqQwR5fkAr9kZOmtq5fk03p82eHWLaftXlc4RDvVFp4a2ciSjZL8f3f+XWPVdUj9DAi3bCSddlrcNOPRXNepFC1OEmKtE9jM0r7M8qnqFkIfbNrVNUtPxHoraQeMIgbk0SHEOlShY2GXETVBqZdDZ5Rmk4rA+3ggoeV8hNzm2dfNp0iGSrZzawbLzWU1D2Tped1k5IV63yb+cU/TmM …………………………………………………………………………………………………………………………………… +……………………………………………………………………………………………………………………………………………………………………………………………………………………………… +……………2RXXwogn1UM8TZduCEjz+b05mAkvytugzzaI4wXkCP4OgNyy8gul2z5Gj/51pCTN +-----END CERTIFICATE----- +subject=/CN=*.spserv.microsoft.com +issuer=/C=US/ST=Washington/L=Redmond/O=Microsoft Corporation/OU=Microsoft IT/CN=Microsoft IT SSL SHA2 +--- +No client certificate CA names sent +Peer signing digest: SHA1 +Server Temp Key: ECDH, P-384, 384 bits +--- +SSL handshake has read 3681 bytes and written 561 bytes +New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384 +Server public key is 2048 bit +Secure Renegotiation IS supported +Compression: NONE +Expansion: NONE +No ALPN negotiated +SSL-Session: + Protocol: TLSv1.2 + Cipher: ECDHE-RSA-AES256-SHA384 + Session-ID: B22300009621370F84A4A3A7D9FC40D584E047C090604E5226083A02ED239C93 + Session-ID-ctx: + Master-Key: 9E3F6BE5B3D3B55C070470CA2B62EF59CC1D5ED9187EF5B3D1BBF4C101EE90BEB04F34FFD748A13C92A387104B8D1DE7 + Key-Arg: None + PSK identity: None + PSK identity hint: None + SRP username: None + Start Time: 1432078420 + Timeout: 300 (sec) + Verify 
return code: 20 (unable to get local issuer certificate) +``` + + +## **Step 2: Assign an enterprise trusted DHA-Service** + +There are three types of DHA-Service: +- Device Health Attestation – Cloud (owned and operated by Microsoft) +- Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premise) +- Device Health Attestation - Enterprise Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise managed cloud) + +DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider. + +For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint node to instruct a managed device to communicate with the enterprise trusted DHA-Service. + +The following example shows a sample call that instructs a managed device to communicate with an enterprise managed DHA-Service. + +``` syntax + + 1 + + + ./Vendor/MSFT/HealthAttestation/HASEndpoint + + www.ContosoDHA-Service + + +``` + + +## **Step 3: Instruct client to prepare health data for verification** + + +Send a SyncML call to start collection of the DHA-Data. + +The following example shows a sample call that triggers collection and verification of health attestation data from a managed device. + +``` syntax + + 1 + + + ./Vendor/MSFT/HealthAttestation/VerifyHealth + + + + + + 2 + + + ./Vendor/MSFT/HealthAttestation/Status + + + +``` + +## **Step 4: Take action based on the clients response** + + +After the client receives the health attestation request, it sends a response. The following list describes the responses, along with a recommended action to take. + +- If the response is HEALTHATTESTATION\_CERT_RETRI_COMPLETE (3) then proceed to the next section. +- If the response is HEALTHATTESTATION_CERT_RETRI_REQUESTED (1) or HEALTHATTESTATION_CERT_RETRI_UNINITIALIZED (0) wait for an alert, then proceed to the next section. 
+ +Here is a sample alert that is issued by DHA_CSP: + +``` syntax + + 1 + 1226 + + + ./Vendor/MSFT/HealthAttestation/VerifyHealth + + + com.microsoft.mdm:HealthAttestation.Result + int + + 3 + + +``` +- If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). + +## **Step 5: Instruct the client to forward health attestation data for verification** + + +Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and pick up an encrypted payload that includes a health certificate and related data from the device. + +Here is an example: + +``` syntax + + 1 + + + ./Vendor/MSFT/HealthAttestation/Nonce + + AAAAAAAAAFFFFFFF + + + + + 2 + + + ./Vendor/MSFT/HealthAttestation/Certificate + + + + + + 3 + + + ./Vendor/MSFT/HealthAttestation/CorrelationId + + + + +``` + +## **Step 6: Forward device health attestation data to DHA-service** + + +In response to the request that was sent in the previous step, the MDM client forwards an XML formatted blob (response from ./Vendor/MSFT/HealthAttestation/Certificate node) and a call identifier called CorrelationId (response to ./Vendor/MSFT/HealthAttestation/CorrelationId node). + +When the MDM-Server receives the above data, it must: +- Log the CorrelationId it receives from the device (for future troubleshooting/reference), correlated to the call. 
+- Decode the XML formatted data blob it receives from the device +- Append the nonce that was generated by MDM service (add the nonce that was forwarded to the device in Step 5) to the XML structure that was forwarded by the device in following format: + +``` syntax + + + [INT] + [base64 blob, eg ‘ABc123+/…==’] + [base64 blob, eg ‘ABc123+/...==’] + + +``` +- Forward (HTTP Post) the XML data struct (including the nonce that was appended in the previous step) to the assigned DHA-Service that runs on: + - DHA-Cloud (Microsoft owned and operated DHA-Service) scenario: https://has.spserv.microsoft.com/DeviceHealthAttestation/ValidateHealthCertificate/v3 + - DHA-OnPrem or DHA-EMC: https://FullyQualifiedDomainName-FDQN/DeviceHealthAttestation/ValidateHealthCertificate/v3 + + +## **Step 7: Receive response from the DHA-service** + +When the Microsoft Device Health Attestation Service receives a request for verification, it performs the following steps: +- Decrypts the encrypted data it receives. +- Validates the data it has received +- Creates a report, and shares the evaluation results to the MDM server via SSL in XML format + +## **Step 8: Take appropriate policy action based on evaluation results** + + +After the MDM server receives the verified data, the information can be used to make policy decisions by evaluating the data. Some possible actions would be: + +- Allow the device access. +- Allow the device to access the resources, but flag the device for further investigation. +- Prevent a device from accessing resources. 
+ +The following list of data points are verified by the DHA-Service in DHA-Report version 3: + +- [Issued](#issued ) +- [AIKPresent](#aikpresent) +- [ResetCount](#resetcount) * +- [RestartCount](#restartcount) * +- [DEPPolicy](#deppolicy) +- [BitlockerStatus](#bitlockerstatus) ** +- [BootManagerRevListVersion](#bootmanagerrevlistversion) +- [CodeIntegrityRevListVersion](#codeintegrityrevlistversion) +- [SecureBootEnabled](#securebootenabled) +- [BootDebuggingEnabled](#bootdebuggingenabled) +- [OSKernelDebuggingEnabled](#oskerneldebuggingenabled) +- [CodeIntegrityEnabled](#codeintegrityenabled) +- [TestSigningEnabled](#testsigningenabled) +- [SafeMode](#safemode) +- [WinPE ](#winpe) +- [ELAMDriverLoaded](#elamdriverloaded) *** +- [VSMEnabled](#vsmenabled) +- [PCRHashAlgorithmID](#pcrhashalgorithmid) +- [BootAppSVN](#bootappsvn) +- [BootManagerSVN](#bootmanagersvn) +- [TpmVersion](#tpmversion) +- [PCR0](#pcr0) +- [SBCPHash](#sbcphash) +- [CIPolicy](#cipolicy) +- [BootRevListInfo](#bootrevlistinfo) +- [OSRevListInfo](#osrevlistinfo) +- [HealthStatusMismatchFlags](#healthstatusmismatchflags) + +\* TPM 2.0 only +** Reports if Bitlocker was enabled during initial boot. +*** The “Hybrid Resume” must be disabled on the device. Reports 1st party ELAM “Defender” was loaded during boot. + +Each of these are described in further detail in the following sections, along with the recommended actions to take. + +**Issued** +

The date and time DHA-report was evaluated or issued to MDM.

+ +**AIKPresent** +

When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.

+ +

If AIKPresent = True (1), then allow access.

+ +

If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI assets +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +**ResetCount** (Reported only for devices that support TPM 2.0) +

This attribute reports the number of times a PC device has hibernated or resumed.

+ +**RestartCount** (Reported only for devices that support TPM 2.0) +

This attribute reports the number of times a PC device has rebooted

+ +**DEPPolicy** +

A device can be trusted more if the DEP Policy is enabled on the device.

+ +

Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.

+ +

DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:

+ +- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** +- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** + +

If DEPPolicy = 1 (On), then allow access.

+ +

If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI assets +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +**BitlockerStatus** (at boot time) +

When Bitlocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.

+ +

Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.

+ +

If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.

+ +

If BitLockerStatus = 1 (On), then allow access.

+ +

If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI assets +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +**BootManagerRevListVersion** +

This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.

+ +

If BootManagerRevListVersion = \[CurrentVersion\], then allow access.

+ +

If BootManagerRevListVersion != \[CurrentVersion\], then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI and MBI assets +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. + +**CodeIntegrityRevListVersion** +

This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.

+ +

If CodeIntegrityRevListVersion = \[CurrentVersion\], then allow access.

+ +

If CodeIntegrityRevListVersion != \[CurrentVersion\], then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI and MBI assets +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. + +**SecureBootEnabled** +

When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.

+ +

If SecureBootEnabled = 1 (True), then allow access.

+ +

If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI assets +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +**BootDebuggingEnabled** +

Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.

+ +

Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:

+ +- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** +- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** + +

If BootdebuggingEnabled = 0 (False), then allow access.

+ +

If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI assets +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as enabling VSM using WMI or a Powershell script. + +**OSKernelDebuggingEnabled** +

OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.

+ +

If OSKernelDebuggingEnabled = 0 (False), then allow access.

+ +

If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI assets +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. + +**CodeIntegrityEnabled** +

When code integrity is enabled, code execution is restricted to integrity verified code.

+ +

Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.

+ +

On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.

+ +

If CodeIntegrityEnabled = 1 (True), then allow access.

+ +

If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI assets +- Allow conditional access based on other data points that are present at evaluation time. For example, other attributes on the health certificate, or a devices past activities and trust history. +- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. + +**TestSigningEnabled** +

When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.

+ +

Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:

+ +- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** +- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** + +

If TestSigningEnabled = 0 (False), then allow access.

+ +

If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI and MBI assets +- Place the device in a watch list to monitor the device more closely for potential risks. +- Trigger a corrective action, such as enabling test signing using WMI or a Powershell script. + +**SafeMode** +

Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.

+ +

If SafeMode = 0 (False), then allow access.

+ +

If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:

+ +- Disallow all access +- Disallow access to HBI assets +- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. + +**WinPE** +

Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.

+ +

If WinPE = 0 (False), then allow access.

+ +

If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.

+ +**ELAMDriverLoaded** (Windows Defender) +

To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.

+ +

In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.

+
+

If a device is expected to use a 3rd party antivirus program, ignore the reported state.

+
+

If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.

+
+

If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:

+
+- Disallow all access
+- Disallow access to HBI assets
+- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
+
+**Bcdedit.exe /set {current} vsmlaunchtype auto**
+
+

If ELAMDriverLoaded = 1 (True), then allow access.

+
+

If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:

+
+- Disallow all access
+- Disallow access to HBI assets
+- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
+
+**VSMEnabled**
+

Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.

+
+

VSM can be enabled by using the following command in WMI or a PowerShell script:

+
+

bcdedit.exe /set {current} vsmlaunchtype auto

+
+

If VSMEnabled = 1 (True), then allow access.

+

If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:

+
+- Disallow all access
+- Disallow access to HBI assets
+- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue
+
+**PCRHashAlgorithmID**
+

This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.

+
+**BootAppSVN**
+

This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device

+
+

If reported BootAppSVN equals an accepted value, then allow access.

+
+

If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

+
+- Disallow all access
+- Direct the device to an enterprise honeypot, to further monitor the device's activities.
+
+**BootManagerSVN**
+

This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.

+
+

If reported BootManagerSVN equals an accepted value, then allow access.

+
+

If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

+
+- Disallow all access
+- Direct the device to an enterprise honeypot, to further monitor the device's activities.
+
+**TPMVersion**
+
+

This attribute identifies the version of the TPM that is running on the attested device.

+

TPMVersion node provides to replies "1" and "2":

+
    +
  • 1 means TPM specification version 1.2
  • +
  • 2 means TPM specification version 2.0
  • +
+
+

Based on the reply you receive from TPMVersion node:

+ +- If reported TPMVersion equals an accepted value, then allow access. +- If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: + - Disallow all access + - Direct the device to an enterprise honeypot, to further monitor the device's activities. + +**PCR0** +

The measurement that is captured in PCR\[0\] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.

+
+

Enterprise managers can create a whitelist of trusted PCR\[0\] values, compare the PCR\[0\] value of the managed devices (the value that is verified and reported by HAS) with the whitelist, and then make a trust decision based on the result of the comparison.

+
+

If your enterprise does not have a whitelist of accepted PCR\[0\] values, then take no action.

+
+

If PCR\[0\] equals an accepted whitelisted value, then allow access.

+
+

If PCR\[0\] does not equal any accepted whitelisted value, then take one of the following actions that align with your enterprise policies:

+
+- Disallow all access
+- Direct the device to an enterprise honeypot, to further monitor the device's activities.
+
+**SBCPHash**
+

SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.

+
+

If SBCPHash is not present, or is an accepted (whitelisted) value, then allow access.
+
+

If SBCPHash is present in DHA-Report, and is not a whitelisted value, then take one of the following actions that align with your enterprise policies:

+
+- Disallow all access
+- Place the device in a watch list to monitor the device more closely for potential risks.
+
+**CIPolicy**
+

This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.

+
+

If CIPolicy is not present, or is an accepted (whitelisted) value, then allow access.

+
+

If CIPolicy is present and is not a whitelisted value, then take one of the following actions that align with your enterprise policies:

+
+- Disallow all access
+- Place the device in a watch list to monitor the device more closely for potential risks.
+
+**BootRevListInfo**
+

This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.

+
+

If reported BootRevListInfo version equals an accepted value, then allow access.

+
+

If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

+
+- Disallow all access
+- Direct the device to an enterprise honeypot, to further monitor the device's activities.
+
+**OSRevListInfo**
+

This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.

+
+

If reported OSRevListInfo version equals an accepted value, then allow access.

+
+

If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:

+
+- Disallow all access
+- Direct the device to an enterprise honeypot, to further monitor the device's activities.
+
+**HealthStatusMismatchFlags**
+

HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.

+
+

In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.

+ +## **Device HealthAttestation CSP status and error codes** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Error codeError nameDescription
0HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZEDThis is the initial state for devices that have never participated in a DHA-Session.
1HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTEDThis state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server.
2HEALTHATTESTATION_CERT_RETRIEVAL_FAILEDThis state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
3HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETEThis state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server.
4HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAILDeprecated in Windows 10, version 1607.
5HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAILDHA-CSP failed to get a claim quote.
6HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READYDHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider.
7HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAILDHA-CSP failed in retrieving Windows AIK
8HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAILDeprecated in Windows 10, version 1607.
9HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSIONInvalid TPM version (TPM version is not 1.2 or 2.0)
10HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAILNonce was not found in the registry.
11HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAILCorrelation ID was not found in the registry.
12HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAILDeprecated in Windows 10, version 1607.
13HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAILDeprecated in Windows 10, version 1607.
14HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAILFailure in Encoding functions. (Extremely unlikely scenario)
15HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAILDeprecated in Windows 10, version 1607.
16HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XMLDHA-CSP failed to load the payload it received from DHA-Service
17HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XMLDHA-CSP received a corrupted response from DHA-Service.
18HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XMLDHA-CSP received an empty response from DHA-Service.
19HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EKDHA-CSP failed in decrypting the AES key from the EK challenge.
20HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EKDHA-CSP failed in decrypting the health cert with the AES key.
21HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUBDHA-CSP failed in exporting the AIK Public Key.
22HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLYDHA-CSP failed in trying to create a claim with AIK attestation data.
23HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUBDHA-CSP failed in appending the AIK Pub to the request blob.
24HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERTDHA-CSP failed in appending the AIK Cert to the request blob.
25HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLEDHA-CSP failed to obtain a Session handle.
26HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLEDHA-CSP failed to connect to the DHA-Service.
27HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLEDHA-CSP failed to create a HTTP request handle.
28HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTIONDHA-CSP failed to set options.
29HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERSDHA-CSP failed to add request headers.
30HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUESTDHA-CSP failed to send the HTTP request.
31HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSEDHA-CSP failed to receive a response from the DHA-Service.
32HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERSDHA-CSP failed to query headers when trying to get HTTP status code.
33HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSEDHA-CSP received an empty response from DHA-Service even though HTTP status was OK.
34HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSEDHA-CSP received an empty response along with a HTTP error code from DHA-Service.
35HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USERDHA-CSP failed to impersonate user.
36HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATORDHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode.
0xFFFFHEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWNDHA-CSP failed due to an unknown reason, this error is highly unlikely to occur.
400Bad_Request_From_ClientDHA-CSP has received a bad (malformed) attestation request.
404Endpoint_Not_ReachableDHA-Service is not reachable by DHA-CSP
+ +## DHA-Report V3 schema + + +``` syntax + + + + + + + + + + + + + + + + + + Health certificate non machine identifiable properties + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + If there's a status mismatch, these flags will be set + + + + + + + + + + + + + + + + Health certificate validation response + + + + + + + + + + + + + + + + + + +``` + +## DHA-Report example + + +``` syntax + + + + 2016-10-21T02:12:58.6656577Z + false + 2107533174 + 2749041230 + 0 + 0 + 0 + 0 + false + false + false + true + true + false + false + true + false + 0 + 1 + 1 + 2 + 4ACCBE0ADB9627FFD6285C2E06EC5AC59ABF62C7 + 00000000000001001A000B00200000005300690050006F006C006900630079002E007000370062000000A4BF7EF05585876A61CBFF7CAE8123BE756D58B1BBE04F9719D15D6271514CF5 + 005D447A7CC6D101200000000B00CBB56E8B19267E24A2986C4A616CCB58B4D53F6020AC8FD5FC205C20F2AB00BC + 8073EEA7F8FAD001200000000B00A8285B04DE618ACF4174C59F07AECC002D11DD7D97FA5D464F190C9D9E3479BA + + +``` + + + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + + diff --git a/windows/client-management/mdm/healthattestation-ddf.md b/windows/client-management/mdm/healthattestation-ddf.md new file mode 100644 index 0000000000..f3e857ee6f --- /dev/null +++ b/windows/client-management/mdm/healthattestation-ddf.md 
@@ -0,0 +1,228 @@ +--- +title: HealthAttestation DDF +description: HealthAttestation DDF +ms.assetid: D20AC78D-D2D4-434B-B9FD-294BCD9D1DDE +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# HealthAttestation DDF + + +This topic shows the OMA DM device description framework (DDF) for the **HealthAttestation** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + HealthAttestation + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.2/MDM/HealthAttestation + + + + VerifyHealth + + + + + + + + + + + + + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + ForceRetrieve + + + + + + False + + + + + + + + + + + text/plain + + + + + Certificate + + + + + + + + + + + + + + + + + + + + Nonce + + + + + + \0 + + + + + + + + + + + text/plain + + + + + CorrelationID + + + + + + + + + + + + + + + text/plain + + + + + HASEndpoint + + + + + + + + + + + + + text/plain + + + + + TpmReadyStatus + + + + + + + + + + + + + + + text/plain + + + + + + +``` + +## Related topics + + +[HealthAttestation configuration service provider](healthattestation-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md new file mode 100644 index 0000000000..181c625ca6 --- /dev/null +++ b/windows/client-management/mdm/hotspot-csp.md 
@@ -0,0 +1,213 @@ +--- +title: HotSpot CSP +description: HotSpot CSP +ms.assetid: ec49dec1-fa79-420a-a9a7-e86668b3eebf +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# HotSpot CSP + + +The HotSpot configuration service provider is used to configure and enable Internet sharing on the device, in which the device can be configured to share its cellular connection over Wi-Fi with up to eight client devices or computers. + +> **Note**  HotSpot CSP is only supported in Windows 10 Mobile. + +  + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application. + +  + +The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider. + +![hotspot csp (cp)](images/provisioning-csp-hotspot-cp.png) + +**Enabled** +Required. Specifies whether to enable Internet sharing on the device. The default is false. + +If this is initially set to false, the feature is turned off and the Internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible. + +When this is set to true, the Internet sharing screen is added to Settings, though sharing is turned off by default until the user turns it on. + +This setting can be provisioned over the air, but it may require a reboot if Settings was open when this was enabled for the first time. + +**DedicatedConnections** +Optional. Specifies the semicolon separated list of Connection Manager cellular connections that Internet sharing will use as the public connections. + +By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections. 
+ +Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections. + +> **Note**   The mapping policy will also include the connection specified in the **TetheringNAIConnection** value as well. + +  + +If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share + +If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted. + +**TetheringNAIConnection** +Optional. Specifies the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection. + +If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must use the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) to provision a TetheringNAI connection and then specify the provisioned connection in this node. + +Specified connections will be mapped, by policy, to the Internet sharing service. All attempts to enumerate Connection Manager connections for the Internet sharing service will return only the mapped connections. + +> **Note**   The mapping policy will also include the connections specified in the **DedicatedConnections** as well. + +  + +If the specified connections do not exist, Internet sharing will not start because it will not have any cellular connections available to share + +If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted. + +**MaxUsers** +Optional. Specifies the maximum number of simultaneous users that can be connected to a device while in a sharing state. The value must be between 1 and 8 inclusive. The default value is 5. 
+ +If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted. + +**MaxBluetoothUsers** +Optional. Specifies the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. The value must be between 1 and 7 inclusive. The default value is 7. + +**MOHelpNumber** +Optional. A mobile operator–specified device number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help. + +**MOInfoLink** +Optional. A mobile operator–specified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature. + +**MOAppLink** +Optional. A Windows device application link that points to a preinstalled application, provided by the mobile operator, that will help a user to subscribe to the mobile operator’s Internet sharing service when Internet sharing is not provisioned or entitlement fails. The general format for the link is `app://MOapp`. + +**MOHelpMessage** +Optional. Reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form: + +`@,-` + +Where `` is the path to the resource dll that contains the string and `` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](http://msdn.microsoft.com/library/windows/desktop/dd374120.aspx) on MSDN. + +> **Note**  MOAppLink is required to use the MOHelpMessage setting. + +  + +**EntitlementRequired** +Optional. 
Specifies whether the device requires an entitlement check to determine if Internet sharing should be enabled. This node is set to a Boolean value. The default value is **True**. + +By default the Internet sharing service will check entitlement every time an attempt is made to enable Internet sharing. Internet sharing should be set to **False** for carrier-unlocked devices. + +**EntitlementDll** +Required if `EntitlementRequired` is set to true. The path to the entitlement DLL used to make entitlement checks that verify that the device is entitled to use the Internet sharing service on a mobile operator’s network. The value is a string that represents a valid file system path to the entitlement DLL. By default, the Internet sharing service fails entitlement checks if this setting is missing or empty. For more information, see [Creating an Entitlement DLL](#creating-entitlement-dll) later in this topic. + +**EntitlementInterval** +Optional. The time interval, in seconds, between entitlement checks. The default value is 86,400 seconds (24 hours). + +If a periodic entitlement check fails, Internet sharing is automatically disabled. + +**PeerlessTimeout** +Optional. The time-out period, in minutes, after which Internet sharing should automatically turn off if there are no longer any active clients. This node can be set to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes. + +A reboot may be required before changes to this node take effect. + +**PublicConnectionTimeout** +Optional. The time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available. This node can be set to any value between 1 and 60 inclusive. The default value is 20 minutes. A time-out is required, so a value of 0 is not supported. + +Changes to this node require a reboot. + +**MinWifiKeyLength** +> **Important**   This parm is no longer supported for Windows Phone 8.1. 
The enforced minimum allowed length of the Wi-Fi key is 8. + +  + +**MinWifiSSIDLength** +> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1. + +  + +## Additional requirements for CDMA networks + + +For CDMA networks that use a separate Network Access Identity (NAI) for Internet sharing, a new parm, TetheringNAI, has been added in the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) configuration service provider. The following sample demonstrates how to specify the connection. + +``` syntax + + + + + + + + + + + + + + + +``` + +> **Note**  CDMA devices are limited to one active data connection at a time. This means any application or service (such as email or MMS) that is bound to another connection may not work while Internet sharing is turned on. + +  + +## Creating an Entitlement DLL + + +For mobile operator networks that require an entitlement check, the OEM must provide a DLL in the device image that implements a function with the following signature: + +`ICS_ENTITLEMENT_RESULT IsEntitled(void);` + +The `EntitlementDll` parm of the HotSpot configuration service provider must be set to a string that is the path to this DLL. + +The DLL must be code signed in a specific way, see [Sign binaries and packages](https://msdn.microsoft.com/en-us/library/windows/hardware/dn789217(v=vs.85).aspx). + +During an entitlement check the Internet Sharing service loads the specified DLL and then call the `IsEntitled` function. The function must connect to the server to perform any required validation, then return one of the following **ICS\_ENTITLEMENT\_RESULT** enumeration values. + + ++++ + + + + + + + + + + + + + + + + + + + + +
ValueDescription

ENTITLEMENT_SUCCESS

The device is allowed to connect to the server.

ENTITLEMENT_FAILED

The device is not allowed to connect to the server

ENTITLEMENT_UNAVAILABLE

The entitlement check failed because the device could not contact the server or acquire a connection to verify entitlement.

+ +  + +The definition for the **ICS\_ENTITLEMENT\_RESULT** is in the header file `IcsEntitlementh`, which ships with the Windows Adaptation Kit. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/iconfigserviceprovider2.md b/windows/client-management/mdm/iconfigserviceprovider2.md new file mode 100644 index 0000000000..be59397ff3 --- /dev/null +++ b/windows/client-management/mdm/iconfigserviceprovider2.md @@ -0,0 +1,54 @@ +--- +title: IConfigServiceProvider2 +description: IConfigServiceProvider2 +ms.assetid: 8deec0fb-59a6-4d08-8ddb-6d0d3d868a10 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# IConfigServiceProvider2 + + +OEMs are required to implement this interface once per configuration service provider. ConfigManager2 clients use this interface to instantiate the configuration service provider, to communicate general state information to the configuration service provider, and often to access or create nodes. + +The following table shows the methods defined by this interface that OEMs must implement. + + ++++ + + + + + + + + + + + + + + + + +
MethodDescription

[IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md)

Enables ConfigManager2 to send notifications to a configuration service provider of events such as when the configuration service provider is loaded or unloaded, when rollbacks are performed, and when actions are called on nodes.

[IConfigServiceProvider2::GetNode](iconfigserviceprovider2getnode.md)

Returns a node from the configuration service provider based on the path relative to the root node.

+ +  + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md new file mode 100644 index 0000000000..2d72418a32 --- /dev/null +++ b/windows/client-management/mdm/iconfigserviceprovider2configmanagernotification.md @@ -0,0 +1,143 @@ +--- +title: IConfigServiceProvider2 ConfigManagerNotification +description: IConfigServiceProvider2 ConfigManagerNotification +ms.assetid: b1f0fe0f-afbe-4b36-a75d-34239a86a75c +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# IConfigServiceProvider2::ConfigManagerNotification + + +This method enables ConfigManager2 to send notifications of events to a configuration service provider, such as when the configuration service provider is loaded or unloaded, when rollbacks are performed, and when actions are called on nodes. + +## Syntax + + +``` syntax +HRESULT ConfigManagerNotification([in] CFGMGR_NOTIFICATION cmnfyState, + [in] LPARAM lpParam); +``` + +## Parameters + + +*cmnfyState* +
    +
  • +The following events are supported by all configuration service providers. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    EventDescription

    CFGMGR_NOTIFICATION_LOAD

    First time the configuration service provider is loaded/instantiated.

    CFGMGR_NOTIFICATION_BEGINCOMMANDPROCESSING

    About to run the first command of a transaction.

    CFGMGR_NOTIFICATION_ENDCOMMANDPROCESSING

    Last command of transaction has executed. This event is always raised if BEGINCOMMANDPROCESSING was raised, even if the handling of BEGINCOMMANDPROCESSING failed.

    CFGMGR_NOTIFICATION_BEGINCOMMIT

    About to commit the first command of a transaction.

    CFGMGR_NOTIFICATION_ENDCOMMIT

    Last command of a transaction has been committed. This event is always raised if BEGINCOMMIT was raised, even if the handling of BEGINCOMMIT failed.

    CFGMGR_NOTIFICATION_BEGINROLLBACK

    About to roll back the first command of the transaction.

    CFGMGR_NOTIFICATION_ENDROLLBACK

    Last command of the transaction has been rolled back. This event is always raised if BEGINROLLBACK was raised, even if the handling of BEGINROLLBACK failed.

    CFGMGR_NOTIFICATION_UNLOAD

    The configuration service provider is about to be unloaded/deleted.

    CFGMGR_NOTIFICATION_SETSESSIONOBJ

    Session object is available for use; lpParam can be cast to an IConfigSession2 pointer.

    CFGMGR_NOTIFICATION_BEGINTRANSACTIONING

    Primarily used for compatibility with v1 configuration service providers. Signals the beginning of a transactioning sequence.

    CFGMGR_NOTIFICATION_ENDTRANSACTIONING

    Primarily used for compatibility with v1 configuration service providers. Signals the end of a transactioning sequence.

    +
  • +
+
+ + +*lpParam* +
    +
  • +Normally NULL, but contains a pointer to an IConfigSession2 instance if *cmnfState* is CFGMGR\_NOTIFICATION\_SETSESSIONOBJ. +
  • +
+
+ +## Return Value + +A value of S\_OK indicates success. + +## Remarks + +ConfigManager2 guarantees that if it raised one of the BEGIN events + +- CFGMGR\_NOTIFICATION\_BEGINCOMMANDPROCESSING +- CFGMGR\_NOTIFICATION\_BEGINCOMMIT +- CFGMGR\_NOTIFICATION\_BEGINROLLBACK + +then the corresponding END event will be raised, even if the handling of the BEGIN notification failed. +For each transaction, the sequence of notifications is: + +1. BEGINCOMMANDPROCESSING + +2. BEGINTRANSACTIONING + +3. ENDTRANSACTIONING + +4. ENDCOMMANDPROCESSING + +5. Either BEGINCOMMIT or BEGINROLLBACK, depending on whether the transaction succeeded or failed. + +6. Either ENDCOMMIT or ENDROLLBACK, depending on whether the transaction succeeded or failed. + +Each configuration service provider will receive the relevant BEGIN/END notifications exactly once per each transaction that ConfigManager2 executes. + +## Requirements + +**Header:** None + +  + + + + + + diff --git a/windows/client-management/mdm/iconfigserviceprovider2getnode.md b/windows/client-management/mdm/iconfigserviceprovider2getnode.md new file mode 100644 index 0000000000..d9efa4d469 --- /dev/null +++ b/windows/client-management/mdm/iconfigserviceprovider2getnode.md @@ -0,0 +1,103 @@ +--- +title: IConfigServiceProvider2 GetNode +description: IConfigServiceProvider2 GetNode +ms.assetid: 4dc10a59-f6a2-45c0-927c-d594afc9bb91 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# IConfigServiceProvider2::GetNode + + +This method returns a node from the configuration service provider based on the path that was passed in. The returned node is a descendent of the root node. + +## Syntax + + +``` syntax +HRESULT GetNode([in] IConfigManager2URI* pURI, + [out] ICSPNode** ppNode, + [in, out] DWORD* pgrfNodeOptions); +``` + +## Parameters + +*pUri* +
    +
  • +URI of the child node, relative to the root node. For example, to access the "./Vendor/Contoso/SampleCSP/ContainerA/UserName" node, ConfigManager2 calls the configuration service provider's `GetNode` method and passes in an IConfigManager2URI instance representing the URI “SampleCSP/ContainerA/UserName”. +
  • +
+
+*ppNode* +
    +
  • +If the query is successful, this returns the ICSPNode instance at the *pUri* location in the configuration service provider's tree. +
  • +
+
+*pgrfNodeOptions* +
    +
  • +Nodes support the following features. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Feature nameBit value (in hex)Notes

    CSPNODE_OPTION_NATIVESECURITY

    0x01

    The native security option signifies that the node handles its own security checking, and that ConfigManager2 does not have to manage security for this node.

    CSPNODE_OPTION_INTERNALTRANSACTION

    0x02

    The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the [ICSPNodeTransactioning](icspnodetransactioning.md).

    CSPNODE_OPTION_HANDLEALLPROPERTIES

    0x04

    Unused.

    CSPNODE_OPTION_SECRETDATA

    0x08

    Unused.

    +
  • +
+
+ +## Return Value + +This method returns an ICSPNode. If the function returns null, call GetLastError to get the error value. + +A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_NODENOTFOUND indicates that the node does not exist. Note that this may be normal, as in the case of optional nodes. + +## Requirements + +**Header:** None + +  + + + + + + diff --git a/windows/client-management/mdm/icspnode.md b/windows/client-management/mdm/icspnode.md new file mode 100644 index 0000000000..5da7ad4b29 --- /dev/null +++ b/windows/client-management/mdm/icspnode.md @@ -0,0 +1,101 @@ +--- +title: ICSPNode +description: ICSPNode +ms.assetid: 023466e6-a8ab-48ad-8548-291409686ac2 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode + +This interface does most of the work in a configuration service provider. Each individual node in a configuration service provider tree is represented by a separate implementation of this interface. The actions of a ConfigManager2 client are typically translated into calls to an instance of an ICSPNode. + +These methods must be implemented so that, if they fail, the node's state at the end of the method matches the state before the method was called. + +Some nodes will not be able to perform certain actions, and can return CFGMGR\_E\_COMMANDNOTALLOWED for those methods. For each method that is implemented for externally–transactioned nodes, the contrary method must also be implemented, as defined by "Determine node operations" in [Designing a custom configuration service provider](design-a-custom-windows-csp.md). + +The following table shows the methods defined by this interface that OEMs must implement. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
MethodDescription

[ICSPNode::Add](icspnodeadd.md)

Adds an immediate child to a configuration service provider node and returns a pointer to the new child node.

[ICSPNode::Clear](icspnodeclear.md)

Deletes the contents and children of the current configuration service provider node. Called before [ICSPNode::DeleteChild](icspnodedeletechild.md).

[ICSPNode::Copy](icspnodecopy.md)

Makes a copy of the current node at the specified path within the configuration service provider. If the target node exists, it should be overwritten.

[ICSPNode::DeleteChild](icspnodedeletechild.md)

Deletes the specified child node from the configuration service provider node.

[ICSPNode::DeleteProperty](icspnodedeleteproperty.md)

Deletes a property from a configuration service provider node.

[ICSPNode::Execute](icspnodeexecute.md)

Runs a task on an internally-transactioned configuration service provider node by passing in the specified user data and returning a result.

[ICSPNode::GetChildNodeNames](icspnodegetchildnodenames.md)

Returns the list of children for a configuration service provider node.

[ICSPNode::GetProperty](icspnodegetproperty.md)

Returns a property value from a configuration service provider node.

[ICSPNode::GetPropertyIdentifiers](icspnodegetpropertyidentifiers.md)

Returns a list of non-standard properties supported by the node. The returned array must be allocated with CoTaskMemAlloc.

[ICSPNode::GetValue](icspnodegetvalue.md)

Gets the value and data type for the node. Interior (non-leaf) nodes may not have a value.

[ICSPNode::Move](icspnodemove.md)

Moves this node to a new location within the configuration service provider. If the target node already exists, it should be overwritten.

[ICSPNode::SetProperty](icspnodesetproperty.md)

Sets a property value for a configuration service provider node.

[ICSPNode::SetValue](icspnodesetvalue.md)

Sets the value for the configuration service provider node. It is an error to attempt to set the value of an interior node.

+ +  + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodeadd.md b/windows/client-management/mdm/icspnodeadd.md new file mode 100644 index 0000000000..20be80123e --- /dev/null +++ b/windows/client-management/mdm/icspnodeadd.md @@ -0,0 +1,115 @@ +--- +title: ICSPNode Add +description: ICSPNode Add +ms.assetid: 5f03d350-c82b-4747-975f-385fd8b5b3a8 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::Add + +This method adds an immediate child node to a configuration service provider node and returns a pointer to the new node. + +## Syntax + +``` syntax +HRESULT Add([in] IConfigManager2URI* pChildName, + [in] CFG_DATATYPE DataType, + [in] VARIANT varValue, + [in, out] ICSPNode** ppNewNode, + [in, out] DWORD* pgrfNodeOptions); +``` + +## Parameters + +*pChildName* +      Name of child node to add. + +*DataType* +      Data type of the child node to add. Supported types include: +- CFG\_DATATYPE\_NODE + +- CFG\_DATATYPE\_NULL + +- CFG\_DATATYPE\_BINARY + +- CFG\_DATATYPE\_INTEGER + +- CFG\_DATATYPE\_STRING + +- CFG\_DATATYPE\_MULTIPLE\_STRING + +*varValue* +      Value of the child node to add. + +*ppNewNode* +      New child node to return. + +*pgrfNodeOptions* +      Features supported on the new child node. + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Feature nameBit value (in hex)Notes

CSPNODE_OPTION_NATIVESECURITY

0x01

The native security option signifies that the node handles its own security checking, and that ConfigManager2 does not have to manage security for this node.

CSPNODE_OPTION_INTERNALTRANSACTION

0x02

The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the [ICSPNodeTransactioning](icspnodetransactioning.md).

CSPNODE_OPTION_HANDLEALLPROPERTIES

0x04

Unused.

CSPNODE_OPTION_SECRETDATA

0x08

Unused.

+ +  +## Return Value + +This method returns an ICSPNode and the feature options supported on that child node. If the method returns null, call GetLastError to get the error value. + +A value of S\_OK indicates that a node was successfully found. CMN\_E\_ALREADY\_EXISTS indicates that a child node with the same name already exists. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **Add** method. + +## Remarks + +For externally–transactioned nodes, if this method is implemented, then [ICSPNode::Clear](icspnodeclear.md) and [ICSPNode::DeleteChild](icspnodedeletechild.md) must also be implemented or rollback will fail. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodeclear.md b/windows/client-management/mdm/icspnodeclear.md new file mode 100644 index 0000000000..5c0f660fa3 --- /dev/null +++ b/windows/client-management/mdm/icspnodeclear.md 
@@ -0,0 +1,50 @@ +--- +title: ICSPNode Clear +description: ICSPNode Clear +ms.assetid: b414498b-110a-472d-95c0-2d5b38cd78a6 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + + +# ICSPNode::Clear + +This method deletes the contents and child nodes of the current configuration service provider node. This method is always called on the child node before [ICSPNode::DeleteChild](icspnodedeletechild.md) is called on the parent node. + + +## Syntax + +``` syntax +HRESULT Clear(); +``` + + +## Return Value + +A value of S\_OK indicates that the node was successfully cleared. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **Clear** method. + + +## Remarks + +For externally–transactioned nodes, if this method is implemented, then [ICSPNode::SetValue](icspnodesetvalue.md) and [ICSPNode::SetProperty](icspnodesetproperty.md) must also be implemented or rollback will fail. + +Before calling **Clear** on the target node, ConfigManager2 attempts to gather the current state of the node; the parent node does not have to preserve the state of its child nodes if they are externally-transactioned. + +## Requirements + +**Header:** None + + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + diff --git a/windows/client-management/mdm/icspnodecopy.md b/windows/client-management/mdm/icspnodecopy.md new file mode 100644 index 0000000000..cf113766b6 --- /dev/null +++ b/windows/client-management/mdm/icspnodecopy.md 
@@ -0,0 +1,93 @@ +--- +title: ICSPNode Copy +description: ICSPNode Copy +ms.assetid: cd5ce0bc-a08b-4f82-802d-c7ff8701b41f +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::Copy + +This method makes a copy of the current node at the specified path within the configuration service provider. If the target node exists, it should be overwritten. + +## Syntax + +``` syntax +HRESULT Copy([in] IConfigManager2URI* puriDestination, + [in, out] ICSPNode** ppNewNode, + [in, out] DWORD* pgrfNodeOptions); +``` + +## Parameters + +*puriDestination* +      Path and name of new node's location, relative to the configuration service provider's root node. + +*ppNewNode* +      New node created by the copy operation. + +*pgrfNodeOptions* +      Features supported on the new node. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Feature nameBit value (in hex)Notes

CSPNODE_OPTION_NATIVESECURITY

0x01

The native security option signifies that the node handles its own security checking, and that ConfigManager2 does not have to manage security for this node.

CSPNODE_OPTION_INTERNALTRANSACTION

0x02

The internal transactioning option tells ConfigManager2 that the configuration service provider handles the transactioning (rollback and commitment) for the node. To handle internal transactioning, the node must implement the [ICSPNodeTransactioning](icspnodetransactioning.md).

CSPNODE_OPTION_HANDLEALLPROPERTIES

0x04

Unused.

CSPNODE_OPTION_SECRETDATA

0x08

Unused.

+ +  +## Return Value + +A value of S\_OK indicates that the node was successfully copied to the new location. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **Copy** method. + +## Remarks + +For externally–transactioned nodes, if this method is implemented, then [ICSPNode::Add](icspnodeadd.md), [ICSPNode::SetValue](icspnodesetvalue.md), [ICSPNode::Clear](icspnodeclear.md), and [ICSPNode::DeleteChild](icspnodedeletechild.md) must also be implemented or rollback will fail. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + + + + + + diff --git a/windows/client-management/mdm/icspnodedeletechild.md b/windows/client-management/mdm/icspnodedeletechild.md new file mode 100644 index 0000000000..686df037ea --- /dev/null +++ b/windows/client-management/mdm/icspnodedeletechild.md 
@@ -0,0 +1,56 @@ +--- +title: ICSPNode DeleteChild +description: ICSPNode DeleteChild +ms.assetid: 8cf3663d-a4cf-4d11-b03a-f1d096ad7f9c +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::DeleteChild + +Deletes the specified child node from the configuration service provider node. [ICSPNode::Clear](icspnodeclear.md) must always be called first on the child node that is to be deleted. + +## Syntax + +``` syntax +HRESULT DeleteChild([in] IConfigManager2URI* puriChildToDelete); +``` + +## Parameters + +*puriChildToDelete* +      The name of the child node to delete. + +## Return Values + +| Return Value | Description | +|------------------------------|--------------------------------------------------| +| CFGMGR\_E\_NODENOTFOUND | The child node does not exist | +| CFGMGR\_E\_COMMANDNOTALLOWED | The child node to be deleted is a read-only node | +| S\_OK | Success. | + +  +A value of S\_OK indicates that a node was successfully deleted. CFGMGR\_E\_NODENOTFOUND indicates that the child node does not exist. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **ICSP::DeleteChild** method, or that the child node to be deleted is a read-only node. + +## Remarks + +For externally–transactioned nodes, if this method is implemented, then [ICSPNode::Add](icspnodeadd.md) must also be implemented or rollback will fail. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodedeleteproperty.md b/windows/client-management/mdm/icspnodedeleteproperty.md new file mode 100644 index 0000000000..74126c9679 --- /dev/null +++ b/windows/client-management/mdm/icspnodedeleteproperty.md 
@@ -0,0 +1,49 @@ +--- +title: ICSPNode DeleteProperty +description: ICSPNode DeleteProperty +ms.assetid: 7e21851f-d663-4558-b3e8-590d24b4f6c4 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::DeleteProperty + +This method deletes a property from a configuration service provider node. + +## Syntax + +``` syntax +HRESULT DeleteProperty([in] REFGUID guidProperty); +``` + +## Parameters + +*guidProperty* +      The GUID of the property to delete. + +## Return Value + +A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_PROPERTYNOTSUPPORTED indicates that this node does not manage or implement the property itself, but delegates it to ConfigManager2. E\_NOTIMPL indicates this method is not supported by this node. + +## Remarks + +For externally–transactioned nodes, if this method is implemented, then [ICSPNode::SetProperty](icspnodesetproperty.md) must also be implemented or rollback will fail. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodeexecute.md b/windows/client-management/mdm/icspnodeexecute.md new file mode 100644 index 0000000000..ef2c4dfa1a --- /dev/null +++ b/windows/client-management/mdm/icspnodeexecute.md 
@@ -0,0 +1,47 @@ +--- +title: ICSPNode Execute +description: ICSPNode Execute +ms.assetid: 5916e7b7-256d-49fd-82b6-db0547a215ec +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::Execute + +This method runs a task on an internally-transactioned configuration service provider node by passing in the specified user data and returning a result. The exact meaning of **Execute** and whether it is even supported depends on the purpose of the node. For example, **Execute** called on a node that represents a file should probably **ShellExecute** the file, whereas calling **Execute** on a registry node generally does not make sense. + +## Syntax + +``` syntax +HRESULT Execute([in] VARIANT varUserData); +``` + +## Parameters + +*varUserData* +    Data to pass into the execution. + +## Return Value + +A value of S\_OK indicates that the operation was performed successfully on the node. E\_NOTIMPL should be returned if this method is not implemented. + +## Remarks + +Externally–transactioned nodes do not support this method. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + diff --git a/windows/client-management/mdm/icspnodegetchildnodenames.md b/windows/client-management/mdm/icspnodegetchildnodenames.md new file mode 100644 index 0000000000..aa63ca5b8e --- /dev/null +++ b/windows/client-management/mdm/icspnodegetchildnodenames.md 
@@ -0,0 +1,53 @@ +--- +title: ICSPNode GetChildNodeNames +description: ICSPNode GetChildNodeNames +ms.assetid: dc057f2b-282b-49ac-91c4-bb83bd3ca4dc +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::GetChildNodeNames + +This method returns the list of child nodes for a configuration service provider node. + +## Syntax + +``` syntax +HRESULT GetChildNodeNames([out] ULONG* pulCount, + [out,size_is(,*pulCount)] BSTR** pbstrNodeNames); +``` + +## Parameters + +*pulCount* +

The number of child nodes to return.

+ +*pbstrNodeNames* +

The array of child node names. The returned array must be allocated with `CoTaskMemAlloc`. Each element of the array must be a valid, non-NULL `BSTR`, allocated by `SysAllocString` or `SysAllocStringLen`. The names returned must not be encoded in any way, including URI-encoding, for canonicalization reasons.

+ +## Return Value + +A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this was called on a leaf node (no children will be returned). + +## Remarks + +For externally–transactioned nodes, no additional methods are required for successful rollback. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodegetproperty.md b/windows/client-management/mdm/icspnodegetproperty.md new file mode 100644 index 0000000000..673d9e8e15 --- /dev/null +++ b/windows/client-management/mdm/icspnodegetproperty.md @@ -0,0 +1,55 @@ +--- +title: ICSPNode GetProperty +description: ICSPNode GetProperty +ms.assetid: a2bdc158-72e0-4cdb-97ce-f5cf1a44b7db +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::GetProperty + +This method returns a property value from a configuration service provider node. + +## Syntax + +``` syntax +HRESULT GetProperty([in] REFGUID guidProperty, + [in,out] VARIANT* pvarValue); +``` + +## Parameters + +*guidProperty* +

GUID that specifies the property to return.

+ +*pvarValue* +

Value to return.

+ +## Return Value + +A value of S\_OK indicates that the value was successfully returned. CFGMGR\_E\_COMMANDNOTSUPPORTED indicates that the node does not implement the property itself, but delegates the management of the property to ConfigManager2. + +## Remarks + +Every node must handle the CFGMGR\_PROPERTY\_DATATYPE property. + +For externally–transactioned nodes, no additional methods are required for successful rollback. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodegetpropertyidentifiers.md b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md new file mode 100644 index 0000000000..55fabbe552 --- /dev/null +++ b/windows/client-management/mdm/icspnodegetpropertyidentifiers.md @@ -0,0 +1,52 @@ +--- +title: ICSPNode GetPropertyIdentifiers +description: ICSPNode GetPropertyIdentifiers +ms.assetid: 8a052cd3-d74c-40c4-845f-f804b920deb4 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::GetPropertyIdentifiers + +This method returns a list of non-standard properties supported by the node. The returned array must be allocated with `CoTaskMemAlloc`. + +## Syntax + +``` syntax +HRESULT GetPropertyIdentifiers([out] ULONG* pulCount, + [out,size_is(,*pulCount)] GUID** pguidProperties); +``` + +## Parameters + +*pulCount* +

The number of non-standard properties to return.

+ +*pguidProperties* +

The array of property GUIDs to return. This array must be allocated with `CoTaskMemAlloc`.

+ +## Return Value + +A value of S\_OK indicates that the properties were successfully returned. E\_NOTIMPL indicates that this method is not supported by the node. + +## Remarks + +For externally–transactioned nodes, no additional methods are required for successful rollback. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + diff --git a/windows/client-management/mdm/icspnodegetvalue.md b/windows/client-management/mdm/icspnodegetvalue.md new file mode 100644 index 0000000000..fe58b75211 --- /dev/null +++ b/windows/client-management/mdm/icspnodegetvalue.md @@ -0,0 +1,50 @@ +--- +title: ICSPNode GetValue +description: ICSPNode GetValue +ms.assetid: c684036d-98be-4659-8ce8-f72436a39b90 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::GetValue + +This method gets the value and data type for the node. Interior (non-leaf) nodes may not have a value. + +## Syntax + +``` syntax +HRESULT GetValue([in,out] VARIANT* pvarValue); +``` + +## Parameters + +*pvarValue* +

Data value to return. A node containing a password value returns 16 asterisks (‘\*’) for this method. A leaf node whose value has not been set returns a variant whose type is `VT_NULL`. +

+ +## Return Value + +A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **ICSP::GetValue** methods, or that this is an interior node. + +## Remarks + +For externally–transactioned nodes, this node is not required to implement any other methods for a successful rollback. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodemove.md b/windows/client-management/mdm/icspnodemove.md new file mode 100644 index 0000000000..53c5047934 --- /dev/null +++ b/windows/client-management/mdm/icspnodemove.md @@ -0,0 +1,49 @@ +--- +title: ICSPNode Move +description: ICSPNode Move +ms.assetid: efb359c3-5c86-4975-bf6f-a1c33922442a +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::Move + +This method moves the node to a new location within the configuration service provider. If the target node already exists, it should be overwritten. + +## Syntax + +``` syntax +HRESULT Move([in] IConfigManager2URI* puriDestination); +``` + +## Parameters + +*puriDestination* +

Path and name of the node's new location, relative to the configuration service provider's root node.

+ +## Return Value + +A value of S\_OK indicates that the node was successfully moved. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **ICSP::Move** method. + +## Remarks + +For externally–transactioned nodes, if this method is implemented, then [ICSPNode::Add](icspnodeadd.md) and [ICSPNode::SetValue](icspnodesetvalue.md) must also be implemented or rollback will fail. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodesetproperty.md b/windows/client-management/mdm/icspnodesetproperty.md new file mode 100644 index 0000000000..daae584a37 --- /dev/null +++ b/windows/client-management/mdm/icspnodesetproperty.md @@ -0,0 +1,55 @@ +--- +title: ICSPNode SetProperty +description: ICSPNode SetProperty +ms.assetid: e235c38f-ea04-4cd8-adec-3c6c0ce7172d +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::SetProperty + +This method sets a property value for a configuration service provider node. + +## Syntax + +``` syntax +HRESULT SetProperty([in] REFGUID guidProperty, + [in] VARIANT varValue); +``` + +## Parameters + +*guidProperty* +

The GUID of the property.

+ +*varValue* +

The value to return.

+ +## Return Value + +A value of S\_OK indicates that a node was successfully found. CFGMGR\_E\_COMMANDNOTSUPPORTED indicates that this node delegates the management of the property to ConfigManager2. + +## Remarks + +Every node must properly handle the CFGMGR\_PROPERTY\_DATATYPE property. + +For externally–transactioned nodes, no additional methods are required for successful rollback. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodesetvalue.md b/windows/client-management/mdm/icspnodesetvalue.md new file mode 100644 index 0000000000..ccb5ff6c76 --- /dev/null +++ b/windows/client-management/mdm/icspnodesetvalue.md @@ -0,0 +1,49 @@ +--- +title: ICSPNode SetValue +description: ICSPNode SetValue +ms.assetid: b218636d-fe8b-4a0f-b4e8-a621f65619d3 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNode::SetValue + +This method sets the value for the configuration service provider node. It is an error to attempt to set the value of an interior node. + +## Syntax + +``` syntax +HRESULT SetValue([in] VARIANT varValue); +``` + +## Parameters + +*varValue* +

Value to set. To clear a leaf node’s value, set *varValue*’s type to `VT_NULL`.

+ +## Return Value + +A value of S\_OK indicates that the value was set successfully. CFGMGR\_E\_COMMANDNOTALLOWED indicates that this node does not support the **ICSP::SetValue** method, or that it's an internal node. + +## Remarks + +For externally–transactioned nodes, no additional methods must be implemented to support rollback. + +## Requirements + +**Header:** None + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + + diff --git a/windows/client-management/mdm/icspnodetransactioning.md b/windows/client-management/mdm/icspnodetransactioning.md new file mode 100644 index 0000000000..536708cb7d --- /dev/null +++ b/windows/client-management/mdm/icspnodetransactioning.md 
@@ -0,0 +1,80 @@ +--- +title: ICSPNodeTransactioning +description: ICSPNodeTransactioning +ms.assetid: 24dc518a-4a8d-41fe-9bc6-217bbbdf6a3f +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ICSPNodeTransactioning + +This is an optional interface that enables a configuration service provider to define its own transactioning scheme (internal transactioning) for an individual node. Transactioning supports the ability to roll back previous actions on a node. The majority of nodes use external transactioning, which is handled automatically, and do not need to implement this interface. For more information about internal and external transactioning, including how to handle the `RollbackAction` functions, see "Determine node operations" in [Designing a custom configuration service provider](design-a-custom-windows-csp.md). + +``` syntax +interface ICSPNodeTransactioning : IUnknown +{ + HRESULT PersistRollbackAddState([in] IConfigManager2URI* puriChild, + [in] CFG_DATATYPE DataType, + [in] VARIANT varValue, + [in] ISequentialStream* pRollbackStream, + [in] ISequentialStream* pUninstallStream); + HRESULT PersistRollbackCopyState([in] IConfigManager2URI* puriDestination, + [in] ISequentialStream* pRollbackStream, + [in] ISequentialStream* pUninstallStream); + HRESULT PersistRollbackDeleteChildState([in] IConfigManager2URI* puriChild, + [in] ISequentialStream* pRollbackStream, + [in] ISequentialStream* pUninstallStream); + HRESULT PersistRollbackClearState([in] ISequentialStream* pRollbackStream, + [in] ISequentialStream* pUninstallStream); + HRESULT PersistRollbackExecuteState([in] VARIANT varUserData, + [in] ISequentialStream* pRollbackStream, + [in] ISequentialStream* pUninstallStream); + HRESULT PersistRollbackMoveState([in] IConfigManager2URI* puriDestination, + [in] ISequentialStream* pRollbackStream, + [in] ISequentialStream* pUninstallStream); + HRESULT PersistRollbackSetValueState([in] VARIANT varValue, + [in] 
ISequentialStream* pRollbackStream, + [in] ISequentialStream* pUninstallStream); + HRESULT PersistRollbackSetPropertyState([in] REFGUID guidProperty, + [in] VARIANT varValue, + [in] ISequentialStream* pRollbackStream, + [in] ISequentialStream* pUninstallStream); + HRESULT PersistRollbackDeletePropertyState([in] REFGUID guidProperty, + [in] ISequentialStream* pRollbackStream, + [in] ISequentialStream* pUninstallStream); + HRESULT RollbackAdd([in] ISequentialStream* pUndoStream, + [in] BOOL fRecoveryRollback); + HRESULT RollbackCopy([in] ISequentialStream* pUndoStream, + [in] BOOL fRecoveryRollback); + HRESULT RollbackDeleteChild([in] ISequentialStream* pUndoStream, + [in] BOOL fRecoveryRollback); + HRESULT RollbackClear([in] ISequentialStream* pUndoStream, + [in] BOOL fRecoveryRollback); + HRESULT RollbackExecute([in] ISequentialStream* pUndoStream, + [in] BOOL fRecoveryRollback); + HRESULT RollbackMove([in] ISequentialStream* pUndoStream, + [in] BOOL fRecoveryRollback); + HRESULT RollbackSetValue([in] ISequentialStream* pUndoStream, + [in] BOOL fRecoveryRollback); + HRESULT RollbackSetProperty([in] ISequentialStream* pUndoStream, + [in] BOOL fRecoveryRollback); + HRESULT RollbackDeleteProperty([in] ISequentialStream* pUndoStream, + [in] BOOL fRecoveryRollback); + + HRESULT Commit(); +}; +``` + +## Related topics + +[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md) + +  + + + + + diff --git a/windows/client-management/mdm/icspvalidate.md b/windows/client-management/mdm/icspvalidate.md new file mode 100644 index 0000000000..42828da848 --- /dev/null +++ b/windows/client-management/mdm/icspvalidate.md 
@@ -0,0 +1,51 @@
+---
+title: ICSPValidate
+description: ICSPValidate
+ms.assetid: b0993f2d-6269-412f-a329-af25fff34ca2
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# ICSPValidate
+
+This interface is optional. It is called by ConfigManager2 as it batches commands before transactioning begins. This allows the configuration service provider to validate the node before performing specific actions. It is generally only used for configuration service providers that need to expose UI.
+
+``` syntax
+interface ICSPValidate : IUnknown
+{
+ HRESULT ValidateAdd([in] IConfigNodeState* pNodeState,
+ [in] IConfigManager2URI* puriChild,
+ [in] CFG_DATATYPE DataType,
+ [in] VARIANT varValue);
+ HRESULT ValidateCopy([in] IConfigNodeState* pNodeState,
+ [in] IConfigManager2URI* puriDestination);
+ HRESULT ValidateDeleteChild([in] IConfigNodeState* pNodeState,
+ [in] IConfigManager2URI* puriChild);
+ HRESULT ValidateClear([in] IConfigNodeState* pNodeState);
+ HRESULT ValidateExecute([in] IConfigNodeState* pNodeState,
+ [in] VARIANT varUserData);
+ HRESULT ValidateMove([in] IConfigNodeState* pNodeState,
+ [in] IConfigManager2URI* puriDestination);
+ HRESULT ValidateSetValue([in] IConfigNodeState* pNodeState,
+ [in] VARIANT varValue);
+ HRESULT ValidateSetProperty([in] IConfigNodeState* pNodeState,
+ [in] REFGUID guidProperty,
+ [in] VARIANT varValue);
+ HRESULT ValidateDeleteProperty([in] IConfigNodeState* pNodeState,
+ [in] REFGUID guidProperty);
+```
+
+## Related topics
+
+[Create a custom configuration service provider](create-a-custom-configuration-service-provider.md)
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/images/HealthAttestation_1.png b/windows/client-management/mdm/images/HealthAttestation_1.png
new file mode 100644
index 0000000000..f0c5d03fc9
Binary files /dev/null and b/windows/client-management/mdm/images/HealthAttestation_1.png differ
diff --git a/windows/client-management/mdm/images/HealthAttestation_2.png b/windows/client-management/mdm/images/HealthAttestation_2.png
new file mode 100644
index 0000000000..e2e13ff8c4
Binary files /dev/null and b/windows/client-management/mdm/images/HealthAttestation_2.png differ
diff --git a/windows/client-management/mdm/images/applocker-screenshot1.png b/windows/client-management/mdm/images/applocker-screenshot1.png
new file mode 100644
index 0000000000..9de9e74f70
Binary files /dev/null and b/windows/client-management/mdm/images/applocker-screenshot1.png differ
diff --git a/windows/client-management/mdm/images/applocker-screenshot2.png b/windows/client-management/mdm/images/applocker-screenshot2.png
new file mode 100644
index 0000000000..33b794f9b4
Binary files /dev/null and b/windows/client-management/mdm/images/applocker-screenshot2.png differ
diff --git a/windows/client-management/mdm/images/applocker-screenshot3.png b/windows/client-management/mdm/images/applocker-screenshot3.png
new file mode 100644
index 0000000000..d9de466e2d
Binary files /dev/null and b/windows/client-management/mdm/images/applocker-screenshot3.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant1.png b/windows/client-management/mdm/images/azure-ad-add-tenant1.png
new file mode 100644
index 0000000000..3e32d82f7b
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant1.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant10.png b/windows/client-management/mdm/images/azure-ad-add-tenant10.png
new file mode 100644
index 0000000000..a6e7c07f67
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant10.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant11.png b/windows/client-management/mdm/images/azure-ad-add-tenant11.png
new file mode 100644
index 0000000000..4648df15d8
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant11.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant12.png b/windows/client-management/mdm/images/azure-ad-add-tenant12.png
new file mode 100644
index 0000000000..1b234faef0
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant12.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant13.png b/windows/client-management/mdm/images/azure-ad-add-tenant13.png
new file mode 100644
index 0000000000..b44e7370cd
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant13.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant14.png b/windows/client-management/mdm/images/azure-ad-add-tenant14.png
new file mode 100644
index 0000000000..d295c71a69
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant14.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant15.png b/windows/client-management/mdm/images/azure-ad-add-tenant15.png
new file mode 100644
index 0000000000..d0639750c2
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant15.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant2.png b/windows/client-management/mdm/images/azure-ad-add-tenant2.png
new file mode 100644
index 0000000000..3099043171
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant2.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant3-b.png b/windows/client-management/mdm/images/azure-ad-add-tenant3-b.png
new file mode 100644
index 0000000000..e845896e37
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant3-b.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant3.png b/windows/client-management/mdm/images/azure-ad-add-tenant3.png
new file mode 100644
index 0000000000..7ede724ff0
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant3.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant4.png b/windows/client-management/mdm/images/azure-ad-add-tenant4.png
new file mode 100644
index 0000000000..8c6f4bbbdd
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant4.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant5.png b/windows/client-management/mdm/images/azure-ad-add-tenant5.png
new file mode 100644
index 0000000000..ad951c46b2
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant5.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant6.png b/windows/client-management/mdm/images/azure-ad-add-tenant6.png
new file mode 100644
index 0000000000..169df32316
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant6.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant7.png b/windows/client-management/mdm/images/azure-ad-add-tenant7.png
new file mode 100644
index 0000000000..73a1319eb9
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant7.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant8.png b/windows/client-management/mdm/images/azure-ad-add-tenant8.png
new file mode 100644
index 0000000000..b36d089a48
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant8.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-add-tenant9.png b/windows/client-management/mdm/images/azure-ad-add-tenant9.png
new file mode 100644
index 0000000000..6589bda706
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-add-tenant9.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-app-gallery.png b/windows/client-management/mdm/images/azure-ad-app-gallery.png
new file mode 100644
index 0000000000..f96d2b7f89
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-app-gallery.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-enrollment-flow.png b/windows/client-management/mdm/images/azure-ad-enrollment-flow.png
new file mode 100644
index 0000000000..c4a3bab541
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-enrollment-flow.png differ
diff --git a/windows/client-management/mdm/images/azure-ad-unenrollment.png b/windows/client-management/mdm/images/azure-ad-unenrollment.png
new file mode 100644
index 0000000000..f34d51f5fd
Binary files /dev/null and b/windows/client-management/mdm/images/azure-ad-unenrollment.png differ
diff --git a/windows/client-management/mdm/images/bulk-enrollment.png b/windows/client-management/mdm/images/bulk-enrollment.png
new file mode 100644
index 0000000000..0e1c62ed7b
Binary files /dev/null and b/windows/client-management/mdm/images/bulk-enrollment.png differ
diff --git a/windows/client-management/mdm/images/bulk-enrollment2.png b/windows/client-management/mdm/images/bulk-enrollment2.png
new file mode 100644
index 0000000000..34fe960ae0
Binary files /dev/null and b/windows/client-management/mdm/images/bulk-enrollment2.png differ
diff --git a/windows/client-management/mdm/images/bulk-enrollment3.png b/windows/client-management/mdm/images/bulk-enrollment3.png
new file mode 100644
index 0000000000..1d2c27da8e
Binary files /dev/null and b/windows/client-management/mdm/images/bulk-enrollment3.png differ
diff --git a/windows/client-management/mdm/images/bulk-enrollment4.png b/windows/client-management/mdm/images/bulk-enrollment4.png
new file mode 100644
index 0000000000..e4506f370f
Binary files /dev/null and b/windows/client-management/mdm/images/bulk-enrollment4.png differ
diff --git a/windows/client-management/mdm/images/bulk-enrollment5.png b/windows/client-management/mdm/images/bulk-enrollment5.png
new file mode 100644
index 0000000000..dbc8170c50
Binary files /dev/null and b/windows/client-management/mdm/images/bulk-enrollment5.png differ
diff --git a/windows/client-management/mdm/images/bulk-enrollment6.png b/windows/client-management/mdm/images/bulk-enrollment6.png
new file mode 100644
index 0000000000..cb74e21534
Binary files /dev/null and b/windows/client-management/mdm/images/bulk-enrollment6.png differ
diff --git a/windows/client-management/mdm/images/bulk-enrollment7.png b/windows/client-management/mdm/images/bulk-enrollment7.png
new file mode 100644
index 0000000000..41b06caca0
Binary files /dev/null and b/windows/client-management/mdm/images/bulk-enrollment7.png differ
diff --git a/windows/client-management/mdm/images/bulk-enrollment8.png b/windows/client-management/mdm/images/bulk-enrollment8.png
new file mode 100644
index 0000000000..20f02ca8aa
Binary files /dev/null and b/windows/client-management/mdm/images/bulk-enrollment8.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservices10.png b/windows/client-management/mdm/images/businessstoreportalservices10.png
new file mode 100644
index 0000000000..bd643ebfac
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservices10.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservices11.png b/windows/client-management/mdm/images/businessstoreportalservices11.png
new file mode 100644
index 0000000000..f420a32be4
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservices11.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservices12.png b/windows/client-management/mdm/images/businessstoreportalservices12.png
new file mode 100644
index 0000000000..10cda8c9d6
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservices12.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservices13.png b/windows/client-management/mdm/images/businessstoreportalservices13.png
new file mode 100644
index 0000000000..c839aea73c
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservices13.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservices14.png b/windows/client-management/mdm/images/businessstoreportalservices14.png
new file mode 100644
index 0000000000..01173f564e
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservices14.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservices2.png b/windows/client-management/mdm/images/businessstoreportalservices2.png
new file mode 100644
index 0000000000..56d8981fc0
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservices2.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservices3.png b/windows/client-management/mdm/images/businessstoreportalservices3.png
new file mode 100644
index 0000000000..ac74b64ab1
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservices3.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservices8.png b/windows/client-management/mdm/images/businessstoreportalservices8.png
new file mode 100644
index 0000000000..81668d8ed3
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservices8.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservices9.png b/windows/client-management/mdm/images/businessstoreportalservices9.png
new file mode 100644
index 0000000000..1aaec4889e
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservices9.png differ
diff --git a/windows/client-management/mdm/images/businessstoreportalservicesflow.png b/windows/client-management/mdm/images/businessstoreportalservicesflow.png
new file mode 100644
index 0000000000..6a215fc076
Binary files /dev/null and b/windows/client-management/mdm/images/businessstoreportalservicesflow.png differ
diff --git a/windows/client-management/mdm/images/certfiltering1.png b/windows/client-management/mdm/images/certfiltering1.png
new file mode 100644
index 0000000000..0e84f433bc
Binary files /dev/null and b/windows/client-management/mdm/images/certfiltering1.png differ
diff --git a/windows/client-management/mdm/images/certfiltering2.png b/windows/client-management/mdm/images/certfiltering2.png
new file mode 100644
index 0000000000..8e08b29641
Binary files /dev/null and b/windows/client-management/mdm/images/certfiltering2.png differ
diff --git a/windows/client-management/mdm/images/certfiltering3.png b/windows/client-management/mdm/images/certfiltering3.png
new file mode 100644
index 0000000000..ce5aae1f63
Binary files /dev/null and b/windows/client-management/mdm/images/certfiltering3.png differ
diff --git a/windows/client-management/mdm/images/checkmark.png b/windows/client-management/mdm/images/checkmark.png
new file mode 100644
index 0000000000..253e5fe54b
Binary files /dev/null and b/windows/client-management/mdm/images/checkmark.png differ
diff --git a/windows/client-management/mdm/images/crossmark.png b/windows/client-management/mdm/images/crossmark.png
new file mode 100644
index 0000000000..b6758f3095
Binary files /dev/null and b/windows/client-management/mdm/images/crossmark.png differ
diff --git a/windows/client-management/mdm/images/deeplinkenrollment1.png b/windows/client-management/mdm/images/deeplinkenrollment1.png
new file mode 100644
index 0000000000..c53bc36ad5
Binary files /dev/null and b/windows/client-management/mdm/images/deeplinkenrollment1.png differ
diff --git a/windows/client-management/mdm/images/deeplinkenrollment3.png b/windows/client-management/mdm/images/deeplinkenrollment3.png
new file mode 100644
index 0000000000..5b6b73761b
Binary files /dev/null and b/windows/client-management/mdm/images/deeplinkenrollment3.png differ
diff --git a/windows/client-management/mdm/images/deeplinkenrollment4.png b/windows/client-management/mdm/images/deeplinkenrollment4.png
new file mode 100644
index 0000000000..68e58ad31a
Binary files /dev/null and b/windows/client-management/mdm/images/deeplinkenrollment4.png differ
diff --git a/windows/client-management/mdm/images/deviceupdateprocess2.png b/windows/client-management/mdm/images/deviceupdateprocess2.png
new file mode 100644
index 0000000000..fe58c1b3f2
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdateprocess2.png differ
diff --git a/windows/client-management/mdm/images/deviceupdatescreenshot1.png b/windows/client-management/mdm/images/deviceupdatescreenshot1.png
new file mode 100644
index 0000000000..2dbcfdffa6
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdatescreenshot1.png differ
diff --git a/windows/client-management/mdm/images/deviceupdatescreenshot2.png b/windows/client-management/mdm/images/deviceupdatescreenshot2.png
new file mode 100644
index 0000000000..296e49c25f
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdatescreenshot2.png differ
diff --git a/windows/client-management/mdm/images/deviceupdatescreenshot3.png b/windows/client-management/mdm/images/deviceupdatescreenshot3.png
new file mode 100644
index 0000000000..5d22c95edc
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdatescreenshot3.png differ
diff --git a/windows/client-management/mdm/images/deviceupdatescreenshot4.png b/windows/client-management/mdm/images/deviceupdatescreenshot4.png
new file mode 100644
index 0000000000..cb182201ce
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdatescreenshot4.png differ
diff --git a/windows/client-management/mdm/images/deviceupdatescreenshot5.png b/windows/client-management/mdm/images/deviceupdatescreenshot5.png
new file mode 100644
index 0000000000..3c9201ce12
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdatescreenshot5.png differ
diff --git a/windows/client-management/mdm/images/deviceupdatescreenshot6.png b/windows/client-management/mdm/images/deviceupdatescreenshot6.png
new file mode 100644
index 0000000000..62a646cd57
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdatescreenshot6.png differ
diff --git a/windows/client-management/mdm/images/deviceupdatescreenshot7.png b/windows/client-management/mdm/images/deviceupdatescreenshot7.png
new file mode 100644
index 0000000000..ace2f50890
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdatescreenshot7.png differ
diff --git a/windows/client-management/mdm/images/deviceupdatescreenshot8.png b/windows/client-management/mdm/images/deviceupdatescreenshot8.png
new file mode 100644
index 0000000000..f48181787a
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdatescreenshot8.png differ
diff --git a/windows/client-management/mdm/images/deviceupdatescreenshot9.png b/windows/client-management/mdm/images/deviceupdatescreenshot9.png
new file mode 100644
index 0000000000..400e160ebb
Binary files /dev/null and b/windows/client-management/mdm/images/deviceupdatescreenshot9.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures1.png b/windows/client-management/mdm/images/diagnose-mdm-failures1.png
new file mode 100644
index 0000000000..c57c676649
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures1.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures10.png b/windows/client-management/mdm/images/diagnose-mdm-failures10.png
new file mode 100644
index 0000000000..45ec666d8e
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures10.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures11.png b/windows/client-management/mdm/images/diagnose-mdm-failures11.png
new file mode 100644
index 0000000000..920784bc70
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures11.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures12.png b/windows/client-management/mdm/images/diagnose-mdm-failures12.png
new file mode 100644
index 0000000000..499c9f400f
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures12.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures13.png b/windows/client-management/mdm/images/diagnose-mdm-failures13.png
new file mode 100644
index 0000000000..5b62f84e54
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures13.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures14.png b/windows/client-management/mdm/images/diagnose-mdm-failures14.png
new file mode 100644
index 0000000000..07833d288b
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures14.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures2.png b/windows/client-management/mdm/images/diagnose-mdm-failures2.png
new file mode 100644
index 0000000000..ca29ceeac3
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures2.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures3.png b/windows/client-management/mdm/images/diagnose-mdm-failures3.png
new file mode 100644
index 0000000000..5da5c15077
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures3.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures4.png b/windows/client-management/mdm/images/diagnose-mdm-failures4.png
new file mode 100644
index 0000000000..20b55dcee7
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures4.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures5.png b/windows/client-management/mdm/images/diagnose-mdm-failures5.png
new file mode 100644
index 0000000000..6a3dec9354
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures5.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures6.png b/windows/client-management/mdm/images/diagnose-mdm-failures6.png
new file mode 100644
index 0000000000..5a9647cccd
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures6.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures7.png b/windows/client-management/mdm/images/diagnose-mdm-failures7.png
new file mode 100644
index 0000000000..f39af3ccec
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures7.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures8.png b/windows/client-management/mdm/images/diagnose-mdm-failures8.png
new file mode 100644
index 0000000000..d066198c59
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures8.png differ
diff --git a/windows/client-management/mdm/images/diagnose-mdm-failures9.png b/windows/client-management/mdm/images/diagnose-mdm-failures9.png
new file mode 100644
index 0000000000..5b9f68a74b
Binary files /dev/null and b/windows/client-management/mdm/images/diagnose-mdm-failures9.png differ
diff --git a/windows/client-management/mdm/images/enterprise-workflow.png b/windows/client-management/mdm/images/enterprise-workflow.png
new file mode 100644
index 0000000000..fc01796296
Binary files /dev/null and b/windows/client-management/mdm/images/enterprise-workflow.png differ
diff --git a/windows/client-management/mdm/images/enterpriseassignedaccess-csp.png b/windows/client-management/mdm/images/enterpriseassignedaccess-csp.png
new file mode 100644
index 0000000000..9febfb37df
Binary files /dev/null and b/windows/client-management/mdm/images/enterpriseassignedaccess-csp.png differ
diff --git a/windows/client-management/mdm/images/faq-max-devices.png b/windows/client-management/mdm/images/faq-max-devices.png
new file mode 100644
index 0000000000..bf101a0215
Binary files /dev/null and b/windows/client-management/mdm/images/faq-max-devices.png differ
diff --git a/windows/client-management/mdm/images/group-policy-editor.png b/windows/client-management/mdm/images/group-policy-editor.png
new file mode 100644
index 0000000000..019021c988
Binary files /dev/null and b/windows/client-management/mdm/images/group-policy-editor.png differ
diff --git a/windows/client-management/mdm/images/group-policy-publisher-server-2-settings.png b/windows/client-management/mdm/images/group-policy-publisher-server-2-settings.png
new file mode 100644
index 0000000000..84d23b1bec
Binary files /dev/null and b/windows/client-management/mdm/images/group-policy-publisher-server-2-settings.png differ
diff --git a/windows/client-management/mdm/images/implement-server-side-mobile-application-management.png b/windows/client-management/mdm/images/implement-server-side-mobile-application-management.png
new file mode 100644
index 0000000000..88555f2d3b
Binary files /dev/null and b/windows/client-management/mdm/images/implement-server-side-mobile-application-management.png differ
diff --git a/windows/client-management/mdm/images/mdm-update-sync.png b/windows/client-management/mdm/images/mdm-update-sync.png
new file mode 100644
index 0000000000..0793468e16
Binary files /dev/null and b/windows/client-management/mdm/images/mdm-update-sync.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-activesync-cp.png b/windows/client-management/mdm/images/provisioning-csp-activesync-cp.png
new file mode 100644
index 0000000000..f73fce23b5
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-activesync-cp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-alljoynmanagement.png b/windows/client-management/mdm/images/provisioning-csp-alljoynmanagement.png
new file mode 100644
index 0000000000..8bfe73ca36
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-alljoynmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-applocker.png b/windows/client-management/mdm/images/provisioning-csp-applocker.png
new file mode 100644
index 0000000000..20e46ea2eb
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-applocker.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png
new file mode 100644
index 0000000000..14d49cdd89
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-assignedaccess.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-bitlocker.png b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png
new file mode 100644
index 0000000000..e19bae9106
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-bootstrap-cp.png b/windows/client-management/mdm/images/provisioning-csp-bootstrap-cp.png
new file mode 100644
index 0000000000..f7ec4f65f7
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-bootstrap-cp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-browserfavorite-cp.png b/windows/client-management/mdm/images/provisioning-csp-browserfavorite-cp.png
new file mode 100644
index 0000000000..f79837b683
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-browserfavorite-cp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-cellularsettings.png b/windows/client-management/mdm/images/provisioning-csp-cellularsettings.png
new file mode 100644
index 0000000000..c8fbd79761
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-cellularsettings.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-certificatestore.png b/windows/client-management/mdm/images/provisioning-csp-certificatestore.png
new file mode 100644
index 0000000000..291122996d
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-certificatestore.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-cleanpc.png b/windows/client-management/mdm/images/provisioning-csp-cleanpc.png
new file mode 100644
index 0000000000..1b1d0fb613
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-cleanpc.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-clientcertificateinstall.png b/windows/client-management/mdm/images/provisioning-csp-clientcertificateinstall.png
new file mode 100644
index 0000000000..285576269b
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-clientcertificateinstall.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-cm-cellularentries.png b/windows/client-management/mdm/images/provisioning-csp-cm-cellularentries.png
new file mode 100644
index 0000000000..87e5cd25ba
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-cm-cellularentries.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-cm-proxyentries-cp.png b/windows/client-management/mdm/images/provisioning-csp-cm-proxyentries-cp.png
new file mode 100644
index 0000000000..6a1a3c35c2
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-cm-proxyentries-cp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-cmpolicy.png b/windows/client-management/mdm/images/provisioning-csp-cmpolicy.png
new file mode 100644
index 0000000000..71d5c46b33
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-cmpolicy.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-cmpolicyenterprise.png b/windows/client-management/mdm/images/provisioning-csp-cmpolicyenterprise.png
new file mode 100644
index 0000000000..1668606ec0
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-cmpolicyenterprise.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-customdeviceui.png b/windows/client-management/mdm/images/provisioning-csp-customdeviceui.png
new file mode 100644
index 0000000000..0bccee955f
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-customdeviceui.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png
new file mode 100644
index 0000000000..b3be3ba7f4
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png
new file mode 100644
index 0000000000..3145a82ea4
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-developersetup.png b/windows/client-management/mdm/images/provisioning-csp-developersetup.png
new file mode 100644
index 0000000000..09793afcf9
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-developersetup.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-deviceinstanceservice.png b/windows/client-management/mdm/images/provisioning-csp-deviceinstanceservice.png
new file mode 100644
index 0000000000..c03c7232ac
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-deviceinstanceservice.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devicelock.png b/windows/client-management/mdm/images/provisioning-csp-devicelock.png
new file mode 100644
index 0000000000..f89b1a62aa
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-devicelock.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png
new file mode 100644
index 0000000000..e8364c9bd7
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-devicemanageability.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devicestatus.png b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png
new file mode 100644
index 0000000000..55b12f6c7f
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-devicestatus.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devinfo-dm.png b/windows/client-management/mdm/images/provisioning-csp-devinfo-dm.png
new file mode 100644
index 0000000000..31487a542f
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-devinfo-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png
new file mode 100644
index 0000000000..44449d7e6f
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-diagnosticlog.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-dmacc-dm.png b/windows/client-management/mdm/images/provisioning-csp-dmacc-dm.png
new file mode 100644
index 0000000000..6c2c9150ee
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-dmacc-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png
new file mode 100644
index 0000000000..ae35570be6
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-dmclient-th2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-dmsessionactions.png b/windows/client-management/mdm/images/provisioning-csp-dmsessionactions.png
new file mode 100644
index 0000000000..3333e92249
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-dmsessionactions.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-dynamicmanagement.png b/windows/client-management/mdm/images/provisioning-csp-dynamicmanagement.png
new file mode 100644
index 0000000000..fc7e7f12aa
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-dynamicmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-email2.png b/windows/client-management/mdm/images/provisioning-csp-email2.png
new file mode 100644
index 0000000000..980b403aee
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-email2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterpriseapn-rs1.png b/windows/client-management/mdm/images/provisioning-csp-enterpriseapn-rs1.png
new file mode 100644
index 0000000000..33f7471063
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-enterpriseapn-rs1.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterpriseappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterpriseappmanagement.png
new file mode 100644
index 0000000000..bbc01eb24c
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-enterpriseappmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterpriseappvmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterpriseappvmanagement.png
new file mode 100644
index 0000000000..1650842550
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-enterpriseappvmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterpriseassignedaccess.png b/windows/client-management/mdm/images/provisioning-csp-enterpriseassignedaccess.png
new file mode 100644
index 0000000000..3411096e90
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-enterpriseassignedaccess.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisedataprotection.png b/windows/client-management/mdm/images/provisioning-csp-enterprisedataprotection.png
new file mode 100644
index 0000000000..960a246a41
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-enterprisedataprotection.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisedesktopappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisedesktopappmanagement.png
new file mode 100644
index 0000000000..573749b4ec
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-enterprisedesktopappmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterpriseext.png b/windows/client-management/mdm/images/provisioning-csp-enterpriseext.png
new file mode 100644
index 0000000000..04cf1f18fe
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-enterpriseext.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterpriseextfilesystem.png b/windows/client-management/mdm/images/provisioning-csp-enterpriseextfilesystem.png
new file mode 100644
index 0000000000..e90fe5ba90
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-enterpriseextfilesystem.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
new file mode 100644
index 0000000000..b834990924
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-filesystem-dm.png b/windows/client-management/mdm/images/provisioning-csp-filesystem-dm.png
new file mode 100644
index 0000000000..525159c3b2
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-filesystem-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-firewall.png b/windows/client-management/mdm/images/provisioning-csp-firewall.png
new file mode 100644
index 0000000000..a2cb0ecde8
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-firewall.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-healthattestation.png b/windows/client-management/mdm/images/provisioning-csp-healthattestation.png
new file mode 100644
index 0000000000..20c1a14566
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-healthattestation.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-hotspot-cp.png b/windows/client-management/mdm/images/provisioning-csp-hotspot-cp.png
new file mode 100644
index 0000000000..d3f928a8a7
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-hotspot-cp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-maps.png b/windows/client-management/mdm/images/provisioning-csp-maps.png
new file mode 100644
index 0000000000..2fe7ee311d
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-maps.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-messaging.png b/windows/client-management/mdm/images/provisioning-csp-messaging.png
new file mode 100644
index 0000000000..620476da70
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-messaging.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-nap.png b/windows/client-management/mdm/images/provisioning-csp-nap.png
new file mode 100644
index 0000000000..9af073c7c0
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-nap.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-napdef-cp-2.png b/windows/client-management/mdm/images/provisioning-csp-napdef-cp-2.png
new file mode 100644
index 0000000000..492b973eda
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-napdef-cp-2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-napdef-cp.png b/windows/client-management/mdm/images/provisioning-csp-napdef-cp.png
new file mode 100644
index 0000000000..b62865faf9
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-napdef-cp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-networkproxy.png b/windows/client-management/mdm/images/provisioning-csp-networkproxy.png
new file mode 100644
index 0000000000..e46232fa42
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-networkproxy.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-networkqospolicy.png b/windows/client-management/mdm/images/provisioning-csp-networkqospolicy.png
new file mode 100644
index 0000000000..734c4213ec
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-networkqospolicy.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-nodecache.png b/windows/client-management/mdm/images/provisioning-csp-nodecache.png
new file mode 100644
index 0000000000..d46abae93f
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-nodecache.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-office.png b/windows/client-management/mdm/images/provisioning-csp-office.png
new file mode 100644
index 0000000000..caa243a136
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-office.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-passportforwork.png b/windows/client-management/mdm/images/provisioning-csp-passportforwork.png
new file mode 100644
index 0000000000..1714a93764
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-passportforwork.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png
new file mode 100644
index 0000000000..f12f2fbd44
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-personalization.png b/windows/client-management/mdm/images/provisioning-csp-personalization.png
new file mode 100644
index 0000000000..c64c18ce5c
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-personalization.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-policy.png b/windows/client-management/mdm/images/provisioning-csp-policy.png
new file mode 100644
index 0000000000..d44ef30e52
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-policy.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-policymanager.png b/windows/client-management/mdm/images/provisioning-csp-policymanager.png
new file mode 100644
index 0000000000..48d5b056df
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-policymanager.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-provisioning.png b/windows/client-management/mdm/images/provisioning-csp-provisioning.png
new file mode 100644
index 0000000000..8383027916
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-provisioning.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-proxy.png b/windows/client-management/mdm/images/provisioning-csp-proxy.png
new file mode 100644
index 0000000000..471842dbdb
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-proxy.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-pxlogical-cp-2.png b/windows/client-management/mdm/images/provisioning-csp-pxlogical-cp-2.png
new file mode 100644
index 0000000000..19c6b30cf1
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-pxlogical-cp-2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-pxlogical-cp.png b/windows/client-management/mdm/images/provisioning-csp-pxlogical-cp.png
new file mode 100644
index 0000000000..b224a2cdc8
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-pxlogical-cp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotefind.png b/windows/client-management/mdm/images/provisioning-csp-remotefind.png
new file mode 100644
index 0000000000..5ef59e1e3a
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-remotefind.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotelock.png b/windows/client-management/mdm/images/provisioning-csp-remotelock.png
new file mode 100644
index 0000000000..dc7fb40afa
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-remotelock.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotering.png b/windows/client-management/mdm/images/provisioning-csp-remotering.png
new file mode 100644
index 0000000000..6cd032f383
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-remotering.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
new file mode 100644
index 0000000000..2fc6da33fc
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-reporting.png b/windows/client-management/mdm/images/provisioning-csp-reporting.png
new file mode 100644
index 0000000000..6d2c4695b1
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-reporting.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png b/windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png
new file mode 100644
index 0000000000..7a3f671955
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-rootcacertificate.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-securitypolicy-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-securitypolicy-dmandcp.png
new file mode 100644
index 0000000000..b3c09e85e4
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-securitypolicy-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-storage.png b/windows/client-management/mdm/images/provisioning-csp-storage.png
new file mode 100644
index 0000000000..072e20e583
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-storage.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png
new file mode 100644
index 0000000000..58ee388b92
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-surfacehub.png b/windows/client-management/mdm/images/provisioning-csp-surfacehub.png
new file mode 100644
index 0000000000..8ef11aeb25
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-surfacehub.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-update.png b/windows/client-management/mdm/images/provisioning-csp-update.png
new file mode 100644
index 0000000000..d98b7fcea1
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-update.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-uwf.png b/windows/client-management/mdm/images/provisioning-csp-uwf.png
new file mode 100644
index 0000000000..4f21fd2a03
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-uwf.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-vpn.png b/windows/client-management/mdm/images/provisioning-csp-vpn.png
new file mode 100644
index 0000000000..15e907a16c
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-vpn.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png b/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png
new file mode 100644
index 0000000000..6bf38313ac
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-vpnv2-rs1.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-w4-application-cp.png b/windows/client-management/mdm/images/provisioning-csp-w4-application-cp.png
new file mode 100644
index 0000000000..b6c9e3bd8f
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-w4-application-cp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-w7-application-dm.png b/windows/client-management/mdm/images/provisioning-csp-w7-application-dm.png
new file mode 100644
index 0000000000..78cfe00a0e
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-w7-application-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-watp.png b/windows/client-management/mdm/images/provisioning-csp-watp.png
new file mode 100644
index 0000000000..7a0ac759f1
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-watp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-wifi.png b/windows/client-management/mdm/images/provisioning-csp-wifi.png
new file mode 100644
index 0000000000..c3f21cb31d
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-wifi.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-win32appinventory.png b/windows/client-management/mdm/images/provisioning-csp-win32appinventory.png
new file mode 100644
index 0000000000..9ce9119d77
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-win32appinventory.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png
new file mode 100644
index 0000000000..82d66f6742
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowssecurityauditing.png b/windows/client-management/mdm/images/provisioning-csp-windowssecurityauditing.png
new file mode 100644
index 0000000000..fe0baef545
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-windowssecurityauditing.png differ
diff --git a/windows/client-management/mdm/images/provisioning-customcsp-example1.png b/windows/client-management/mdm/images/provisioning-customcsp-example1.png
new file mode 100644
index 0000000000..5c1fba7347
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-customcsp-example1.png differ
diff --git a/windows/client-management/mdm/images/provisioning-customcsp-example2.png b/windows/client-management/mdm/images/provisioning-customcsp-example2.png
new file mode 100644
index 0000000000..3f45c8ca1f
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-customcsp-example2.png differ
diff --git a/windows/client-management/mdm/images/push-notification1.png b/windows/client-management/mdm/images/push-notification1.png
new file mode 100644
index 0000000000..74388704f5
Binary files /dev/null and b/windows/client-management/mdm/images/push-notification1.png differ
diff --git a/windows/client-management/mdm/images/push-notification10.png b/windows/client-management/mdm/images/push-notification10.png
new file mode 100644
index 0000000000..d76ed273d0
Binary files /dev/null and b/windows/client-management/mdm/images/push-notification10.png differ
diff --git a/windows/client-management/mdm/images/push-notification2.png b/windows/client-management/mdm/images/push-notification2.png
new file mode 100644
index 0000000000..ba2c1c008e
Binary files /dev/null and b/windows/client-management/mdm/images/push-notification2.png differ
diff --git a/windows/client-management/mdm/images/push-notification3.png b/windows/client-management/mdm/images/push-notification3.png
new file mode 100644
index 0000000000..d5a233353a
Binary files /dev/null and b/windows/client-management/mdm/images/push-notification3.png differ
diff --git a/windows/client-management/mdm/images/push-notification4.png b/windows/client-management/mdm/images/push-notification4.png
new file mode 100644
index 0000000000..49633b7c4d
Binary files /dev/null and b/windows/client-management/mdm/images/push-notification4.png differ
diff --git a/windows/client-management/mdm/images/push-notification5.png b/windows/client-management/mdm/images/push-notification5.png
new file mode 100644
index 0000000000..5abdfbf0bc
Binary files /dev/null and b/windows/client-management/mdm/images/push-notification5.png differ
diff --git a/windows/client-management/mdm/images/push-notification6.png b/windows/client-management/mdm/images/push-notification6.png
new file mode 100644
index 0000000000..380863d930
Binary files /dev/null and b/windows/client-management/mdm/images/push-notification6.png differ
diff --git a/windows/client-management/mdm/images/push-notification7.png b/windows/client-management/mdm/images/push-notification7.png
new file mode 100644
index 0000000000..5185b49323
Binary files /dev/null and b/windows/client-management/mdm/images/push-notification7.png differ
diff --git a/windows/client-management/mdm/images/reboot-csp.png b/windows/client-management/mdm/images/reboot-csp.png
new file mode 100644
index 0000000000..3779d5fcd6
Binary files /dev/null and b/windows/client-management/mdm/images/reboot-csp.png differ
diff --git a/windows/client-management/mdm/images/secureassessment-csp.png b/windows/client-management/mdm/images/secureassessment-csp.png
new file mode 100644
index 0000000000..9538f31626
Binary files /dev/null and b/windows/client-management/mdm/images/secureassessment-csp.png differ
diff --git a/windows/client-management/mdm/images/sharedpc-csp.png b/windows/client-management/mdm/images/sharedpc-csp.png
new file mode 100644
index 0000000000..3491643287
Binary files /dev/null and b/windows/client-management/mdm/images/sharedpc-csp.png differ
diff --git a/windows/client-management/mdm/images/ssl-settings.png b/windows/client-management/mdm/images/ssl-settings.png
new file mode 100644
index 0000000000..f198c6ed01
Binary files /dev/null and b/windows/client-management/mdm/images/ssl-settings.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-1.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-1.png
new file mode 100644
index 0000000000..6da12bc1e9
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-1.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-10.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-10.png
new file mode 100644
index 0000000000..046fba9228
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-10.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-11.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-11.png
new file mode 100644
index 0000000000..f4c27d987f
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-11.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-12.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-12.png
new file mode 100644
index 0000000000..86a37dbeaf
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-12.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-13.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-13.png
new file mode 100644
index 0000000000..b73d100bed
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-13.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-14.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-14.png
new file mode 100644
index 0000000000..ca53b739d5
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-14.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-15.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-15.png
new file mode 100644
index 0000000000..e0686385c0
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-15.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-16.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-16.png
new file mode 100644
index 0000000000..e6848dfa60
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-16.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-17.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-17.png
new file mode 100644
index 0000000000..79c4cd6bf4
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-17.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-18.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-18.png
new file mode 100644
index 0000000000..bff21388e9
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-18.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-19.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-19.png
new file mode 100644
index 0000000000..f5ab6a2823
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-19.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-2.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-2.png
new file mode 100644
index 0000000000..ea02fe5541
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-2.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-20.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-20.png
new file mode 100644
index 0000000000..657454dc5f
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-20.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-21.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-21.png
new file mode 100644
index 0000000000..ca53b739d5
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-21.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-22.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-22.png
new file mode 100644
index 0000000000..e0686385c0
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-22.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-23.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-23.png
new file mode 100644
index 0000000000..b7b5659cdc
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-23.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-24.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-24.png
new file mode 100644
index 0000000000..79c4cd6bf4
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-24.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-25.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-25.png
new file mode 100644
index 0000000000..451edd5207
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-25.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-26.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-26.png
new file mode 100644
index 0000000000..c321768cdc
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-26.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-27.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-27.png
new file mode 100644
index 0000000000..e6e56cb009
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-27.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-28.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-28.png
new file mode 100644
index 0000000000..ca53b739d5
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-28.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-29.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-29.png
new file mode 100644
index 0000000000..e0686385c0
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-29.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-3.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-3.png
new file mode 100644
index 0000000000..2c6a240864
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-3.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-30.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-30.png
new file mode 100644
index 0000000000..0b168d716c
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-30.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-31.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-31.png
new file mode 100644
index 0000000000..877055a152
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-31.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-32.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-32.png
new file mode 100644
index 0000000000..6fa130ffe2
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-32.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-33.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-33.png
new file mode 100644
index 0000000000..e46a66db99
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-33.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-34.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-34.png
new file mode 100644
index 0000000000..28bccd8d04
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-34.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-35.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-35.png
new file mode 100644
index 0000000000..808a093cdc
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-35.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-36.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-36.png
new file mode 100644
index 0000000000..4f64e04263
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-36.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-37.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-37.png
new file mode 100644
index 0000000000..ef30e3dddf
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-37.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png
new file mode 100644
index 0000000000..7ee23eda5d
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-38.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png
new file mode 100644
index 0000000000..a1ca65c3f4
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-39.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-4.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-4.png
new file mode 100644
index 0000000000..214a6c5c2c
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-4.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png
new file mode 100644
index 0000000000..87f685d460
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-40.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png
new file mode 100644
index 0000000000..1832454fbc
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-41.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png
new file mode 100644
index 0000000000..c85e74d141
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-42.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-5.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-5.png
new file mode 100644
index 0000000000..ca53b739d5
Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-5.png differ
diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-6.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-6.png new file mode 100644 index 0000000000..e865f66efe Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-6.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-7.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-7.png new file mode 100644 index 0000000000..26f4c4320d Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-7.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-8.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-8.png new file mode 100644 index 0000000000..fefb595eec Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-8.png differ diff --git a/windows/client-management/mdm/images/unifiedenrollment-rs1-9.png b/windows/client-management/mdm/images/unifiedenrollment-rs1-9.png new file mode 100644 index 0000000000..b3f9e58129 Binary files /dev/null and b/windows/client-management/mdm/images/unifiedenrollment-rs1-9.png differ diff --git a/windows/client-management/mdm/images/update-policies.png b/windows/client-management/mdm/images/update-policies.png new file mode 100644 index 0000000000..af72edd294 Binary files /dev/null and b/windows/client-management/mdm/images/update-policies.png differ diff --git a/windows/client-management/mdm/images/vpnv2-csp-choosenetworkconnection.png b/windows/client-management/mdm/images/vpnv2-csp-choosenetworkconnection.png new file mode 100644 index 0000000000..ab5be1dd3c Binary files /dev/null and b/windows/client-management/mdm/images/vpnv2-csp-choosenetworkconnection.png differ 
diff --git a/windows/client-management/mdm/images/vpnv2-csp-networkconnections.png b/windows/client-management/mdm/images/vpnv2-csp-networkconnections.png new file mode 100644 index 0000000000..aa4db526af Binary files /dev/null and b/windows/client-management/mdm/images/vpnv2-csp-networkconnections.png differ diff --git a/windows/client-management/mdm/images/vpnv2-csp-rasphone.png b/windows/client-management/mdm/images/vpnv2-csp-rasphone.png new file mode 100644 index 0000000000..71f6694c88 Binary files /dev/null and b/windows/client-management/mdm/images/vpnv2-csp-rasphone.png differ diff --git a/windows/client-management/mdm/images/vpnv2-csp-setupnewconnection.png b/windows/client-management/mdm/images/vpnv2-csp-setupnewconnection.png new file mode 100644 index 0000000000..e43d72fcd8 Binary files /dev/null and b/windows/client-management/mdm/images/vpnv2-csp-setupnewconnection.png differ diff --git a/windows/client-management/mdm/images/vpnv2-csp-setupnewconnection2.png b/windows/client-management/mdm/images/vpnv2-csp-setupnewconnection2.png new file mode 100644 index 0000000000..7d92c47d3a Binary files /dev/null and b/windows/client-management/mdm/images/vpnv2-csp-setupnewconnection2.png differ diff --git a/windows/client-management/mdm/images/vpnv2-csp-testproperties.png b/windows/client-management/mdm/images/vpnv2-csp-testproperties.png new file mode 100644 index 0000000000..38902de529 Binary files /dev/null and b/windows/client-management/mdm/images/vpnv2-csp-testproperties.png differ diff --git a/windows/client-management/mdm/images/vpnv2-csp-testproperties2.png b/windows/client-management/mdm/images/vpnv2-csp-testproperties2.png new file mode 100644 index 0000000000..9ed7cbf2d6 Binary files /dev/null and b/windows/client-management/mdm/images/vpnv2-csp-testproperties2.png differ 
diff --git a/windows/client-management/mdm/images/vpnv2-csp-testproperties3.png b/windows/client-management/mdm/images/vpnv2-csp-testproperties3.png new file mode 100644 index 0000000000..8fb417f9dc Binary files /dev/null and b/windows/client-management/mdm/images/vpnv2-csp-testproperties3.png differ diff --git a/windows/client-management/mdm/images/vpnv2-csp-testproperties4.png b/windows/client-management/mdm/images/vpnv2-csp-testproperties4.png new file mode 100644 index 0000000000..053759c9f1 Binary files /dev/null and b/windows/client-management/mdm/images/vpnv2-csp-testproperties4.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update.png b/windows/client-management/mdm/images/windowsembedded-update.png new file mode 100644 index 0000000000..1a1eaa7c64 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update10.png b/windows/client-management/mdm/images/windowsembedded-update10.png new file mode 100644 index 0000000000..aae3534dfd Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update10.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update11.png b/windows/client-management/mdm/images/windowsembedded-update11.png new file mode 100644 index 0000000000..74a747adf4 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update11.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update12.png b/windows/client-management/mdm/images/windowsembedded-update12.png new file mode 100644 index 0000000000..5279b02c64 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update12.png differ 
diff --git a/windows/client-management/mdm/images/windowsembedded-update13.png b/windows/client-management/mdm/images/windowsembedded-update13.png new file mode 100644 index 0000000000..dfa15a35e3 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update13.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update14.png b/windows/client-management/mdm/images/windowsembedded-update14.png new file mode 100644 index 0000000000..58417d2ca4 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update14.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update15.png b/windows/client-management/mdm/images/windowsembedded-update15.png new file mode 100644 index 0000000000..2a234c3c41 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update15.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update16.png b/windows/client-management/mdm/images/windowsembedded-update16.png new file mode 100644 index 0000000000..d5833c233f Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update16.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update17.png b/windows/client-management/mdm/images/windowsembedded-update17.png new file mode 100644 index 0000000000..b4cd548cca Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update17.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update18.png b/windows/client-management/mdm/images/windowsembedded-update18.png new file mode 100644 index 0000000000..58c4d1c93f Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update18.png differ 
diff --git a/windows/client-management/mdm/images/windowsembedded-update19.png b/windows/client-management/mdm/images/windowsembedded-update19.png new file mode 100644 index 0000000000..7684ebabd5 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update19.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update2.png b/windows/client-management/mdm/images/windowsembedded-update2.png new file mode 100644 index 0000000000..71b47fca43 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update2.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update21.png b/windows/client-management/mdm/images/windowsembedded-update21.png new file mode 100644 index 0000000000..fdf72a8ca3 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update21.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update22.png b/windows/client-management/mdm/images/windowsembedded-update22.png new file mode 100644 index 0000000000..9e677907a6 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update22.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update23.png b/windows/client-management/mdm/images/windowsembedded-update23.png new file mode 100644 index 0000000000..f41ea8efda Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update23.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update3.png b/windows/client-management/mdm/images/windowsembedded-update3.png new file mode 100644 index 0000000000..1d69407fd3 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update3.png differ 
diff --git a/windows/client-management/mdm/images/windowsembedded-update4.png b/windows/client-management/mdm/images/windowsembedded-update4.png new file mode 100644 index 0000000000..0d5c96a2cc Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update4.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update5.png b/windows/client-management/mdm/images/windowsembedded-update5.png new file mode 100644 index 0000000000..18b0ac7828 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update5.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update6.png b/windows/client-management/mdm/images/windowsembedded-update6.png new file mode 100644 index 0000000000..37a8b2ebe4 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update6.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update7.png b/windows/client-management/mdm/images/windowsembedded-update7.png new file mode 100644 index 0000000000..a38954e8c6 Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update7.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update8.png b/windows/client-management/mdm/images/windowsembedded-update8.png new file mode 100644 index 0000000000..0a99c6bcae Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update8.png differ diff --git a/windows/client-management/mdm/images/windowsembedded-update9.png b/windows/client-management/mdm/images/windowsembedded-update9.png new file mode 100644 index 0000000000..3d6780497d Binary files /dev/null and b/windows/client-management/mdm/images/windowsembedded-update9.png differ 
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md new file mode 100644 index 0000000000..904aabcc23 --- /dev/null +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md 
@@ -0,0 +1,170 @@
+---
+title: Implement server-side support for mobile application management on Windows
+description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP).
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+
+# Implement server-side support for mobile application management on Windows
+
+The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
+
+## Integration with Azure Active Directory
+
+MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md). 
+
+MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.
+ +On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings>Accounts>Access work or school**. + +Regular non-admin users can enroll to MAM.  + +## Integration with Windows Information Protection + +MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware applications. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.  + +To make applications WIP-aware, app developers need to include the following data in the app resource file: + +``` syntax +// Mark this binary as Allowed for WIP (EDP) purpose  +    MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID +     BEGIN +         0x0001 +     END  +``` + +## Configuring an Azure AD tenant for MAM enrollment + +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. 
If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the Management app for an IT admin configuration.  + +![Mobile application management app](images/implement-server-side-mobile-application-management.png) + +MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  + +## MAM enrollment + +MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](https://msdn.microsoft.com/en-us/library/mt221945.aspx). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  + +Below are protocol changes for MAM enrollment:  +- MDM discovery is not supported +- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional +- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore, does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. + +Here is an example provisioning XML for MAM enrollment. 
+ +``` syntax + +    +    +    +    +    + +``` + +Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours. + +## Supported Configuration Service Providers (CSPs) + +MAM on Windows support the following CSPs. All other CSPs will be blocked. Note the list may change later based on customer feedback. + +- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps +- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs +- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703) +- [DevInfo CSP](devinfo-csp.md) +- [DMAcc CSP](dmacc-csp.md) +- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL +- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies +- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703) +- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management +- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas +- [Reporting CSP](reporting-csp.md) for retrieving WIP logs +- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md) +- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM +- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM + + +## Device lock policies and EAS + +MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. + +We do not recommend configuring both Exchange Active Sync (EAS) and MAM policies for the same device. 
However, if both are configured, the client will behave as follows: + +
    +
  1. When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS:
    • +
    • If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.
    • +
    • If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.
    • +
    +
  2. If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM, EAS, and the resultant set of policies will be a superset of both.
  3. +
+ +## Policy sync + +MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to authenticate to the service for policy syncs. + +## Change MAM enrollment to MDM + +Windows does not support applying both MAM and MDM policies to the same devices. If configured by the admin, a user can change his MAM enrollment to MDM. + +> [!Note] +> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On the Home edition, we do not recommend pushing MDM policies to enable users to upgrade. + +To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment. + +In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that: + +
    +
  1. Both MAM and MDM policies for the organization support WIP
  2. +
  3. EDP CSP Enterprise ID is the same for both MAM and MDM
  4. +
  5. EDP CSP RevokeOnMDMHandoff is set to FALSE
  6. +
+ +If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings>Accounts>Access work or school**. The user can click on this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected. + +## Skype for Business compliance with MAM + +We have updated Skype for Business to work with MAM. The following table explains Office release channels and release dates for Skype for Business compliance with the MAM feature. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Update channelPrimary purposeLOB Tatoo availabilityDefault update channel for the products
[Current channel](https://technet.microsoft.com/en-us/library/mt455210.aspx#BKMK_CB)Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. March 9 2017

Visio Pro for Office 365

+

Project Online Desktop Client

+

Office 365 Business (the version of Office that comes with some Office 365 plans, such as Business Premium.)

[Deferred channel](https://technet.microsoft.com/en-us/library/mt455210.aspx#BKMK_CBB)Provide users with new features of Office only a few times a year.October 10 2017Office 365 ProPlus
[First release for deferred channel](https://technet.microsoft.com/en-us/library/mt455210.aspx#BKMK_FRCBB)Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. June 13 2017
\ No newline at end of file
diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md
new file mode 100644
index 0000000000..70a844c704
--- /dev/null
+++ b/windows/client-management/mdm/index.md
@@ -0,0 +1,63 @@
+---
+title: Mobile device management
+description: Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices.
+MS-HAID:
+- 'p\_phDeviceMgmt.provisioning\_and\_device\_management'
+- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm'
+ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Mobile device management
+
+
+Windows 10 provides an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users’ privacy on their personal devices. A built-in management component can communicate with the management server.
+
+There are two parts to the Windows 10 management component:
+
+- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
+- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
+
+Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+ +## Learn about device enrollment + + +- [Mobile device enrollment](mobile-device-enrollment.md) +- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) +- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) + +## Learn about device management + + +- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md) +- [Enterprise app management](enterprise-app-management.md) +- [Device update management](device-update-management.md) +- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md) +- [OMA DM protocol support](oma-dm-protocol-support.md) +- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md) +- [Server requirements for OMA DM](server-requirements-windows-mdm.md) +- [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md) + +## Learn about configuration service providers + + +- [Configuration service provider reference](configuration-service-provider-reference.md) +- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md) +- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md) +- [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md new file mode 100644 index 0000000000..98510df8a0 --- /dev/null +++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md 
@@ -0,0 +1,163 @@
+---
+title: Management tool for the Windows Store for Business
+description: The Windows Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk.
+MS-HAID:
+- 'p\_phdevicemgmt.business\_store\_portal\_management\_tool'
+- 'p\_phDeviceMgmt.management\_tool\_for\_windows\_store\_for\_business'
+ms.assetid: 0E39AE85-1703-4B24-9A7F-831C6455068F
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Management tool for the Windows Store for Business
+
+The Windows Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. The Store for Business enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.
+
+Here's the list of the available capabilities:
+
+- Support for enterprise identities – Enables end users within an organization to use the identity that has been provided to them within the organization. This enables an organization to retain control of the application and eliminates the need for an organization to maintain another set of identities for their users.
+- Bulk acquisition support of applications – Enables an IT administrator to acquire applications in bulk. IT departments can now take control over the procurement and distribution of applications. Previously, users acquire applications manually.
+- License reclaim and re-use – Enables an enterprise to retain value in their purchases by allowing the ability to un-assign access to an application, and then reassign the application to another user. In Windows Store today, when a user with a Microsoft account leaves the organization he retains ownership of the application.
+- Flexible distribution models for Windows Store apps – Allows the enterprise to integrate with an organization's infrastructure the processes to distribute applications to devices that are connected to Store for Business services and to devices without connectivity to the Store for Business services. +- Custom Line of Business app support –Enables management and distribution of enterprise applications through the Store for Business. +- Support for Windows desktop and mobile devices - The Store for Business supports both desktop and mobile devices. + +For additional information about Store for Business, see the TechNet topics in [Windows Store for Business](https://technet.microsoft.com/library/mt606951.aspx). + +## Management services + +The Store for Business provides services that enable a management tool to synchronize new and updated applications on behalf of an organization. Once synchronized, you can distribute new and updated applications using the Windows Management framework. The services provides several capabilities including providing application data, the ability to assign and reclaim applications, and the ability to download offline-licensed application packages. + + ++++ + + + + + + + + + + +

Application data

The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.

Licensing models

Offline vs. Online

+

Online-licensed applications require connectivity to the Windows Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Windows Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.

+

Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.

+ +  + +### Offline-licensed application distribution + +The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. + +![business store offline app distribution](images/businessstoreportalservices2.png) + +### Online-licensed application distribution + +The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application. + +![business store online app distribution](images/businessstoreportalservices3.png) + +## Integrate with Azure Active Directory + +The Store for Business services rely on Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business. 
+
+To learn more about Azure AD and how to register your application within Azure AD, here are some topics to get you started:
+
+- Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
+- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623021)
+- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623023)
+
+For code samples, see [Microsoft Azure Active Directory Samples and Documentation](http://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are very similar to [Daemon-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=623026).
+
+## Configure your Azure AD application
+
+Here are the steps to configure your Azure AD app. For additional information, see [Integrating Applications with Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623021):
+
+1. Log into Microsoft Azure Management Portal (https:manage.windowsazure.com)
+2. Go to the Active Directory module.
+3. Select your directory.
+4. Click the **Applications** tab.
+
+ ![business store management tool](images/businessstoreportalservices8.png)
+
+5. Click **Add**.
+
+ ![business store management tool](images/businessstoreportalservices9.png)
+
+6. Select **Add an application that my organization is developing**.
+
+ ![business store management tool](images/businessstoreportalservices10.png)
+
+7. Specify a name and then select **WEB APPLICATION AND/OR WEB API**.
+
+ ![business store management tool](images/businessstoreportalservices11.png)
+
+8. Specify the **SIGN-ON URL** to your application.
+
+ ![business store management tool](images/businessstoreportalservices12.png)
+
+9. Specify whether your app is multi-tenant or single tenant. For more information, see [Integrating Applications with Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623021).
+
+ ![business store management tool](images/businessstoreportalservices13.png)
+
+10. Create a client key.
+
+ ![business store management tool](images/businessstoreportalservices14.png)
+
+ > **Note**  In the prior version of the tool, an update to the app manifest was required to authorize the application. This is no longer necessary.
+ 
+11. Login to Store for Business and enable your application. For step-by-step guide, see [Configure an MDM provider](https://technet.microsoft.com/library/mt606939.aspx).
+
+
+## Azure AD Authentication for MTS
+
+MTS requires calls to be authenticated using an Azure AD OAuth bearer token. The authorization token is for the Azure AD application representing the MDM component (service/daemon/on-prem instance) within the context of the directory/tenant it will be working on behalf-of.
+
+Here are the details for requesting an authorization token:
+
+- Login Authority = https://login.windows.net/<TargetTenantId>
+- Resource/audience\* = https://onestore.microsoft.com
+- ClientId = your AAD application client id
+- ClientSecret = your AAD application client secret/key
+
+\* The token audience URI is meant as an identifier of the application for which the token is being generated, and it is not a URL for a service endpoint or a web-page.
+
+## Using the management tool
+
+After registering your management tool with Azure AD, the management tool can call into the management services. There are a couple of call patterns:
+
+- First the ability to get new or updated applications.
+- Second the ability to assign or reclaim applications.
+
+The diagram below shows the call patterns for acquiring a new or updated application.
+
+![business store portal service flow diagram](images/businessstoreportalservicesflow.png)
+
+**Here is the list of available operations**:
+
+- [Get Inventory](get-inventory.md)
+- [Get product details](get-product-details.md)
+- [Get localized product details](get-localized-product-details.md)
+- [Get offline license](get-offline-license.md)
+- [Get product packages](get-product-packages.md)
+- [Get product package](get-product-package.md)
+- [Get seats](get-seats.md)
+- [Get seat](get-seat.md)
+- [Assign seats](assign-seats.md)
+- [Reclaim seat from user](reclaim-seat-from-user.md)
+- [Bulk assign and reclaim seats for users](bulk-assign-and-reclaim-seats-from-user.md)
+- [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
+
+ 
+
+
+
+
+
diff --git a/windows/client-management/mdm/maps-csp.md b/windows/client-management/mdm/maps-csp.md
new file mode 100644
index 0000000000..7a5f26f5ef
--- /dev/null
+++ b/windows/client-management/mdm/maps-csp.md
@@ -0,0 +1,168 @@
+---
+title: Maps CSP
+description: The Maps configuration service provider (CSP) is used to configure the maps to download to the device. This CSP was added in Windows 10, version 1511.
+ms.assetid: E5157296-7C31-4B08-8877-15304C9F6F26
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Maps CSP
+
+
+The Maps configuration service provider (CSP) is used to configure the maps to download to the device. This CSP was added in Windows 10, version 1511.
+
+> **Note**  The Maps CSP is only supported in Windows 10 Mobile.
+
+ 
+
+The following diagram shows the Maps configuration service provider in tree format.
+
+![maps csp diagram](images/provisioning-csp-maps.png)
+
+**Maps**
+Root node.
+
+**Packages**
+Represents the map packages installed on the device.
+
+**Packages/****_Package_**
+A GUID that represents a map package. When you add a *Package* node, Windows adds it to the queue for download to the device. See the table below for the list of various maps and corresponding GUIDS.
+
+**Packages/*Package*/Status**
+Represents the stat of the package installed on the device.
+
+Valid values:
+
+- 1 - the specified map package is queued for download.
+- 2 - the specified map package is downloading or installed.
+
+Supported operation is Get. If the map is neither queued, downloading, or installed, then you will get a 404 from a Get request.
+
+## Examples
+
+
+Here is a list of GUIDs of the most downloaded reqions.
+
+| Region | GUID |
+|-------------------------------|--------------------------------------|
+| **Germany** | |
+| Baden-Wuerttemberg | bab02b93-31c4-413a-b0fe-95a43e186d8c |
+| Bavaria | dceea482-12e9-458e-9f0f-21def9a70ed7 |
+| Berlin/Brandenburg | d8a80d64-07ef-4145-82e5-97910f1012df |
+| Hesse | b28e2071-678b-4671-8eff-97e1c124f2fb |
+| Lower Saxony/Bremen | e3ac0f21-7209-4f42-93bf-a0d12c7df2e5 |
+| Mecklenburg-Western Pomerania | 75760c3d-e651-4b4a-abfb-c22e2bf1ed93 |
+| North Rhine-Westphalia | 3846905a-891e-46a9-bc6a-53ec43edcab0 |
+| Rhineland-Palatinate/Saarland | b4c18bb5-1bfe-4da8-a951-833046e37c90 |
+| Saxony | 8899e1a8-fc79-4f3a-a591-85f15dfb1adb |
+| Saxony-Anhalt | fdd9a3eb-4253-4c4b-b34d-66265775518d |
+| Schleswig-Holstein/Hamburg | 74d868dd-99a7-492f-93ee-2b9c0a6b7ebc |
+| Thuringia | 399a3387-a545-4249-9925-04660426ef1c |
+| **United Kingdom** | |
+| England | bf612bb8-4094-4158-ac06-96171fa7ffdf |
+| Northern Ireland | 07f1d10f-cd72-4801-912a-7ba75ef5a627 |
+| Scotland | cade44ea-4421-4023-9498-bf1f92025c9e |
+| Wales | 869f9131-e3c7-41df-b106-9d787c633a10 |
+| **USA** | |
+| Alabama | 4fdaabf4-0160-4075-b7ad-7a8a71e69e7e |
+| Alaska | f691e35f-a6b9-4d6c-b657-0f092d5f2f0e |
+| Arizona | 4a179b8e-c993-4c4b-a242-51f69068d73b |
+| Arkansas | 4d152d48-92aa-4696-b8b2-c0bbacd421b6 |
+| California | 1859bd60-854a-40e3-9216-6e9cf1fcfdce |
+| Colorado | d7b4de3d-370c-44dc-8dc7-dcafe676d5ff |
+| Connecticut | 47fbdbe0-6c4d-4966-9a02-8decc94a5a1c |
+| Delaware | b2882156-e75c-4bdf-8f9f-45cbfac6b915 |
+| Florida | 1769c37c-f22a-4212-bd4b-47036693b034 |
+| Georgia | ad34ec5d-d84c-42fa-bec1-fe6143d2e68d |
+| Hawaii | 4019c8a1-0d8f-43c6-baa6-7ff5a7888f21 |
+| Idaho | 008d318b-5004-4e13-a4a4-f520e7969026 |
+| Illinois | a2c35505-daf5-432d-a4df-544a5c2987c2 |
+| Indiana | 4c3b6963-e380-45a9-8b25-2bdc4ce1ab26 |
+| Iowa | e07df1bc-01e6-4ffb-9a20-a142a6d38218 |
+| Kansas | 3397467d-3fb9-4ded-b6ad-3ab7313f8ff1 |
+| Kentucky | bc751324-a591-4ecd-b27a-af15b5518051 |
+| Louisiana | d11a119c-9e25-40d9-aef9-ed2f161113b0 |
+| Maine | db5e6077-f4dd-4548-b50e-ebd147d20c37 |
+| Maryland | 17739d09-a70a-4a23-859c-eabc57418d2f |
+| Massachusetts | d168d0d5-7683-45a4-afd4-767fd1359ad8 |
+| Michigan | 0abd961b-9602-4a2e-b093-c43a2a80aab5 |
+| Minnesota | 2946ed46-b171-4e38-9278-e33a6967f143 |
+| Mississippi | 78a38671-a8e8-48f1-a23b-3576df370437 |
+| Missouri | 5c885acb-5fdc-4305-84f1-e18d3163724b |
+| Montana | baf84353-89cf-4abd-9226-b932fd2294a4 |
+| Nebraska | e389c2f8-41a0-4121-a654-77c52fbd61ed |
+| Nevada | 8c321bdc-8e37-4be6-96e0-1d85c77c89f0 |
+| New Hampshire | 38c35895-98ce-4ee4-bb47-7291b5e8543a |
+| New Jersey | 70b1d647-ff93-415f-b2be-da06ee800516 |
+| New Mexico | b434ea36-03ca-405c-8332-044b602e7b49 |
+| New York | 93f2ba61-e03d-4b30-9be3-6e10728302d4 |
+| North Carolina | d07208ed-50da-42f2-bade-cb26f283e113 |
+| North Dakota | 8c6f0ebb-f282-431e-b4be-8faca5f12be0 |
+| Ohio | 36553594-8197-497f-911e-f1cd976c2e00 |
+| Oklahoma | 4e3a77ff-9dca-4add-93e9-2a9d6bc244a6 |
+| Oregon | cf99c8ce-1b11-4972-9e12-f8c2717ade98 |
+| Pennsylvania | cb7c0dea-1f9d-41ae-b81c-e683488d260c |
+| Rhode Island | 737c2fca-efd3-4f5a-9359-0c301ecc0813 |
+| South Carolina | c0a5542f-5efb-49ae-9d80-3914faa4cf77 |
+| South Dakota | dbd8268b-7502-4f71-ba1c-2d452d496b18 |
+| Tennessee | b51f7ae4-9eac-4a2b-b605-c2f9736b3481 |
+| Texas | 4cc26a23-596f-4164-b9c2-ce0267b1ada7 |
+| Utah | 50b2e947-e7b3-41b2-b595-8446f3f425ca |
+| Vermont | a888d9cc-9f2a-4f18-a00a-15fa860d355d |
+| Virginia | bfb4cce0-8fa5-4e70-a3c7-a69adce17fc9 |
+| Washington | 1734acf4-3f87-47db-aec2-2b24c08f5a60 |
+| Washington D.C. | 271328d6-8409-4975-ba8c-ba44e02fd3e0 |
+| West Virginia | 638b6499-749b-4908-bfe6-1b9dcf5eb675 |
+| Wisconsin | 0b5a98f7-489d-4a07-859b-4e01fe9e1b32 |
+| Wyoming | 360e0c25-a3bb-4e29-939a-3631eae46e9a |
+
+ 
+
+Here is an example queuing a map package of New York for download.
+ +``` syntax + + + + 1 + + + ./Vendor/MSFT/Maps/Packages/93f2ba61-e03d-4b30-9be3-6e10728302d4 + + + + + + +``` + +Here is an example that gets the status of the New York map package on the device. + +``` syntax + + + + 1 + + + ./Vendor/MSFT/Maps/Packages/93f2ba61-e03d-4b30-9be3-6e10728302d4/Status + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/maps-ddf-file.md b/windows/client-management/mdm/maps-ddf-file.md new file mode 100644 index 0000000000..e91dbca47e --- /dev/null +++ b/windows/client-management/mdm/maps-ddf-file.md @@ -0,0 +1,125 @@ +--- +title: Maps DDF file +description: This topic shows the OMA DM device description framework (DDF) for the Maps configuration service provider. This CSP was added in Windows 10, version 1511. +ms.assetid: EF22DBB6-0578-4FD0-B8A6-19DC03288FAF +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Maps DDF file + + +This topic shows the OMA DM device description framework (DDF) for the Maps configuration service provider. This CSP was added in Windows 10, version 1511. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + Maps + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + Packages + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Package + + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + + + +``` + +  + +  + + + + + + 
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
new file mode 100644
index 0000000000..c2896dd7cd
--- /dev/null
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -0,0 +1,394 @@ +--- +title: MDM enrollment of Windows-based devices +description: MDM enrollment of Windows-based devices +MS-HAID: +- 'p\_phdevicemgmt.enrollment\_ui' +- 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' +ms.assetid: 4651C81B-D2D6-446A-AA24-04D01C1D0883 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# MDM enrollment of Windows-based devices + + +This topic describes the user experience of enrolling Windows 10-based PCs and devices. + +In today’s cloud-first world, enterprise IT departments increasingly want to let employees bring their own devices, or even choose and purchase corporate-owned devices. Connecting your devices to work makes it easy for you to access your organization’s resources (such as apps, the corporate network, and email). + +> **Note**  When you connect your device using mobile device management (MDM) enrollment, your organization may enforce certain policies on your device. + +  + +## Connecting corporate-owned Windows 10-based devices + + +Corporate owned devices can be connected to work either by joining the device to an Active Directory domain or an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain. + +![active directory azure ad signin](images/unifiedenrollment-rs1-1.png) + +### Connecting your device to an Active Directory domain (Join a domain) + +Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education can be connected to an Active Directory domain. These devices can be connected using the Settings app. + +> **Note**  Mobile devices cannot be connected to an Active Directory domain. + +  + +### Out-of-box-experience (OOBE) + +Because joining your device to an Active Directory domain during the OOBE is not supported, you’ll need to first create a local account and then connect the device using the Settings app. 
+ +1. On the **Who Owns this PC?** page, select **My work or school owns it**. + + ![oobe local account creation](images/unifiedenrollment-rs1-2.png) + +2. Next, select **Join a domain**. + + ![select domain or azure ad](images/unifiedenrollment-rs1-3.png) + +3. You will next see a prompt to set up a local account on the device. Enter your local account details and then click **Next** to continue. + + ![create pc account](images/unifiedenrollment-rs1-4.png) + +### Using the Settings app + +1. Launch the Settings app. + + ![windows settings page](images/unifiedenrollment-rs1-5.png) + +2. Next, select **Accounts**. + + ![windows settings accounts select](images/unifiedenrollment-rs1-6.png) + +3. Navigate to **Access work or school**. + + ![select access work or school](images/unifiedenrollment-rs1-7.png) + +4. Click **Connect**. + + ![connect to work or school](images/unifiedenrollment-rs1-8.png) + +5. Under **Alternate actions**, click **Join this device to a local Active Directory domain**. + + ![join account to active directory domain](images/unifiedenrollment-rs1-9.png) + +6. Type in your domain name, follow the instructions, and then click **Next** to continue. After you complete the flow and reboot your device, it should be connected to your Active Directory domain. You can now log into the device using your domain credentials. + + ![type in domain name](images/unifiedenrollment-rs1-10.png) + +### Help with connecting to an Active Directory domain + +There are a few instances where your device cannot be connected to an Active Directory domain: + +| Connection issue | Explanation | +|-----------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Your device is already connected to an Active Directory domain. 
| Your device can be connected to only a single Active Directory domain at a time. | +| Your device is connected to an Azure AD domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. | +| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. You’ll need to switch to an administrator account to continue. | +| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Active Directory domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | + +  + +### Connecting your device to an Azure AD domain (Join Azure AD) + +All Windows devices can be connected to an Azure AD domain. These devices can be connected during OOBE. Additionally, desktop devices can be connected to an Azure AD domain using the Settings app. + +### Out-of-box-experience (OOBE) + +1. Select **My work or school owns it**, then click **Next.** + + ![oobe local account creation](images/unifiedenrollment-rs1-11.png) + +2. Click **Join Azure AD**, then click **Next.** + + ![select domain or azure ad](images/unifiedenrollment-rs1-12.png) + +3. Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services. + + If the tenant is a cloud-only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly on this page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as Active Directory Federation Services (AD FS) for authentication. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. 
If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain. + + ![azure ad signin](images/unifiedenrollment-rs1-13.png) + +### Using the Settings app + +1. Launch the Settings app. + + ![windows settings page](images/unifiedenrollment-rs1-14.png) + +2. Next, navigate to **Accounts**. + + ![windows settings accounts select](images/unifiedenrollment-rs1-15.png) + +3. Navigate to **Access work or school**. + + ![select access work or school](images/unifiedenrollment-rs1-16.png) + +4. Click **Connect**. + + ![connect to work or school](images/unifiedenrollment-rs1-17.png) + +5. Under **Alternate Actions**, click **Join this device to Azure Active Directory**. + + ![join work or school account to azure ad](images/unifiedenrollment-rs1-18.png) + +6. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. + + ![azure ad sign in](images/unifiedenrollment-rs1-19.png) + +7. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly on this page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. 
For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + + After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username. + + ![corporate sign in](images/unifiedenrollment-rs1-20.png) + +### Help with connecting to an Azure AD domain + +There are a few instances where your device cannot be connected to an Azure AD domain: + +| Connection issue | Explanation | +|-----------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| Your device is connected to an Azure AD domain. | Your device can only be connected to a single Azure AD domain at a time. | +| Your device is already connected to an Active Directory domain. | Your device can either be connected to an Azure AD domain or an Active Directory domain. You cannot connect to both simultaneously. | +| Your device already has a user connected to a work account. | You can either connect to an Azure AD domain or connect to a work or school account. You cannot connect to both simultaneously. | +| You are logged in as a standard user. | Your device can only be connected to an Azure AD domain if you are logged in as an administrative user. You’ll need to switch to an administrator account to continue. | +| Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. 
Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | +| Your device is running Windows 10 Home. | This feature is not available on Windows 10 Home, so you will be unable to connect to an Azure AD domain. You will need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | + +  + +## Connecting personally-owned devices (Bring your own device) + + +Personally owned devices, also known as bring your own device or BYOD, can be connected to a work or school account or to MDM. Windows 10 does not require a personal Microsoft account on devices to connect to work or school. + +### Connecting to a work or school account + +All Windows 10-based devices can be connected to a work or school account. You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps such as the universal Office apps. + +### Using the Settings app + +1. Launch the Settings app. + + ![windows settings page](images/unifiedenrollment-rs1-21.png) + +2. Next, navigate to **Accounts**. + + ![windows settings accounts select](images/unifiedenrollment-rs1-22.png) + +3. Navigate to **Access work or school**. + + ![select access work or school](images/unifiedenrollment-rs1-23.png) + +4. Click **Connect**. + + ![connect to work or school](images/unifiedenrollment-rs1-24.png) + +5. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services. + + ![join work or school account to azure ad](images/unifiedenrollment-rs1-25.png) + +6. If the tenant is a cloud only tenant, this page will change to show the organization's custom branding, and you will be able to enter your password directly into the page. If the tenant is part of a federated domain, you will be redirected to the organization's on-premises federation server, such as AD FS, for authentication. 
+ + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [this blog post](https://blogs.technet.microsoft.com/enterprisemobility/2015/08/14/windows-10-azure-ad-and-microsoft-intune-automatic-mdm-enrollment-powered-by-the-cloud/). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. + + ![corporate sign in](images/unifiedenrollment-rs1-26.png) + +7. After you complete the flow, your Microsoft account will be connected to your work or school account. + + ![account successfully added](images/unifiedenrollment-rs1-27.png) + +### Connecting to MDM on a desktop (Enrolling in device management) + +All Windows 10-based devices can be connected to an MDM. You can connect to an MDM through the Settings app. + +### Using the Settings app + +1. Launch the Settings app. + + ![windows settings page](images/unifiedenrollment-rs1-28.png) + +2. Next, navigate to **Accounts**. + + ![windows settings accounts page](images/unifiedenrollment-rs1-29.png) + +3. Navigate to **Access work or school**. + + ![access work or school](images/unifiedenrollment-rs1-30.png) + +4. Click the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934) . For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). + + ![connect to work or school](images/unifiedenrollment-rs1-31.png) + +5. Type in your work email address. + + ![set up work or school account](images/unifiedenrollment-rs1-32.png) + +6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. 
If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + After you complete the flow, your device will be connected to your organization’s MDM. + + ![corporate sign in](images/unifiedenrollment-rs1-33.png) + +### Connecting to MDM on a phone (Enrolling in device management) + +1. Launch the **Settings** app and then click **Accounts**. + + ![phone settings](images/unifiedenrollment-rs1-38.png) + +2. Click **Access work or school**. + + ![phone settings](images/unifiedenrollment-rs1-39.png) + +3. Click the **Enroll only in device management** link. This is only available in the servicing build 14393.82 (KB3176934). For older builds, use [Connecting your Windows 10-based device to work using a deep link](#connecting-your-windows-10-based-device-to-work-using-a-deep-link). + + ![access work or school page](images/unifiedenrollment-rs1-40.png) + +4. Enter your work email address. + + ![enter your email address](images/unifiedenrollment-rs1-41.png) + +5. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. + + Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + +6. After you complete the flow, your device will be connected to your organization’s MDM. + + ![completed mdm enrollment](images/unifiedenrollment-rs1-42.png) + +### Help with connecting personally-owned devices + +There are a few instances where your device may not be able to connect to work, as described in the following table. 
+ +| Error Message | Description | +|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------| +| Your device is already connected to your organization’s cloud. | Your device is already connected to either Azure AD, a work or school account, or an AD domain. | +| We could not find your identity in your organization’s cloud. | The username you entered was not found on your Azure AD tenant. | +| Your device is already being managed by an organization. | Your device is either already managed by MDM or System Center Configuration Manager. | +| You don’t have the right privileges to perform this operation. Please talk to your admin. | You cannot enroll your device into MDM as a standard user. You must be on an administrator account. | +| We couldn’t auto-discover a management endpoint matching the username entered. Please check your username and try again. If you know the URL to your management endpoint, please enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | + +  + +## Connecting your Windows 10-based device to work using a deep link + + +Windows 10-based devices may be connected to work using a deep link. Users will be able to click or open a link in a particular format from anywhere in Windows 10 and be directed to the new enrollment experience. + +In Windows 10, version 1607, deep linking will only be supported for connecting devices to MDM. It will not support adding a work or school account, joining a device to Azure AD, and joining a device to Active Directory. 
+ +The deep link used for connecting your device to work will always use the following format: + +**ms-device-enrollment:?mode={mode\_name}** + +| Parameter | Description | Supported Value for Windows 10| +|-----------|--------------------------------------------------------------|----------------------------------------------| +| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm” | +|Username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | +| Servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| +| Accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | +| Deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID | +| Tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | +| Ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3 | +  + +### Connecting to MDM using a deep link + +When connecting to MDM using a deep link, the URI you should use is + +**ms-device-enrollment:?mode=mdm** + +The following procedure describes how users can connect their devices to MDM using deep links. + +1. 
Starting with Windows 10, version 1607, you can create a link to launch the built-in enrollment app using the URI **ms-device-enrollment:?mode=mdm** and user-friendly display text, such as **Click here to connect Windows to work**: + + > **Note**  This will launch the flow equivalent to the Enroll into device management option in Windows 10, version 1511. + + - IT admins can add this link to a welcome email that users can click on to enroll into MDM. + + ![using enrollment deeplink in email](images/deeplinkenrollment1.png) + + - IT admins can also add this link to an internal web page that users refer to enrollment instructions. + +2. After clicking the link or running it, Windows 10 will launch the enrollment app in a special mode that only allows MDM enrollments (similar to the Enroll into device management option in Windows 10, version 1511). + + Type in your work email address. + + ![set up work or school account](images/deeplinkenrollment3.png) + +3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. + + > **Note**  Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. + + After you complete the flow, your device will be connected to your organization’s MDM. + + ![corporate sign in](images/deeplinkenrollment4.png) + +## Managing connections + + +Your work or school connections can be managed on the **Settings** > **Accounts** > **Access work or school** page. Your connections will show on this page and clicking on one will expand options for that connection. + +![managing work or school account](images/unifiedenrollment-rs1-34.png) + +### Manage + +The **Manage** button can be found on work or school connections involving Azure AD. 
This includes the following scenarios: + +- Connecting your device to an Azure AD domain +- Connecting to a work or school account. + +Clicking on the manage button will open the Azure AD portal associated with that connection in your default browser. + +### Info + +The **Info** button can be found on work or school connections involving MDM. This includes the following scenarios: + +- Connecting your device to an Azure AD domain that has auto-enroll into MDM configured. +- Connecting your device to a work or school account that has auto-enroll into MDM configured. +- Connecting your device to MDM. + +Clicking the **Info** button will open a new page in the Settings app that provides details about your MDM connection. You’ll be able to view your organization’s support information (if configured) on this page. You’ll also be able to start a sync session which will force your device to communicate to the MDM server and fetch any updates to policies if needed. + +![work or school info](images/unifiedenrollment-rs1-35.png) + +### Disconnect + +The **Disconnect** button can be found on all work connections. Generally, clicking the **Disconnect** button will remove the connection from the device. There are a few exceptions to this: + +- Devices that enforce the AllowManualMDMUnenrollment policy will not allow users to remove MDM enrollments. These connections must be removed by a server-initiated unenroll command. +- On mobile devices, you cannot disconnect from Azure AD. These connections can only be removed by wiping the device. + +> **Warning**  Disconnecting might result in the loss of data on the device. + +  + +![disconnect work or school account](images/unifiedenrollment-rs1-36.png) + +## Collecting diagnostic logs + + +You can collect diagnostic logs around your work connections by going to **Settings** > **Accounts** > **Access work or school**, and clicking the **Export your management logs** link under **Related Settings**. 
After you click the link, click **Export** and follow the path displayed to retrieve your management log files. + +![collecting enrollment management log files](images/unifiedenrollment-rs1-37.png) + +  + + + + + + diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md new file mode 100644 index 0000000000..25454c6580 --- /dev/null +++ b/windows/client-management/mdm/messaging-csp.md @@ -0,0 +1,101 @@ +--- +title: Messaging CSP +description: Messaging CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Messaging CSP + +The Messaging configuration service provider is used to configure the ability to get text messages audited on a mobile device. This CSP was added in Windows 10, version 1703. + +The following diagram shows the Messaging configuration service provider in tree format. + +![messaging csp](images/provisioning-csp-messaging.png) + +**./User/Vendor/MSFT/Messaging** + +

Root node for the Messaging configuration service provider.

+ +**AuditingLevel** +

Turns on the "Text" auditing feature.

+

The following list shows the supported values:

+
    +
  • 0 (Default) - Off
  • +
  • 1 - On
  • +
+

Supported operations are Get and Replace.

+ +**Auditing** +

Node for auditing.

+

Supported operation is Get.

+ +**Messages** +

Node for messages.

+

Supported operation is Get.

+ +**Count** +

The number of messages to return in the Data setting. The default is 100.

+

Supported operations are Get and Replace.

+ +**RevisionId** +

Retrieves messages whose revision ID is greater than RevisionId.

+

Supported operations are Get and Replace.

+ +**Data** +

The JSON string of text messages on the device.

+

Supported operations are Get and Replace.

+ + +**SyncML example** + +``` syntax + + + + 2 + + + + ./User/Vendor/MSFT/Messaging/Auditing/Messages/Count + + + + int + text/plain + + 100 + + + + 3 + + + + ./User/Vendor/MSFT/Messaging/Auditing/Messages/RevisionId + + + + chr + text/plain + + 0 + + + + 4 + + + + ./User/Vendor/MSFT/Messaging/Auditing/Messages/Data + + + + + + + +``` diff --git a/windows/client-management/mdm/messaging-ddf.md b/windows/client-management/mdm/messaging-ddf.md new file mode 100644 index 0000000000..8a3d8d7e7d --- /dev/null +++ b/windows/client-management/mdm/messaging-ddf.md 
@@ -0,0 +1,182 @@ +--- +title: Messaging DDF file +description: Messaging DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Messaging DDF file + +This topic shows the OMA DM device description framework (DDF) for the Messaging configuration service provider. This CSP was added in Windows 10, version 1703. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + Messaging + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + + AuditingLevel + + + + + + 0 + Turns on the 'Text' auditing feature. 0 = off, 1 = on + + + + + + + + + + + text/plain + + + + + Auditing + + + + + + + + + + + + + + + + + + + Messages + + + + + + + + + + + + + + + + + + + Count + + + + + + 100 + Number of messages to return in the 'Data' element + + + + + + + + + + + text/plain + + + + + RevisionId + + + + + + 0 + Retrieves messages whose revision id is greater than the 'RevisionId' + + + + + + + + + + + text/plain + + + + + Data + + + + + JSON string of 'text' messages on the device + + + + + + + + + + + text/plain + + + + + + + + +``` diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md new file mode 100644 index 0000000000..e0a4d74fa3 --- /dev/null +++ b/windows/client-management/mdm/mobile-device-enrollment.md 
@@ -0,0 +1,303 @@ +--- +title: Mobile device enrollment +description: Mobile device enrollment is the first phase of enterprise management. +ms.assetid: 08C8B3DB-3263-414B-A368-F47B94F47A11 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Mobile device enrollment + + +Mobile device enrollment is the first phase of enterprise management. The device is configured to communicate with the MDM server using security precautions during the enrollment process. The enrollment service verifies that only authenticated and authorized devices can be managed by their enterprise. + +The enrollment process includes the following steps: + +1. Discovery of the enrollment endpoint + + This step provides the enrollment endpoint configuration settings. + +2. Certificate installation + + This step handles user authentication, certificate generation, and certificate installation. The installed certificates will be used in the future to manage client/server Secure Sockets Layer (SSL) mutual authentication. + +3. DM Client provisioning + + This step configures the Device Management (DM) client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (also known as Open Mobile Alliance Device Management (OMA DM) XML). + +## Enrollment protocol + + +There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). + +The enrollment process involves the following steps: + +**Discovery request** + The discovery request is a simple HTTP post call that returns XML over HTTP. 
The returned XML includes the authentication URL, the management service URL, and the user credential type. + +**Certificate enrollment policy** +The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619345) + +**Certificate enrollment** +The certificate enrollment is an implementation of the MS-WSTEP protocol. + +**Management configuration** +The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application. + +The following topics describe the end-to-end enrollment process using various authentication methods: + +- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) +- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) + +> **Note**  As a best practice, do not use hardcoded server-side checks on values such as: +> - User agent string +> - Any fixed URIs that are passed during enrollment +> - Specific formatting of any value unless otherwise noted, such as the format of the device ID. 
+ +  + +## Prevent MDM enrollments + + +Starting in Windows 10, version 1607, to prevent MDM enrollments for domain-joined PCs, you can set the following Group Policy: + +Key: \\SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\MDM + +Value: DisableRegistration + +Using the GP editor, the path is Computer configuration > Administrative Templates > Windows Components > MDM > Disable MDM Enrollment. + +## Enrollment scenarios not supported + + +The following scenarios do not allow MDM enrollments: + +- Built-in administrator accounts on Windows desktop cannot enroll into MDM. +- Standard users on Windows desktop cannot enroll into MDM via the Work access page in **Settings**. To enroll a standard user into MDM, we recommend using a provisioning package or joining the device to Azure AD from **Settings** -> **System** -> **About**. +- Windows 8.1 devices enrolled into MDM via enroll-on-behalf-of (EOBO) can upgrade to Windows 10, but the enrollment is not supported. We recommend performing a server initiated unenroll to remove these enrollments and then enrolling after the upgrade to Windows 10 is completed. + +## Enrollment migration + + +**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours. + +Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work. + +To manually trigger enrollment migration, you can run MDMMaintenenceTask. + +**Mobile devices:** After the MDM client upgrade from Windows Phone 8.1 to Windows 10 Mobile, enrollment migration is performed during the first boot after the upgrade. + +## Enrollment error messages + + +The enrollment server can decline enrollment messages using the SOAP Fault format. 
Errors created can be sent as follows: + +``` syntax + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/rstrc/wstep + 2493ee37-beeb-4cb9-833c-cadde9067645 + urn:uuid:urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749 + + + + + s:receiver + + s:authorization + + + + This User is not authorized to enroll + + + + +``` + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
NamespaceSubcodeErrorDescriptionHRESULT

s:

MessageFormat

MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR

Message format is bad

80180001

s:

Authentication

MENROLL_E_DEVICE_AUTHENTICATION_ERROR

User not recognized

80180002

s:

Authorization

MENROLL_E_DEVICE_AUTHORIZATION_ERROR

User not allowed to enroll

80180003

s:

CertificateRequest

MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR

Failed to get certificate

80180004

s:

EnrollmentServer

MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR

80180005

a:

InternalServiceFault

MENROLL_E_DEVICE_INTERNALSERVICE_ERROR

The server hit an unexpected issue

80180006

a:

InvalidSecurity

MENROLL_E_DEVICE_INVALIDSECURITY_ERROR

Cannot parse the security header

80180007

+ +  + +In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example: + +``` syntax + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/rstrc/wstep + 2493ee37-beeb-4cb9-833c-cadde9067645 + urn:uuid:urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749 + + + + + s:receiver + + s:authorization + + + + device cap reached + + + + devicecapreached + device cap reached + 2493ee37-beeb-4cb9-833c-cadde9067645 + + + + + +``` + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
SubcodeErrorDescriptionHRESULT

DeviceCapReached

MENROLL_E_DEVICECAPREACHED

User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.

80180013

DeviceNotSupported

MENROLL_E_DEVICENOTSUPPORTED

Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.

80180014

NotSupported

MENROLL_E_NOTSUPPORTED

Mobile device management generally not supported (would save an admin call)

80180015

NotEligibleToRenew

MENROLL_E_NOTELIGIBLETORENEW

Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.

80180016

InMaintenance

MENROLL_E_INMAINTENANCE

Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.

80180017

UserLicense

MENROLL_E_USERLICENSE

License of user is in bad state and blocking the enrollment. The user needs to call the admin.

80180018

InvalidEnrollmentData

MENROLL_E_ENROLLMENTDATAINVALID

The server rejected the enrollment data. The server may not be configured correctly.

80180019

+ +  + +TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment. + +## Related topics + + +- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md) +- [Federated authentication device enrollment](federated-authentication-device-enrollment.md) +- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md) +- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md) + + + + + + diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md new file mode 100644 index 0000000000..d62bf09a6c --- /dev/null +++ b/windows/client-management/mdm/nap-csp.md 
@@ -0,0 +1,115 @@ +--- +title: NAP CSP +description: NAP CSP +ms.assetid: 82f04492-88a6-4afd-af10-a62b8d444d21 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# NAP CSP + + +The NAP (Network Access Point) Configuration Service Provider is used to manage and query GPRS and CDMA connections. + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. + +  + +For the NAP CSP, you cannot use the Replace command unless the node already exists. + +The following diagram shows the NAP configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. + +![nap csp (dm)](images/provisioning-csp-nap.png) + +**./Vendor/MSFT/NAP** +Root node. + +***NAPX*** +Required. Defines the name of the network access point. + +It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). + +***NAPX*/NAPID** +Required. Specifies the identifier of the destination network. + +The NAPID value must not include a "@" character. If the NAPDEF configuration service provider defines it as “connectionID@WAP”, this value should be set to “connectionID”. + +***NAPX*/NAME** +Optional. Specifies the user-friendly name of the connection. + +***NAPX*/ADDR** +Required. Specifies the address of the destination network. + +The ADDR may be the URL of an access point, the APN name for a GPRS access point, the telephone number of an answering modem, or any other string used to uniquely identify the address of the destination network. + +***NAPX*/ADDRTYPE** +Required. 
Specifies the type of address used to identify the destination network. + +The following table shows some commonly used ADDRTYPE values and the types of connection that corresponds with each value. + + ++++ + + + + + + + + + + + + + + + + + + + + +
ADDRTYPE ValueConnection Type

E164

RAS connections

APN

GPRS connections

ALPHA

Wi-Fi-based connections

+ +  + +***NAPX*/AuthInfo** +Optional node. Specifies the authentication information, including the protocol, user name, and password. + +***NAPX*/AuthInfo/AuthType** +Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, MD5. + +***NAPX*/AuthInfo/AuthName** +Optional. Specifies the user name and domain to be used during authentication. This field is in the form *Domain*\\*UserName*. + +***NAPX*/AuthInfo/AuthSecret** +Optional. Specifies the password used during authentication. + +Queries of this field will return a string composed of sixteen asterisks (\*). + +***NAPX*/Bearer** +Node. + +***NAPX*/Bearer/BearerType** +Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md new file mode 100644 index 0000000000..0019bd057b --- /dev/null +++ b/windows/client-management/mdm/napdef-csp.md 
@@ -0,0 +1,146 @@ +--- +title: NAPDEF CSP +description: NAPDEF CSP +ms.assetid: 9bcc65dd-a72b-4f90-aba7-4066daa06988 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# NAPDEF CSP + + +The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a. + +> **Note**  You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list. + +  + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. + +  + +The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. + +![napdef csp (cp) (initial bootstrapping)](images/provisioning-csp-napdef-cp.png) + +The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider. + +![napdef csp (cp) (update bootstrapping)](images/provisioning-csp-napdef-cp-2.png) + +**NAPAUTHINFO** +Defines a group of authentication settings. + +**AUTHNAME** +Specifies the name used to authenticate the user. + +**AUTHSECRET** +Specifies the password used to authenticate the user. + +A query of this parameter returns asterisks (\*) in the results. + +**AUTHTYPE** +Specifies the protocol used to authenticate the user. + +The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. 
Note + +> **Note**  **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change. + +  + +**BEARER** +Specifies the type of bearer. + +Only Global System for Mobile Communication (GSM) and GSM-General Packet Radio Services (GPRS) are supported. + +**INTERNET** +Optional. Specifies whether this is an AlwaysOn connection. + +If **INTERNET** exists, the connection is an AlwaysOn connection and does not require a connection manager policy. + +If **INTERNET** does not exist, the connection is not an AlwaysOn connection and the connection requires a connection manager connection policy to be set. + +**LOCAL-ADDR** +Required for GPRS. Specifies the local address of the WAP client for GPRS access points. + +**LOCAL-ADDRTYPE** +Required for GPRS. Specifies the address format of the **LOCAL-ADDR** element. + +The value of LOCAL-ADDRTYPE can be "IPv4". + +**NAME** +Specifies the logical, user-readable identity of the NAP. + +**NAP-ADDRESS** +Specifies the address of the NAP. + +**NAP-ADDRTYPE** +Specifies the format and protocol of the **NAP-ADDRESS** element. + +Only Access Point Name (APN) and E164 are supported. + +**NAPID** +Required for initial bootstrapping. Specifies the name of the NAP. + +The maximum length of the **NAPID** value is 16 characters. + +***NAPID*** +Required for bootstrapping updating. Defines the name of the NAP. + +The name of the *NAPID* element is the same as the value passed during initial bootstrapping. In addition, the Microsoft format for NAPDEF contains the provisioning XML attribute mwid. This custom attribute is optional when adding a NAP or a proxy. It is required for *NAPID* when updating and deleting existing NAPs and proxies and must have its value set to 1. 
+ +## Microsoft Custom Elements + + +The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ELementsAvailable

parm-query

Yes

+

Note that some GPRS parameters will not necessarily contain the exact same value as was set.

noparm

Yes

nocharacteristic

Yes

characteristic-query

Yes

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md new file mode 100644 index 0000000000..2e9efd2de6 --- /dev/null +++ b/windows/client-management/mdm/networkproxy-csp.md @@ -0,0 +1,67 @@ +--- +title: NetworkProxy CSP +description: NetworkProxy CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# NetworkProxy CSP + +The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703. + +> [!Note] +> In Windows 10 Mobile, the NetworkProxy CSP only works in ethernet connections. Use the WiFi CSP to configure per-network proxy for Wi-Fi connections in mobile devices. + +How the settings work: + +
    +
  1. If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it.
  2. +
  3. If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script.
  4. +
  5. If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server.
  6. +
  7. Otherwise, the system tries to reach the site directly.
  8. +
+ + +The following diagram shows the NetworkProxy configuration service provider in tree format. + +![networkproxy csp](images/provisioning-csp-networkproxy.png) + +**./Vendor/MSFT/NetworkProxy** +

The root node for the NetworkProxy configuration service provider..

+ +**AutoDetect** +

Automatically detect settings. If enabled, the system tries to find the path to a PAC script.

+

Valid values:

+
    +
  • 0 - Disabled
  • +
  • 1 (default) - Enabled
  • +
+

The data type is int. Supported operations are Get and Replace.

+ +**SetupScriptUrl** +

Address to the PAC script you want to use.

+

The data type is string. Supported operations are Get and Replace.

+ +**ProxyServer** +

Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections.

+

Supported operation is Get.

+ +**ProxyAddress** +

Address to the proxy server. Specify an address in the format <server>[“:”<port>]. 

+

The data type is string. Supported operations are Get and Replace.

+ +**Exceptions** +

Addresses that should not use the proxy server. The system will not use the proxy server for addresses beginning with what is specified in this node. Use semicolons (;) to separate entries. 

+

The data type is string. Supported operations are Get and Replace.

+ +**UseProxyForLocalAddresses** +

Specifies whether the proxy server should be used for local (intranet) addresses. 

+

Valid values:

+
    +
  • 0 (default) - Do not use proxy server for local addresses
  • +
  • 1 - Use proxy server for local addresses
  • +
+

The data type is int. Supported operations are Get and Replace.

diff --git a/windows/client-management/mdm/networkproxy-ddf.md b/windows/client-management/mdm/networkproxy-ddf.md new file mode 100644 index 0000000000..6657bc67ee --- /dev/null +++ b/windows/client-management/mdm/networkproxy-ddf.md @@ -0,0 +1,178 @@ +--- +title: NetworkProxy DDF file +description: AppNetworkProxyLocker DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# NetworkProxy DDF file + +This topic shows the OMA DM device description framework (DDF) for the **NetworkProxy** configuration service provider. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + NetworkProxy + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/NetworkProxy + + + + AutoDetect + + + + + + 1 + + + + + + + + + + + text/plain + + + + + SetupScriptUrl + + + + + + + + + + + + + + + + text/plain + + + + + ProxyServer + + + + + + + + + + + + + + + + + + + ProxyAddress + + + + + + + + + + + + + + + + text/plain + + + + + Exceptions + + + + + + + + + + + + + + + + text/plain + + + + + UseProxyForLocalAddresses + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md new file mode 100644 index 0000000000..eb09ca2909 --- /dev/null +++ b/windows/client-management/mdm/networkqospolicy-csp.md 
@@ -0,0 +1,105 @@ +--- +title: NetworkQoSPolicy CSP +description: he NetworkQoSPolicy CSP applies the Quality of Service (QoS) policy for Microsoft Surface Hub. This CSP was added in Windows 10, version 1703. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# NetworkQoSPolicy CSP + +The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703. + +The following conditions are supported: +- Network traffic from a specific application name +- Network traffic from specific source or destination ports +- Network traffic from a specific IP protocol (TCP, UDP, or both) + +The following actions are supported: +- Layer 2 tagging using a IEEE 802.1p priority value +- Layer 3 tagging using a differentiated services code point (DSCP) value + +> [!NOTE] +> The NetworkQoSPolicy configuration service provider is supported only in Microsoft Surface Hub. + +The following diagram shows the NetworkQoSPolicy configuration service provider in tree format. + +![NetworkQoSPolicy CSP diagram](images/provisioning-csp-networkqospolicy.png) + +**NetworkQoSPolicy** +

The root node for the NetworkQoSPolicy configuration service provider.

+ +**Version** +

Specifies the version information. + +

The data type is int. + +

The only supported operation is Get. + +**_Name_** +

Node for the QoS policy name. + +**_Name_/IPProtocolMatchCondition** +

Specifies the IP protocol used to match the network traffic. + +

Valid values are: + + - 0 (default) - Both TCP and UDP + - 1 - TCP + - 2 - UDP + +

The data type is int. + +

The supported operations are Add, Get, Delete, and Replace. + +**_Name_/AppPathNameMatchCondition** +

Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. + +

The data type is char. + +

The supported operations are Add, Get, Delete, and Replace. + +**_Name_/SourcePortMatchCondition** +

Specifies a single port or a range of ports to be used to match the network traffic source. + +

Valid values are: + +- A range of source ports: _[first port number]_-_[last port number]_ +- A single source port: _[port number]_ + +

The data type is char. + +

The supported operations are Add, Get, Delete, and Replace. + +**_Name_/DestinationPortMatchCondition** +

Specifies a single source port or a range of ports to be used to match the network traffic destination. + +

Valid values are: + +- A range of destination ports: _[first port number]_-_[last port number]_ +- A single destination port: _[port number]_ + +

The data type is char. + +

The supported operations are Add, Get, Delete, and Replace. + +**_Name_/PriorityValue8021Action** +

Specifies the IEEE 802.1p priority value to apply to matching network traffic. + +

Valid values are 0-7. + +

The data type is int. + +

The supported operations are Add, Get, Delete, and Replace. + +**_Name_/DSCPAction** +

The differentiated services code point (DSCP) value to apply to matching network traffic. + +

Valid values are 0-63. + +

The data type is int. + +

The supported operations are Add, Get, Delete, and Replace. + diff --git a/windows/client-management/mdm/networkqospolicy-ddf.md b/windows/client-management/mdm/networkqospolicy-ddf.md new file mode 100644 index 0000000000..e22f1a5ac3 --- /dev/null +++ b/windows/client-management/mdm/networkqospolicy-ddf.md 
@@ -0,0 +1,286 @@ +--- +title: NetworkQoSPolicy DDF +description: This topic shows the OMA DM device description framework (DDF) for the NetworkQoSPolicy configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# NetworkQoSPolicy DDF + +This topic shows the OMA DM device description framework (DDF) for the **NetworkQoSPolicy** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + NetworkQoSPolicy + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/NetworkQoSPolicy + + + + + Version + + + + + Version information. + + + + + + + + + + Version + + text/plain + + + + + + + + + + + + + The value of this node should be a policy name. + + + + + + + + + + Name + + + + + + PolicyStore + + + + + + + + The location where the QoS policy is stored. + + + + + + + + + + PolicyStore + + text/plain + + + + + IPProtocolMatchCondition + + + + + + + + 0 + Specifies the IP protocol used to match the network traffic. Valid values are 0: Both TCP and UDP (default), 1: TCP, 2: UDP. + + + + + + + + + + IPProtocolMatchCondition + + text/plain + + + + + AppPathNameMatchCondition + + + + + + + + Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. 
+ + + + + + + + + + AppPathNameMatchCondition + + text/plain + + + + + SourcePortMatchCondition + + + + + + + + Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + + + + + + + + + + SourcePortMatchCondition + + text/plain + + + + + DestinationPortMatchCondition + + + + + + + + Specifies a single port or a range of ports to be used to match the network traffic. Valid values are [first port number]-[last port number] or [port number]. + + + + + + + + + + DestinationPortMatchCondition + + text/plain + + + + + PriorityValue8021Action + + + + + + + + The IEEE 802.1p value to apply to matching network traffice. Valid values are 0-7. + + + + + + + + + + PriorityValue8021Action + + text/plain + + + + + DSCPAction + + + + + + + + The differentiated services code point (DSCP) value to apply to matching network traffic. Valid values are 0-63. + + + + + + + + + + DSCPAction + + text/plain + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md new file mode 100644 index 0000000000..f0f271a8e3 --- /dev/null +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
@@ -0,0 +1,2313 @@ +--- +title: What's new in MDM enrollment and management +description: This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. +MS-HAID: +- 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview' +- 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management' +ms.assetid: 9C42064F-091C-4901-BC73-9ABE79EE4224 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# What's new in MDM enrollment and management + + +This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices. + +For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). 
+ +## In this section + +- [What's new in Windows 10, version 1511](#whatsnew) +- [What's new in Windows 10, version 1607](#whatsnew1607) +- [What's new in Windows 10, version 1703](#whatsnew10) +- [Breaking changes and known issues](#breaking-changes-and-known-issues) + - [Get command inside an atomic command is not supported](#getcommand) + - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification) + - [Apps installed using WMI classes are not removed](#appsnotremoved) + - [Passing CDATA in SyncML does not work](#cdata) + - [SSL settings in IIS server for SCEP must be set to "Ignore"](#sslsettings) + - [MDM enrollment fails on the mobile device when traffic is going through proxy](#enrollmentviaproxy) + - [Server-initiated unenroll failure](#unenrollment) + - [Certificates causing issues with Wi-Fi and VPN](#certissues) + - [Version information for mobile devices](#versioninformation) + - [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#whitelist) + - [Apps dependent on Microsoft Frameworks may get blocked](#frameworks) + - [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#wificertissue) + - [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#remote) + - [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#renewwns) + - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#userprovisioning) + - [Requirements to note for VPN certificates also used for Kerberos Authentication](#kerberos) + - [Device management agent for the push-button reset is not working](#pushbuttonreset) +- [Change history in MDM documentation](#change-history-in-mdm-documentation) +- [FAQ](#faq) + +## What's new in Windows 10, version 1511 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + +
ItemDescription

New configuration service providers added in Windows 10, version 1511

    +
  • [AllJoynManagement CSP](alljoynmanagement-csp.md)
  • +
  • [Maps CSP](maps-csp.md)
  • +
  • [Reporting CSP](reporting-csp.md)
  • +
  • [SurfaceHub CSP](surfacehub-csp.md)
  • +
  • [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
  • +

New and updated policies in Policy CSP

The following policies have been added to the [Policy CSP](policy-configuration-service-provider.md):

+
    +
  • Accounts/DomainNamesForEmailSync
  • +
  • ApplicationManagement/AllowWindowsBridgeForAndroidAppsExecution
  • +
  • Bluetooth/ServicesAllowedList
  • +
  • DataProtection/AllowAzureRMSForEDP
  • +
  • DataProtection/RevokeOnUnenroll
  • +
  • DeviceLock/DevicePasswordExpiration
  • +
  • DeviceLock/DevicePasswordHistory
  • +
  • TextInput/AllowInputPanel
  • +
  • Update/PauseDeferrals
  • +
  • Update/RequireDeferUpdate
  • +
  • Update/RequireUpdateApproval
  • +
+

The following policies have been updated in the Policy CSP:

+
    +
  • System/AllowLocation
  • +
  • Update/RequireDeferUpgrade
  • +
+

The following policies have been deprecated in the Policy CSP:

+
    +
  • TextInput/AllowKoreanExtendedHanja
  • +
  • WiFi/AllowWiFiHotSpotReporting
  • +

Management tool for the Windows Store for Business

New topics. The Store for Business has a new web service designed for the enterprise to acquire, manage, and distribute applications in bulk. It enables several capabilities that are required for the enterprise to manage the lifecycle of applications from acquisition to updates.

Custom header for generic alert

The MDM-GenericAlert is a new custom header that hosts one or more alert information provided in the http messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device due to one or more critical or fatal alerts. Here is alert format:

+MDM-GenericAlert: <AlertType1><AlertType2> +

If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).

Alert message for slow client response

When the MDM server sends a configuration request, sometimes it takes the client longer than the HTTP timeout to get all information together and then the session ends unexpectedly due to timeout. By default, the MDM client does not send an alert that a DM request is pending.

+

To work around the timeout, you can use EnableOmaDmKeepAliveMessage setting to keep the session alive by sending a heartbeat message back to the server. This is achieved by sending a SyncML message with a specific device alert element in the body until the client is able to respond back to the server with the requested information. For details, see EnableOmaDmKeepAliveMessage node in the [DMClient CSP](dmclient-csp.md).

New node in DMClient CSP

Added a new node EnableOmaDmKeepAliveMessage to the [DMClient CSP](dmclient-csp.md) and updated the ManagementServerAddress to indicate that it can contain a list of URLs.

New nodes in EnterpriseModernAppManagement CSP

Added the following nodes to the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md):

+
    +
  • AppManagement/GetInventoryQuery
  • +
  • AppManagement/GetInventoryResults
  • +
  • .../PackageFamilyName/AppSettingPolicy/SettingValue
  • +
  • AppLicenses/StoreLicenses/LicenseID/LicenseCategory
  • +
  • AppLicenses/StoreLicenses/LicenseID/LicenseUsage
  • +
  • AppLicenses/StoreLicenses/LicenseID/RequesterID
  • +
  • AppLicenses/StoreLicenses/LicenseID/GetLicenseFromStore
  • +

New nodes in EnterpriseExt CSP

Added the following nodes to the [EnterpriseExt CSP](enterpriseext-csp.md):

+
    +
  • DeviceCustomData (CustomID, CustomeString)
  • +
  • Brightness (Default, MaxAuto)
  • +
  • LedAlertNotification (State, Intensity, Period, DutyCycle, Cyclecount)
  • +

New node in EnterpriseExtFileSystem CSP

Added OemProfile node to [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md).

New nodes in PassportForWork CSP

Added the following nodes to [PassportForWork CSP](passportforwork-csp.md):

+
    +
  • TenantId/Policies/PINComplexity/History
  • +
  • TenantId/Policies/PINComplexity/Expiration
  • +
  • TenantId/Policies/Remote/UseRemotePassport (only for ./Device/Vendor/MSFT)
  • +
  • Biometrics/UseBiometrics (only for ./Device/Vendor/MSFT)
  • +
  • Biometrics/FacialFeaturesUseEnhancedAntiSpoofing (only for ./Device/Vendor/MSFT)
  • +

Updated EnterpriseAssignedAccess CSP

Here are the changes to the [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md):

+
    +
  • In AssignedAccessXML node, added new page settings and quick action settings.
  • +
  • In AssignedAccessXML node, added an example about how to pin applications in multiple app packages using the AUMID.
  • +
  • Updated the [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md) topic.
  • +

New nodes in the DevDetail CSP

Here are the changes to the [DevDetail CSP](devdetail-csp.md):

+
    +
  • Added TotalStore and TotalRAM settings.
  • +
  • Added support for Replace command for the DeviceName setting.
  • +

Handling large objects

Added support for the client to handle uploading of large objects to the server.

+ + +## What's new in Windows 10, version 1607 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ItemDescription

Sideloading of apps

Starting in Windows 10, version 1607, sideloading of apps is only allowed through [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md). Product keys (5x5) will no longer be supported to enable sideloading on Windows 10, version 1607 devices.

New value for [NodeCache CSP](nodecache-csp.md)

In [NodeCache CSP](nodecache-csp.md), the value of NodeCache root node starting in Windows 10, version 1607 is com.microsoft/1.0/MDM/NodeCache.

[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

New CSP.

[Policy CSP](policy-configuration-service-provider.md)

Removed the following policies:

+
    +
  • DataProtection/AllowAzureRMSForEDP - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
  • +
  • DataProtection/AllowUserDecryption - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
  • +
  • DataProtection/EDPEnforcementLevel - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
  • +
  • DataProtection/RequireProtectionUnderLockConfig - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
  • +
  • DataProtection/RevokeOnUnenroll - moved this policy to [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
  • +
  • DataProtection/EnterpriseCloudResources - moved this policy to NetworkIsolation policy
  • +
  • DataProtection/EnterpriseInternalProxyServers - moved this policy to NetworkIsolation policy
  • +
  • DataProtection/EnterpriseIPRange - moved this policy to NetworkIsolation policy
  • +
  • DataProtection/EnterpriseNetworkDomainNames - moved this policy to NetworkIsolation policy
  • +
  • DataProtection/EnterpriseProxyServers - moved this policy to NetworkIsolation policy
  • +
  • Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices - this policy has been deprecated.
  • +
+

Added the WiFi/AllowManualWiFiConfiguration and WiFi/AllowWiFi policies for Windows 10, version 1607:

+
    +
  • Windows 10 Pro
  • +
  • Windows 10 Enterprise
  • +
  • Windows 10 Education
  • +
+

Added the following new policies:

+
    +
  • AboveLock/AllowCortanaAboveLock
  • +
  • ApplicationManagement/DisableStoreOriginatedApps
  • +
  • Authentication/AllowSecondaryAuthenticationDevice
  • +
  • Bluetooth/AllowPrepairing
  • +
  • Browser/AllowExtensions
  • +
  • Browser/PreventAccessToAboutFlagsInMicrosoftEdge
  • +
  • Browser/ShowMessageWhenOpeningSitesInInternetExplorer
  • +
  • DeliveryOptimization/DOAbsoluteMaxCacheSize
  • +
  • DeliveryOptimization/DOMaxDownloadBandwidth
  • +
  • DeliveryOptimization/DOMinBackgroundQoS
  • +
  • DeliveryOptimization/DOModifyCacheDrive
  • +
  • DeliveryOptimization/DOMonthlyUploadDataCap
  • +
  • DeliveryOptimization/DOPercentageMaxDownloadBandwidth
  • +
  • DeviceLock/EnforceLockScreenAndLogonImage
  • +
  • DeviceLock/EnforceLockScreenProvider
  • +
  • Defender/PUAProtection
  • +
  • Experience/AllowThirdPartySuggestionsInWindowsSpotlight
  • +
  • Experience/AllowWindowsSpotlight
  • +
  • Experience/ConfigureWindowsSpotlightOnLockScreen
  • +
  • Experience/DoNotShowFeedbackNotifications
  • +
  • Licensing/AllowWindowsEntitlementActivation
  • +
  • Licensing/DisallowKMSClientOnlineAVSValidation
  • +
  • LockDown/AllowEdgeSwipe
  • +
  • Maps/EnableOfflineMapsAutoUpdate
  • +
  • Maps/AllowOfflineMapsDownloadOverMeteredConnection
  • +
  • Messaging/AllowMessageSync
  • +
  • NetworkIsolation/EnterpriseCloudResources
  • +
  • NetworkIsolation/EnterpriseInternalProxyServers
  • +
  • NetworkIsolation/EnterpriseIPRange
  • +
  • NetworkIsolation/EnterpriseIPRangesAreAuthoritative
  • +
  • NetworkIsolation/EnterpriseNetworkDomainNames
  • +
  • NetworkIsolation/EnterpriseProxyServers
  • +
  • NetworkIsolation/EnterpriseProxyServersAreAuthoritative
  • +
  • NetworkIsolation/NeutralResources
  • +
  • Notifications/DisallowNotificationMirroring
  • +
  • Privacy/DisableAdvertisingId
  • +
  • Privacy/LetAppsAccessAccountInfo
  • +
  • Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessCalendar
  • +
  • Privacy/LetAppsAccessCalendar_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessCalendar_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessCallHistory
  • +
  • Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessCamera
  • +
  • Privacy/LetAppsAccessCamera_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessCamera_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessCamera_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessContacts
  • +
  • Privacy/LetAppsAccessContacts_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessContacts_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessContacts_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessEmail
  • +
  • Privacy/LetAppsAccessEmail_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessEmail_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessEmail_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessLocation
  • +
  • Privacy/LetAppsAccessLocation_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessLocation_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessLocation_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessMessaging
  • +
  • Privacy/LetAppsAccessMessaging_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessMessaging_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessMicrophone
  • +
  • Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessMotion
  • +
  • Privacy/LetAppsAccessMotion_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessMotion_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessMotion_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessNotifications
  • +
  • Privacy/LetAppsAccessNotifications_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessNotifications_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessPhone
  • +
  • Privacy/LetAppsAccessPhone_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessPhone_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessPhone_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessRadios
  • +
  • Privacy/LetAppsAccessRadios_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessRadios_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessRadios_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsAccessTrustedDevices
  • +
  • Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsSyncWithDevices
  • +
  • Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps
  • +
  • Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps
  • +
  • Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps
  • +
  • Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices
  • +
  • Settings/AllowEditDeviceName
  • +
  • Speech/AllowSpeechModelUpdate
  • +
  • System/TelemetryProxy
  • +
  • Update/ActiveHoursStart
  • +
  • Update/ActiveHoursEnd
  • +
  • Update/AllowMUUpdateService
  • +
  • Update/BranchReadinessLevel
  • +
  • Update/DeferFeatureUpdatesPeriodInDays
  • +
  • Update/DeferQualityUpdatesPeriodInDays
  • +
  • Update/ExcludeWUDriversInQualityUpdate
  • +
  • Update/PauseFeatureUpdates
  • +
  • Update/PauseQualityUpdates
  • +
  • Update/UpdateServiceUrlAlternate (Added in the January service release of Windows 10, version 1607)
  • +
  • WindowsInkWorkspace/AllowWindowsInkWorkspace
  • +
  • WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace
  • +
  • WirelessDisplay/AllowProjectionToPC
  • +
  • WirelessDisplay/RequirePinForPairing
  • +
+

Updated the Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts description to remove outdated information.

+

Updated DeliveryOptimization/DODownloadMode to add new values.

+

Updated Experience/AllowCortana description to clarify what each supported value does.

+

Updated Security/AntiTheftMode description to clarify what each supported value does.

[DMClient CSP](dmclient-csp.md)

Added the following settings:

+
    +
  • ManagementServerAddressList
  • +
  • AADDeviceID
  • +
  • EnrollmentType
  • +
  • HWDevID
  • +
  • CommercialID
  • +
+

Removed the EnrollmentID setting.

[DeviceManageability CSP](devicemanageability-csp.md)

New CSP.

[DeviceStatus CSP](devicestatus-csp.md)

Added the following new settings:

+
    +
  • DeviceStatus/TPM/SpecificationVersion
  • +
  • DeviceStatus/OS/Edition
  • +
  • DeviceStatus/Antivirus/SignatureStatus
  • +
  • DeviceStatus/Antivirus/Status
  • +
  • DeviceStatus/Antispyware/SignatureStatus
  • +
  • DeviceStatus/Antispyware/Status
  • +
  • DeviceStatus/Firewall/Status
  • +
  • DeviceStatus/UAC/Status
  • +
  • DeviceStatus/Battery/Status
  • +
  • DeviceStatus/Battery/EstimatedChargeRemaining
  • +
  • DeviceStatus/Battery/EstimatedRuntime
  • +
[AssignedAccess CSP](assignedaccess-csp.md)

Added SyncML examples.

[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
    +
  • Added a new Folder table entry in the AssignedAccess/AssignedAccessXml description.
  • +
  • Updated the DDF and XSD file sections.
  • +
[SecureAssessment CSP](secureassessment-csp.md)

New CSP for Windows 10, version 1607

[DiagnosticLog CSP](diagnosticlog-csp.md) +

[DiagnosticLog DDF](diagnosticlog-ddf.md)

Added version 1.3 of the CSP with two new settings. Added the new 1.3 version of the DDF. Added the following new settings in Windows 10, version 1607.

+
    +
  • DeviceStateData
  • +
  • DeviceStateData/MdmConfiguration
  • +
[Reboot CSP](reboot-csp.md)

New CSP for Windows 10, version 1607

[CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)

New CSP for Windows 10, version 1607

[VPNv2 CSP](vpnv2-csp.md)

Added the following settings for Windows 10, version 1607

+
    +
  • ProfileName/RouteList/routeRowId/ExclusionRoute
  • +
  • ProfileName/DomainNameInformationList/dniRowId/AutoTrigger
  • +
  • ProfileName/DomainNameInformationList/dniRowId/Persistent
  • +
  • ProfileName/ProfileXML
  • +
  • ProfileName/DeviceCompliance/Enabled
  • +
  • ProfileName/DeviceCompliance/Sso
  • +
  • ProfileName/DeviceCompliance/Sso/Enabled
  • +
  • ProfileName/DeviceCompliance/Sso/IssuerHash
  • +
  • ProfileName/DeviceCompliance/Sso/Eku
  • +
  • ProfileName/NativeProfile/CryptographySuite
  • +
  • ProfileName/NativeProfile/CryptographySuite/AuthenticationTransformConstants
  • +
  • ProfileName/NativeProfile/CryptographySuite/CipherTransformConstants
  • +
  • ProfileName/NativeProfile/CryptographySuite/EncryptionMethod
  • +
  • ProfileName/NativeProfile/CryptographySuite/IntegrityCheckMethod
  • +
  • ProfileName/NativeProfile/CryptographySuite/DHGroup
  • +
  • ProfileName/NativeProfile/CryptographySuite/PfsGroup
  • +
  • ProfileName/NativeProfile/L2tpPsk
  • +
[Win32AppInventory CSP](win32appinventory-csp.md) +

[Win32AppInventory DDF](win32appinventory-ddf-file.md)

New CSP for Windows 10, version 1607.

[SharedPC CSP](sharedpc-csp.md)

New CSP for Windows 10, version 1607.

[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)

New CSP for Windows 10, version 1607.

[MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224)

Added new classes for Windows 10, version 1607.

[MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)

Topic renamed from "Enrollment UI".

+

Completely updated enrollment procedures and screenshots.

[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) +

[UnifiedWriteFilter DDF File](unifiedwritefilter-ddf.md)

Added the following new setting for Windows 10, version 1607:

+
    +
  • NextSession/HORMEnabled
  • +
[CertificateStore CSP](certificatestore-csp.md) +

[CertificateStore DDF file](certificatestore-ddf-file.md)

Added the following new settings in Windows 10, version 1607:

+
    +
  • My/WSTEP/Renew/LastRenewalAttemptTime
  • +
  • My/WSTEP/Renew/RenewNow
  • +

[WindowsLicensing CSP](windowslicensing-csp.md)

Added the following new node and settings in Windows 10, version 1607, but not documented:

+
    +
  • Subscriptions
  • +
  • Subscriptions/SubscriptionId
  • +
  • Subscriptions/SubscriptionId/Status
  • +
  • Subscriptions/SubscriptionId/Name
  • +
+
+ +## What's new in Windows 10, version 1703 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ItemDescription

[Update CSP](update-csp.md)

Added the following nodes:

+
    +
  • FailedUpdates/Failed Update Guid/RevisionNumber
  • +
  • InstalledUpdates/Installed Update Guid/RevisionNumber
  • +
  • PendingRebootUpdates/Pending Reboot Update Guid/RevisionNumber
  • +
+
[CM_CellularEntries CSP](cm-cellularentries-csp.md)

To PurposeGroups setting, added the following values:

+
    +
  • Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
  • +
  • Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
  • +
+

[CertificateStore CSP](certificatestore-csp.md)

Added the following setting:

+
    +
  • My/WSTEP/Renew/RetryAfterExpiryInterval
  • +
+

[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)

Added the following setting:

+
    +
  • SCEP/UniqueID/Install/AADKeyIdentifierList
  • +
+

[DMAcc CSP](dmacc-csp.md)

Added the following setting:

+
    +
  • AccountUID/EXT/Microsoft/InitiateSession
  • +
+

[DMClient CSP](dmclient-csp.md)

Added the following nodes and settings:

+
    +
  • HWDevID
  • +
  • Provider/ProviderID/ManagementServerToUpgradeTo
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage/Title
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText
  • +
+

[CellularSettings CSP](cellularsettings-csp.md)

[CM_CellularEntries CSP](cm-cellularentries-csp.md)

[EnterpriseAPN CSP](enterpriseapn-csp.md)

For these CSPs, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

+
[SecureAssessment CSP](secureassessment-csp.md)

Added the following settings:

+
    +
  • AllowTextSuggestions
  • +
  • RequirePrinting
  • +
+
[EnterpriseAPN CSP](enterpriseapn-csp.md)

Added the following setting:

+
    +
  • Roaming
  • +
+
[Messaging CSP](messaging-csp.md)

Added new CSP. This CSP is only supported in Windows 10 Mobile and Mobile Enteprise editions.

+
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies:

+
    +
  • Accounts/AllowMicrosoftAccountSignInAssistant
  • +
  • ApplicationDefaults/DefaultAssociationsConfiguration
  • +
  • Browser/AllowAddressBarDropdown
  • +
  • Browser/AllowFlashClickToRun
  • +
  • Browser/AllowMicrosoftCompatibilityList
  • +
  • Browser/AllowSearchEngineCustomization
  • +
  • Browser/ClearBrowsingDataOnExit
  • +
  • Browser/ConfigureAdditionalSearchEngines
  • +
  • Browser/DisableLockdownOfStartPages
  • +
  • Browser/PreventFirstRunPage
  • +
  • Browser/PreventLiveTileDataCollection
  • +
  • Browser/SetDefaultSearchEngine
  • +
  • Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
  • +
  • Connectivity/AllowConnectedDevices
  • +
  • DeliveryOptimization/DOAllowVPNPeerCaching
  • +
  • DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
  • +
  • DeliveryOptimization/DOMinDiskSizeAllowedToPeer
  • +
  • DeliveryOptimization/DOMinFileSizeToCache
  • +
  • DeliveryOptimization/DOMinRAMAllowedToPeer
  • +
  • DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
  • +
  • Display/TurnOffGdiDPIScalingForApps
  • +
  • Display/TurnOnGdiDPIScalingForApps
  • +
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
  • +
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
  • +
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
  • +
  • EnterpriseCloudPrint/CloudPrintResourceId
  • +
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
  • +
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
  • +
  • Experience/AllowFindMyDevice
  • +
  • Experience/AllowTailoredExperiencesWithDiagnosticData
  • +
  • Experience/AllowWindowsSpotlightOnActionCenter
  • +
  • Experience/AllowWindowsSpotlightWindowsWelcomeExperience
  • +
  • Location/EnableLocation
  • +
  • Messaging/AllowMMS
  • +
  • Messaging/AllowRCS
  • +
  • Privacy/LetAppsAccessTasks
  • +
  • Privacy/LetAppsAccessTasks_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessTasks_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsGetDiagnosticInfo
  • +
  • Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
  • +
  • Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
  • +
  • Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsRunInBackground
  • +
  • Privacy/LetAppsRunInBackground_ForceAllowTheseApps
  • +
  • Privacy/LetAppsRunInBackground_ForceDenyTheseApps
  • +
  • Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
  • +
  • Settings/ConfigureTaskbarCalendar
  • +
  • Settings/PageVisibilityList
  • +
  • SmartScreen/EnableAppInstallControl
  • +
  • SmartScreen/EnableSmartScreenInShell
  • +
  • SmartScreen/PreventOverrideForFilesInShell
  • +
  • Start/HideAppList
  • +
  • Start/HideChangeAccountSettings
  • +
  • Start/HideFrequentlyUsedApps
  • +
  • Start/HideHibernate
  • +
  • Start/HideLock
  • +
  • Start/HidePowerButton
  • +
  • Start/HideRecentJumplists
  • +
  • Start/HideRecentlyAddedApps
  • +
  • Start/HideRestart
  • +
  • Start/HideShutDown
  • +
  • Start/HideSignOut
  • +
  • Start/HideSleep
  • +
  • Start/HideSwitchAccount
  • +
  • Start/HideUserTile
  • +
  • Start/ImportEdgeAssets
  • +
  • Start/NoPinningToTaskbar
  • +
  • System/AllowFontProviders
  • +
  • System/DisableOneDriveFileSync
  • +
  • TextInput/AllowKeyboardTextSuggestions
  • +
  • TimeLanguageSettings/AllowSet24HourClock
  • +
  • Update/ActiveHoursMaxRange
  • +
  • Update/AutoRestartNotificationSchedule
  • +
  • Update/AutoRestartNotificationStyle
  • +
  • Update/AutoRestartRequiredNotificationDismissal
  • +
  • Update/DetectionFrequency
  • +
  • Update/EngagedRestartDeadline
  • +
  • Update/EngagedRestartSnoozeSchedule
  • +
  • Update/EngagedRestartTransistionSchedule
  • +
  • Update/IgnoreMOAppDownloadLimit
  • +
  • Update/IgnoreMOUpdateDownloadLimit
  • +
  • Update/PauseFeatureUpdatesStartTime
  • +
  • Update/PauseQualityUpdatesStartTime
  • +
  • Update/SetAutoRestartNotificationDisable
  • +
  • Update/SetEDURestart
  • +
  • WiFi/AllowWiFiDirect
  • +
  • WindowsLogon/HideFastUserSwitching
  • +
  • WirelessDisplay/AllowProjectionFromPC
  • +
  • WirelessDisplay/AllowProjectionFromPCOverInfrastructure
  • +
  • WirelessDisplay/AllowProjectionToPCOverInfrastructure
  • +
  • WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
  • +

Removed TextInput/AllowLinguisticDataCollection

+

Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enteprise and IoT Enterprise

+

Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.

+

Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.

+

Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.

+

Added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files.

+
[DevDetail CSP](devdetail-csp.md)

Added the following setting:

+
    +
  • DeviceHardwareData
  • +
+
[CleanPC CSP](cleanpc-csp.md)

Added new CSP.

[DeveloperSetup CSP](developersetup-csp.md)

Added new CSP.

[NetworkProxy CSP](networkproxy-csp.md)

Added new CSP.

[BitLocker CSP](bitlocker-csp.md)

Added new CSP.

+

Added the following setting:

+
    +
  • AllowWarningForOtherDiskEncryption
  • +
+
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.

Added the following settings:

+
    +
  • RevokeOnMDMHandoff
  • +
  • SMBAutoEncryptedFileExtensions
  • +
[DynamicManagement CSP](dynamicmanagement-csp.md)

Added new CSP.

[Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)

New mobile application management (MAM) support added in Windows 10, version 1703.

[PassportForWork CSP](passportforwork-csp.md)

Added the following new node and settings:

+
    +
  • TenantId/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
  • +
  • TenantId/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
  • +
  • TenantId/Policies/EnablePinRecovery
  • +
[Office CSP](office-csp.md)

Added new CSP.

[Personalization CSP](personalization-csp.md)

Added new CSP.

[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)

Added new CSP.

[HealthAttestation CSP](healthattestation-csp.md)

Added the following settings:

+
    +
  • HASEndpoint - added in Windows 10, version 1607, but not documented
  • +
  • TpmReadyStatus - added in the March service release of Windows 10, version 1607
  • +

[SurfaceHub CSP](surfacehub-csp.md)

Added the following nodes and settings:

+
    +
  • InBoxApps/SkypeForBusiness
  • +
  • InBoxApps/SkypeForBusiness/DomainName
  • +
  • InBoxApps/Connect
  • +
  • InBoxApps/Connect/AutoLaunch
  • +
  • Properties/DefaultVolume
  • +
  • Properties/ScreenTimeout
  • +
  • Properties/SessionTimeout
  • +
  • Properties/SleepTimeout
  • +
  • Properties/AllowSessionResume
  • +
  • Properties/AllowAutoProxyAuth
  • +
  • Properties/DisableSigninSuggestions
  • +
  • Properties/DoNotShowMyMeetingsAndFiles
  • +
+
[NetworkQoSPolicy CSP](networkqospolicy-csp.md)

Added new CSP.

[WindowsLicensing CSP](windowslicensing-csp.md)

Added the following setting:

+
    +
  • ChangeProductKey
  • +
+
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)

Added the following setting:

+
    +
  • Configuration/TelemetryReportingFrequency
  • +
+
[DMSessionActions CSP](dmsessionactions-csp.md)

Added new CSP.

+
[SharedPC CSP](dmsessionactions-csp.md)

Added new settings in Windows 10, version 1703.

+
    +
  • RestrictLocalStorage
  • +
  • KioskModeAUMID
  • +
  • KioskModeUserTileDisplayText
  • +
  • InactiveThreshold
  • +
  • MaxPageFileSizeMB
  • +
+

The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300.

+
[RemoteLock CSP](remotelock-csp.md)

Added following setting:

+
    +
  • LockAndRecoverPIN
  • +
+
[NodeCache CSP](nodecache-csp.md)

Added following settings:

+
    +
  • ChangedNodesData
  • +
  • AutoSetExpectedValue
  • +
+
[Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)

Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs.

+
[RemoteWipe CSP](remotewipe-csp.md)

Added new setting in Windows 10, version 1703.

+
    +
  • doWipeProtected
  • +
+
[MDM Bridge WMI Provider](https://msdnstage.redmond.corp.microsoft.com/en-us/library/windows/desktop/dn905224(v=vs.85).aspx)

Added new classes and properties.

+
[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)

Added a section describing SyncML examples of various ADMX elements.

+
[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)

Added a new topic describing how to deploy and configure App-V apps using MDM.

+
[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)

Added new setting in the March service release of Windows 10, version 1607.

+
    +
  • MSI/UpgradeCode/[Guid]
  • +
+
[Reporting CSP](reporting-csp.md)

Added new settings in Windows 10, version 1703.

+
    +
  • EnterpriseDataProtection/RetrieveByTimeRange/Type
  • +
  • EnterpriseDataProtection/RetrieveByCount/Type
  • +
+
[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)

Added following deep link parameters to the table:

+
    +
  • Username
  • +
  • Servername
  • +
  • Accesstoken
  • +
  • Deviceidentifier
  • +
  • Tenantidentifier
  • +
  • Ownership
  • +
+
MDM support for Windows 10 S

Updated the following topics to indicate MDM support in Windows 10 S.

+
    +
  • [Configuration service provider reference](configuration-service-provider-reference.md)
  • +
  • [Policy CSP](policy-configuration-service-provider.md)
  • +
+
  + + +## Breaking changes and known issues + +### Get command inside an atomic command is not supported + +In Windows 10, a Get command inside an atomic command is not supported. This was allowed in Windows Phone 8 and Windows Phone 8.1. + +### Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10 + +During an upgrade from Windows 8.1 to Windows 10, the notification channel URI information is not preserved. In addition, the MDM client loses the PFN, AppID, and client secret. + +After upgrading to Windows 10, you should call MDM\_WNSConfiguration class to recreate the notification channel URI. + +### Apps installed using WMI classes are not removed + +Applications installed using WMI classes are not removed when the MDM account is removed from device. + +### Passing CDATA in SyncML does not work + +Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windows 10. It worked in Windows Phone 8. + +### SSL settings in IIS server for SCEP must be set to "Ignore" + +The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine. + +![ssl settings](images/ssl-settings.png) + +### MDM enrollment fails on the mobile device when traffic is going through proxy + +When the mobile device is configured to use a proxy that requires authentication, the enrollment will fail. To work around this issue, the user can use a proxy that does not require authentication or remove the proxy setting from the connected network. + +### Server-initiated unenrollment failure + +Server-initiated unenrollment for a device enrolled by adding a work account silently fails leaving the MDM account active. MDM policies and resources are still in place and the client can continue to sync with the server. + +Remote server unenrollment is disabled for mobile devices enrolled via Azure Active Directory Join. 
It returns an error message to the server. The only way to remove enrollment for a mobile device that is Azure AD joined is by remotely wiping the device. + +### Certificates causing issues with Wi-Fi and VPN + +Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. + +### Version information for mobile devices + +The software version information from **DevDetail/SwV** does not match the version in **Settings** under **System/About**. + +### Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues + +- When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile using ApplicationRestrictions with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. + + Here's additional guidance for the upgrade process: + + - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). + - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher rule if you are using it. + - In the SyncML, you must use lowercase product ID. + - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. 
+ + For additional details, see [ApplicationRestrictions in PolicyManager CSP](policymanager-csp.md#applicationmanagement-applicationrestrictions). + +- Silverlight xaps may not install even if publisher policy is specified using Windows Phone 8.1 publisher rule. For example, Silverlight app "Level" will not install even if you specify <Publisher PublisherName=”Microsoft Corporation” />. + + To workaround this issue, remove the Windows Phone 8.1 publisher rule and add the specific product ID for each Silverlight app you want to allow to the allowed app list. + +- Some apps (specifically those that are published in Windows Store as AppX Bundles) are blocked from installing even when they are included in the app list. + + No workaround is available at this time. An OS update to fix this issue is coming soon. + +### Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218 + +Applies only to phone prior to build 10586.218: When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework Id to your list of allowed apps. + +``` syntax + +``` + +### Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile + +In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate. + +Enterprises deploying certificate based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. 
This can lead to issues such as: + +- The user may be prompted to select the certificate. +- The wrong certificate may get auto selected and cause an authentication failure. + +A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication. + +EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows: + +- For Wi-Fi, look for the <EAPConfig> section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under <EAPConfig> with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile. +- For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field. 
+ +For information about EAP Settings, see + +For information about generating an EAP XML, see [EAP configuration](eap-configuration.md) + +For more information about extended key usage, see + +For information about adding extended key usage (EKU) to a certificate, see + +The following list describes the prerequisites for a certificate to be used with EAP: + +- The certificate must have at least one of the following EKU (Extended Key Usage) properties: + + - Client Authentication + - As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2 + - Any Purpose + - An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering. + - All Purpose + - As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes. +- The user or the computer certificate on the client chains to a trusted root CA +- The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy. +- The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server. +- The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user. + +The following XML sample explains the properties for the EAP TLS XML including certificate filtering. 
+ +> **Note**  For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. + +  +``` syntax + + + 13 + + + 0 + 0 + 0 + + + + + + + 13 + + + + + true + + + + + + + false + + + false + false + false + + + + + + ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + + + + + + + + + + + ContostoITEKU + + 1.3.6.1.4.1.311.42.1.15 + + + + + + + + + ContostoITEKU + + + + + Example1 + + + true + + + + + + + + + + + +``` + +> **Note**  The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** + +  + +Alternatively you can use the following procedure to create an EAP Configuration XML. + +1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) topic. +2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.) + + ![vpn selfhost properties window](images/certfiltering1.png) + + > **Note**  For PEAP or TTLS, select the appropriate method and continue following this procedure. + +3. Click the **Properties** button underneath the drop down menu. +4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button. + + ![smart card or other certificate properties window](images/certfiltering2.png) +5. In the **Configure Certificate Selection** menu, adjust the filters as needed. + + ![configure certificate selection window](images/certfiltering3.png) +6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box. +7. Close the rasphone dialog box. +8. Continue following the procedure in the [EAP configuration](eap-configuration.md) topic from Step 9 to get an EAP TLS profile with appropriate filtering. + +> **Note**  You can also set all the other applicable EAP Properties through this UI as well. 
A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic. + + +### Remote PIN reset not supported in Azure Active Directory joined mobile devices + +In Windows 10 Mobile, remote PIN reset in Azure AD joined devices are not supported. Devices are wiped when you issue a remote PIN reset command using the RemoteLock CSP. + +### MDM client will immediately check-in with the MDM server after client renews WNS channel URI + +Starting in Windows 10, after the MDM client automatically renews the WNS channel URI, the MDM client will immediately check-in with the MDM server. Henceforth, for every MDM client check-in, the MDM server should send a GET request for "ProviderID/Push/ChannelURI" to retrieve the latest channel URI and compare it with the existing channel URI; then update the channel URI if necessary. + +### User provisioning failure in Azure Active Directory joined Windows 10 PC + +In Azure AD joined Windows 10 PC, provisioning /.User resources fails when the user is not logged in as an Azure AD user. If you attempt to join Azure AD from **Settings** > **System** > **About** user interface, make sure to log off and log on with Azure AD credentials to get your organizational configuration from your MDM server. This behavior is by design. + +### Requirements to note for VPN certificates also used for Kerberos Authentication + +If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premise resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. 
If certificates that do not meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication. This issue primarily impacts Windows Phone. + +### Device management agent for the push-button reset is not working + +The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/desktop/push-button-reset-overview) keeps the registry settings for OMA DM sessions, but deletes the task schedules. The client enrollment is retained, but it never syncs with the MDM service. + + +## Change history in MDM documentation + +### May 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md) +

Added the following new policies for Windows 10, version 1703:

+
    +
  • Browser/AllowFlashClickToRun
  • +
  • Experience/AllowFindMyDevice
  • +
  • Privacy/LetAppsAccessTasks
  • +
  • Privacy/LetAppsAccessTasks_ForceAllowTheseApps
  • +
  • Privacy/LetAppsAccessTasks_ForceDenyTheseApps
  • +
  • Privacy/LetAppsAccessTasks_UserInControlOfTheseApps
  • +
+

Starting in Windows 10, version 1703, the maximum value of Update/DeferFeatureUpdatesPeriodInDays has been increased from 180 days, to 365 days.

+

Added a statment that the following policies must target ./User.

+
    +
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
  • +
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
  • +
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
  • +
  • EnterpriseCloudPrint/CloudPrintResourceId
  • +
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
  • +
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
  • +
+
[Understanding ADMX-backed policies](understanding-admx-backed-policies.md)

Added a section describing SyncML examples of various ADMX elements.

+
[BitLocker CSP](bitlocker-csp.md) +

Added the following setting:

+
    +
  • AllowWarningForOtherDiskEncryption
  • +
+

Note that SystemDrivesMinimumPINLength is 6 digits instead of 4.

+
[Reporting CSP](reporting-csp.md)

Added new settings in Windows 10, version 1703.

+
    +
  • EnterpriseDataProtection/RetrieveByTimeRange/Type
  • +
  • EnterpriseDataProtection/RetrieveByCount/Type
  • +
+
[Connecting your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connecting-your-windows-10-based-device-to-work-using-a-deep-link)

Added following deep link parameters to the table:

+
    +
  • Username
  • +
  • Servername
  • +
  • Accesstoken
  • +
  • Deviceidentifier
  • +
  • Tenantidentifier
  • +
  • Ownership
  • +
+
[Firewall CSP](firewall-csp.md)

Added new CSP in the next major update to Windows 10.

+
MDM support for Windows 10 S

Updated the following topics to indicate MDM support in Windows 10 S.

+
    +
  • [Configuration service provider reference](configuration-service-provider-reference.md)
  • +
  • [Policy CSP](policy-configuration-service-provider.md)
  • +
+
+ +### April 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

+
    +
  • DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay
  • +
  • Start/ImportEdgeAssets
  • +
  • Update/DetectionFrequency
  • +
  • Update/PauseFeatureUpdatesStartTime
  • +
  • Update/PauseQualityUpdatesStartTime
  • +
  • Update/SetEDURestart
  • +
  • WiFi/AllowWiFiDirect
  • +
  • WirelessDisplay/AllowProjectionFromPC
  • +
  • WirelessDisplay/AllowProjectionFromPCOverInfrastructure
  • +
  • WirelessDisplay/AllowProjectionToPCOverInfrastructure
  • +
  • WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver
  • +
+

DeviceLock/EnforceLockScreenAndLogonImage is not supported in Windows 10 Pro edition.

+
[DMSessionActions CSP](sharedpc-csp.md)

Added new CSP for Windows 10, version 1703.

+

[CertificateStore CSP](certificatestore-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

+
    +
  • My/WSTEP/Renew/RetryAfterExpiryInterval
  • +
+

[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

+
    +
  • SCEP/UniqueID/Install/AADKeyIdentifierList
  • +
+

[DMAcc CSP](dmacc-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

+
    +
  • AccountUID/EXT/Microsoft/InitiateSession
  • +
+

[DMClient CSP](dmclient-csp.md)

Updated in Windows 10, version 1703. Added the following nodes and settings:

+
    +
  • HWDevID
  • +
  • Provider/ProviderID/ManagementServerToUpgradeTo
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage/Title
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage/BodyText
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkHref
  • +
  • Provider/ProviderID/CustomEnrollmentCompletePage/HyperlinkText
  • +
+
[SharedPC CSP](dmsessionactions-csp.md)

Added new settings in Windows 10, version 1703.

+
    +
  • RestrictLocalStorage
  • +
  • KioskModeAUMID
  • +
  • KioskModeUserTileDisplayText
  • +
  • InactiveThreshold
  • +
  • MaxPageFileSizeMB
  • +
+

The default value for SetEduPolicies changed to false. The default value for SleepTimeout changed to 300.

+
[RemoteLock CSP](remotelock-csp.md)

Added following setting:

+
    +
  • LockAndRecoverPIN
  • +
+
[NodeCache CSP](nodecache-csp.md)

Added following settings:

+
    +
  • ChangedNodesData
  • +
  • AutoSetExpectedValue
  • +
+
[Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)

Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs.

+
[RemoteWipe CSP](remotewipe-csp.md)

Added new setting in Windows 10, version 1703.

+
    +
  • doWipeProtected
  • +
+
[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)

Added new setting in the March service release of Windows 10, version 1607.

+
    +
  • MSI/UpgradeCode/[Guid]
  • +
+
[MDM Bridge WMI Provider](https://msdnstage.redmond.corp.microsoft.com/en-us/library/windows/desktop/dn905224(v=vs.85).aspx)

Updated for Windows 10, version 1703. Added new classes and properties.

+
[Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)

Added a new topic describing how to deploy and configure App-V apps using MDM.

+
+ +### March 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

+
    +
  • Accounts/AllowMicrosoftAccountSignInAssistant
  • +
  • Connectivity/AllowConnectedDevices
  • +
  • Display/TurnOffGdiDPIScalingForApps
  • +
  • Display/TurnOnGdiDPIScalingForApps
  • +
  • Location/EnableLocation
  • +
  • SmartScreen/EnableAppInstallControl
  • +
  • SmartScreen/EnableSmartScreenInShell
  • +
  • SmartScreen/PreventOverrideForFilesInShell
  • +
  • Update/IgnoreMOAppDownloadLimit
  • +
  • Update/IgnoreMOUpdateDownloadLimit
  • +
+

For Windows 10, version 1703, added the ConfigOperations/ADMXInstall node and setting, which is used to ingest ADMX files.

+
[DeviceLock/DevicePasswordEnabled](policy-configuration-service-provider.md#devicelock-devicepasswordenabled) in Policy CSP

Added the following note:

+

**DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below:

+
    +
  • DevicePasswordEnabled is the parent policy of the following: +
    • AllowSimpleDevicePassword
    • +
    • MinDevicePasswordLength
    • +
    • AlphanumericDevicePasswordRequired +
      • MinDevicePasswordComplexCharacters
    •   +
    • MaxDevicePasswordFailedAttempts
    • +
    • MaxInactivityTimeDeviceLock
[Personalization CSP](personalization-csp.md)

Added new CSP for Windows 10, version 1703.

[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)

Added new CSP for Windows 10, version 1703.

[HealthAttestation CSP](healthattestation-csp.md)

Added the following settings:.

+
    +
  • HASEndpoint - added in Windows 10, version 1607, but not documented
  • +
  • TpmReadyStatus - added in the March service release of Windows 10, version 1607
  • +

[SurfaceHub CSP](surfacehub-csp.md)

Updated in Windows 10, version 1703. Added the following nodes and settings:

+
    +
  • InBoxApps/SkypeForBusiness
  • +
  • InBoxApps/SkypeForBusiness/DomainName
  • +
  • InBoxApps/Connect
  • +
  • InBoxApps/Connect/AutoLaunch
  • +
  • Properties/DefaultVolume
  • +
  • Properties/ScreenTimeout
  • +
  • Properties/SessionTimeout
  • +
  • Properties/SleepTimeout
  • +
  • Properties/AllowSessionResume
  • +
  • Properties/AllowAutoProxyAuth
  • +
  • Properties/DisableSigninSuggestions
  • +
  • Properties/DoNotShowMyMeetingsAndFiles
  • +
+
[NetworkQoSPolicy CSP](networkqospolicy-csp.md)

Added new CSP for Windows 10, version 1703.

[EnterpriseAPN CSP](enterpriseapn-csp.md)

Added the following setting:

+
    +
  • Roaming
  • +
+

[WindowsLicensing CSP](windowslicensing-csp.md)

Added the following setting for Windows 10, version 1703:

+
    +
  • ChangeProductKey
  • +
+

Added the following new node and settings in Windows 10, version 1607, but not previously documented:

+
    +
  • Subscriptions
  • +
  • Subscriptions/SubscriptionId
  • +
  • Subscriptions/SubscriptionId/Status
  • +
  • Subscriptions/SubscriptionId/Name
  • +
+
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Added the following settings:

+
    +
  • RevokeOnMDMHandoff
  • +
  • SMBAutoEncryptedFileExtensions
  • +
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)

Updated in Windows 10, version 1703. Added the following setting:

+
    +
  • Configuration/TelemetryReportingFrequency
  • +
+
+ +### February 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[SecureAssessment CSP](secureassessment-csp.md)

Updated the following setting names:

+
    +
  • AllowScreenMonitoring - previously ScreenCaptureCapability
  • +
  • RequirePrinting - previously PrintingCapability
  • +
+
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Added the following statement to [Settings/EDPShowIcons](enterprisedataprotection-csp.md#settings-edpshowicons):

    +
  • Starting in Windows 10, version 1703 this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app.
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

+
    +
  • ApplicationDefaults/DefaultAssociationsConfiguration
  • +
  • Browser/AllowAddressBarDropdown
  • +
  • Browser/AllowMicrosoftCompatibilityList
  • +
  • Browser/AllowSearchEngineCustomization
  • +
  • Browser/ClearBrowsingDataOnExit
  • +
  • Browser/ConfigureAdditionalSearchEngines
  • +
  • Browser/DisableLockdownOfStartPages
  • +
  • Browser/PreventFirstRunPage
  • +
  • Browser/PreventLiveTileDataCollection
  • +
  • Browser/SetDefaultSearchEngine
  • +
  • Browser/SyncFavoritesBetweenIEAndMicrosoftEdge
  • +
  • Connectivity/AllowConnectedDevices
  • +
  • DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload
  • +
  • Experience/AllowTailoredExperiencesWithDiagnosticData
  • +
  • Experience/AllowWindowsSpotlightOnActionCenter
  • +
  • Experience/AllowWindowsSpotlightWindowsWelcomeExperience
  • +
  • Settings/ConfigureTaskbarCalendar
  • +
  • Settings/PageVisibilityList
  • +
  • Start/HideAppList
  • +
  • Start/HideChangeAccountSettings
  • +
  • Start/HideFrequentlyUsedApps
  • +
  • Start/HideHibernate
  • +
  • Start/HideLock
  • +
  • Start/HidePowerButton
  • +
  • Start/HideRecentJumplists
  • +
  • Start/HideRecentlyAddedApps
  • +
  • Start/HideRestart
  • +
  • Start/HideShutDown
  • +
  • Start/HideSignOut
  • +
  • Start/HideSleep
  • +
  • Start/HideSwitchAccount
  • +
  • Start/HideUserTile
  • +
  • Start/NoPinningToTaskbar
  • +
  • System/AllowFontProviders
  • +
  • System/DisableOneDriveFileSync
  • +
  • TextInput/AllowKeyboardTextSuggestions
  • +
  • TimeLanguageSettings/AllowSet24HourClock
  • +
  • Update/ActiveHoursMaxRange
  • +
  • Update/AutoRestartNotificationSchedule
  • +
  • Update/AutoRestartNotificationStyle
  • +
  • Update/AutoRestartRequiredNotificationDismissal
  • +
  • Update/EngagedRestartDeadline
  • +
  • Update/EngagedRestartSnoozeSchedule
  • +
  • Update/EngagedRestartTransistionSchedule
  • +
  • Update/SetAutoRestartNotificationDisable
  • +
  • WindowsLogon/HideFastUserSwitching
  • +
+

Starting in Windows 10, version 1703, Update/UpdateServiceUrl is not supported in Windows 10 Mobile Enteprise and IoT Enterprise

+

Starting in Windows 10, version 1703, in Browser/HomePages you can use the "<about:blank>" value if you don’t want to send traffic to Microsoft.

+

Starting in Windows 10, version 1703, Start/StartLayout can now be set on a per-device basis in addition to the pre-existing per-user basis.

+
[NetworkProxy CSP](networkproxy-csp.md)

Added new CSP for Windows 10, version 1703.

[BitLocker CSP](bitlocker-csp.md)

Added new CSP for Windows 10, version 1703.

[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.

[DynamicManagement CSP](dynamicmanagement-csp.md)

Added new CSP for Windows 10, version 1703.

[Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)

New mobile application management (MAM) support added in Windows 10, version 1703.

[PassportForWork CSP](passportforwork-csp.md)

Updated in Windows 10, version 1703. Added the following new node and settings:

+
    +
  • TenantId/Policies/ExcludeSecurityDevices (only for ./Device/Vendor/MSFT)
  • +
  • TenantId/Policies/ExcludeSecurityDevices/TPM12 (only for ./Device/Vendor/MSFT)
  • +
  • TenantId/Policies/EnablePinRecovery
  • +
[Office CSP](office-csp.md)

Added new CSP for Windows 10, version 1703.

+ +### January 2017 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[Reboot CSP](reboot-csp.md)

RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work. Also updated the Note in RebootNow.

+
[Device update management](device-update-management.md)

Updated the following section:

+
    +
  • [Recommended Flow for Using the Server-Server Sync Protocol](device-update-management.md#recommendedflow)
  • +
[SecureAssessment CSP](secureassessment-csp.md)

Updated in Windows 10, version 1703. Added the following settings

+
    +
  • AllowTextSuggestions
  • +
  • PrintingCapability
  • +
  • ScreenCaptureCapability
  • +
+
[DevDetail CSP](devdetail-csp.md)

Updated in Windows 10, version 1703. Added the following setting: DeviceHardwareData

[Messaging CSP](messaging-csp.md)

Added new CSP for Windows 10, version 1703. This CSP is only supported in Windows 10 Mobile and Mobile Enteprise editions.

+
[Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1703:

+
    +
  • DeliveryOptimization/DOAllowVPNPeerCaching
  • +
  • DeliveryOptimization/DOMinDiskSizeAllowedToPeer
  • +
  • DeliveryOptimization/DOMinFileSizeToCache
  • +
  • DeliveryOptimization/DOMinRAMAllowedToPeer
  • +
  • EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint
  • +
  • EnterpriseCloudPrint/CloudPrintOAuthAuthority
  • +
  • EnterpriseCloudPrint/CloudPrintOAuthClientId
  • +
  • EnterpriseCloudPrint/CloudPrintResourceId
  • +
  • EnterpriseCloudPrint/DiscoveryMaxPrinterLimit
  • +
  • EnterpriseCloudPrint/MopriaDiscoveryResourceId
  • +
  • Messaging/AllowMMS
  • +
  • Messaging/AllowRCS
  • +
  • Privacy/LetAppsGetDiagnosticInfo
  • +
  • Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps
  • +
  • Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps
  • +
  • Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps
  • +
  • Privacy/LetAppsRunInBackground
  • +
  • Privacy/LetAppsRunInBackground_ForceAllowTheseApps
  • +
  • Privacy/LetAppsRunInBackground_ForceDenyTheseApps
  • +
  • Privacy/LetAppsRunInBackground_UserInControlOfTheseApps
  • +
+

Added the following new policy for the January service release of Windows 10, version 1607: Update/UpdateServiceUrlAlternate

+

Removed TextInput/AllowLinguisticDataCollection from Policy CSP in Windows 10 version 1703.

+
[CleanPC CSP](cleanpc-csp.md)

Added new CSP for Windows 10, version 1703.

[DeveloperSetup CSP](developersetup-csp.md)

Added new CSP for Windows 10, version 1703.

Added a download of Windows 10 version 1607 DDF files

You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).

+
[DeviceStatus CSP](devicestatus-csp.md)

Added the following values for DeviceStatus/NetworkIdentifiers/MacAddress/Type setting:

+
    +
  • 2 - WLAN (or other Wirless interface)
  • +
  • 1 - LAN (or other Wired interface)
  • +
  • 0 - Unknown
  • +
+ +### December, 2016 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[Update CSP](update-csp.md)

Added the following nodes:

+
    +
  • FailedUpdates/Failed Update Guid/RevisionNumber
  • +
  • InstalledUpdates/Installed Update Guid/RevisionNumber
  • +
  • PendingRebootUpdates/Pending Reboot Update Guid/RevisionNumber
  • +
+
[AppLocker CSP](applocker-csp.md)

Added information about exempt applications list to the EnterpriseDataProtection setting.

+
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

To Settings/RequireProtectionUnderLockConfig, added supported values.

+
[CM_CellularEntries CSP](cm-cellularentries-csp.md)

To PurposeGroups setting, added the following values for the next major update of Windows 10:

+
    +
  • Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB
  • +
  • Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364
  • +
+
[CellularSettings CSP](cellularsettings-csp.md)

[CM_CellularEntries CSP](cm-cellularentries-csp.md)

[EnterpriseAPN CSP](enterpriseapn-csp.md)

In the next major update of Windows 10, support was added for Windows 10 Home, Pro, Enterprise, and Education editions.

+
Updated the DDF topics.The following DDF topics were updated: +
    +
  • [DeviceManageability DDF file](devicemanageability-ddf.md)
  • +
  • [ClientCertificateInstall DDF file](clientcertificateinstall-ddf-file.md)
  • +
  • [DevDetail DDF file](devdetail-ddf-file.md)
  • +
  • [DeviceStatus DDF file](devicestatus-ddf.md)
  • +
  • [DevInfo DDF file](DevInfo-ddf-file.md)
  • +
  • [RootCATrustedCertificates DDF file](rootcacertificates-ddf-file.md)
  • +
  • [PassportForWork DDF](passportforwork-ddf.md)
  • +
  • [EnterpriseExt DDF](enterpriseext-ddf.md)
  • +
[Reporting CSP](reporting-csp.md)

Reporting/SecurityAuditing setting is not supported in Windows 10, version 1607 in the desktop editions.

+
+ +### November 2016 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[EnterpriseAPN CSP](enterpriseapn-csp.md)

The EnterpriseAPN configuration service provider (CSP) is not supported in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), versions 1511 and 1607.

+
[Defender CSP](defender-csp.md)

Added the following values for Defender/Scan setting:

+
    +
  • 1 - quick scan
  • +
  • 2 - full scan
  • +
+
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)

Added data recovery agent (DRA) information to Settings/DataRecoveryCertificate.

+
[Disconnecting from the management infrastructure (unenrollment)](disconnecting-from-mdm-unenrollment.md)

Added information about unenrollment from Azure Active Directory Join.

+
[Policy CSP](policy-configuration-service-provider.md)

Updated the description of the following policies.

    +
  • [Browser/Homepages](policy-configuration-service-provider.md#browser-homepages)
  • +
  • [DeviceLock/MaxInactivityTimeDeviceLock](policy-configuration-service-provider.md#devicelock-maxinactivitytimedevicelock)
  • +
  • [Experience/ConfigureWindowsSpotlightOnLockScreen](policy-configuration-service-provider.md#experience-configurewindowsspotlightonlockscreen)
  • +

+
+ +### October 27, 2016 + + ++++ + + + + + + + + + + + + + + + +
New or updated topicDescription
[CM_ProxyEntries CSP](cm-proxyentries-csp.md)

Support for OMA DM was added in Windows 10, version 1607

+
[AppLocker CSP](applocker-csp.md)

[Recommended deny list for Windows Information Protection](applocker-csp.md#recommended-deny-list-for-windows-information-protection) - example for Windows 10, version 1607 that denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications. +

+
+ +### October 21, 2016 + + ++++ + + + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Updated the most restricted values for the following policies:

+
    +
  • Browser/AllowDoNotTrack
  • +
  • Browser/AllowPasswordManager
  • +
  • Browser/AllowPopups
  • +
  • Browser/AllowSmartScreen
  • +
+ +  + +### October 6, 2016 + + ++++ + + + + + + + + + + + + + + + + +
New or updated topicDescription

WindowsTeam CSP

Deleted the WindowsTeam CSP topic. You should use [SurfaceHub](surfacehub-csp.md) instead.

[Policy CSP](policy-configuration-service-provider.md)

Added the following policies:

+
    +
  • Search/DisableBackoff
  • +
  • Search/DisableRemovableDriveIndexing
  • +
  • Search/PreventIndexingLowDiskSpaceMB
  • +
  • Search/PreventRemoteQueries
  • +
+ +  + +### September 29, 2016 + + ++++ + + + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Updated the following policy:

+
    +
  • System/AllowBuildPreview - supported in Windows 10 Mobile and Windows 10 Mobile Enterprise
  • +
  • Experience/AllowThirdPartySuggestionsInWindowsSpotlight - supported in Windows 10 Pro.
  • +
+ +  + +### September 22, 2016 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[AppLocker CSP](applocker-csp.md)

Added the following note the the list of [Inbox apps and components](applocker-csp.md#inboxappsandcomponents):

+
+Note This list identifies system apps that ship as part of Windows that you can add to your AppLocker policy to ensure proper functioning of the operating system. If you decide to block some of these apps, we recommend a thorough testing before deploying to your production environment. Failure to do so may result in unexpected failures and can significantly degrade the user experience. +
+

[ComputerName](https://msdn.microsoft.com/library/windows/hardware/mt188590) in Windows Provisioning settings reference

ComputerName does not support asterisk (*) and does not support empty string.

[Policy CSP](policy-configuration-service-provider.md)

Updated the supported values for [Update/BranchReadinessLevel](policy-configuration-service-provider.md#update-branchreadinesslevel)

[Device update management](device-update-management.md)

Updated the following section:

+
    +
  • [Getting update metadata using the Server-Server sync protocol](device-update-management.md#gettingupdatemetadata)
  • +
+ +  + +### September 12, 2016 + + ++++ + + + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md)

Added the following statement to Update/DeferUpdatePeriod policy:

+

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following:

+
    +
  • Update/RequireDeferUpgrade must be set to 1
  • +
  • System/AllowTelemetry must be set to 1 or higher
  • +
+

Added new policy Experience/AllowThirdPartySuggestionsInWindowsSpotlight in Windows 10, version 1607.

+ +  + +### September 8, 2016 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

Updated the names for the following settings:

+
    +
  • AppInventoryQuery
  • +
  • AppInventoryResults
  • +
[Policy CSP](policy-configuration-service-provider.md)

Updated the following policy description:

+

+
+
System/AllowTelemetry
+

Allow the device to send diagnostic and usage telemetry data, such as Watson.

+

The following lists describe the supported values:

+

Windows 8.1 values

+
    +
  • 0 – Not allowed
  • +
  • 1 – Allowed, except for Secondary Data Requests.
  • +
  • 2 (default) – Allowed.
  • +
+

Windows 10 values

+
    +
  • 0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender. +
    +Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +
    +
  • +
  • 1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.
  • +
  • 2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.
  • +
  • 3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.
  • +
+
+Important If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. +
+

Most restricted value is 0.

+
+
[OMA DM protocol support](oma-dm-protocol-support.md)

Updated the following description:

+
    +
  • LocURI - Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
  • +
[VPNv2 CSP](vpnv2-csp.md)

Updated the following description:

+
    +
  • VPNv2/ProfileName - Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/).

    +

    Supported operations include Get, Add, and Delete.

    +
    +Note  If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard. +
    +
  • +
[MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/hardware/dn905224)

Replaced the descriptions for each class member with links to the corresponding node in the CSP topic. The CSP topics contain the most up-to-date information.

+ +  + +### September 2, 2016 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[Policy CSP](policy-configuration-service-provider.md) +

[PolicyManager CSP](policymanager-csp.md)

Added the following note:

+
    +
  • You cannot disable or enable Contact Support and Windows Feedback apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents).
  • +
[PassportForWork CSP](passportforwork-csp.md)

Added the following note:

+
+Important  Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. +
+
[ProfileXML XSD](vpnv2-profile-xsd.md)

Updated the [Native profile example](vpnv2-profile-xsd.md#native-profile-example) example.

[Policy CSP](policy-configuration-service-provider.md) +

[Device update management](device-update-management.md)

The following policies are not supported in Windows 10 Mobile Enterprise:

+
    +
  • DeferUpgradePeriod
  • +
  • DeferFeatureUpdatesPeriodInDays
  • +
  • PauseFeatureUpdates
  • +
  • ExcludeWUDrivers
  • +
+
+Note  Since these policies are not blocked, you will not get a failure message when you use them to configure a Windows 10 Mobile Enterprise device. However, the policies will not take effect. +
+

Added additional information about update policies supported for Windows Update for Business in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement).

[DevDetail CSP](devdetail-csp.md)

In Ext/Microsoft/DeviceName node, the Replace operation is only supported in Windows 10 Mobile, and not supported in the desktop.

+ +  + +### August 25, 2016 + + ++++ + + + + + + + + + + + + + + + + +
New or updated topicDescription
[Policy DDF file](policy-ddf-file.md)

Updated version for Windows 10, version 1607

[MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)

Updated the section about enrolling in MDM on a desktop. Added a new section for enrolling in MDM on a phone.

+ +  + +### August 18, 2016 + + ++++ + + + + + + + + + + + + +
New or updated topicDescription
[CertificateStore CSP](certificatestore-csp.md) +

[CertificateStore DDF file](certificatestore-ddf-file.md)

Added the following new settings in Windows 10, version 1607:

+
    +
  • My/WSTEP/Renew/LastRenewalAttemptTime
  • +
  • My/WSTEP/Renew/RenewNow
  • +
+ +  + +### August 11, 2016 + + ++++ + + + + + + + + + + + + + + + + +
New or updated topicDescription
[Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)

Added new section:

+
    +
  • [Retry logic in case of a failure](bulk-enrollment-using-windows-provisioning-tool.md#retry-logic-in-case-of-a-failure)
  • +
[Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)

Added a link to MDM enrollment templates and CSS files:

+
    +
  • [Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)
  • +
+ +  + +### August 2, 2016 + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
New or updated topicDescription
[OMA DM protocol support](oma-dm-protocol-support.md)

Added a table of common SyncML response codes that occur during OMA DM sessions.

[Mobile device enrollment](mobile-device-enrollment.md)

Updated the following section:

+
    +
  • [Enrollment error messages](mobile-device-enrollment.md#enrollment-error-messages)
  • +
[SUPL CSP](supl-csp.md)

LocMasterSwitchDependencyNII setting is not deprecated. Removed the note that it's deprecated in Windows 10.

[Push notification support for device management](push-notification-windows-mdm.md)

Added the following section:

+
    +
  • [Get WNS credentials and PFN for MDM push notification](push-notification-windows-mdm.md#get-wns-credentials-and-pfn-for-mdm-push-notification)
  • +
[RemoteWipe CSP](remotewipe-csp.md)

Updated [The Remote Wipe Process](remotewipe-csp.md#the-remote-wipe-process) section. Added the following note:

+
+Note  On the desktop, the remote wipe effectively performs a factory reset and the PC does not retain any information about the command once the wipe completes. Any response from the device about the actual status or result of the command may be inconsistent and unreliable because the MDM information has been removed. +
+
[Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)

Added new step-by-step guide for creating and applying provisioning packages.

+ +  + +## FAQ + + +**Can there be more than 1 MDM server to enroll and manage devices in Windows 10?** +No. Only one MDM is allowed. + +**How do I set the maximum number of Azure Active Directory joined devices per user?** +1. Login to the portal as tenant admin: https://manage.windowsazure.com. +2. Click Active Directory on the left pane. +3. Choose your tenant. +4. Click **Configure**. +5. Set quota to unlimited. + + ![aad maximum joined devices](images/faq-max-devices.png) + +  + +  + + + + + diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md new file mode 100644 index 0000000000..66ec4f198b --- /dev/null +++ b/windows/client-management/mdm/nodecache-csp.md 
@@ -0,0 +1,365 @@ +--- +title: NodeCache CSP +description: NodeCache CSP +ms.assetid: b4dd2b0d-79ef-42ac-ab5b-ee07b3097876 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# NodeCache CSP + + +The NodeCache configuration service provider is used to manage the client cache. This configuration service provider is to be used only by enterprise management servers. It provides a level of abstraction that decouples the management of the node list from a specific backing store. It synchronizes the client cache with the server side cache. It also provides an API for monitoring device-side cache changes. + +NodeCache supports the comparison of hash values instead of actual node values: + +``` syntax + +application/x-nodemon-sha256 + +``` + +NodeCache will hash the values and compare with a hash value that was sent down by the server. This supports checking a parent node and its children recursively. + +The following diagram shows the NodeCache configuration service provider in tree format. + +![nodecache csp](images/provisioning-csp-nodecache.png) + +**./Device/Vendor/MSFT and ./User/Vendor/MSFT** +Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax. Starting in Windows 10, version 1607 the value is com.microsoft/\/MDM/NodeCache. + +***ProviderID*** +Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic. + +Supported operations are Get, Add, and Delete. 
+ +***ProviderID*/CacheVersion** +Optional. Character string representing the cache version set by the server. Scope is dynamic. + +Data type is string. Supported operations are Get, Add, and Replace. + +***ProviderID*/ChangedNodes** +Optional. List of nodes whose values do not match their expected values as specified in **/*NodeID*/ExpectedValue**. Scope is dynamic. + +Data type is string. Supported operation is Get. + +***ProviderID*/ChangedNodesData** +Added in Windows 10, version 1703. Optional. XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue. + +Suppported operation is Get. + +***ProviderID*/Nodes** +Required. Root node for cached nodes. Scope is dynamic. + +Supported operation is Get. + +**/Nodes/****_NodeID_** +Optional. Information about each cached node is stored under *NodeID* as specified by the server. This value must not contain a comma. Scope is dynamic. + +Supported operations are Get, Add, and Delete. + +**/*NodeID*/NodeURI** +Required. This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. Scope is dynamic. + +Data type is string. Supported operations are Get, Add, and Delete. + +**/*NodeID*/ExpectedValue** +Required. This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported values are string and x-nodemon-nonexistent. + +Supported operations are Get, Add, and Delete. + +Here's an example for setting the ExpectedValue to nonexistent. + +``` syntax + + 10 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/ExpectedValue + + + chr + application/x-nodemon-nonexistent + + + +``` + +**/*NodeID*/AutoSetExpectedValue** +Added in Windows 10, version 1703. Required. This automatically sets the value on the device to match the actual value of the node. 
The node is specified in NodeURI. + +Supported operations are Add, Get, and Delete. + +## A typical DM session with the NodeCache configuration service provider + + +1. The device connects to a DM server. + +2. The server queries the **NodeCache** version by issuing a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/CacheVersion LocURI + +3. If the device **CacheVersion** and the server-side cache differ (due to a device crash or server crash), the server can clear the server-side cache and go to Step 5. + +4. The server updates the server-side cache: + + 1. Sends a Get operation for ./Vendor/MSFT/NodeCache/*ProviderID*/ChangedNodes LocURI + + 2. Response is a list of changed node IDs. Each ID in the list corresponds to a node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes root + + 3. For each node in the invalid nodes list, the server sends a `GET` command to retrieve the actual value of the node. For example, `GET `, where `NodeURI` is a full device LocURI that corresponds to the invalid cache node. + + 4. Nodes in the server-side cache are updated with the actual values received from the device. + + 5. For each updated node, a `REPLACE` command is sent to the device to update the device-side cache: + + `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/Nodes/NodeID/ExpectedValue => ActualValue` + + 6. A new cache version is created and sent to the device: + + `REPLACE ./Vendor/MSFT/NodeCache/ProviderID/CacheVersion => new_version` + + The `new_version` value is stored by the server. + +5. The management server retrieves the corresponding value from the server-side cache: + + 1. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the device. + + 2. If a value does not exist in the server-side cache, do the following: + + 1. Create a new entry with a unique *NodeID* in the server-side cache. + + 2. Query the device to retrieve the actual value of the URI. + + 3. 
Create a new node under ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes with *NodeID* value. + + 4. Set up **NodeURI** and **ExpectedValue** for the ./Vendor/MSFT/NodeCache/*ProviderID*/Nodes/*NodeID* node. + + 5. Update the **CachedNodes** version. + +## OMA DM examples + + +Creating settings for node caching: + +``` syntax + + 2 + + + ./Vendor/MSFT/NodeCache/MDMSRV1 + + + node + + + + + 4 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001 + + + node + + + + + 5 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001/NodeURI + + ./Vendor/MSFT/DeviceLock/Provider/MDMSRV1/DevicePasswordEnabled + + + + 6 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001/ExpectedValue + + 0 + + + + 8 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002 + + + node + + + + + 9 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/NodeURI + + + ./Vendor/MSFT/DeviceLock/Provider/MDMSRV1/AlphanumericDevicePasswordRequired + + + + + 10 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/ExpectedValue + + 0 + + +``` + +Getting nodes under Provider ID MDMSRV1, cache version, changed nodes, node, expected value: + +``` syntax + + 18 + + + ./Vendor/MSFT/NodeCache/MDMSRV1 + + + + + 19 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/CacheVersion + + + + + 20 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/ChangedNodes + + + + + 21 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001 + + + + + 22 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001/ExpectedValue + + + +``` + +Replacing the cache version, node URI, and expected value: + +``` syntax + + 2 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/CacheVersion + + SCCM0001@!Replace + + + + 2 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001/NodeURI + + ./Vendor/MSFT/DeviceLock/DeviceValue/AllowSimpleDevicePassword + + + + 2 + + + ./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001/ExpectedValue + + 2 + + +``` + +For AutoSetExpectedValue, a Replace operation with empty data will query the ./DevDetail/Ext/Microsoft/DeviceName. 
+ +```syntax + + 2001 + + + ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20 + + + node + + + + + 2002 + + + ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/NodeURI + + ./DevDetail/Ext/Microsoft/DeviceName + + + + 2003 + + + ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/AutoSetExpectedValue + + + + +``` + +A Get operation on ./Vendor/MSFT/NodeCache/MDM%20SyncML%20Server/Nodes/20/ExpectedValue returns what the Device Name was when the AutoSet was called. + +A Get operation on the ChangedNodesData returns an encoded XML. Here is example: + +```syntax +<Nodes><Node Id="10" Uri=""></Node><Node Id="20" Uri="./DevDetail/Ext/Microsoft/DeviceName">U09NRU5FV1ZBTFVF</Node></Nodes> +``` +It represents this: + +```syntax + + + U09NRU5FV1ZBTFVF + +``` +Id is the node ID that was added by the MDM server, and Uri is the path that the node is tracking. +If a Uri is not set, the node will always be reported as changed, as in Node id 10. + +The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. + + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/nodecache-ddf-file.md b/windows/client-management/mdm/nodecache-ddf-file.md new file mode 100644 index 0000000000..1d3eb141bc --- /dev/null +++ b/windows/client-management/mdm/nodecache-ddf-file.md 
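Review bot: The closing explanation of the ChangedNodesData example misreads its own sample: the node content `U09NRU5FV1ZBTFVF` is base64 (it decodes to `SOMENEWVALUE`), so the sentence claiming "the device name is now U09NRU5FV1ZBTFVF" is wrong and the earlier "returns an encoded XML" never says which encoding the inner values use. I would replace that last paragraph with `The value inside the node tag is the base64-encoded actual value returned by the Uri. For Node Id 20, U09NRU5FV1ZBTFVF decodes to SOMENEWVALUE, so the device name no longer matches the ExpectedValue recorded when AutoSetExpectedValue ran.` and state the encoding (base64, and the character encoding of the underlying string, if known) once where ChangedNodesData is introduced. The hash-comparison paragraph near the top of the file (`application/x-nodemon-sha256`) similarly never says what bytes the SHA-256 is computed over, so an MDM server author cannot reproduce the hash the client compares against; a one-line statement of the hashed input would make that mode usable. These are the only two places in the new file where a server implementer is left to guess the wire format.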
@@ -0,0 +1,497 @@ +--- +title: NodeCache DDF file +description: NodeCache DDF file +ms.assetid: d7605098-12aa-4423-89ae-59624fa31236 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# NodeCache DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **NodeCache** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + NodeCache + ./User/Vendor/MSFT + + + + + The root node for the NodeCache object. + + + + + + + + + + + com.microsoft/1.2/MDM/NodeCache + + + + + + + + + + + Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. + + + + + + + + + + ProviderID + + + + + + CacheVersion + + + + + + + Character string representing the cache version set by the server. 
+ + + + + + + + + + + text/plain + + + + + ChangedNodes + + + + + List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + text/plain + + + + + ChangedNodesData + + + + + XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + text/plain + + + + + Nodes + + + + + Root node for cached nodes + + + + + + + + + + + + + + + + + + + + + + Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. + + + + + + + + + + NodeID + + + + + + NodeURI + + + + + + + This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. + + + + + + + + + + + text/plain + + + + + ExpectedValue + + + + + + + This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. + + + + + + + + + + + text/plain + + + + + AutoSetExpectedValue + + + + + + + This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + + + + + text/plain + + + + + + + + + NodeCache + ./Device/Vendor/MSFT + + + + + The root node for the NodeCache object. + + + + + + + + + + + com.microsoft/1.2/MDM/NodeCache + + + + + + + + + + + Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server PROVIDER-ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. In Windows Phone 8, only one enterprise management server is supported. That is, there should be only one ProviderID node under NodeCache. + + + + + + + + + + ProviderID + + + + + + CacheVersion + + + + + + + Character string representing the cache version set by the server. 
+ + + + + + + + + + + text/plain + + + + + ChangedNodes + + + + + List of nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + text/plain + + + + + ChangedNodesData + + + + + XML containing nodes whose values do not match their expected values as specified in /NodeID/ExpectedValue + + + + + + + + + + + text/plain + + + + + Nodes + + + + + Root node for cached nodes + + + + + + + + + + + + + + + + + + + + + + Information about each cached node is stored under NodeID as specified by the server. This value must not contain a comma. + + + + + + + + + + NodeID + + + + + + NodeURI + + + + + + + This node's value is a complete OMA DM node URI. It can specify either an interior or leaf node in the device management tree. + + + + + + + + + + + text/plain + + + + + ExpectedValue + + + + + + + This is the value that the server expects to be on the device. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. + + + + + + + + + + + text/plain + + + + + AutoSetExpectedValue + + + + + + + This will automatically set the value on the device to match the node's actual value. The node is specified in NodeURI. + + + + + + + + + + + text/plain + + + + + + + + +``` + +## Related topics + + +[NodeCache configuration service provider](nodecache-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md new file mode 100644 index 0000000000..ca215622b9 --- /dev/null +++ b/windows/client-management/mdm/office-csp.md 
@@ -0,0 +1,165 @@ +--- +title: Office CSP +description: The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device. This CSP was added in Windows 10, version 1703. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Office CSP + +The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx). +This CSP was added in Windows 10, version 1703. + +For additional information, see [Office DDF](office-ddf.md). + +The following diagram shows the Office configuration service provider in tree format. + +![Office CSP diagram](images/provisioning-csp-office.png) + +**Office** + +

The root node for the Office configuration service provider.

+ +**Installation** + +

Specifies the options for the Microsoft Office installation. + +

The supported operations are Add, Delete, Get, and Replace. + +**id** + +

Specifies a unique identifier that represents the ID of the Microsoft Office product to install. + +

The supported operations are Add, Delete, Get, and Replace. + +**Install** + +

Installs office by using the XML data specified in the configuration.xml file. + +

The supported operations are Get and Execute. + +**Status** + +

The Microsoft Office installation status. + +

The only supported operation is Get. + + +## Examples + +Sample SyncML to install Office 365 Business Retail from current channel. + +```syntax + + + + 7 + + + ./Vendor/MSFT/Office/Installation/0AA79349-F334-4859-96E8-B4AB43E9FEA0/install + + + chr + + <Configuration><Add OfficeClientEdition="32" Channel="Current"><Product ID="O365BusinessRetail"><Language ID="en-us" /></Product></Add><Display Level="None" AcceptEULA="TRUE" /></Configuration> + + + + + +``` + +To uninstall the Office 365 from the system: + +```syntax + + + + 7 + + + ./Vendor/MSFT/Office/Installation/E24B23D8-94A8-4997-9E6E-8FF25025845B/install + + + chr + + <Configuration><Remove All="TRUE"/><Display Level="None" AcceptEULA="TRUE" /></Configuration> + + + + + +``` + +## Status code + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StatusDescriptionComment
0Installation succeededOK
997Installation in progressWindows Information Protection
13 (ERROR_INVALID_DATA)Cannot verify signature of the downloaded ODTFailure
1460 (ERROR_TIMEOUT)Failed to download ODT Failure
1603 (ERROR_INSTALL_FAILURE)Failed any pre-req check. +
    +
  • SxS (Tried to install when 2016 MSI is installed)
  • +
  • Bit mismatch
  • +
+
Failure
17002Failed to complete the process. Possible reasons:
    +
  • Installation cancelled by user
  • +
  • Installation cancelled by another installation
  • +
  • Out of disk space during installation
  • +
  • Unknown language ID
  • +
Failure
17004Unknown SKUFailure
0x8000ffff (E_UNEXPECTED)Tried to uninstall when there is no C2R Office on the machine.Failure
\ No newline at end of file
diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md
new file mode 100644
index 0000000000..85f2f48531
--- /dev/null
+++ b/windows/client-management/mdm/office-ddf.md
@@ -0,0 +1,258 @@ +--- +title: Office DDF +description: This topic shows the OMA DM device description framework (DDF) for the Office configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Office DDF + +This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + Office + ./Vendor/MSFT + + + + + Root of the office CSP. + + + + + + + + + + + com.microsoft/1.0/MDM/Office + + + + Installation + + + + + Installation options for the office CSP. + + + + + + + + + + + + + + + + + + + + + + + A unique identifier which represents the instalation instance id. + + + + + + + + + + id + + + + + + Install + + + + + + The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office. + + + + + + + + + + + text/plain + + + + + Status + + + + + The installation status of the CSP. + + + + + + + + + + + text/plain + + + + + + + + Office + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + + Installation + + + + + + + + + + + + + + + + + + + id + + + + + + + A unique identifier which represents the instalation instance id. 
+ + + + + + + + + + id + + + + + + Install + + + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md new file mode 100644 index 0000000000..8ebb0eebf3 --- /dev/null +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -0,0 +1,385 @@ +--- +title: OMA DM protocol support +description: OMA DM protocol support +ms.assetid: e882aaae-447e-4bd4-9275-463824da4fa0 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + + +# OMA DM protocol support + +The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526). + + +## In this topic + +- [OMA DM standards](#oma-dm-standards) + +- [OMA DM protocol common elements](#protocol-common-elements) + +- [Device management session](#device-management-session) + +- [User targeted vs. Device targeted configuration](#user-targeted-vs-device-targeted-configuration) + +- [SyncML response codes](#syncml-response-codes) + + +## OMA DM standards + +The following table shows the OMA DM standards that Windows uses. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
General areaOMA DM standard that is supported

Data transport and session

    +
  • Client-initiated remote HTTPS DM session over SSL.

  • +
  • Remote HTTPS DM session over SSL.

  • +
  • Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.

  • +
  • Remote bootstrap by using WAP Push over SMS. Not used by enterprise management.

  • +

Bootstrap XML

    +
  • OMA Client Provisioning XML.

  • +

DM protocol commands

The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).

+
    +
  • Add (Implicit Add supported)

  • +
  • Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.

  • +
  • Atomic: Note that performing an Add command followed by Replace on the same node within an atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.

  • +
  • Delete: Removes a node from the DM tree, and the entire subtree beneath that node if one exists

  • +
  • Exec: Invokes an executable on the client device

  • +
  • Get: Retrieves data from the client device; for interior nodes, the child node names in the Data element are returned in URI-encoded format

  • +
  • Replace: Overwrites data on the client device

  • +
  • Result: Returns the data results of a Get command to the DM server

  • +
  • Sequence: Specifies the order in which a group of commands must be processed

  • +
  • Status: Indicates the completion status (success or failure) of an operation

  • +
+

If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:

+
    +
  • SyncBody

  • +
  • Atomic

  • +
  • Sequence

  • +
+

If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400.

+

If Atomic elements are nested, the following status codes are returned:

+
    +
  • The nested Atomic command returns 500.

  • +
  • The parent Atomic command returns 507.

  • +
+

For more information about the Atomic command, see OMA DM protocol common elements.

+

Performing an Add command followed by Replace on the same node within an Atomic element is not supported.

+

LocURI cannot start with "/".

+

Meta XML tag in SyncHdr is ignored by the device.

OMA DM standard objects

    +
  • DevInfo

  • +
  • DevDetail

  • +
  • OMA DM DMS account objects (OMA DM version 1.2)

  • +

Security

    +
  • Authenticate DM server initiation notification SMS message (not used by enterprise management)

  • +
  • Application layer Basic and MD5 client authentication

  • +
  • Authenticate server with MD5 credential at application level

  • +
  • Data integrity and authentication with HMAC at application level

  • +
  • SSL level certificate based client/server authentication, encryption, and data integrity check

  • +

Nodes

In the OMA DM tree, the following rules apply for the node name:

+
    +
  • "." can be part of the node name.

  • +
  • The node name cannot be empty.

  • +
  • The node name cannot be only the asterisk (*) character.

  • +

Provisioning Files

Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526905) specification.

+

If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.

+
+Note   +

To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.

+
+
+  +

WBXML support

Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526905) specification.

Handling of large objects

In Windows 10, version 1511, client support for uploading large objects to the server was added.

+ + + +## OMA DM protocol common elements + +Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1\_1\_2-20030613-A) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900). + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ElementDescription

Chal

Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.

Cmd

Specifies the name of an OMA DM command referenced in a Status element.

CmdID

Specifies the unique identifier for an OMA DM command.

CmdRef

Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.

Cred

Specifies the authentication credential for the originator of the message.

Final

Indicates that the current message is the last message in the package.

LocName

Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.

LocURI

Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.

MsgID

Specifies a unique identifier for an OMA DM session message.

MsgRef

Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.

RespURI

Specifies the URI that the recipient must use when sending a response to this message.

SessionID

Specifies the identifier of the OMA DM session associated with the containing message.

+
+Note  If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes. +
+
+  +

Source

Specifies the message source address.

SourceRef

Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.

Target

Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.

TargetRef

Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.

VerDTD

Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.

VerProto

Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.

+ + +## Device management session + +A Device Management (DM) session consists of a series of commands exchanged between a DM server and a client device. The server sends commands indicating operations that must be performed on the client device's management tree. The client responds by sending commands that contain the results and any requested status information. + +A short DM session can be summarized as the following: + +A server sends a Get command to a client device to retrieve the contents of one of the nodes of the management tree. The device performs the operation and responds with a Result command that contains the requested contents. + +A DM session can be divided into two phases: +1. **Setup phase**: In response to a trigger event, a client device sends an initiating message to a DM server. The device and server exchange needed authentication and device information. This phase is represented by steps 1, 2, and 3 in the following table. +2. **Management phase**: The DM server is in control. It sends management commands to the device and the device responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4, and 5 in the following table. + +The following table shows the sequence of events during a typical DM session. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
StepActionDescription

1

DM client is invoked to call back to the management server

+

Enterprise scenario – The device task schedule invokes the DM client.

The MO server sends a server trigger message to invoke the DM client.

+

The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.

+

Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.

2

The device sends a message, over an IP connection, to initiate the session.

This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.

3

The DM server responds, over an IP connection (HTTPS).

The server sends initial device management commands, if any.

4

The device responds to server management commands.

This message includes the results of performing the specified device management operations.

5

The DM server terminates the session or sends another command.

The DM session ends, or Step 4 is repeated.

+
+ 
+
+The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (OMA-TS-DM\_RepPro-V1\_2-20070209-A) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
+
+During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started.
+
+If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the Chal element is included and the MD5 authentication is required, a new digest is created by using the next nonce via the Chal element for next request.
+
+For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
+
+
+## User targeted vs. Device targeted configuration
+
+For CSPs and policies that supports per user configuration, MDM server could send user targeted setting values to the device the user that enrolled MDM is actively logged in. The device notifies the server the login status via a device alert (1224) with Alert type = in DM pkg\#1.
+
+The data part of this alert could be one of following strings:
+
+- user – the user that enrolled the device is actively login. The MDM server could send user specific configuration for CSPs/policies that support per user configuration
+- others – another user login but that user does not have an MDM account. The server can only apply device wide configuration, e.g. configuration applies to all users in the device.
+- none – no active user login. The server can only apply device wide configuration and available configuration is restricted to the device environment (no active user login
+
+Below is an alert example:
+
+```
+ + 1 + 1224 + + + com.microsoft/MDM/LoginStatus + chr + + user + +
+```
+
+The server notifies the device whether it is a user targeted or device targeted configuration by a prefix to the management node’s LocURL, with ./user for user targeted configuration, or ./device for device targeted configuration. By default, if no prefix with ./device or ./user, it is device targeted configuration.
+
+The following LocURL shows a per user CSP node configuration: **./user/vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/<PackageFamilyName>/StoreInstall**
+
+The following LocURL shows a per device CSP node configuration: **./device/vendor/MSFT/RemoteWipe/DoWipe**
+
+
+
+## SyncML response status codes
+
+When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526905) specification.
+
+| Status code | Description |
+|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| 200 | The SyncML command completed successfully. |
+| 202 | Accepted for processing. This is usually an asynchronous operation, such as a request to run a remote execution of an application. |
+| 212 | Authentication accepted. Normally you'll only see this in response to the SyncHdr element (used for authentication in the OMA-DM standard). You may see this if you look at OMA DM logs, but CSPs do not typically generate this. |
+| 214 | Operation cancelled. The SyncML command completed successfully, but no more commands will be processed within the session. |
+| 215 | Not executed. A command was not executed as a result of user interaction to cancel the command. |
+| 216 | `Atomic` roll back OK. A command was inside an `Atomic` element and `Atomic` failed. This command was rolled back successfully. |
+| 400 | Bad request. The requested command could not be performed because of malformed syntax. CSPs do not usually generate this error, however you might see it if your SyncML is malformed. |
+| 401 | Invalid credentials. The requested command failed because the requestor must provide proper authentication. CSPs do not usually generate this error. |
+| 403 | Forbidden. The requested command failed, but the recipient understood the requested command. |
+| 404 | Not found. The requested target was not found. This code will be generated if you query a node that does not exist. |
+| 405 | Command not allowed. This respond code will be generated if you try to write to a read-only node. |
+| 406 | Optional feature not supported. This response code will be generated if you try to access a property that the CSP doesn't support. |
+| 415 | Unsupported type or format. This response code can result from XML parsing or formatting errors. |
+| 418 | Already exists. This response code occurs if you attempt to add a node that already exists. |
+| 425 | Permission Denied. The requested command failed because the sender does not have adequate access control permissions (ACL) on the recipient. "Access denied" errors usually get translated to this response code. |
+| 500 | Command failed. Generic failure. The recipient encountered an unexpected condition which prevented it from fulfilling the request. This response code will occur when the SyncML DPU cannot map the originating error code. |
+| 507 | `Atomic` failed. One of the operations in an `Atomic` block failed. |
+| 516 | `Atomic` roll back failed. An `Atomic` operation failed and the command was not rolled back successfully. |
+
+ 
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
new file mode 100644
index 0000000000..2ecd4d724f
--- /dev/null
+++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
@@ -0,0 +1,524 @@ +--- +title: On-premise authentication device enrollment +description: This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. +ms.assetid: 626AC8B4-7575-4C41-8D59-185D607E3A47 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# On-premise authentication device enrollment + + +This section provides an example of the mobile device enrollment protocol using on-premise authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). + +## In this topic + +- [Discovery service](#discovery-service) +- [Enrollment policy web service](#enrollment-policy-web-service) +- [Enrollment web service](#enrollment-web-service) + +For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported). + +## Discovery service + +The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only). + +> **Note**  The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com. + +  +The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. 
For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc + +The first request is a standard HTTP GET request. + +The following example shows a request via HTTP GET to the discovery server given user@contoso.com as the email address. + +``` +Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc +Content Type: unknown +Header Byte Count: 153 +Body Byte Count: 0 +``` + +``` +GET /EnrollmentServer/Discovery.svc HTTP/1.1 +User-Agent: Windows Phone 8 Enrollment Client +Host: EnterpriseEnrollment.contoso.com +Pragma: no-cache +``` + +``` +Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc +Content Type: text/html +Header Byte Count: 248 +Body Byte Count: 0 +``` + +``` +HTTP/1.1 200 OK +Connection: Keep-Alive +Pragma: no-cache +Cache-Control: no-cache +Content-Type: text/html +Content-Length: 0 +``` + +After the device gets a response from the server, the device sends a POST request to enterpriseenrollment.*domain\_name*/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the device where the enrollment server is), the next message sent from the device is to enterpriseenrollment.*domain\_name* to the enrollment server. + +The following logic is applied: + +1. The device first tries HTTPS. If the server cert is not trusted by the device, the HTTPS fails. +2. If that fails, the device tries HTTP to see whether it is redirected: + - If the device is not redirected, it prompts the user for the server address. + - If the device is redirected, it prompts the user to allow the redirect. 
+ +The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address + +``` +https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc +``` + +The following example shows the discovery service request. + +``` syntax + + + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc + + + + + + user@contoso.com + 3 + 3.0 + WindowsPhone + 10.0.0.0 + + OnPremise + + + + + +``` + +If a domain and user name are provided by the user instead of an email address, the <EmailAddress> tag should contain domain\\username. In this case, the user needs to enter the server address directly. + +<EmailAddress>contoso\\user</EmailAddress> Response + +The discovery response is in the XML format and includes the following fields: + +- Enrollment service URL (EnrollmentServiceUrl) – Specifies the URL of the enrollment endpoint that is exposed by the management service. The device should call this URL after the user has been authenticated. This field is mandatory. +- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory. +- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance. + +> **Note**  The HTTP server response must not be chunked; it must be sent as one message. 
+ +  +The following example shows a response received from the discovery web service for OnPremise authentication: + +``` syntax + + + + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse + + + d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8 + + urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478 + + + + + OnPremise + 3.0 + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + + +``` + +## Enrollment policy web service + +For the OnPremise authentication policy, the UsernameToken in GetPolicies contains the user credential, whose value is based on the authentication policy in discovery. A sample of the request can be found on the MSDN website; the following is another sample, with "user@contoso.com" as the user name and "mypassword" as the password. + +The following example shows the policy web service request. + +``` syntax + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies + + urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + user@contoso.com + mypassword + + + + + + + + + + + + + +``` + +After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN. + +MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. 
Version 3 of MS-XCEP supports hashing algorithms. + +> **Note**  The HTTP server response must not be chunked; it must be sent as one message. + +  +The following snippet shows the policy web service response. + +``` syntax + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse + + urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598 + + + + + + + + + + + 0 + + + CEPUnitTest + 3 + + 1209600 + 172800 + + + true + false + + + 2048 + + + + + + + + 101 + 0 + + + + + + + 0 + + + + + + + + + + + 1.3.14.3.2.29 + 1 + 0 + szOID_OIWSEC_sha1RSASign + + + + + +``` + +## Enrollment web service + +This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client. + +The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully. + +The RequestSecurityToken will use a custom TokenType (http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section. 
+ +The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration. + +> **Note**  The policy service and the enrollment service must be on the same server; that is, they must have the same host name. + +  +The following example shows the enrollment web service request for OnPremise authentication. + +``` syntax + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep + + urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749 + + http://www.w3.org/2005/08/addressing/anonymous + + + https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC + + + + user@contoso.com + mypassword + + + + + + + + http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken + + + http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue + + DER format PKCS#10 certificate request in Base64 encoding Insterted Here + + + + 4 + + + 10.0.9999.0 + + + MY_WINDOWS_DEVICE + + + FF:FF:FF:FF:FF:FF + + + CC:CC:CC:CC:CC:CC + + + 49015420323756 + + + 30215420323756 + + + Full + + + CIMClient_Windows + + + 10.0.9999.0 + + + 7BA748C8-703E-4DF2-A74A-92984117346A + + + + True + + + + + +``` + +The following example shows the enrollment web service response. + +``` syntax + + + + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep + + urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab + + + 2012-08-02T00:32:59.420Z + 2012-08-02T00:37:59.420Z + + + + + + + + http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken + + + + B64EncodedSampleBinarySecurityToken + + + 0 + + + + + +``` + +The following example shows the encoded provisioning XML. + +``` + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +  + + + + + + 
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md new file mode 100644 index 0000000000..8faa4ccb96 --- /dev/null +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -0,0 +1,437 @@ +--- +title: PassportForWork CSP +description: The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). +ms.assetid: 3BAE4827-5497-41EE-B47F-5C071ADB2C51 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# PassportForWork CSP + +The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. + +> [!IMPORTANT] +> Starting with Windows 10, version 1607 all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. +  +### User configuration diagram + +The following diagram shows the PassportForWork configuration service provider in tree format. + +![passportforwork csp](images/provisioning-csp-passportforwork.png) + +### Device configuration diagram + +The following diagram shows the PassportForWork configuration service provider in tree format. + +![passportforwork diagram](images/provisioning-csp-passportforwork2.png) + +**PassportForWork** +

Root node for PassportForWork configuration service provider. + +***TenantId*** +

A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. + +***TenantId*/Policies** +

Node for defining the Windows Hello for Business policy settings. + +***TenantId*/Policies/UsePassportForWork** +

Boolean value that sets Windows Hello for Business as a method for signing into Windows. + +

Default value is true. If you set this policy to false, the user cannot provision Windows Hello for Business except on Azure Active Directory joined mobile phones where provisioning is required. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/RequireSecurityDevice** +

Boolean value that requires a Trusted Platform Module (TPM) for Windows Hello for Business. TPM provides an additional security benefit over software so that data stored in it cannot be used on other devices. + +

Default value is false. If you set this policy to true, only devices with a usable TPM can provision Windows Hello for Business. If you set this policy to false, all devices can provision Windows Hello for Business using software even if there is not a usable TPM. If you do not configure this setting, all devices can provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/ExcludeSecurityDevices** (only for ./Device/Vendor/MSFT) +

Added in Windows 10, version 1703. Root node for excluded security devices. + +***TenantId*/Policies/ExcludeSecurityDevices/TPM12** (only for ./Device/Vendor/MSFT) +

Added in Windows 10, version 1703. Some Trusted Platform Modules (TPMs) are compliant only with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). + +

Default value is false. If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. + +

If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/EnablePinRecovery** +

Added in Windows 10, version 1703. Boolean value that enables a user to change their PIN by using the Windows Hello for Business PIN recovery service. +This cloud service encrypts a recovery secret, which is stored locally on the client, and can be decrypted only by the cloud service. + +

Default value is false. If you enable this policy setting, the PIN recovery secret will be stored on the device and the user can change their PIN if needed. + +

If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/UseCertificateForOnPremAuth** (only for ./Device/Vendor/MSFT) +

Boolean value that enables Windows Hello for Business to use certificates to authenticate on-premise resources. + +

If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. + +

If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/PINComplexity** +

Node for defining PIN settings. + +***TenantId*/Policies/PINComplexity/MinimumPINLength** +

Integer value that sets the minimum number of characters required for the PIN. Default value is 4. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +

If you configure this policy setting, the PIN length must be greater than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be greater than or equal to 4. + +> [!NOTE] +> If the conditions specified above for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + +  +

Value type is int. Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/PINComplexity/MaximumPINLength** +

Integer value that sets the maximum number of characters allowed for the PIN. Default value is 127. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +

If you configure this policy setting, the PIN length must be less than or equal to this number. If you disable or do not configure this policy setting, the PIN length must be less than or equal to 127. + +> [!NOTE] +> If the conditions specified above for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + +  +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/PINComplexity/UppercaseLetters** +

Integer value that configures the use of uppercase letters in the Windows Hello for Business PIN. + +

Valid values: + +- 0 - Allows the use of uppercase letters in PIN. +- 1 - Requires the use of at least one uppercase letters in PIN. +- 2 - Does not allow the use of uppercase letters in PIN. + +

Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/PINComplexity/LowercaseLetters** +

Integer value that configures the use of lowercase letters in the Windows Hello for Business PIN. + +

Valid values: + +- 0 - Allows the use of lowercase letters in PIN. +- 1 - Requires the use of at least one lowercase letters in PIN. +- 2 - Does not allow the use of lowercase letters in PIN. + +

Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/PINComplexity/SpecialCharacters** +

Integer value that configures the use of special characters in the Windows Hello for Business PIN. Valid special characters for Windows Hello for Business PIN gestures include: ! " \# $ % & ' ( ) \* + , - . / : ; < = > ? @ \[ \\ \] ^ \_ \` { | } ~ . + +

Valid values: + +- 0 - Allows the use of special characters in PIN. +- 1 - Requires the use of at least one special character in PIN. +- 2 - Does not allow the use of special characters in PIN. + +

Default value is 2. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/PINComplexity/Digits** +

Integer value that configures the use of digits in the Windows Hello for Business PIN. + +

Valid values: + +- 0 - Allows the use of digits in PIN. +- 1 - Requires the use of at least one digit in PIN. +- 2 - Does not allow the use of digits in PIN. + +

Default value is 1. Default PIN complexity behavior is that digits are required and all other character sets are not allowed. If all character sets are allowed but none are explicitly required, then the default PIN complexity behavior will apply. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/PINComplexity/History** +

Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. This node was added in Windows 10, version 1511. + +

The current PIN of the user is included in the set of PINs associated with the user account. PIN history is not preserved through a PIN reset. + +

Default value is 0. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/PINComplexity/Expiration** +

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. This node was added in Windows 10, version 1511. + +

Default is 0. + +

Supported operations are Add, Get, Delete, and Replace. + +***TenantId*/Policies/Remote** (only for ./Device/Vendor/MSFT) +

Interior node for defining remote Windows Hello for Business policies. This node was added in Windows 10, version 1511. + +***TenantId*/Policies/Remote/UseRemotePassport** (only for ./Device/Vendor/MSFT) +

Boolean value used to enable or disable the use of remote Windows Hello for Business. Remote Windows Hello for Business provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. Remote Windows Hello for Business requires that the desktop be Azure AD joined and that the companion device has a Windows Hello for Business PIN. This node was added in Windows 10, version 1511. + +

Default value is false. If you set this policy to true, Remote Windows Hello for Business will be enabled and a portable, registered device can be used as a companion device for desktop authentication. If you set this policy to false, Remote Windows Hello for Business will be disabled. + +

Supported operations are Add, Get, Delete, and Replace. + +**UseBiometrics** +

This node is deprecated. Use **Biometrics/UseBiometrics** node instead. + +**Biometrics** (only for ./Device/Vendor/MSFT) +

Node for defining biometric settings. This node was added in Windows 10, version 1511. + +**Biometrics/UseBiometrics** (only for ./Device/Vendor/MSFT) +

Boolean value used to enable or disable the use of biometric gestures, such as face and fingerprint, as an alternative to the PIN gesture for Windows Hello for Business. Users must still configure a PIN if they configure biometric gestures to use in case of failures. This node was added in Windows 10, version 1511. + +

Default value is false. If you set this policy to true, biometric gestures are enabled for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business. + +

Supported operations are Add, Get, Delete, and Replace. + +**Biometrics/FacialFeaturesUseEnhancedAntiSpoofing** (only for ./Device/Vendor/MSFT) +

Boolean value used to enable or disable enhanced anti-spoofing for facial feature recognition on Windows Hello face authentication. This node was added in Windows 10, version 1511. + +

Default value is false. If you set this policy to true or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. Windows Hello face authentication is disabled on devices that do not support enhanced anti-spoofing. + +

If you set this policy to false, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. + +

Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. + +

Supported operations are Add, Get, Delete, and Replace. + +## Examples + +

Here's an example for setting Windows Hello for Business and setting the PIN policies. It also turns on the use of biometrics and TPM. + +``` syntax + + + + 2 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F + + + + + + 3 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/UsePassportForWork + + + + bool + text/plain + + true + + + + 4 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/RequireSecurityDevice + + + + bool + text/plain + + true + + + + 5 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/MinimumPINLength + + + + int + text/plain + + 8 + + + + 6 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/MaximumPINLength + + + + int + text/plain + + 16 + + + + 7 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/UppercaseLetters + + + + int + text/plain + + 0 + + + + 8 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/LowercaseLetters + + + + int + text/plain + + 1 + + + + 9 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/SpecialCharacters + + + + int + text/plain + + 2 + + + + 10 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/Digits + + + + int + text/plain + + 1 + + + + 11 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/History + + + + int + text/plain + + 20 + + + + 12 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/PINComplexity/Expiration + + + + int + text/plain + + 70 + + + + 13 + + + + ./Vendor/MSFT/PassportForWork/5NEMDU42-45CC-8CBL-8BPF-D7092646325F/Policies/Remote/UseRemotePassport + + + + bool + text/plain + + true + + + + 14 + + + + ./Vendor/MSFT/PassportForWork/Biometrics/UseBiometrics + + 
+ + bool + text/plain + + true + + + + 15 + + + + ./Vendor/MSFT/PassportForWork/Biometrics/FacialFeatureUseEnhancedAntiSpoofing + + + + bool + text/plain + + true + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md new file mode 100644 index 0000000000..e425bb220d --- /dev/null +++ b/windows/client-management/mdm/passportforwork-ddf.md 
@@ -0,0 +1,1120 @@ +--- +title: PassportForWork DDF +description: This topic shows the OMA DM device description framework (DDF) for the PassportForWork configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# PassportForWork DDF + +This topic shows the OMA DM device description framework (DDF) for the **PassportForWork** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + PassportForWork + ./User/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.3/MDM/PassportForWork + + + + + + + + + + + This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. + + + + + + + + + + TenantId + + + + + + Policies + + + + + + + Root node for policies. + + + + + + + + + + Policies + + + + + + UsePassportForWork + + + + + + + + True + Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. + +If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. 
+ +If you disable this policy setting, the device does not provision Windows Hello for Business for any user. + + + + + + + + + + + text/plain + + + + + RequireSecurityDevice + + + + + + + + False + A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. + +If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. + +If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + + + + + + + + + + + text/plain + + + + + EnablePinRecovery + + + + + + + + False + If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. + +If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. + +If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + + + + + + + + + + + text/plain + + + + + PINComplexity + + + + + + + Root node for PIN policies + + + + + + + + + + + + + + + MinimumPINLength + + + + + + + + 4 + Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. 
+ +If you configure this policy setting, the PIN length must be greater than or equal to this number. + +If you do not configure this policy setting, the PIN length must be greater than or equal to 4. + +NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + text/plain + + + + + MaximumPINLength + + + + + + + + 127 + Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +If you configure this policy setting, the PIN length must be less than or equal to this number. + +If you do not configure this policy setting, the PIN length must be less than or equal to 127. + +NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + text/plain + + + + + UppercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. + + + + + + + + + + + text/plain + + + + + LowercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. 
+ +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. + + + + + + + + + + + text/plain + + + + + SpecialCharacters + + + + + + + + 0 + ? @ [ \ ] ^ _ ` { | } ~ . + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> + + + + + + + + + + + text/plain + + + + + Digits + + + + + + + + 0 + Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. + +If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. + + + + + + + + + + + text/plain + + + + + History + + + + + + + + 0 + This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. 
PIN history is not preserved through PIN reset. + + + + + + + + + + + text/plain + + + + + Expiration + + + + + + + + 0 + This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. + + + + + + + + + + + text/plain + + + + + + + + + PassportForWork + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + + + + + + + + + This policy specifies the Tenant ID in the format of a Globally Unique Identifier (GUID) without curly braces ( { , } ), which will be used as part of Windows Hello for Business provisioning and management. + + + + + + + + + + TenantId + + + + + + Policies + + + + + + + Root node for policies. + + + + + + + + + + Policies + + + + + + UsePassportForWork + + + + + + + + True + Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory account that can replace passwords, Smart Cards, and Virtual Smart Cards. + +If you enable or do not configure this policy setting, the device provisions Windows Hello for Business for all users. + +If you disable this policy setting, the device does not provision Windows Hello for Business for any user. + + + + + + + + + + + text/plain + + + + + RequireSecurityDevice + + + + + + + + False + A Trusted Platform Module (TPM) provides additional security benefits over software because data stored within it cannot be used on other devices. + +If you enable this policy setting, only devices with a usable TPM provision Windows Hello for Business. + +If you disable or do not configure this policy setting, the TPM is still preferred, but all devices provision Windows Hello for Business using software if the TPM is non-functional or unavailable. + + + + + + + + + + + text/plain + + + + + ExcludeSecurityDevices + + + + + + + Root node for excluded security devices. 
+ + + + + + + + + + ExcludeSecurityDevices + + + + + + TPM12 + + + + + + + + False + Some Trusted Platform Modules (TPMs) are only compliant with the older 1.2 revision of the TPM specification defined by the Trusted Computing Group (TCG). + +If you enable this policy setting, TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. + +If you disable or do not configure this policy setting, TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. + + + + + + + + + + + text/plain + + + + + + EnablePinRecovery + + + + + + + + False + If the user forgets their PIN, it can be changed to a new PIN using the Windows Hello for Business PIN recovery service. This cloud service encrypts a recovery secret which is stored locally on the client, but which can only be decrypted by the cloud service. + +If you enable this policy setting, the PIN recovery secret will be stored on the device and the user will be able to change to a new PIN in case their PIN is forgotten. + +If you disable or do not configure this policy setting, the PIN recovery secret will not be created or stored. If the user's PIN is forgotten, the only way to get a new PIN is by deleting the existing PIN and creating a new one, which will require the user to re-register with any services the old PIN provided access to. + + + + + + + + + + + + text/plain + + + + + UseCertificateForOnPremAuth + + + + + + + + False + Windows Hello for Business can use certificates to authenticate to on-premise resources. + +If you enable this policy setting, Windows Hello for Business will wait until the device has received a certificate payload from the mobile device management server before provisioning a PIN. + +If you disable or do not configure this policy setting, the PIN will be provisioned when the user logs in, without waiting for a certificate payload. 
+ + + + + + + + + + + text/plain + + + + + PINComplexity + + + + + + + Root node for PIN policies + + + + + + + + + + + + + + + MinimumPINLength + + + + + + + + 4 + Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Maximum PIN length policy setting or the number 127, whichever is the lowest. + +If you configure this policy setting, the PIN length must be greater than or equal to this number. + +If you do not configure this policy setting, the PIN length must be greater than or equal to 4. + +NOTE: If the above specified conditions for the minimum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + text/plain + + + + + MaximumPINLength + + + + + + + + 127 + Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the Minimum PIN length policy setting or the number 4, whichever is greater. + +If you configure this policy setting, the PIN length must be less than or equal to this number. + +If you do not configure this policy setting, the PIN length must be less than or equal to 127. + +NOTE: If the above specified conditions for the maximum PIN length are not met, default values will be used for both the maximum and minimum PIN lengths. + + + + + + + + + + + text/plain + + + + + UppercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of uppercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one uppercase letter in their PIN. 
+ +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using uppercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use uppercase letters in their PIN. + + + + + + + + + + + text/plain + + + + + LowercaseLetters + + + + + + + + 0 + Use this policy setting to configure the use of lowercase letters in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one lowercase letter in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using lowercase letters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use lowercase letters in their PIN. + + + + + + + + + + + text/plain + + + + + SpecialCharacters + + + + + + + + 0 + ? @ [ \ ] ^ _ ` { | } ~ . + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one special character in their PIN. + +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using special characters in their PIN. + +If you do not configure this policy setting, Windows Hello for Business does not allow users to use special characters in their PIN.]]> + + + + + + + + + + + text/plain + + + + + Digits + + + + + + + + 0 + Use this policy setting to configure the use of digits in the Windows Hello for Business PIN. + +A value of 1 corresponds to “Required.” If you configure this policy setting to 1, Windows Hello for Business requires users to include at least one digit in their PIN. 
+ +A value of 2 corresponds to “Disallow.” If you configure this policy setting to 2, Windows Hello for Business prevents users from using digits in their PIN. + +If you do not configure this policy setting, Windows Hello for Business requires users to use digits in their PIN. + + + + + + + + + + + text/plain + + + + + History + + + + + + + + 0 + This policy specifies the number of past PINs that can be stored in the history that can’t be used. Valid values are 0 to 50 inclusive. If this policy is set to 0, then storage of previous PINs is not required. PIN history is not preserved through PIN reset. + + + + + + + + + + + text/plain + + + + + Expiration + + + + + + + + 0 + This policy specifies when the PIN expires (in days). Valid values are 0 to 730 inclusive. If this policy is set to 0, then PINs do not expire. + + + + + + + + + + + text/plain + + + + + + Remote + + + + + + + Root node for phone sign-in policies + + + + + + + + + + + + + + + UseRemotePassport + + + + + + + + False + Boolean that specifies if phone sign-in can be used with a device. Phone sign-in provides the ability for a portable, registered device to be usable as a companion device for desktop authentication. + +Default value is false. If you enable this setting, a desktop device will allow a registered, companion device to be used as an authentication factor. If you disable this setting, a companion device cannot be used in desktop authentication scenarios. + + + + + + + + + + + text/plain + + + + + + + + UseBiometrics + + + + + + + + False + THIS NODE IS DEPRECATED AND WILL BE REMOVED IN A FUTURE VERSION. PLEASE USE Biometrics/UseBiometrics NODE INSTEAD. + +Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + +If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. 
+ +If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. + +NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types. + + + + + + + + + + + text/plain + + + + + Biometrics + + + + + Root node for biometrics policies + + + + + + + + + + + + + + + UseBiometrics + + + + + + + + False + Windows Hello for Business enables users to use biometric gestures, such as face and fingerprints, as an alternative to the PIN gesture. However, users must still configure a PIN to use in case of failures. + +If you enable or do not configure this policy setting, Windows Hello for Business allows the use of biometric gestures. + +If you disable this policy setting, Windows Hello for Business prevents the use of biometric gestures. + +NOTE: Disabling this policy prevents the use of biometric gestures on the device for all account types. + + + + + + + + + + + text/plain + + + + + FacialFeaturesUseEnhancedAntiSpoofing + + + + + + + + False + This setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication. + +If you enable or don't configure this setting, Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti-spoofing. + +If you disable this setting, Windows doesn't require enhanced anti-spoofing for Windows Hello face authentication. + +Note that enhanced anti-spoofing for Windows Hello face authentication is not required on unmanaged devices. + + + + + + + + + + + text/plain + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md new file mode 100644 index 0000000000..85c52cab60 --- /dev/null +++ b/windows/client-management/mdm/personalization-csp.md 
@@ -0,0 +1,110 @@ +--- +title: Personalization CSP +description: Personalization CSP +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Personalization CSP + +The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package. + +This CSP was added in Windows 10, version 1703. + +> [!Note] +> Personalization CSP is supported in Windows 10 Enterprise and Education SKUs. It works in Windows 10 Pro and Windows 10 Pro in S mode if SetEduPolicies in [SharedPC CSP](sharedpc-csp.md) is set. + +The following diagram shows the Personalization configuration service provider in tree format. + +![personalization csp](images/provisioning-csp-personalization.png) + +**./Vendor/MSFT/Personalization** +

Defines the root node for the Personalization configuration service provider.

+ +**DesktopImageUrl** +

Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

+

Value type is string. Supported operations are Add, Get, Delete, and Replace.

+ +**DesktopImageStatus** +

Represents the status of the desktop image. Valid values:

+
    +
  • 1 - Successfully downloaded or copied.
  • +
  • 2 - Download or copy in progress.
  • +
  • 3 - Download or copy failed.
  • +
  • 4 - Unknown file type.
  • +
  • 5 - Unsupported URL scheme.
  • +
  • 6 - Max retry failed.
  • +
  • 7 - Blocked, SKU not allowed
  • +
+

Supporter operation is Get.

+ +> [!Note] +> This setting is only used to query status. To set the image, use the DesktopImageUrl setting. + +**LockScreenImageUrl** +

Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.

+

Value type is string. Supported operations are Add, Get, Delete, and Replace.

+ + +**LockScreenImageStatus** +

Represents the status of the lock screen image. Valid values:

+
    +
  • 1 - Successfully downloaded or copied.
  • +
  • 2 - Download or copy in progress.
  • +
  • 3 - Download or copy failed.
  • +
  • 4 - Unknown file type.
  • +
  • 5 - Unsupported URL scheme.
  • +
  • 6 - Max retry failed.
  • +
  • 7 - Blocked, SKU not allowed
  • +
+

Supporter operation is Get.

+ +> [!Note] +> This setting is only used to query status. To set the image, use the LockScreenImageStatus setting. + + +## Example SyncML + +``` syntax + + + + 1 + + + + ./Vendor/MSFT/Personalization/LockScreenImageUrl + + + + chr + text/plain + + https://www.contoso.com/desktopimage.jpeg + + + + 2 + + + + ./Vendor/MSFT/Personalization/DesktopImageUrl + + + + chr + text/plain + + https://www.contoso.com/lockscreenimage.JPG + + + + + +``` + + + diff --git a/windows/client-management/mdm/personalization-ddf.md b/windows/client-management/mdm/personalization-ddf.md new file mode 100644 index 0000000000..85d8ef7bb0 --- /dev/null +++ b/windows/client-management/mdm/personalization-ddf.md 
@@ -0,0 +1,142 @@ +--- +title: Personalization DDF file +description: Personalization DDF file +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Personalization DDF file + +This topic shows the OMA DM device description framework (DDF) for the **Personalization** configuration service provider. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + Personalization + ./Vendor/MSFT + + + + + Configure a PC's personalization settings such as Desktop Image and Lock Screen Image. + + + + + + + + + + + com.microsoft/1.0/MDM/Personalization + + + + DesktopImageUrl + + + + + + + + A http or https Url to a jpg, jpeg or png image that needs to be downloaded and used as the Desktop Image or a file Url to a local image on the file system that needs to used as the Desktop Image. + + + + + + + + + + + text/plain + + + + + DesktopImageStatus + + + + + This represents the status of the DesktopImage. 1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + + + + + text/plain + + + + + LockScreenImageUrl + + + + + + + + A http or https Url to a jpg, jpeg or png image that neeeds to be downloaded and used as the Lock Screen Image or a file Url to a local image on the file system that needs to be used as the Lock Screen Image. + + + + + + + + + + + text/plain + + + + + LockScreenImageStatus + + + + + This represents the status of the LockScreenImage. 
1 - Successfully downloaded or copied. 2 - Download/Copy in progress. 3 - Download/Copy failed. 4 - Unknown file type. 5 - Unsupported Url scheme. 6 - Max retry failed. + + + + + + + + + + + text/plain + + + + + +``` diff --git a/windows/client-management/mdm/policy-admx-backed.md b/windows/client-management/mdm/policy-admx-backed.md new file mode 100644 index 0000000000..643af44e7a --- /dev/null +++ b/windows/client-management/mdm/policy-admx-backed.md 
@@ -0,0 +1,4032 @@ +--- +title: Policy CSP - ADMX-backed policies +description: Policy CSP - ADMX-backed policies +ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy CSP - ADMX-backed policies + +The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies. This reference topic targets only policies which are backed by ADMX. To understand the difference between traditional MDM and ADMX-backed policies please see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md). + +## Table of ADMX-backed policies for Windows 10, version 1703. + +> [!IMPORTANT] +> To navigate the table horizontally, click on the table and then use the left and right scroll keys on your keyboard or use the scroll bar at the bottom of the table. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
MDM CSP setting path/nameGP english nameGP english category pathGP nameGP ADMX file name
ActiveXControls/ApprovedInstallationSitesApproved Installation Sites for ActiveX ControlsWindows Components/ActiveX Installer ServiceApprovedActiveXInstallSitesActiveXInstallService.admx
AppVirtualization/AllowAppVClientEnable App-V ClientSystem/App-VEnableAppVappv.admx
AppVirtualization/AllowDynamicVirtualizationEnable Dynamic VirtualizationSystem/App-V/VirtualizationVirtualization_JITVEnableappv.admx
AppVirtualization/AllowPackageCleanupEnable automatic cleanup of unused appv packagesSystem/App-V/Package ManagementPackageManagement_AutoCleanupEnableappv.admx
AppVirtualization/AllowPackageScriptsEnable Package ScriptsSystem/App-V/ScriptingScripting_Enable_Package_Scriptsappv.admx
AppVirtualization/AllowPublishingRefreshUXEnable Publishing Refresh UXSystem/App-V/PublishingEnable_Publishing_Refresh_UXappv.admx
AppVirtualization/AllowReportingServerReporting ServerSystem/App-V/ReportingReporting_Server_Policyappv.admx
AppVirtualization/AllowRoamingFileExclusionsRoaming File ExclusionsSystem/App-V/IntegrationIntegration_Roaming_File_Exclusionsappv.admx
AppVirtualization/AllowRoamingRegistryExclusionsRoaming Registry ExclusionsSystem/App-V/IntegrationIntegration_Roaming_Registry_Exclusionsappv.admx
AppVirtualization/AllowStreamingAutoloadSpecify what to load in background (aka AutoLoad)System/App-V/StreamingSteaming_Autoloadappv.admx
AppVirtualization/ClientCoexistenceAllowMigrationmodeEnable Migration ModeSystem/App-V/Client CoexistenceClient_Coexistence_Enable_Migration_modeappv.admx
AppVirtualization/IntegrationAllowRootGlobalIntegration Root UserSystem/App-V/IntegrationIntegration_Root_Userappv.admx
AppVirtualization/IntegrationAllowRootUserIntegration Root GlobalSystem/App-V/IntegrationIntegration_Root_Globalappv.admx
AppVirtualization/PublishingAllowServer1Publishing Server 1 SettingsSystem/App-V/PublishingPublishing_Server1_Policyappv.admx
AppVirtualization/PublishingAllowServer2Publishing Server 2 SettingsSystem/App-V/PublishingPublishing_Server2_Policyappv.admx
AppVirtualization/PublishingAllowServer3Publishing Server 3 SettingsSystem/App-V/PublishingPublishing_Server3_Policyappv.admx
AppVirtualization/PublishingAllowServer4Publishing Server 4 SettingsSystem/App-V/PublishingPublishing_Server4_Policyappv.admx
AppVirtualization/PublishingAllowServer5Publishing Server 5 SettingsSystem/App-V/PublishingPublishing_Server5_Policyappv.admx
AppVirtualization/StreamingAllowCertificateFilterForClient_SSLCertificate Filter For Client SSLSystem/App-V/StreamingStreaming_Certificate_Filter_For_Client_SSLappv.admx
AppVirtualization/StreamingAllowHighCostLaunchAllow First Time Application Launches if on a High Cost Windows 8 Metered ConnectionSystem/App-V/StreamingStreaming_Allow_High_Cost_Launchappv.admx
AppVirtualization/StreamingAllowLocationProviderLocation ProviderSystem/App-V/StreamingStreaming_Location_Providerappv.admx
AppVirtualization/StreamingAllowPackageInstallationRootPackage Installation RootSystem/App-V/StreamingStreaming_Package_Installation_Rootappv.admx
AppVirtualization/StreamingAllowPackageSourceRootPackage Source RootSystem/App-V/StreamingStreaming_Package_Source_Rootappv.admx
AppVirtualization/StreamingAllowReestablishmentIntervalReestablishment IntervalSystem/App-V/StreamingStreaming_Reestablishment_Intervalappv.admx
AppVirtualization/StreamingAllowReestablishmentRetriesReestablishment RetriesSystem/App-V/StreamingStreaming_Reestablishment_Retriesappv.admx
AppVirtualization/StreamingSharedContentStoreModeShared Content Store (SCS) modeSystem/App-V/StreamingStreaming_Shared_Content_Store_Modeappv.admx
AppVirtualization/StreamingSupportBranchCacheEnable Support for BranchCacheSystem/App-V/StreamingStreaming_Support_Branch_Cacheappv.admx
AppVirtualization/StreamingVerifyCertificateRevocationListVerify certificate revocation listSystem/App-V/StreamingStreaming_Verify_Certificate_Revocation_Listappv.admx
AppVirtualization/VirtualComponentsAllowListVirtual Component Process Allow ListSystem/App-V/VirtualizationVirtualization_JITVAllowListappv.admx
AttachmentManager/DoNotPreserveZoneInformationDo not preserve zone information in file attachmentsWindows Components/Attachment ManagerAM_MarkZoneOnSavedAtttachmentsAttachmentManager.admx
AttachmentManager/HideZoneInfoMechanismHide mechanisms to remove zone informationWindows Components/Attachment ManagerAM_RemoveZoneInfoAttachmentManager.admx
AttachmentManager/NotifyAntivirusProgramsNotify antivirus programs when opening attachmentsWindows Components/Attachment ManagerAM_CallIOfficeAntiVirusAttachmentManager.admx
Autoplay/DisallowAutoplayForNonVolumeDevicesDisallow Autoplay for non-volume devicesWindows Components/AutoPlay PoliciesNoAutoplayfornonVolumeAutoPlay.admx
Autoplay/SetDefaultAutoRunBehaviorSet the default behavior for AutoRunWindows Components/AutoPlay PoliciesNoAutorunAutoPlay.admx
Autoplay/TurnOffAutoPlayTurn off AutoplayWindows Components/AutoPlay PoliciesAutorunAutoPlay.admx
Connectivity/HardenedUNCPathsHardened UNC PathsNetwork/Network ProviderPol_HardenedPathsnetworkprovider.admx
CredentialProviders/AllowPINLogonTurn on convenience PIN sign-inSystem/LogonAllowDomainPINLogoncredentialproviders.admx
CredentialProviders/BlockPicturePasswordTurn off picture password sign-inSystem/LogonBlockDomainPicturePasswordcredentialproviders.admx
CredentialsUI/DisablePasswordRevealDo not display the password reveal buttonWindows Components/Credential User InterfaceDisablePasswordRevealcredui.admx
CredentialsUI/EnumerateAdministratorsEnumerate administrator accounts on elevationWindows Components/Credential User InterfaceEnumerateAdministratorscredui.admx
DataUsage/SetCost3GSet 3G CostNetwork/WWAN Service/WWAN Media CostSetCost3Gwwansvc.admx
DataUsage/SetCost4GSet 4G CostNetwork/WWAN Service/WWAN Media CostSetCost4Gwwansvc.admx
Desktop/PreventUserRedirectionOfProfileFolders   desktop.admx
DeviceInstallation/PreventInstallationOfMatchingDeviceIDsPrevent installation of devices that match any of these device IDsSystem/Device Installation/Device Installation RestrictionsDeviceInstall_IDs_Denydeviceinstallation.admx
DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClassesPrevent installation of devices using drivers that match these device setup classesSystem/Device Installation/Device Installation RestrictionsDeviceInstall_Classes_Denydeviceinstallation.admx
DeviceLock/PreventLockScreenSlideShow   ControlPanelDisplay.admx
ErrorReporting/CustomizeConsentSettingsCustomize consent settingsWindows Components/Windows Error Reporting/ConsentWerConsentCustomize_2ErrorReporting.admx
ErrorReporting/DisableWindowsErrorReportingDisable Windows Error ReportingWindows Components/Windows Error ReportingWerDisable_2ErrorReporting.admx
ErrorReporting/DisplayErrorNotificationDisplay Error NotificationWindows Components/Windows Error ReportingPCH_ShowUIErrorReporting.admx
ErrorReporting/DoNotSendAdditionalDataDo not send additional dataWindows Components/Windows Error ReportingWerNoSecondLevelData_2ErrorReporting.admx
ErrorReporting/PreventCriticalErrorDisplayPrevent display of the user interface for critical errorsWindows Components/Windows Error ReportingWerDoNotShowUIErrorReporting.admx
EventLogService/ControlEventLogBehaviorControl Event Log behavior when the log file reaches its maximum sizeWindows Components/Event Log Service/ApplicationChannel_Log_Retention_1eventlog.admx
EventLogService/SpecifyMaximumFileSizeApplicationLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/ApplicationChannel_LogMaxSize_1eventlog.admx
EventLogService/SpecifyMaximumFileSizeSecurityLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/SecurityChannel_LogMaxSize_2eventlog.admx
EventLogService/SpecifyMaximumFileSizeSystemLogSpecify the maximum log file size (KB)Windows Components/Event Log Service/SystemChannel_LogMaxSize_4eventlog.admx
InternetExplorer/AddSearchProviderAdd a specific list of search providers to the user's list of search providersWindows Components/Internet ExplorerAddSearchProviderinetres.admx
InternetExplorer/AllowActiveXFilteringTurn on ActiveX FilteringWindows Components/Internet ExplorerTurnOnActiveXFilteringinetres.admx
InternetExplorer/AllowAddOnListAdd-on ListWindows Components/Internet Explorer/Security Features/Add-on ManagementAddonManagement_AddOnListinetres.admx
InternetExplorer/AllowEnhancedProtectedModeTurn on Enhanced Protected ModeWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_EnableEnhancedProtectedModeinetres.admx
InternetExplorer/AllowEnterpriseModeFromToolsMenuLet users turn on and use Enterprise Mode from the Tools menuWindows Components/Internet ExplorerEnterpriseModeEnableinetres.admx
InternetExplorer/AllowEnterpriseModeSiteListUse the Enterprise Mode IE website listWindows Components/Internet ExplorerEnterpriseModeSiteListinetres.admx
InternetExplorer/AllowInternetExplorer7PolicyList Use Policy List of Internet Explorer 7 sitesCompatView_UsePolicyListinetres.admx
InternetExplorer/AllowInternetExplorerStandardsModeTurn on Internet Explorer Standards Mode for local intranetWindows Components/Internet Explorer/Compatibility ViewCompatView_IntranetSitesinetres.admx
InternetExplorer/AllowInternetZoneTemplateInternet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyInternetZoneTemplateinetres.admx
InternetExplorer/AllowIntranetZoneTemplateIntranet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyIntranetZoneTemplateinetres.admx
InternetExplorer/AllowLocalMachineZoneTemplateLocal Machine Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyLocalMachineZoneTemplateinetres.admx
InternetExplorer/AllowLockedDownInternetZoneTemplateLocked-Down Internet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyInternetZoneLockdownTemplateinetres.admx
InternetExplorer/AllowLockedDownIntranetZoneTemplateLocked-Down Intranet Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyIntranetZoneLockdownTemplateinetres.admx
InternetExplorer/AllowLockedDownLocalMachineZoneTemplateLocked-Down Local Machine Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyLocalMachineZoneLockdownTemplateinetres.admx
InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplateLocked-Down Restricted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyRestrictedSitesZoneLockdownTemplateinetres.admx
InternetExplorer/AllowOneWordEntryGo to an intranet site for a one-word entry in the Address barWindows Components/Internet Explorer/Internet Settings/Advanced settings/BrowsingUseIntranetSiteForOneWordEntryinetres.admx
InternetExplorer/AllowSiteToZoneAssignmentListSite to Zone Assignment ListWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_Zonemapsinetres.admx
InternetExplorer/AllowSuggestedSitesTurn on Suggested SitesWindows Components/Internet ExplorerEnableSuggestedSitesinetres.admx
InternetExplorer/AllowTrustedSitesZoneTemplateTrusted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyTrustedSitesZoneTemplateinetres.admx
InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplateLocked-Down Trusted Sites Zone TemplateIZ_PolicyTrustedSitesZoneLockdownTemplateinetres.admx
InternetExplorer/AllowsRestrictedSitesZoneTemplateRestricted Sites Zone TemplateWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_PolicyRestrictedSitesZoneTemplateinetres.admx
InternetExplorer/DisableAdobeFlashTurn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objectsWindows Components/Internet Explorer/Security Features/Add-on ManagementDisableFlashInIEinetres.admx
InternetExplorer/DisableBypassOfSmartScreenWarnings   inetres.admx
InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles   inetres.admx
InternetExplorer/DisableCustomerExperienceImprovementProgramParticipationPrevent participation in the Customer Experience Improvement ProgramWindows Components/Internet ExplorerSQM_DisableCEIPinetres.admx
InternetExplorer/DisableEnclosureDownloadingPrevent downloading of enclosuresWindows Components/RSS FeedsDisable_Downloading_of_Enclosuresinetres.admx
InternetExplorer/DisableEncryptionSupportTurn off encryption supportWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_SetWinInetProtocolsinetres.admx
InternetExplorer/DisableFirstRunWizardPrevent running First Run wizardWindows Components/Internet ExplorerNoFirstRunCustomiseinetres.admx
InternetExplorer/DisableFlipAheadFeatureTurn off the flip ahead with page prediction featureWindows Components/Internet Explorer/Internet Control Panel/Advanced PageAdvanced_DisableFlipAheadinetres.admx
InternetExplorer/DisableHomePageChangeDisable changing home page settingsWindows Components/Internet ExplorerRestrictHomePageinetres.admx
InternetExplorer/DisableProxyChange   inetres.admx
InternetExplorer/DisableSearchProviderChangePrevent changing the default search providerWindows Components/Internet ExplorerNoSearchProviderinetres.admx
InternetExplorer/DisableSecondaryHomePageChangeDisable changing secondary home page settingsWindows Components/Internet ExplorerSecondaryHomePagesinetres.admx
InternetExplorer/DisableUpdateCheck   inetres.admx
InternetExplorer/DoNotAllowUsersToAddSites   inetres.admx
InternetExplorer/DoNotAllowUsersToChangePolicies   inetres.admx
InternetExplorer/DoNotBlockOutdatedActiveXControlsTurn off blocking of outdated ActiveX controls for Internet ExplorerWindows Components/Internet Explorer/Security Features/Add-on ManagementVerMgmtDisableinetres.admx
InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomainsTurn off blocking of outdated ActiveX controls for Internet Explorer on specific domainsWindows Components/Internet Explorer/Security Features/Add-on ManagementVerMgmtDomainAllowlistinetres.admx
InternetExplorer/IncludeAllLocalSitesIntranet Sites: Include all local (intranet) sites not listed in other zonesWindows Components/Internet Explorer/Internet Control Panel/Security PageIZ_IncludeUnspecifiedLocalSitesinetres.admx
InternetExplorer/IncludeAllNetworkPathsIntranet Sites: Include all network paths (UNCs)Windows Components/Internet Explorer/Internet Control Panel/Security PageIZ_UNCAsIntranetinetres.admx
InternetExplorer/InternetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_1inetres.admx
InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNotificationBarActiveXURLaction_1inetres.admx
InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNotificationBarDownloadURLaction_1inetres.admx
InternetExplorer/InternetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyFontDownload_1inetres.admx
InternetExplorer/InternetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyZoneElevationURLaction_1inetres.admx
InternetExplorer/InternetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_1inetres.admx
InternetExplorer/InternetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_Policy_AllowScriptlets_1inetres.admx
InternetExplorer/InternetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_Policy_Phishing_1inetres.admx
InternetExplorer/InternetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyUserdataPersistence_1inetres.admx
InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_1inetres.admx
InternetExplorer/InternetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Internet ZoneIZ_PolicyNavigateSubframesAcrossDomains_1inetres.admx
InternetExplorer/IntranetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_3inetres.admx
InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNotificationBarActiveXURLaction_3inetres.admx
InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNotificationBarDownloadURLaction_3inetres.admx
InternetExplorer/IntranetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyFontDownload_3inetres.admx
InternetExplorer/IntranetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyZoneElevationURLaction_3inetres.admx
InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_3inetres.admx
InternetExplorer/IntranetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_Policy_AllowScriptlets_3inetres.admx
InternetExplorer/IntranetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_Policy_Phishing_3inetres.admx
InternetExplorer/IntranetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyUserdataPersistence_3inetres.admx
InternetExplorer/IntranetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_3inetres.admx
InternetExplorer/IntranetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet ZoneIZ_PolicyNavigateSubframesAcrossDomains_3inetres.admx
InternetExplorer/LocalMachineZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyAccessDataSourcesAcrossDomains_9inetres.admx
InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNotificationBarActiveXURLaction_9inetres.admx
InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNotificationBarDownloadURLaction_9inetres.admx
InternetExplorer/LocalMachineZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyFontDownload_9inetres.admx
InternetExplorer/LocalMachineZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyZoneElevationURLaction_9inetres.admx
InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_9inetres.admx
InternetExplorer/LocalMachineZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_Policy_AllowScriptlets_9inetres.admx
InternetExplorer/LocalMachineZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_Policy_Phishing_9inetres.admx
InternetExplorer/LocalMachineZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyUserdataPersistence_9inetres.admx
InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyScriptActiveXNotMarkedSafe_9inetres.admx
InternetExplorer/LocalMachineZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine ZoneIZ_PolicyNavigateSubframesAcrossDomains_9inetres.admx
InternetExplorer/LockedDownInternetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNotificationBarActiveXURLaction_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNotificationBarDownloadURLaction_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyFontDownload_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyZoneElevationURLaction_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_Policy_AllowScriptlets_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_Policy_Phishing_2inetres.admx
InternetExplorer/LockedDownInternetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyUserdataPersistence_2inetres.admx
InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_2inetres.admx
InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet ZoneIZ_PolicyNavigateSubframesAcrossDomains_2inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyAccessDataSourcesAcrossDomains_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNotificationBarActiveXURLaction_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNotificationBarDownloadURLaction_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyFontDownload_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyZoneElevationURLaction_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_Policy_AllowScriptlets_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_Policy_Phishing_4inetres.admx
InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyUserdataPersistence_4inetres.admx
InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyScriptActiveXNotMarkedSafe_4inetres.admx
InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet ZoneIZ_PolicyNavigateSubframesAcrossDomains_4inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyAccessDataSourcesAcrossDomains_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNotificationBarActiveXURLaction_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNotificationBarDownloadURLaction_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyFontDownload_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyZoneElevationURLaction_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_Policy_AllowScriptlets_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_Policy_Phishing_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyUserdataPersistence_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyScriptActiveXNotMarkedSafe_10inetres.admx
InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine ZoneIZ_PolicyNavigateSubframesAcrossDomains_10inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyFontDownload_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyZoneElevationURLaction_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_Policy_AllowScriptlets_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_Policy_Phishing_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyUserdataPersistence_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_8inetres.admx
InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_8inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyFontDownload_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyZoneElevationURLaction_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_Policy_AllowScriptlets_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_Policy_Phishing_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyUserdataPersistence_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_6inetres.admx
InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_6inetres.admx
InternetExplorer/RestrictedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyFontDownload_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyZoneElevationURLaction_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_Policy_AllowScriptlets_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_Policy_Phishing_7inetres.admx
InternetExplorer/RestrictedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyUserdataPersistence_7inetres.admx
InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_7inetres.admx
InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_7inetres.admx
InternetExplorer/SearchProviderListRestrict search providers to a specific listWindows Components/Internet ExplorerSpecificSearchProviderinetres.admx
InternetExplorer/TrustedSitesZoneAllowAccessToDataSourcesAccess data sources across domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyAccessDataSourcesAcrossDomains_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControlsAutomatic prompting for ActiveX controlsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNotificationBarActiveXURLaction_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloadsAutomatic prompting for file downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNotificationBarDownloadURLaction_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowFontDownloadsAllow font downloadsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyFontDownload_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSitesWeb sites in less privileged Web content zones can navigate into this zoneWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyZoneElevationURLaction_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponentsRun .NET Framework-reliant components not signed with AuthenticodeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyUnsignedFrameworkComponentsURLaction_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowScriptletsAllow scriptletsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_Policy_AllowScriptlets_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowSmartScreenIETurn on SmartScreen Filter scanWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_Policy_Phishing_5inetres.admx
InternetExplorer/TrustedSitesZoneAllowUserDataPersistenceUserdata persistenceWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyUserdataPersistence_5inetres.admx
InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControlsInitialize and script ActiveX controls not marked as safeWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyScriptActiveXNotMarkedSafe_5inetres.admx
InternetExplorer/TrustedSitesZoneNavigateWindowsAndFramesNavigate windows and frames across different domainsWindows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites ZoneIZ_PolicyNavigateSubframesAcrossDomains_5inetres.admx
Kerberos/AllowForestSearchOrder ForestSearchKerberos.admx
Kerberos/KerberosClientSupportsClaimsCompoundArmorKerberos client support for claims, compound authentication and Kerberos armoringSystem/KerberosEnableCbacAndArmorKerberos.admx
Kerberos/RequireKerberosArmoringFail authentication requests when Kerberos armoring is not availableSystem/KerberosClientRequireFastKerberos.admx
Kerberos/RequireStrictKDCValidationRequire strict KDC validationSystem/KerberosValidateKDCKerberos.admx
Kerberos/SetMaximumContextTokenSizeSet maximum Kerberos SSPI context token buffer sizeSystem/KerberosMaxTokenSizeKerberos.admx
Power/AllowStandbyWhenSleepingPluggedInAllow standby states (S1-S3) when sleeping (plugged in)System/Power Management/Sleep SettingsAllowStandbyStatesAC_2power.admx
Power/RequirePasswordWhenComputerWakesOnBatteryRequire a password when a computer wakes (on battery)System/Power Management/Sleep SettingsDCPromptForPasswordOnResume_2power.admx
Power/RequirePasswordWhenComputerWakesPluggedInRequire a password when a computer wakes (plugged in)System/Power Management/Sleep SettingsACPromptForPasswordOnResume_2power.admx
Printers/PointAndPrintRestrictionsPoint and Print RestrictionsPrintersPointAndPrint_Restrictions_Win7Printing.admx
Printers/PointAndPrintRestrictions_UserPoint and Print RestrictionsPointAndPrint_RestrictionsPrinting.admx
Printers/PublishPrintersAllow printers to be publishedPrintersPublishPrintersPrinting2.admx
RemoteAssistance/CustomizeWarningMessagesCustomize warning messagesSystem/Remote AssistanceRA_Optionsremoteassistance.admx
RemoteAssistance/SessionLoggingTurn on session loggingSystem/Remote AssistanceRA_Loggingremoteassistance.admx
RemoteAssistance/SolicitedRemoteAssistanceConfigure Solicited Remote AssistanceSystem/Remote AssistanceRA_Solicitremoteassistance.admx
RemoteAssistance/UnsolicitedRemoteAssistanceConfigure Offer Remote AssistanceRA_Unsolicitremoteassistance.admx
RemoteDesktopServices/AllowUsersToConnectRemotelyAllow users to connect remotely by using Remote Desktop ServicesWindows Components/Remote Desktop Services/Remote Desktop Session Host/ConnectionsTS_DISABLE_CONNECTIONSterminalserver.admx
RemoteDesktopServices/ClientConnectionEncryptionLevelSet client connection encryption levelWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_ENCRYPTION_POLICYterminalserver.admx
RemoteDesktopServices/DoNotAllowDriveRedirectionDo not allow drive redirectionWindows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource RedirectionTS_CLIENT_DRIVE_Mterminalserver.admx
RemoteDesktopServices/DoNotAllowPasswordSavingDo not allow passwords to be savedWindows Components/Remote Desktop Services/Remote Desktop Connection ClientTS_CLIENT_DISABLE_PASSWORD_SAVING_2terminalserver.admx
RemoteDesktopServices/PromptForPasswordUponConnectionAlways prompt for password upon connectionWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_PASSWORDterminalserver.admx
RemoteDesktopServices/RequireSecureRPCCommunicationRequire secure RPC communicationWindows Components/Remote Desktop Services/Remote Desktop Session Host/SecurityTS_RPC_ENCRYPTIONterminalserver.admx
RemoteProcedureCall/RPCEndpointMapperClientAuthenticationEnable RPC Endpoint Mapper Client AuthenticationSystem/Remote Procedure CallRpcEnableAuthEpResolutionrpc.admx
RemoteProcedureCall/RestrictUnauthenticatedRPCClientsRestrict Unauthenticated RPC clientsSystem/Remote Procedure CallRpcRestrictRemoteClientsrpc.admx
Storage/EnhancedStorageDevicesDo not allow Windows to activate Enhanced Storage devicesSystem/Enhanced Storage AccessTCGSecurityActivationDisabledenhancedstorage.admx
System/BootStartDriverInitializationBoot-Start Driver Initialization PolicySystem/Early Launch AntimalwarePOL_DriverLoadPolicy_Nameearlylauncham.admx
System/DisableSystemRestoreTurn off System RestoreSystem/System RestoreSR_DisableSRsystemrestore.admx
WindowsLogon/DisableLockScreenAppNotificationsTurn off app notifications on the lock screenSystem/LogonDisableLockScreenAppNotificationslogon.admx
WindowsLogon/DontDisplayNetworkSelectionUIDo not display network selection UISystem/LogonDontDisplayNetworkSelectionUIlogon.admx
+ + +## List of <AreaName>/<PolicyName> + + +**ActiveXControls/ApprovedInstallationSites** + +

This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL.

+ +

If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. + +If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation.

+ +

Note: Wild card characters cannot be used when specifying the host URLs. +

+ +**AppVirtualization/AllowAppVClient** + +

This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect.

+ +**AppVirtualization/AllowDynamicVirtualization** + +

Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls.

+ +**AppVirtualization/AllowPackageCleanup** + +

N/A

+ +**AppVirtualization/AllowPackageScripts** + +

Enables scripts defined in the package manifest of configuration files that should run.

+ +**AppVirtualization/AllowPublishingRefreshUX** + +

Enables a UX to display to the user when a publishing refresh is performed on the client.

+ +**AppVirtualization/AllowReportingServer** + +

Reporting Server URL: Displays the URL of reporting server.

+ +

Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. + + Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. + + Repeat reporting for every (days): The periodical interval in days for sending the reporting data. + + Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again.

+ +

Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. +

+ +**AppVirtualization/AllowRoamingFileExclusions** + +

Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'.

+ +**AppVirtualization/AllowRoamingRegistryExclusions** + +

Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients.

+ +**AppVirtualization/AllowStreamingAutoload** + +

Specifies how new packages should be loaded automatically by App-V on a specific computer.

+ +**AppVirtualization/ClientCoexistenceAllowMigrationmode** + +

Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.

+ +**AppVirtualization/IntegrationAllowRootGlobal** + +

Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.

+ +**AppVirtualization/IntegrationAllowRootUser** + +

Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.

+ +**AppVirtualization/PublishingAllowServer1** + +

Publishing Server Display Name: Displays the name of publishing server. + + Publishing Server URL: Displays the URL of publishing server. + + Global Publishing Refresh: Enables global publishing refresh (Boolean). + + Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + + Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + + Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + User Publishing Refresh: Enables user publishing refresh (Boolean). + + User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + + User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + + User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +

+ +**AppVirtualization/PublishingAllowServer2** + +

Publishing Server Display Name: Displays the name of publishing server. + + Publishing Server URL: Displays the URL of publishing server. + + Global Publishing Refresh: Enables global publishing refresh (Boolean). + + Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + + Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + + Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + User Publishing Refresh: Enables user publishing refresh (Boolean). + + User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + + User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + + User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +

+ +**AppVirtualization/PublishingAllowServer3** + +

Publishing Server Display Name: Displays the name of publishing server. + + Publishing Server URL: Displays the URL of publishing server. + + Global Publishing Refresh: Enables global publishing refresh (Boolean). + + Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + + Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + + Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + User Publishing Refresh: Enables user publishing refresh (Boolean). + + User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + + User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + + User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +

+ +**AppVirtualization/PublishingAllowServer4** + +

Publishing Server Display Name: Displays the name of publishing server. + + Publishing Server URL: Displays the URL of publishing server. + + Global Publishing Refresh: Enables global publishing refresh (Boolean). + + Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + + Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + + Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + User Publishing Refresh: Enables user publishing refresh (Boolean). + + User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + + User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + + User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +

+ +**AppVirtualization/PublishingAllowServer5** + +

Publishing Server Display Name: Displays the name of publishing server. + + Publishing Server URL: Displays the URL of publishing server. + + Global Publishing Refresh: Enables global publishing refresh (Boolean). + + Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + + Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + + Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + User Publishing Refresh: Enables user publishing refresh (Boolean). + + User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + + User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + + User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). +

+ +**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** + +

Specifies the path to a valid certificate in the certificate store.

+ +**AppVirtualization/StreamingAllowHighCostLaunch** + +

This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G).

+ +**AppVirtualization/StreamingAllowLocationProvider** + +

Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.

+ +**AppVirtualization/StreamingAllowPackageInstallationRoot** + +

Specifies directory where all new applications and updates will be installed.

+ +**AppVirtualization/StreamingAllowPackageSourceRoot** + +

Overrides source location for downloading package content.

+ +**AppVirtualization/StreamingAllowReestablishmentInterval** + +

Specifies the number of seconds between attempts to reestablish a dropped session.

+ +**AppVirtualization/StreamingAllowReestablishmentRetries** + +

Specifies the number of times to retry a dropped session.

+ +**AppVirtualization/StreamingSharedContentStoreMode** + +

Specifies that streamed package contents will be not be saved to the local hard disk.

+ +**AppVirtualization/StreamingSupportBranchCache** + +

If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache

+ +**AppVirtualization/StreamingVerifyCertificateRevocationList** + +

Verifies Server certificate revocation status before streaming using HTTPS.

+ +**AppVirtualization/VirtualComponentsAllowList** + +

Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components.

+ +**AttachmentManager/DoNotPreserveZoneInformation** + +

This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments.

+ +

If you enable this policy setting, Windows does not mark file attachments with their zone information.

+ +

If you disable this policy setting, Windows marks file attachments with their zone information.

+ +

If you do not configure this policy setting, Windows marks file attachments with their zone information.

+ +**AttachmentManager/HideZoneInfoMechanism** + +

This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening.

+ +

If you enable this policy setting, Windows hides the check box and Unblock button.

+ +

If you disable this policy setting, Windows shows the check box and Unblock button.

+ +

If you do not configure this policy setting, Windows hides the check box and Unblock button.

+ +**AttachmentManager/NotifyAntivirusPrograms** + +

This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant.

+ +

If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened.

+ +

If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.

+ +

If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened.

+ +**Autoplay/DisallowAutoplayForNonVolumeDevices** + +

This policy setting disallows AutoPlay for MTP devices like cameras or phones.

+ +

If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones.

+ +

If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices.

+ +**Autoplay/SetDefaultAutoRunBehavior** + +

This policy setting sets the default behavior for Autorun commands.

+ +

Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines.

+ +

Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention.

+ +

This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog.

+ +

If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to:

+ +

a) Completely disable autorun commands, or + b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command.

+ +

If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run.

+ +**Autoplay/TurnOffAutoPlay** + +

This policy setting allows you to turn off the Autoplay feature.

+ +

Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately.

+ +

Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives.

+ +

Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices.

+ +

If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives.

+ +

This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default.

+ +

If you disable or do not configure this policy setting, AutoPlay is enabled.

+ +

Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.

+ +**Connectivity/HardenedUNCPaths** + +

This policy setting configures secure access to UNC paths.

+ +

If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. +

+ +**CredentialProviders/AllowPINLogon** + +

This policy setting allows you to control whether a domain user can sign in using a convenience PIN. In Windows 10, convenience PIN was replaced with Windows Hello PIN, which has stronger security properties. To configure Windows Hello for Business, use the policies under Computer configuration\Administrative Templates\Windows Components\Windows Hello for Business.

+ +

If you enable this policy setting, a domain user can set up and sign in with a convenience PIN.

+ +

If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN.

+ +

Note that the user's domain password will be cached in the system vault when using this feature.

+ +**CredentialProviders/BlockPicturePassword** + +

This policy setting allows you to control whether a domain user can sign in using a picture password.

+ +

If you enable this policy setting, a domain user can't set up or sign in with a picture password.

+ +

If you disable or don't configure this policy setting, a domain user can set up and use a picture password.

+ +

Note that the user's domain password will be cached in the system vault when using this feature.

+ +**CredentialsUI/DisablePasswordReveal** + +

This policy setting allows you to configure the display of the password reveal button in password entry user experiences.

+ +

If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box.

+ +

If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box.

+ +

By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button.

+ +

The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer.

+ +**CredentialsUI/EnumerateAdministrators** + +

This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application.

+ +

If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password.

+ +

If you disable this policy setting, users will always be required to type a user name and password to elevate.

+ +**DataUsage/SetCost3G** + +

This policy setting configures the cost of 3G connections on the local machine.

+ +

If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:

+ +

- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.

+ +

- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.

+ +

- Variable: This connection is costed on a per byte basis.

+ +

If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. +

+ +**DataUsage/SetCost4G** + +

This policy setting configures the cost of 4G connections on the local machine.

+ +

If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:

+ +

- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.

+ +

- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.

+ +

- Variable: This connection is costed on a per byte basis.

+ +

If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. +

+ +**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** + +

This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

+ +

If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

+ +

If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

+ +**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** + +

This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

+ +

If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.

+ +**ErrorReporting/CustomizeConsentSettings** + +

This policy setting determines the consent behavior of Windows Error Reporting for specific event types.

+ +

If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4.

+ +

- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.

+ +

- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.

+ +

- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft.

+ +

- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft.

+ +

- 4 (Send all data): Any data requested by Microsoft is sent automatically.

+ +

If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting.

+ +**ErrorReporting/DisableWindowsErrorReporting** + +

This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails.

+ +

If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel.

+ +

If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied.

+ +**ErrorReporting/DisplayErrorNotification** + +

This policy setting controls whether users are shown an error dialog box that lets them report an error.

+ +

If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error.

+ +

If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. Disabling this policy setting is useful for servers that do not have interactive users.

+ +

If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server.

+ +

See also the Configure Error Reporting policy setting.

+ +**ErrorReporting/DoNotSendAdditionalData** + +

This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.

+ +

If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user.

+ +

If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence.

+ +**ErrorReporting/PreventCriticalErrorDisplay** + +

This policy setting prevents the display of the user interface for critical errors.

+ +

If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.

+ +

If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors.

+ +**EventLogService/ControlEventLogBehavior** + +

This policy setting controls Event Log behavior when the log file reaches its maximum size.

+ +

If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost.

+ +

If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events.

+ +

Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.

+ +**EventLogService/SpecifyMaximumFileSizeApplicationLog** + +

This policy setting specifies the maximum size of the log file in kilobytes.

+ +

If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

+ +

If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

+ +**EventLogService/SpecifyMaximumFileSizeSecurityLog** + +

This policy setting specifies the maximum size of the log file in kilobytes.

+ +

If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

+ +

If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

+ +**EventLogService/SpecifyMaximumFileSizeSystemLog** + +

This policy setting specifies the maximum size of the log file in kilobytes.

+ +

If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments.

+ +

If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes.

+ +**InternetExplorer/AddSearchProvider** + +

This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website.

+ +

If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

+ +

If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration.

+ +**InternetExplorer/AllowActiveXFiltering** + +

This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.

+ +

If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions.

+ +

If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.

+ +**InternetExplorer/AllowAddOnList** + +

This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.

+ +

This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied.

+ +

If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information:

+ +

Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.

+ +

Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field.

+ +

If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied.

+ +**InternetExplorer/AllowEnhancedProtectedMode** + +

Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.

+ +

If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.

+ +

If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.

+ +

If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.

+ +**InternetExplorer/AllowEnterpriseModeFromToolsMenu** + +

This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu.

+ +

If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports.

+ +

If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode.

+ +**InternetExplorer/AllowEnterpriseModeSiteList** + +

This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list.

+ +

If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE.

+ +

If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode.

+ +**InternetExplorer/AllowInternetExplorer7PolicyList ** + +

This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.

+ +

If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify.

+ +

If you disable or do not configure this policy setting, the user can add and remove sites from the list.

+ +**InternetExplorer/AllowInternetExplorerStandardsMode** + +

This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone.

+ +

If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box.

+ +

If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.

+ +

If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer.

+ +**InternetExplorer/AllowInternetZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/AllowIntranetZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/AllowLocalMachineZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/AllowLockedDownInternetZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/AllowLockedDownIntranetZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/AllowOneWordEntry** + +

This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.

+ +

If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available.

+ +

If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar.

+ +**InternetExplorer/AllowSiteToZoneAssignmentList** + +

This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone.

+ +

Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.)

+ +

If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information:

+ +

Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict.

+ +

Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4.

+ +

If you disable or do not configure this policy, users may choose their own site-to-zone assignments.

+ +**InternetExplorer/AllowSuggestedSites** + +

This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit.

+ +

If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions.

+ +

If you disable this policy setting, the entry points and functionality associated with this feature are turned off.

+ +

If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature.

+ +**InternetExplorer/AllowTrustedSitesZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/AllowsRestrictedSitesZoneTemplate** + +

This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.

+ +

If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.

+ +

If you disable this template policy setting, no security level is configured.

+ +

If you do not configure this template policy setting, no security level is configured.

+ +

Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.

+ +

Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.

+ +**InternetExplorer/DisableAdobeFlash** + +

This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.

+ +

If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.

+ +

If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.

+ +

Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured. However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.

+ +**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation** + +

This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).

+ +

If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

+ +

If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.

+ +

If you do not configure this policy setting, the user can choose to participate in the CEIP.

+ +**InternetExplorer/DisableEnclosureDownloading** + +

This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.

+ +

If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.

+ +

If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.

+ +**InternetExplorer/DisableEncryptionSupport** + +

This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.

+ +

If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.

+ +

If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.

+ +

Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.

+ +**InternetExplorer/DisableFirstRunWizard** + +

This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.

+ +

If you enable this policy setting, you must make one of the following choices: + Skip the First Run wizard, and go directly to the user's home page. + Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.

+ +

Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.

+ +

If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.

+ +**InternetExplorer/DisableFlipAheadFeature** + +

This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.

+ +

Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.

+ +

If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.

+ +

If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.

+ +

If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.

+ +**InternetExplorer/DisableHomePageChange** + +

The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.

+ +

If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.

+ +

If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.

+ +**InternetExplorer/DisableSearchProviderChange** + +

This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.

+ +

If you enable this policy setting, the user cannot change the default search provider.

+ +

If you disable or do not configure this policy setting, the user can change the default search provider.

+ +**InternetExplorer/DisableSecondaryHomePageChange** + +

Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.

+ +

If you enable this policy setting, you can specify which default home pages should load as secondary home pages. The user cannot set custom default secondary home pages.

+ +

If you disable or do not configure this policy setting, the user can add secondary home pages.

+ +

Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.

+ +**InternetExplorer/DoNotBlockOutdatedActiveXControls** + +

This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

+ +

If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.

+ +

If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.

+ +

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

+ +**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains** + +

This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.

+ +

If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:

+ +

1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com" +2. "hostname". For example, if you want to include http://example, use "example" +3. "file:///path/filename.htm". For example, use "file:///C:/Users/contoso/Desktop/index.htm"

+ +

If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.

+ +

For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.

+ +**InternetExplorer/IncludeAllLocalSites** + +

This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.

+ +

If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.

+ +

If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).

+ +

If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.

+ +**InternetExplorer/IncludeAllNetworkPaths** + +

This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.

+ +

If you enable this policy setting, all network paths are mapped into the Intranet Zone.

+ +

If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).

+ +

If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.

+ +**InternetExplorer/InternetZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

+ +**InternetExplorer/InternetZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

+ +**InternetExplorer/InternetZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

+ +**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

+ +**InternetExplorer/InternetZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/InternetZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/InternetZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +**InternetExplorer/InternetZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

+ +

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

+ +**InternetExplorer/IntranetZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

+ +**InternetExplorer/IntranetZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

+ +**InternetExplorer/IntranetZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.

+ +**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

+ +**InternetExplorer/IntranetZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/IntranetZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/IntranetZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +**InternetExplorer/IntranetZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

+ +

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

+ +**InternetExplorer/LocalMachineZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

+ +**InternetExplorer/LocalMachineZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

+ +**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

+ +**InternetExplorer/LocalMachineZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/LocalMachineZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/LocalMachineZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

+ +

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

+ +**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

+ +**InternetExplorer/LockedDownInternetZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

+ +**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

+ +**InternetExplorer/LockedDownInternetZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

+ +

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

+ +**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

+ +**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

+ +**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

+ +**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

+ +

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

+ +**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

+ +**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

+ +**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

+ +**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

+ +

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

+ +

If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

+ +**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

+ +**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

+ +**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

+ +**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

+ +

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

+ +**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.

+ +**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, users are queried whether to allow HTML fonts to download.

+ +**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.

+ +**InternetExplorer/RestrictedSitesZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains.

+ +

If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains.

+ +**InternetExplorer/SearchProviderList** + +

This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website.

+ +

If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers.

+ +

If you disable or do not configure this policy setting, the user can configure his or her list of search providers.

+ +**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** + +

This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).

+ +

If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +

If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.

+ +**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** + +

This policy setting manages whether users will be automatically prompted for ActiveX control installations.

+ +

If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +

If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.

+ +

If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.

+ +**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** + +

This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.

+ +

If you enable this setting, users will receive a file download dialog for automatic download attempts.

+ +

If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.

+ +**InternetExplorer/TrustedSitesZoneAllowFontDownloads** + +

This policy setting allows you to manage whether pages of the zone may download HTML fonts.

+ +

If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.

+ +

If you disable this policy setting, HTML fonts are prevented from downloading.

+ +

If you do not configure this policy setting, HTML fonts can be downloaded automatically.

+ +**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites** + +

This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.

+ +

If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.

+ +

If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.

+ +

If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.

+ +**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents** + +

This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.

+ +

If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.

+ +

If you disable this policy setting, Internet Explorer will not execute unsigned managed components.

+ +

If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.

+ +**InternetExplorer/TrustedSitesZoneAllowScriptlets** + +

This policy setting allows you to manage whether the user can run scriptlets.

+ +

If you enable this policy setting, the user can run scriptlets.

+ +

If you disable this policy setting, the user cannot run scriptlets.

+ +

If you do not configure this policy setting, the user can enable or disable scriptlets.

+ +**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE** + +

This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.

+ +

If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.

+ +

If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.

+ +

Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.

+ +**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence** + +

This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.

+ +

If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +

If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.

+ +**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls** + +

This policy setting allows you to manage ActiveX controls not marked as safe.

+ +

If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.

+ +

If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +

If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.

+ +

If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.

+ +**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames** + +

This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.

+ +

If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.

+ +

If you disable this policy setting, users cannot open windows and frames to access applications from different domains.

+ +

If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.

+ +**Kerberos/AllowForestSearchOrder** + +

This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).

+ +

If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.

+ +

If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.

+ +**Kerberos/KerberosClientSupportsClaimsCompoundArmor** + +

This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. +If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.

+ +

If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition. +

+ +**Kerberos/RequireKerberosArmoring** + +

This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.

+ +

Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.

+ +

If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.

+ +

Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.

+ +

If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain. +

+ +**Kerberos/RequireStrictKDCValidation** + +

This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.

+ +

If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.

+ +

If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server. +

+ +**Kerberos/SetMaximumContextTokenSize** + +

This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. + +The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.

+ +

If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.

+ +

If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.

+ +

Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.

+ +

+ +**Power/AllowStandbyWhenSleepingPluggedIn** + +

This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.

+ +

If you enable this policy setting, Windows uses standby states to put the computer in a sleep state.

+ +

If you disable or do not configure this policy setting, the only sleep state a computer may enter is hibernate.

+ +**Power/RequirePasswordWhenComputerWakesOnBattery** + +

This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

+ +

If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.

+ +

If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.

+ +**Power/RequirePasswordWhenComputerWakesPluggedIn** + +

This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.

+ +

If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.

+ +

If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.

+ +**Printers/PointAndPrintRestrictions** + +

This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

+ +

If you enable this policy setting: + -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. + -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

+ +

If you do not configure this policy setting: + -Windows Vista client computers can point and print to any server. + -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. + -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. + -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

+ +

If you disable this policy setting: + -Windows Vista client computers can create a printer connection to any server using Point and Print. + -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. + -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. + -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

+ +**Printers/PointAndPrintRestrictions_User** + +

This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.

+ +

If you enable this policy setting: + -Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made. + -You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.

+ +

If you do not configure this policy setting: + -Windows Vista client computers can point and print to any server. + -Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print. + -Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. + -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.

+ +

If you disable this policy setting: + -Windows Vista client computers can create a printer connection to any server using Point and Print. + -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print. + -Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated. + -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. + -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).

+ +**Printers/PublishPrinters** + +

Determines whether the computer's shared printers can be published in Active Directory.

+ +

If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.

+ +

If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.

+ +

Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".

+ +**RemoteAssistance/CustomizeWarningMessages** + +

This policy setting lets you customize warning messages.

+ +

The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.

+ +

The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer.

+ +

If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice.

+ +

If you disable this policy setting, the user sees the default warning message.

+ +

If you do not configure this policy setting, the user sees the default warning message.

+ +**RemoteAssistance/SessionLogging** + +

This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.

+ +

If you enable this policy setting, log files are generated.

+ +

If you disable this policy setting, log files are not generated.

+ +

If you do not configure this setting, application-based settings are used.

+ +**RemoteAssistance/SolicitedRemoteAssistance** + +

This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.

+ +

If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings.

+ +

If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer.

+ +

If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.

+ +

If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."

+ +

The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open.

+ +

The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported.

+ +

If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.

+ +**RemoteAssistance/UnsolicitedRemoteAssistance** + +

This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.

+ +

If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

+ +

If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

+ +

If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.

+ +

If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance.

+ +

To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format:

+ +

\ or

+ +

\

+ +

If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running.

+ +

Windows Vista and later

+ +

Enable the Remote Assistance exception for the domain profile. The exception must contain: +Port 135:TCP +%WINDIR%\System32\msra.exe +%WINDIR%\System32\raserver.exe

+ +

Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1)

+ +

Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +%WINDIR%\System32\Sessmgr.exe

+ +

For computers running Windows Server 2003 with Service Pack 1 (SP1)

+ +

Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +Allow Remote Desktop Exception

+ +**RemoteDesktopServices/AllowUsersToConnectRemotely** + +

This policy setting allows you to configure remote access to computers by using Remote Desktop Services.

+ +

If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services.

+ +

If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections.

+ +

If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed.

+ +

Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication.

+ +

You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. +

+ +**RemoteDesktopServices/ClientConnectionEncryptionLevel** + +

Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.

+ +

If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available:

+ +

* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers.

+ +

* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.

+ +

* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.

+ +

If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy.

+ +

Important

+ +

FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. +

+ +**RemoteDesktopServices/DoNotAllowDriveRedirection** + +

This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).

+ +

By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior.

+ +

If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP.

+ +

If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed.

+ +

If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. +

+ +**RemoteDesktopServices/DoNotAllowPasswordSaving** + +

Controls whether passwords can be saved on this computer from Remote Desktop Connection.

+ +

If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted.

+ +

If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection.

+ +**RemoteDesktopServices/PromptForPasswordUponConnection** + +

This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.

+ +

You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.

+ +

By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.

+ +

If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.

+ +

If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client.

+ +

If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. +

+ +**RemoteDesktopServices/RequireSecureRPCCommunication** + +

Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.

+ +

You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

+ +

If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients.

+ +

If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request.

+ +

If the status is set to Not Configured, unsecured communication is allowed.

+ +

Note: The RPC interface is used for administering and configuring Remote Desktop Services.

+ +**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** + +

This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner.

+ +

If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.

+ +

If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.

+ +

If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.

+ +

Note: This policy will not be applied until the system is rebooted.

+ +**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** + +

This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.

+ +

This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller.

+ +

If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting.

+ +

If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting.

+ +

If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting.

+
+

-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.

+
+

-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them.

+
+

-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed.

+
+

Note: This policy setting will not be applied until the system is rebooted.

+
+**Storage/EnhancedStorageDevices**
+
+

This policy setting configures whether or not Windows will activate an Enhanced Storage device.

+
+

If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices.

+
+

If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices.

+
+**System/BootStartDriverInitialization**
+
+

N/A

+
+**System/DisableSystemRestore**
+
+

Allows you to disable System Restore.

+
+

This policy setting allows you to turn off System Restore.

+
+

System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume.

+
+

If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled.

+
+

If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection.

+
+

Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available.

+
+**WindowsLogon/DisableLockScreenAppNotifications**
+
+

This policy setting allows you to prevent app notifications from appearing on the lock screen.

+
+

If you enable this policy setting, no app notifications are displayed on the lock screen.

+
+

If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.

+
+**WindowsLogon/DontDisplayNetworkSelectionUI**
+
+

This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.

+
+

If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows.

+
+

If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.

+
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
new file mode 100644
index 0000000000..6a2a63b9e5
--- /dev/null
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -0,0 +1,17623 @@
+---
+title: Policy CSP
+description: Policy CSP
+ms.assetid: 4F3A1134-D401-44FC-A583-6EDD3070BA4F
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Policy CSP
+
+The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
+
+The Policy configuration service provider has the following sub-categories:
+
+- Policy/Config/*AreaName* – Handles the policy configuration request from the server.
+- Policy/Result/*AreaName* – Provides a read-only path to policies enforced on the device.
+
+The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
+
+![policy csp diagram](images/provisioning-csp-policy.png)
+
+
+**./Vendor/MSFT/Policy**
+

The root node for the Policy configuration service provider. + +

Supported operation is Get. + +**Policy/Config** +

Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. + +

Supported operation is Get. + +**Policy/Config/****_AreaName_** +

The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. + +

Supported operations are Add, Get, and Delete. + +**Policy/Config/****_AreaName/PolicyName_** +

Specifies the name/value pair used in the policy. + +

The following list shows some tips to help you when configuring policies: + +- Separate substring values by the Unicode &\#xF000; in the XML file. + +> [!NOTE] +> A query from a different caller could provide a different value as each caller could have different values for a named policy. + +- In SyncML, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction. +- Supported operations are Add, Get, Delete, and Replace. +- Value type is string. + +**Policy/Result** +

Groups the evaluated policies from all providers that can be configured. + +

Supported operation is Get. + +**Policy/Result/****_AreaName_** +

The area group that can be configured by a single technology independent of the providers. + +

Supported operation is Get. + +**Policy/Result/****_AreaName/PolicyName_** +

Specifies the name/value pair used in the policy. + +

Supported operation is Get. + +**Policy/ConfigOperations** +

Added in Windows 10, version 1703. The root node for grouping different configuration operations. + +

Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall** +

Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Centennial apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed polices for those Win32 or Centennial apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Centennial app policies, see [Win32 and Centennial app policy configuration](win32-and-centennial-app-policy-configuration.md). + +> [!NOTE] +> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](https://technet.microsoft.com/en-us/library/cc179097.aspx). + +

ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}`. + +

Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_** +

Added in Windows 10, version 1703. Specifies the name of the Win32 or Centennial app associated with the ADMX file. + +

Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy** +

Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app policy is to be imported. + +

Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_/Policy/_UniqueID_** +

Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. + +

Supported operations are Add and Get. Does not support Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference** +

Added in Windows 10, version 1703. Specifies that a Win32 or Centennial app preference is to be imported. + +

Supported operations are Add, Get, and Delete. + +**Policy/ConfigOperations/ADMXInstall/****_AppName_/Preference/_UniqueID_** +

Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. + +

Supported operations are Add and Get. Does not support Delete. + +> [!Note] +> The policies supported in Windows 10 S is the same as in Windows 10 Pro, except that policies under AppliationsDefaults are not suppported in Windows 10 S. + + +


+ +## Policies + + +**AboveLock/AllowActionCenterNotifications** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

Specifies whether to allow Action Center notifications above the device lock screen. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**AboveLock/AllowCortanaAboveLock** + + +

Added in Windows 10, version 1607. Specifies whether or not the user can interact with Cortana using speech while the system is locked. If you enable or don’t configure this setting, the user can interact with Cortana using speech while the system is locked. If you disable this setting, the system will need to be unlocked for the user to interact with Cortana using speech. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**AboveLock/AllowToasts** + + +

Specifies whether to allow toast notifications above the device lock screen. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Accounts/AllowAddingNonMicrosoftAccountsManually** + + +

Specifies whether user is allowed to add non-MSA email accounts. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +> [!NOTE] +> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Accounts/AllowMicrosoftAccountConnection** + + +

Specifies whether the user is allowed to use an MSA account for non-email related connection authentication and services. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Accounts/AllowMicrosoftAccountSignInAssistant** + + +

Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "Microsoft Account Sign-In Assistant" (wlidsvc) NT service. + +

The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Manual start. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Accounts/DomainNamesForEmailSync** + + +

Specifies a list of the domains that are allowed to sync email on the device. + +

The data type is a string. + +

The default value is an empty string, which allows all email accounts on the device to sync email. Otherwise, the string should contain a pipe-separated list of domains that are allowed to sync email on the device. For example, "contoso.com|fabrikam.net|woodgrove.gov". + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ActiveXControls/ApprovedInstallationSites** + + +This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on their computers. When this setting is enabled, the administrator can create a list of approved Activex Install sites specified by host URL. + +If you enable this setting, the administrator can create a list of approved ActiveX Install sites specified by host URL. + +If you disable or do not configure this policy setting, ActiveX controls prompt the user for administrative credentials before installation. + +Note: Wild card characters cannot be used when specifying the host URLs. + + + + + + +ADMX Info: +- GP english name: *Approved Installation Sites for ActiveX Controls* +- GP name: *ApprovedActiveXInstallSites* +- GP path: *Windows Components/ActiveX Installer Service* +- GP ADMX file name: *ActiveXInstallService.admx* + + + + +**AppVirtualization/AllowAppVClient** + + +This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to take effect. + + + + + +ADMX Info: +- GP english name: *Enable App-V Client* +- GP name: *EnableAppV* +- GP path: *System/App-V* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowDynamicVirtualization** + + +Enables Dynamic Virtualization of supported shell extensions, browser helper objects, and ActiveX controls. 
+ + + + + +ADMX Info: +- GP english name: *Enable Dynamic Virtualization* +- GP name: *Virtualization_JITVEnable* +- GP path: *System/App-V/Virtualization* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowPackageCleanup** + + +Enables automatic cleanup of appv packages that were added after Windows10 anniversary release. + + + + + +ADMX Info: +- GP english name: *Enable automatic cleanup of unused appv packages* +- GP name: *PackageManagement_AutoCleanupEnable* +- GP path: *System/App-V/Package Management* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowPackageScripts** + + +Enables scripts defined in the package manifest of configuration files that should run. + + + + + +ADMX Info: +- GP english name: *Enable Package Scripts* +- GP name: *Scripting_Enable_Package_Scripts* +- GP path: *System/App-V/Scripting* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowPublishingRefreshUX** + + +Enables a UX to display to the user when a publishing refresh is performed on the client. + + + + + +ADMX Info: +- GP english name: *Enable Publishing Refresh UX* +- GP name: *Enable_Publishing_Refresh_UX* +- GP path: *System/App-V/Publishing* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowReportingServer** + + +Reporting Server URL: Displays the URL of reporting server. + +Reporting Time: When the client data should be reported to the server. Acceptable range is 0~23, corresponding to the 24 hours in a day. A good practice is, don't set this time to a busy hour, e.g. 9AM. + +Delay reporting for the random minutes: The maximum minutes of random delay on top of the reporting time. For a busy system, the random delay will help reduce the server load. + +Repeat reporting for every (days): The periodical interval in days for sending the reporting data. + +Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting information. The default value is 20 MB. 
The size applies to the cache in memory. When the limit is reached, the log file will roll over. When a new record is to be added (bottom of the list), one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log the first time this occurs, and will not be logged again until after the cache has been successfully cleared on transmission and the log has filled up again. + +Data Block Size: This value specifies the maximum size in bytes to transmit to the server at once on a reporting upload, to avoid permanent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server, one block at a time of application records that is less than or equal to the block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global package list data prepended, and these will not factor into the block size calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections. + + + + + + +ADMX Info: +- GP english name: *Reporting Server* +- GP name: *Reporting_Server_Policy* +- GP path: *System/App-V/Reporting* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowRoamingFileExclusions** + + +Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my pictures'. + + + + + +ADMX Info: +- GP english name: *Roaming File Exclusions* +- GP name: *Integration_Roaming_File_Exclusions* +- GP path: *System/App-V/Integration* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowRoamingRegistryExclusions** + + +Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\clients. 
+ + + + + +ADMX Info: +- GP english name: *Roaming Registry Exclusions* +- GP name: *Integration_Roaming_Registry_Exclusions* +- GP path: *System/App-V/Integration* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/AllowStreamingAutoload** + + +Specifies how new packages should be loaded automatically by App-V on a specific computer. + + + + + +ADMX Info: +- GP english name: *Specify what to load in background (aka AutoLoad)* +- GP name: *Steaming_Autoload* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/ClientCoexistenceAllowMigrationmode** + + +Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V. + + + + + +ADMX Info: +- GP english name: *Enable Migration Mode* +- GP name: *Client_Coexistence_Enable_Migration_mode* +- GP path: *System/App-V/Client Coexistence* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/IntegrationAllowRootGlobal** + + +Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration. + + + + + +ADMX Info: +- GP english name: *Integration Root User* +- GP name: *Integration_Root_User* +- GP path: *System/App-V/Integration* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/IntegrationAllowRootUser** + + +Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts, file type associations, etc. are created pointing to this path. If empty, symbolic links are not used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration. 
+ + + + + +ADMX Info: +- GP english name: *Integration Root Global* +- GP name: *Integration_Root_Global* +- GP path: *System/App-V/Integration* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer1** + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + + + + + +ADMX Info: +- GP english name: *Publishing Server 1 Settings* +- GP name: *Publishing_Server1_Policy* +- GP path: *System/App-V/Publishing* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer2** + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. 
+ +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + + + + + +ADMX Info: +- GP english name: *Publishing Server 2 Settings* +- GP name: *Publishing_Server2_Policy* +- GP path: *System/App-V/Publishing* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer3** + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). 
+ + + + + + +ADMX Info: +- GP english name: *Publishing Server 3 Settings* +- GP name: *Publishing_Server3_Policy* +- GP path: *System/App-V/Publishing* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer4** + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. + +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + + + + + +ADMX Info: +- GP english name: *Publishing Server 4 Settings* +- GP name: *Publishing_Server4_Policy* +- GP path: *System/App-V/Publishing* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/PublishingAllowServer5** + + +Publishing Server Display Name: Displays the name of publishing server. + +Publishing Server URL: Displays the URL of publishing server. + +Global Publishing Refresh: Enables global publishing refresh (Boolean). + +Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). + +Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refresh, select 0. 
+ +Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + +User Publishing Refresh: Enables user publishing refresh (Boolean). + +User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). + +User Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh, select 0. + +User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, Day 0-31). + + + + + + +ADMX Info: +- GP english name: *Publishing Server 5 Settings* +- GP name: *Publishing_Server5_Policy* +- GP path: *System/App-V/Publishing* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowCertificateFilterForClient_SSL** + + +Specifies the path to a valid certificate in the certificate store. + + + + + +ADMX Info: +- GP english name: *Certificate Filter For Client SSL* +- GP name: *Streaming_Certificate_Filter_For_Client_SSL* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowHighCostLaunch** + + +This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection (e.g. 4G). + + + + + +ADMX Info: +- GP english name: *Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection* +- GP name: *Streaming_Allow_High_Cost_Launch* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowLocationProvider** + + +Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface. + + + + + +ADMX Info: +- GP english name: *Location Provider* +- GP name: *Streaming_Location_Provider* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowPackageInstallationRoot** + + +Specifies directory where all new applications and updates will be installed. 
+ + + + + +ADMX Info: +- GP english name: *Package Installation Root* +- GP name: *Streaming_Package_Installation_Root* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowPackageSourceRoot** + + +Overrides source location for downloading package content. + + + + + +ADMX Info: +- GP english name: *Package Source Root* +- GP name: *Streaming_Package_Source_Root* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowReestablishmentInterval** + + +Specifies the number of seconds between attempts to reestablish a dropped session. + + + + + +ADMX Info: +- GP english name: *Reestablishment Interval* +- GP name: *Streaming_Reestablishment_Interval* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingAllowReestablishmentRetries** + + +Specifies the number of times to retry a dropped session. + + + + + +ADMX Info: +- GP english name: *Reestablishment Retries* +- GP name: *Streaming_Reestablishment_Retries* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingSharedContentStoreMode** + + +Specifies that streamed package contents will be not be saved to the local hard disk. + + + + + +ADMX Info: +- GP english name: *Shared Content Store (SCS) mode* +- GP name: *Streaming_Shared_Content_Store_Mode* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingSupportBranchCache** + + +If enabled, the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired, this should be disabled. 
The client can then apply HTTP optimizations which are incompatible with BranchCache + + + + + +ADMX Info: +- GP english name: *Enable Support for BranchCache* +- GP name: *Streaming_Support_Branch_Cache* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/StreamingVerifyCertificateRevocationList** + + +Verifies Server certificate revocation status before streaming using HTTPS. + + + + + +ADMX Info: +- GP english name: *Verify certificate revocation list* +- GP name: *Streaming_Verify_Certificate_Revocation_List* +- GP path: *System/App-V/Streaming* +- GP ADMX file name: *appv.admx* + + + + +**AppVirtualization/VirtualComponentsAllowList** + + +Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions, browser helper objects, etc). Only processes whose full path matches one of these items can use virtual components. + + + + + +ADMX Info: +- GP english name: *Virtual Component Process Allow List* +- GP name: *Virtualization_JITVAllowList* +- GP path: *System/App-V/Virtualization* +- GP ADMX file name: *appv.admx* + + + + +**ApplicationDefaults/DefaultAssociationsConfiguration** + + +

Added in Windows 10, version 1703. This policy allows an administrator to set default file type and protocol associations. When set, default associations will be applied on sign-in to the PC. The association file can be created using the DISM tool (dism /online /export-defaultappassociations:appassoc.xml), and then needs to be base64 encoded before being added to SyncML. + +

If policy is enabled and the client machine is Azure Active Directory joined, the associations assigned in SyncML will be processed and default associations will be applied. + +

To create create the SyncML, follow these steps: +

    +
  1. Install a few apps and change your defaults.
  2. +
  3. From an elevated prompt, run "dism /online /export-defaultappassociations:appassoc.xml"
  4. +
  5. Take the XML output and put it through your favorite base64 encoder app.
  6. +
  7. Paste the base64 encoded XML into the SyncML
  8. +
+ +

Here is an example output from the dism default association export command: + +``` syntax + + + + + + + +Here is the base64 encoded result: + +``` syntax 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 +``` + +

Here is the SyncMl example: + +``` syntax + + + + + 101 + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/ApplicationDefaults/DefaultAssociationsConfiguration + + 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 + + + + + + +``` + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/AllowAllTrustedApps** + + +

Specifies whether non Windows Store apps are allowed. + +

The following list shows the supported values: + +- 0 – Explicit deny. +- 1 – Explicit allow unlock. +- 65535 (default) – Not configured. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/AllowAppStoreAutoUpdate** + + +

Specifies whether automatic update of apps from Windows Store are allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/AllowDeveloperUnlock** + + +

Specifies whether developer unlock is allowed. + +

The following list shows the supported values: + +- 0 – Explicit deny. +- 1 – Explicit allow unlock. +- 65535 (default) – Not configured. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/AllowGameDVR** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + +

Specifies whether DVR and broadcasting is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/AllowSharedUserAppData** + + +

Specifies whether multiple users of the same app can share data. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/AllowStore** + + +

Specifies whether app store is allowed at the device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/ApplicationRestrictions** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. + +  +

An XML blob that specifies the application restrictions company want to put to the device. It could be an app allow list, app disallow list, allowed publisher IDs, and so on. For a list of Windows apps and product IDs, see [inbox apps](applocker-csp.md#inboxappsandcomponents). For more information about the XML, see the [ApplicationRestrictions XSD](applicationrestrictions-xsd.md). + +> [!NOTE] +> When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. +> +> Here's additional guidance for the upgrade process: +> +> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). +> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. +> - In the SyncML, you must use lowercase product ID. +> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. +> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). + + +

An application that is running may not be immediately terminated. + +

Value type is chr. + +

Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/DisableStoreOriginatedApps** + + +

Added in Windows 10, version 1607. Boolean value that disables the launch of all apps from Windows Store that came pre-installed or were downloaded. + +

The following list shows the supported values: + +- 0 (default) – Enable launch of apps. +- 1 – Disable launch of apps. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/RequirePrivateStoreOnly** + + +

Allows disabling of the retail catalog and only enables the Private store. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/ApplicationManagement/RequirePrivateStoreOnly** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/ApplicationManagement/RequirePrivateStoreOnly** to get the result. + + +

The following list shows the supported values: + +- 0 (default) – Allow both public and Private store. +- 1 – Only Private store is enabled. + +

This is a per user policy. + +

Most restricted value is 1. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/RestrictAppDataToSystemVolume** + + +

Specifies whether application data is restricted to the system drive. + +

The following list shows the supported values: + +- 0 (default) – Not restricted. +- 1 – Restricted. + +

Most restricted value is 1. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ApplicationManagement/RestrictAppToSystemVolume** + + +

Specifies whether the installation of applications is restricted to the system drive. + +

The following list shows the supported values: + +- 0 (default) – Not restricted. +- 1 – Restricted. + +

Most restricted value is 1. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**AttachmentManager/DoNotPreserveZoneInformation** + + +This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin (such as restricted, Internet, intranet, local). This requires NTFS in order to function correctly, and will fail without notice on FAT32. By not preserving the zone information, Windows cannot make proper risk assessments. + +If you enable this policy setting, Windows does not mark file attachments with their zone information. + +If you disable this policy setting, Windows marks file attachments with their zone information. + +If you do not configure this policy setting, Windows marks file attachments with their zone information. + + + + + +ADMX Info: +- GP english name: *Do not preserve zone information in file attachments* +- GP name: *AM_MarkZoneOnSavedAtttachments* +- GP path: *Windows Components/Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + + +**AttachmentManager/HideZoneInfoMechanism** + + +This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Windows has blocked users from opening. + +If you enable this policy setting, Windows hides the check box and Unblock button. + +If you disable this policy setting, Windows shows the check box and Unblock button. + +If you do not configure this policy setting, Windows hides the check box and Unblock button. 
+ + + + + +ADMX Info: +- GP english name: *Hide mechanisms to remove zone information* +- GP name: *AM_RemoveZoneInfo* +- GP path: *Windows Components/Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + + +**AttachmentManager/NotifyAntivirusPrograms** + + +This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are registered, they will all be notified. If the registered antivirus program already performs on-access checks or scans files as they arrive on the computer's email server, additional calls would be redundant. + +If you enable this policy setting, Windows tells the registered antivirus program to scan the file when a user opens a file attachment. If the antivirus program fails, the attachment is blocked from being opened. + +If you disable this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. + +If you do not configure this policy setting, Windows does not call the registered antivirus programs when file attachments are opened. + + + + + +ADMX Info: +- GP english name: *Notify antivirus programs when opening attachments* +- GP name: *AM_CallIOfficeAntiVirus* +- GP path: *Windows Components/Attachment Manager* +- GP ADMX file name: *AttachmentManager.admx* + + + + +**Authentication/AllowEAPCertSSO** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows an EAP cert-based authentication for a single sign on (SSO) to access internal resources. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Authentication/AllowEAPCertSSO** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Authentication/AllowEAPCertSSO** to get the result. + + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Authentication/AllowFastReconnect** + + +

Allows EAP Fast Reconnect from being attempted for EAP Method TLS. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Authentication/AllowSecondaryAuthenticationDevice** + + +

Added in Windows 10, version 1607. Allows secondary authentication devices to work with Windows. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 – Allowed. + +

The default for this policy must be on for consumer devices (defined as local or Microsoft account connected device) and off for enterprise devices (such as cloud domain-joined, cloud domain-joined in an on-premise only environment, cloud domain-joined in a hybrid environment, and BYOD). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Autoplay/DisallowAutoplayForNonVolumeDevices** + + +This policy setting disallows AutoPlay for MTP devices like cameras or phones. + +If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. + +If you disable or do not configure this policy setting, AutoPlay is enabled for non-volume devices. + + + + + +ADMX Info: +- GP english name: *Disallow Autoplay for non-volume devices* +- GP name: *NoAutoplayfornonVolume* +- GP path: *Windows Components/AutoPlay Policies* +- GP ADMX file name: *AutoPlay.admx* + + + + +**Autoplay/SetDefaultAutoRunBehavior** + + +This policy setting sets the default behavior for Autorun commands. + +Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. + +Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. + +This creates a major security concern as code may be executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. + +If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: + +a) Completely disable autorun commands, or +b) Revert back to pre-Windows Vista behavior of automatically executing the autorun command. 
+ +If you disable or not configure this policy setting, Windows Vista or later will prompt the user whether autorun command is to be run. + + + + + +ADMX Info: +- GP english name: *Set the default behavior for AutoRun* +- GP name: *NoAutorun* +- GP path: *Windows Components/AutoPlay Policies* +- GP ADMX file name: *AutoPlay.admx* + + + + +**Autoplay/TurnOffAutoPlay** + + +This policy setting allows you to turn off the Autoplay feature. + +Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. + +Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. + +Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. + +If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. + +This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. + +If you disable or do not configure this policy setting, AutoPlay is enabled. + +Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration. + + + + + +ADMX Info: +- GP english name: *Turn off Autoplay* +- GP name: *Autorun* +- GP path: *Windows Components/AutoPlay Policies* +- GP ADMX file name: *AutoPlay.admx* + + + + +**Bitlocker/EncryptionMethod** + + +

Specifies the BitLocker Drive Encryption method and cipher strength. + +

The following list shows the supported values: + +- 3- AES 128-bit +- 4- AES 256 +- 6 -XTS 128 +- 7 - XTS 256 + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Bluetooth/AllowAdvertising** + + +

Specifies whether the device can send out Bluetooth advertisements. + +

The following list shows the supported values: + +- 0 – Not allowed. When set to 0, the device will not send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is not received by the peripheral. +- 1 (default) – Allowed. When set to 1, the device will send out advertisements. To verify, use any Bluetooth LE app and enable it to do advertising. Then, verify that the advertisement is received by the peripheral. + +

If this is not set or it is deleted, the default value of 1 (Allow) is used. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Bluetooth/AllowDiscoverableMode** + + +

Specifies whether other Bluetooth-enabled devices can discover the device. + +

The following list shows the supported values: + +- 0 – Not allowed. When set to 0, other devices will not be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that you cannot see the name of the device. +- 1 (default) – Allowed. When set to 1, other devices will be able to detect the device. To verify, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel and verify that you can discover it. + +

If this is not set or it is deleted, the default value of 1 (Allow) is used. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Bluetooth/AllowPrepairing** + + +

Specifies whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default)– Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Bluetooth/LocalDeviceName** + + +

Sets the local Bluetooth device name. + +

If this is set, the value that it is set to will be used as the Bluetooth device name. To verify the policy is set, open the Bluetooth control panel on the device. Then, go to another Bluetooth-enabled device, open the Bluetooth control panel, and verify that the value that was specified. + +

If this policy is not set or it is deleted, the default local radio name is used. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Bluetooth/ServicesAllowedList** + + +

Set a list of allowable services and profiles. String hex formatted array of Bluetooth service UUIDs in canonical format, delimited by semicolons. For example, {782AFCFC-7CAA-436C-8BF0-78CD0FFBD4AF}. + +

The default value is an empty string. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowAddressBarDropdown** + + +

Added in Windows 10, version 1703. Specifies whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality.  + +> [!NOTE] +> Disabling this setting turns off the address bar drop-down functionality. Because search suggestions are shown in the drop-down list, this setting takes precedence over the Browser/AllowSearchSuggestionsinAddressBar setting. + +

The following list shows the supported values: + +- 0 – Not allowed. Address bar drop-down is disabled, which also disables the user-defined setting, "Show search and site suggestions as I type."  +- 1 (default) – Allowed. Address bar drop-down is enabled. + +

Most restricted value is 0. + + + + + + + +**Browser/AllowAutofill** + + +

Specifies whether autofill on websites is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

To verify AllowAutofill is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Save form entries** is greyed out. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowBrowser** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. For desktop devices, use the [AppLocker CSP](applocker-csp.md) instead. + + +

Specifies whether the browser is allowed on the device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

When this policy is set to 0 (not allowed), the Microsoft Edge for Windows 10 Mobile tile will appear greyed out, and clicking on the tile will display a message indicating theat Internet browsing has been disabled by your administrator. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**Browser/AllowCookies** + + +

Specifies whether cookies are allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

To verify AllowCookies is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Cookies** is greyed out. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes + + + + +**Browser/AllowDeveloperTools** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Specifies whether employees can use F12 Developer Tools on Microsoft Edge. Turning this setting on, or not configuring it, lets employees use F12 Developer Tools. Turning this setting off stops employees from using F12 Developer Tools. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowDoNotTrack** + + +

Specifies whether Do Not Track headers are allowed. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +

Most restricted value is 1. + +

To verify AllowDoNotTrack is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Send Do Not Track requests** is greyed out. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowExtensions** + + +

Added in Windows 10, version 1607. Specifies whether Microsoft Edge extensions are allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowFlash** + + +

Added in Windows 10. Specifies whether Adobe Flash can run in Microsoft Edge. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowFlashClickToRun** + + +

Added in Windows 10, version 1703. Specifies whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. + +

The following list shows the supported values: + +- 0 – Adobe Flash content is automatically loaded and run by Microsoft Edge. +- 1 (default) – Users must click the content, click a Click-to-Run button, or have the site appear on an auto-allow list before Microsoft Edge loads and runs Adobe Flash content. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowInPrivate** + + +

Specifies whether InPrivate browsing is allowed on corporate networks. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowMicrosoftCompatibilityList** + + +

Added in Windows 10, version 1703. Specifies whether to use the Microsoft compatibility list in Microsoft Edge. The Microsoft compatibility list is a Microsoft-provided list that enables sites with known compatibility issues to display properly. +By default, the Microsoft compatibility list is enabled and can be viewed by visiting "about:compat". + +

If you enable or don’t configure this setting, Microsoft Edge periodically downloads the latest version of the compatibility list from Microsoft, applying the updates during browser navigation. Visiting any site on the compatibility list prompts the employee to use Internet Explorer 11 (or enables/disables certain browser features on mobile), where the site is automatically rendered as though it’s run in the version of Internet Explorer necessary for it to display properly. If you disable this setting, the compatibility list isn’t used during browser navigation. + +

The following list shows the supported values: + +- 0 – Not enabled. +- 1 (default) – Enabled. + +

Most restricted value is 0. + + + + + + + +**Browser/AllowPasswordManager** + + +

Specifies whether saving and managing passwords locally on the device is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

To verify AllowPasswordManager is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the settings **Offer to save password** and **Manage my saved passwords** are greyed out. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowPopups** + + +

Specifies whether pop-up blocker is allowed or enabled. + +

The following list shows the supported values: + +- 0 (default) – Pop-up blocker is not allowed. It means that pop-up browser windows are allowed. +- 1 – Pop-up blocker is allowed or enabled. It means that pop-up browser windows are blocked. + +

Most restricted value is 1. + +

To verify AllowPopups is set to 0 (not allowed): + +1. Open Microsoft Edge. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Block pop-ups** is greyed out. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowSearchEngineCustomization** + + +

Added in Windows 10, version 1703. Allows search engine customization for MDM-enrolled devices. Users can change their default search engine.  +   +

If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge settings. If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. This policy applies only on domain-joined machines or when the device is MDM-enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy).  + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + + +**Browser/AllowSearchSuggestionsinAddressBar** + + +

Specifies whether search suggestions are allowed in the address bar. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/AllowSmartScreen** + + +

Specifies whether Windows Defender SmartScreen is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 1. + +

To verify AllowSmartScreen is set to 0 (not allowed): + +1. Open Microsoft Edge or Microsoft Edge for Windows 10 Mobile. +2. In the upper-right corner of the browser, click **…**. +3. Click **Settings** in the drop down list, and select **View Advanced Settings**. +4. Verify the setting **Help protect me from malicious sites and download with SmartScreen Filter** is greyed out. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/ClearBrowsingDataOnExit** + + +

Added in Windows 10, version 1703. Specifies whether to clear browsing data on exiting Microsoft Edge. + +

The following list shows the supported values: + +- 0 – (default) Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings. +- 1 – Browsing data is cleared on exit. + +

Most restricted value is 1. + +

To verify that browsing data is cleared on exit (ClearBrowsingDataOnExit is set to 1): + +1. Open Microsoft Edge and browse to websites. +2. Close the Microsoft Edge window. +3. Open Microsoft Edge and start typing the same URL in address bar. Verify that it does not auto-complete from history. + + + + + + + +**Browser/ConfigureAdditionalSearchEngines** + + +

Added in Windows 10, version 1703. Allows you to add up to 5 additional search engines for MDM-enrolled devices.  +  +

If this policy is enabled, you can add up to 5 additional search engines for your employees. For each additional search engine you want to add, specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). +Employees cannot remove these search engines, but they can set any one as the default. This setting does not affect the default search engine.  + +

If this setting is not configured, the search engines used are the ones that are specified in the App settings. If this setting is disabled, the search engines you added will be deleted from your employee's machine. +  +> [!IMPORTANT] +> Due to Protected Settings (aka.ms/browserpolicy), this setting will apply only on domain-joined machines or when the device is MDM-enrolled.  + +

The following list shows the supported values: + +- 0 (default) – Additional search engines are not allowed. +- 1 – Additional search engines are allowed. + +

Most restricted value is 0. + + + + + + + +**Browser/DisableLockdownOfStartPages** + + +

Added in Windows 10, version 1703. Boolean value that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when the Browser/HomePages policy is in effect.  +   +> [!NOTE] +> This policy has no effect when the Browser/HomePages policy is not configured.  +  +> [!IMPORTANT] +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). + +

The following list shows the supported values: + +- 0 (default) – Enable lockdown of the Start pages according to the settings specified in the Browser/HomePages policy. Users cannot change the Start pages.  +- 1 – Disable lockdown of the Start pages and allow users to modify them.   + +

Most restricted value is 0. + + + + + + + +**Browser/EnterpriseModeSiteList** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +  +

Allows the user to specify an URL of an enterprise site list. + +

The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL location of the enterprise site list. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/EnterpriseSiteListServiceUrl** + + +> [!IMPORTANT] +> This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](#browser-enterprisemodesitelist). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/FirstRunURL** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies the URL that Microsoft Edge for Windows 10 Mobile. will use when it is opened the first time. + +

The data type is a string. + +

The default value is an empty string. Otherwise, the string should contain the URL of the webpage users will see the first time Microsoft Edge is run. For example, “contoso.com”. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/HomePages** + + +> [!NOTE] +> This policy is only available for Windows 10 for desktop and not supported in Windows 10 Mobile. + +

Specifies your Start pages for MDM-enrolled devices. Turning this setting on lets you configure one or more corporate Start pages. If this setting is turned on, you must also include URLs to the pages, separating multiple pages by using the XML-escaped characters **<** and **>**. For example, "<support.contoso.com><support.microsoft.com>" + +

Starting in Windows 10, version 1607, this policy will be enforced so that the Start pages specified by this policy cannot be changed by the users. + +

Starting in Windows 10, version 1703, if you don’t want to send traffic to Microsoft, you can use the "<about:blank>" value, which is honored for both domain- and non-domain-joined machines, when it’s the only configured URL.  + +> [!NOTE] +> Turning this setting off, or not configuring it, sets your default Start pages to the webpages specified in App settings. + + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/PreventAccessToAboutFlagsInMicrosoftEdge** + + +

Specifies whether users can access the about:flags page, which is used to change developer settings and to enable experimental features. + +

The following list shows the supported values: + +- 0 (default) – Users can access the about:flags page in Microsoft Edge. +- 1 – Users can't access the about:flags page in Microsoft Edge. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/PreventFirstRunPage** + + +

Added in Windows 10, version 1703. Specifies whether to enable or disable the First Run webpage. On the first explicit user-launch of Microsoft Edge, a First Run webpage hosted on Microsoft.com opens automatically via a FWLINK. This policy allows enterprises (such as those enrolled in a zero-emissions configuration) to prevent this page from opening. + +

The following list shows the supported values: + +- 0 (default) – Employees see the First Run webpage. +- 1 – Employees don't see the First Run webpage. + +

Most restricted value is 1. + + + + + + + +**Browser/PreventLiveTileDataCollection** + + +

Added in Windows 10, version 1703. Specifies whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. + +

The following list shows the supported values: + +- 0 (default) – Microsoft servers will be contacted if a site is pinned to Start from Microsoft Edge. +- 1 – Microsoft servers will not be contacted if a site is pinned to Start from Microsoft Edge. + +

Most restricted value is 1. + + + + + + + +**Browser/PreventSmartScreenPromptOverride** + + +

Specifies whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. + +

The following list shows the supported values: + +- 0 (default) – Off. +- 1 – On. + +

Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from going to the site. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about potentially malicious websites and to continue to the site. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/PreventSmartScreenPromptOverrideForFiles** + + +

Specifies whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. Turning this setting on stops users from ignoring the Windows Defender SmartScreen Filter warnings and blocks them from downloading unverified files. Turning this setting off, or not configuring it, lets users ignore the Windows Defender SmartScreen Filter warnings about unverified files and lets them continue the download process. + +

The following list shows the supported values: + +- 0 (default) – Off. +- 1 – On. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/PreventUsingLocalHostIPAddressForWebRTC** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Specifies whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. Turning this setting on hides an user’s localhost IP address while making phone calls using WebRTC. Turning this setting off, or not configuring it, shows an

user’s localhost IP address while making phone calls using WebRTC. + +

The following list shows the supported values: + +- 0 (default) – The localhost IP address is shown. +- 1 – The localhost IP address is hidden. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/SendIntranetTraffictoInternetExplorer** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Specifies whether to send intranet traffic over to Internet Explorer. + +

The following list shows the supported values: + +- 0 (default) – Intranet traffic is sent to Internet Explorer. +- 1 – Intranet traffic is sent to Microsoft Edge. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/SetDefaultSearchEngine** + + +

Added in Windows 10, version 1703. Allows you configure the default search engine for your employees. By default, your employees can change the default search engine at any time. If you want to prevent your employees from changing the default search engine that you set, you can do so by configuring the AllowSearchEngineCustomization policy. + +

You must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). If you want your employees to use the Microsoft Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; otherwise, if you want your employees to use Bing as the default search engine, set the string EDGEBING.  +  +

If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market.    +  +> [!IMPORTANT] +> This setting can be used only with domain-joined or MDM-enrolled devices. For more information, see the Microsoft browser extension policy (aka.ms/browserpolicy). + +

The following list shows the supported values: + +- 0 (default) - The default search engine is set to the one specified in App settings. +- 1 - Allows you to configure the default search engine for your employees. + +

Most restricted value is 0. + + + + + + + +**Browser/ShowMessageWhenOpeningSitesInInternetExplorer** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site List. + +

The following list shows the supported values: + +- 0 (default) – Interstitial pages are not shown. +- 1 – Interstitial pages are shown. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge** + + +

Added in Windows 10, version 1703. Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. +> +> Enabling this setting stops Microsoft Edge favorites from syncing between connected Windows 10 devices. + +

The following list shows the supported values: + +- 0 (default) – Synchronization is off. +- 1 – Synchronization is on. + +

To verify that favorites are in synchronized between Internet Explorer and Microsoft Edge: + +

    +
  1. Open Internet Explorer and add some favorites. +
  2. Open Microsoft Edge, then select Hub > Favorites. +
  3. Verify that the favorites added to Internet Explorer show up in the favorites list in Microsoft Edge. +
+ + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Camera/AllowCamera** + + +

Disables or enables the camera. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**Connectivity/AllowBluetooth** + + +

Allows the user to enable Bluetooth or restrict access. + +

The following list shows the supported values: + +- 0 – Disallow Bluetooth. If this is set to 0, the radio in the Bluetooth control panel will be greyed out and the user will not be able to turn Bluetooth on. +- 1 – Reserved. If this is set to 1, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. + +> [!NOTE] +>  This value is not supported in Windows Phone 8.1 MDM and EAS, Windows 10 for desktop, or Windows 10 Mobile. + +- 2 (default) – Allow Bluetooth. If this is set to 2, the radio in the Bluetooth control panel will be functional and the user will be able to turn Bluetooth on. + +

If this is not set or it is deleted, the default value of 2 (Allow) is used. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**Connectivity/AllowCellularData** + + +

Allows the cellular data channel on the device. Device reboot is not required to enforce the policy. + +

The following list shows the supported values: + +- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511. +- 1 (default) – Allow the cellular data channel. The user can turn it off. +- 2 - Allow the cellular data channel. The user cannot turn it off. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Connectivity/AllowCellularDataRoaming** + + +

Allows or disallows cellular data roaming on the device. Device reboot is not required to enforce the policy. + +

The following list shows the supported values: + +- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511. +- 1 (default) – Allow cellular data roaming. +- 2 - Allow cellular data roaming on. The user cannot turn it off. + +

Most restricted value is 0. + +

To validate, the enterprise can confirm by observing the roaming enable switch in the UX. It will be inactive if the roaming policy is being enforced by the enterprise policy. + +

To validate on mobile devices, do the following: + +1. Go to Cellular & SIM. +2. Click on the SIM (next to the signal strength icon) and select **Properties**. +3. On the Properties page, select **Data roaming options**. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**Connectivity/AllowConnectedDevices** + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins the ability to disable the Connected Devices Platform (CDP) component. CDP enables discovery and connection to other devices (either proximally with BT/LAN or through the cloud) to support remote app launching, remote messaging, remote app sessions, and other cross-device experiences. + +

The following list shows the supported values: + +- 1 (default) - Allow (CDP service available). +- 0 - Disable (CDP service not available). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Connectivity/AllowNFC** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Allows or disallows near field communication (NFC) on the device. + +

The following list shows the supported values: + +- 0 – Do not allow NFC capabilities. +- 1 (default) – Allow NFC capabilities. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Connectivity/AllowUSBConnection** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. + +

Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**Connectivity/AllowVPNOverCellular** + + +

Specifies what type of underlying connections VPN is allowed to use. + +

The following list shows the supported values: + +- 0 – VPN is not allowed over cellular. +- 1 (default) – VPN can use any connection, including cellular. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Connectivity/AllowVPNRoamingOverCellular** + + +

Prevents the device from connecting to VPN when the device roams over cellular networks. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Connectivity/HardenedUNCPaths** + + +This policy setting configures secure access to UNC paths. + +If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements. + + + + + + +ADMX Info: +- GP english name: *Hardened UNC Paths* +- GP name: *Pol_HardenedPaths* +- GP path: *Network/Network Provider* +- GP ADMX file name: *networkprovider.admx* + + + + +**CredentialProviders/AllowPINLogon** + + +This policy setting allows you to control whether a domain user can sign in using a convenience PIN. + +If you enable this policy setting, a domain user can set up and sign in with a convenience PIN. + +If you disable or don't configure this policy setting, a domain user can't set up and use a convenience PIN. + +Note: The user's domain password will be cached in the system vault when using this feature. + +To configure Windows Hello for Business, use the Administrative Template policies under Windows Hello for Business. + + + + + +ADMX Info: +- GP english name: *Turn on convenience PIN sign-in* +- GP name: *AllowDomainPINLogon* +- GP path: *System/Logon* +- GP ADMX file name: *credentialproviders.admx* + + + + +**CredentialProviders/BlockPicturePassword** + + +This policy setting allows you to control whether a domain user can sign in using a picture password. + +If you enable this policy setting, a domain user can't set up or sign in with a picture password. + +If you disable or don't configure this policy setting, a domain user can set up and use a picture password. + +Note that the user's domain password will be cached in the system vault when using this feature. 
+ + + + + +ADMX Info: +- GP english name: *Turn off picture password sign-in* +- GP name: *BlockDomainPicturePassword* +- GP path: *System/Logon* +- GP ADMX file name: *credentialproviders.admx* + + + + +**CredentialsUI/DisablePasswordReveal** + + +This policy setting allows you to configure the display of the password reveal button in password entry user experiences. + +If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. + +If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. + +By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. + +The policy applies to all Windows components and applications that use the Windows system controls, including Internet Explorer. + + + + + +ADMX Info: +- GP english name: *Do not display the password reveal button* +- GP name: *DisablePasswordReveal* +- GP path: *Windows Components/Credential User Interface* +- GP ADMX file name: *credui.admx* + + + + +**CredentialsUI/EnumerateAdministrators** + + +This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By default, administrator accounts are not displayed when the user attempts to elevate a running application. + +If you enable this policy setting, all local administrator accounts on the PC will be displayed so the user can choose one and enter the correct password. + +If you disable this policy setting, users will always be required to type a user name and password to elevate. 
+ + + + + +ADMX Info: +- GP english name: *Enumerate administrator accounts on elevation* +- GP name: *EnumerateAdministrators* +- GP path: *Windows Components/Credential User Interface* +- GP ADMX file name: *credui.admx* + + + + +**Cryptography/AllowFipsAlgorithmPolicy** + + +

Allows or disallows the Federal Information Processing Standard (FIPS) policy. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1– Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Cryptography/TLSCipherSuites** + + +

Lists the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DataProtection/AllowDirectMemoryAccess** + + +

This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**DataProtection/LegacySelectiveWipeID** + + +> [!IMPORTANT] +> This policy may change in a future release. It may be used for testing purposes, but should not be used in a production environment at this time. + +  +

Setting used by Windows 8.1 Selective Wipe. + +> [!NOTE] +> This policy is not recommended for use in Windows 10. + + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DataUsage/SetCost3G** + + +This policy setting configures the cost of 3G connections on the local machine. + +If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine: + +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. + +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. + +- Variable: This connection is costed on a per byte basis. + +If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default. + + + + + + +ADMX Info: +- GP english name: *Set 3G Cost* +- GP name: *SetCost3G* +- GP path: *Network/WWAN Service/WWAN Media Cost* +- GP ADMX file name: *wwansvc.admx* + + + + +**DataUsage/SetCost4G** + + +This policy setting configures the cost of 4G connections on the local machine. + +If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine: + +- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. + +- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. + +- Variable: This connection is costed on a per byte basis. + +If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default. 
+ + + + + + +ADMX Info: +- GP english name: *Set 4G Cost* +- GP name: *SetCost4G* +- GP path: *Network/WWAN Service/WWAN Media Cost* +- GP ADMX file name: *wwansvc.admx* + + + + +**Defender/AllowArchiveScanning** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows scanning of archives. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowBehaviorMonitoring** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Allows or disallows Windows Defender Behavior Monitoring functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowCloudProtection** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowEmailScanning** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows scanning of email. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowFullScanOnMappedNetworkDrives** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows a full scan of mapped network drives. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowFullScanRemovableDriveScanning** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows a full scan of removable drives. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowIOAVProtection** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Allows or disallows Windows Defender IOAVP Protection functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowIntrusionPreventionSystem** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows Windows Defender Intrusion Prevention functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowOnAccessProtection** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows Windows Defender On Access Protection functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowRealtimeMonitoring** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows Windows Defender Realtime Monitoring functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowScanningNetworkFiles** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Allows or disallows a scanning of network files. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowScriptScanning** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows Windows Defender Script Scanning functionality. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AllowUserUIAccess** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows or disallows user access to the Windows Defender UI. If disallowed, all Windows Defender notifications will also be suppressed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/AvgCPULoadFactor** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Represents the average CPU load factor for the Windows Defender scan (in percent). + +

Valid values: 0–100 + +

The default value is 50. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/DaysToRetainCleanedMalware** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Time period (in days) that quarantine items will be stored on the system. + +

Valid values: 0–90 + +

The default value is 0, which keeps items in quarantine, and does not automatically remove them. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/ExcludedExtensions** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

llows an administrator to specify a list of file type extensions to ignore during a scan. Each file type in the list must be separated by a **|**. For example, "lib|obj". + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/ExcludedPaths** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows an administrator to specify a list of directory paths to ignore during a scan. Each path in the list must be separated by a **|**. For example, "C:\\Example|C:\\Example1". + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/ExcludedProcesses** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Allows an administrator to specify a list of files opened by processes to ignore during a scan. + +> [!IMPORTANT] +> The process itself is not excluded from the scan, but can be by using the **Defender/ExcludedPaths** policy to exclude its path. + +  +

Each file type must be separated by a **|**. For example, "C:\\Example.exe|C:\\Example1.exe". + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/PUAProtection** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Added in Windows 10, version 1607. Specifies the level of detection for potentially unwanted applications (PUAs). Windows Defender alerts you when potentially unwanted software is being downloaded or attempts to install itself on your computer. + +

The following list shows the supported values: + +- 0 (default) – PUA Protection off. Windows Defender will not protect against potentially unwanted applications. +- 1 – PUA Protection on. Detected items are blocked. They will show in history along with other threats. +- 2 – Audit mode. Windows Defender will detect potentially unwanted applications, but take no action. You can review information about the applications Windows Defender would have taken action against by searching for events created by Windows Defender in the Event Viewer. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/RealTimeScanDirection** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Controls which sets of files should be monitored. + +> [!NOTE] +> If **AllowOnAccessProtection** is not allowed, then this configuration can be used to monitor specific files. + + +

The following list shows the supported values: + +- 0 (default) – Monitor all files (bi-directional). +- 1 – Monitor incoming files. +- 2 – Monitor outgoing files. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/ScanParameter** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Selects whether to perform a quick scan or full scan. + +

The following list shows the supported values: + +- 1 (default) – Quick scan +- 2 – Full scan + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/ScheduleQuickScanTime** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Selects the time of day that the Windows Defender quick scan should run. + +> [!NOTE] +> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + +  +

Valid values: 0–1380 + +

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. + +

The default value is 120 + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/ScheduleScanDay** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Selects the day that the Windows Defender scan should run. + +> [!NOTE] +> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + + +

The following list shows the supported values: + +- 0 (default) – Every day +- 1 – Monday +- 2 – Tuesday +- 3 – Wednesday +- 4 – Thursday +- 5 – Friday +- 6 – Saturday +- 7 – Sunday +- 8 – No scheduled scan + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/ScheduleScanTime** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + + +

Selects the time of day that the Windows Defender scan should run. + +> [!NOTE] +> The scan type will depends on what scan type is selected in the **Defender/ScanParameter** setting. + + +

Valid values: 0–1380. + +

For example, a value of 0=12:00AM, a value of 60=1:00AM, a value of 120=2:00, and so on, up to a value of 1380=11:00PM. + +

The default value is 120. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/SignatureUpdateInterval** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Specifies the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. + +

Valid values: 0–24. + +

A value of 0 means no check for new signatures, a value of 1 means to check every hour, a value of 2 means to check every two hours, and so on, up to a value of 24, which means to check every day. + +

The default value is 8. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/SubmitSamplesConsent** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. + +  +

Checks for the user consent level in Windows Defender to send data. If the required consent has already been granted, Windows Defender submits them. If not, (and if the user has specified never to ask), the UI is launched to ask for user consent (when **Defender/AllowCloudProtection** is allowed) before sending data. + +

The following list shows the supported values: + +- 0 – Always prompt. +- 1 (default) – Send safe samples automatically. +- 2 – Never send. +- 3 – Send all samples automatically. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Defender/ThreatSeverityDefaultAction** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop. +  + +

Allows an administrator to specify any valid threat severity levels and the corresponding default action ID to take. + +

This value is a list of threat severity level IDs and corresponding actions, separated by a**|** using the format "*threat level*=*action*|*threat level*=*action*". For example "1=6|2=2|4=10|5=3 + +

The following list shows the supported values for threat severity levels: + +- 1 – Low severity threats +- 2 – Moderate severity threats +- 4 – High severity threats +- 5 – Severe threats + +

The following list shows the supported values for possible actions: + +- 1 – Clean +- 2 – Quarantine +- 3 – Remove +- 6 – Allow +- 8 – User defined +- 10 – Block + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOAbsoluteMaxCacheSize** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies the maximum size in GB of Delivery Optimization cache. This policy overrides the DOMaxCacheSize policy. The value 0 (zero) means "unlimited" cache. Delivery Optimization will clear the cache when the device is running low on disk space. + +

The default value is 10. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOAllowVPNPeerCaching** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1703. Specifies whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. This means the device can download from or upload to other domain network devices, either on VPN or on the corporate domain network. + +

The default value is 0 (FALSE). + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DODownloadMode** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Specifies the download method that Delivery Optimization can use in downloads of Windows Updates, Apps and App updates. + +

The following list shows the supported values: + +- 0 –HTTP only, no peering. +- 1 (default) – HTTP blended with peering behind the same NAT. +- 2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2. +- 3 – HTTP blended with Internet peering. +- 99 - Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607. +- 100 - Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOGroupId** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

This Policy specifies an arbitrary group ID that the device belongs to. Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN. Note that this is a best effort optimization and should not be relied on for an authentication of identity. + +> [!NOTE] +> You must use a GUID as the group ID. + + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMaxCacheAge** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files available for uploads to other devices, as long as the cache size has not exceeded. The value 0 is new in Windows 10, version 1607. + +

The default value is 259200 seconds (3 days). + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMaxCacheSize** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +  +

Specifies the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). + +

The default value is 20. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMaxDownloadBandwidth** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. +  + +

Added in Windows 10, version 1607. Specifies the maximum download bandwidth in KiloBytes/second that the device can use across all concurrent download activities using Delivery Optimization. + +

The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMaxUploadBandwidth** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +  +

Specifies the maximum upload bandwidth in KiloBytes/second that a device will use across all concurrent upload activity using Delivery Optimization. + +

The default value is 0, which permits unlimited possible bandwidth (optimized for minimal usage of upload bandwidth). + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMinBackgroundQos** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies the minimum download QoS (Quality of Service or speed) in KiloBytes/sec for background downloads. This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from the HTTP source to achieve the minimum QoS value set. + +

The default value is 500. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMinBatteryPercentageAllowedToUpload** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +

Added in Windows 10, version 1703. Specifies any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on battery power. Uploads will automatically pause when the battery level drops below the set minimum battery level. The recommended value to set is 40 (for 40%) if you allow uploads on battery. + +

The default value is 0. The value 0 (zero) means "not limited" and the cloud service default value will be used. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMinDiskSizeAllowedToPeer** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1703. Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. Recommended values: 64 GB to 256 GB. + +> [!NOTE] +> If the DOMofidyCacheDrive policy is set, the disk size check will apply to the new working directory specified by this policy. + +

The default value is 32 GB. + + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMinFileSizeToCache** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1703. Specifies the minimum content file size in MB enabled to use Peer Caching. The value 0 means "unlimited" which means the cloud service set default value will be used. Recommended values: 1 MB to 100,000 MB. + +

The default value is 100 MB. + + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMinRAMAllowedToPeer** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Business, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1703. Specifies the minimum RAM size in GB required to use Peer Caching. The value 0 means "not-limited" which means the cloud service set default value will be used. For example if the minimum set is 1 GB, then devices with 1 GB or higher available RAM will be allowed to use Peer caching. Recommended values: 1 GB to 4 GB. + +

The default value is 4 GB. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOModifyCacheDrive** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies the drive that Delivery Optimization should use for its cache. The drive location can be specified using environment variables, drive letter or using a full path. + +

By default, %SystemDrive% is used to store the cache. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOMonthlyUploadDataCap** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607. Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. + +

The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set. + +

The default value is 20. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeliveryOptimization/DOPercentageMaxDownloadBandwidth** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Pro, Enterprise, and Education editions and not supported in Windows 10 Mobile. + +  +

Added in Windows 10, version 1607. Specifies the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. + +

The default value 0 (zero) means that Delivery Optimization dynamically adjusts to use the available bandwidth for downloads. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Desktop/PreventUserRedirectionOfProfileFolders** + + +Prevents users from changing the path to their profile folders. + +By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. + +If you enable this setting, users are unable to type a new location in the Target box. + + + + + +ADMX Info: +- GP english name: *Prohibit User from manually redirecting Profile Folders* +- GP name: *DisablePersonalDirChange* +- GP path: *Desktop* +- GP ADMX file name: *desktop.admx* + + + + +**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** + + +This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings. 
+ + + + + +ADMX Info: +- GP english name: *Prevent installation of devices that match any of these device IDs* +- GP name: *DeviceInstall_IDs_Deny* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + +**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** + + +This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. + +If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. + +If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings. + + + + + +ADMX Info: +- GP english name: *Prevent installation of devices using drivers that match these device setup classes* +- GP name: *DeviceInstall_Classes_Deny* +- GP path: *System/Device Installation/Device Installation Restrictions* +- GP ADMX file name: *deviceinstallation.admx* + + + + +**DeviceLock/AllowIdleReturnWithoutPassword** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +  +

Specifies whether the user must input a PIN or password when the device resumes from an idle state. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + +  +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeviceLock/AllowScreenTimeoutWhileLockedUserConfig** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +  +

Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +> [!IMPORTANT] +> If this policy is set to 1 (Allowed), the value set by **DeviceLock/ScreenTimeOutWhileLocked** is ignored. To ensure enterprise control over the screen timeout, set this policy to 0 (Not allowed) and use **DeviceLock/ScreenTimeOutWhileLocked** to set the screen timeout period. + + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeviceLock/AllowSimpleDevicePassword** + + +

Specifies whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**DeviceLock/AlphanumericDevicePasswordRequired** + + +

Determines the type of PIN or password required. This policy only applies if the **DeviceLock/DevicePasswordEnabled** policy is set to 0 (required). + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education). + + +

The following list shows the supported values: + +- 0 – Alphanumeric PIN or password required. +- 1 – Numeric PIN or password required. +- 2 (default) – Users can choose: Numeric PIN or password, or Alphanumeric PIN or password. + +> [!NOTE] +> If **AlphanumericDevicePasswordRequired** is set to 1 or 2, then MinDevicePasswordLength = 0 and MinDevicePasswordComplexCharacters = 1. +> +> If **AlphanumericDevicePasswordRequired** is set to 0, then MinDevicePasswordLength = 4 and MinDevicePasswordComplexCharacters = 2. + +  + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**DeviceLock/DevicePasswordEnabled** + + +

Specifies whether device lock is enabled. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. +  + +

The following list shows the supported values: + +- 0 (default) – Enabled +- 1 – Disabled + +> [!IMPORTANT] +> The **DevicePasswordEnabled** setting must be set to 0 (device password is enabled) for the following policy settings to take effect: +> +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordComplexCharacters +  + +> [!IMPORTANT] +> If **DevicePasswordEnabled** is set to 0 (device password is enabled), then the following policies are set: +> +> - MinDevicePasswordLength is set to 4 +> - MinDevicePasswordComplexCharacters is set to 1 +> +> If **DevicePasswordEnabled** is set to 1 (device password is disabled), then the following DeviceLock policies are set to 0: +> +> - MinDevicePasswordLength +> - MinDevicePasswordComplexCharacters + +> [!Important] +> **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. 
When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: +> - **DevicePasswordEnabled** is the parent policy of the following: +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MinDevicePasswordComplexCharacters  +> - DevicePasswordExpiration +> - DevicePasswordHistory +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**DeviceLock/DevicePasswordExpiration** + + +

Specifies when the password expires (in days). + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- An integer X where 0 <= X <= 730. +- 0 (default) - Passwords do not expire. + +

If all policy values = 0 then 0; otherwise, Min policy value is the most secure value. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**DeviceLock/DevicePasswordHistory** + + +

Specifies how many passwords can be stored in the history that can’t be used. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- An integer X where 0 <= X <= 50. +- 0 (default) + +

The value includes the user's current password. This means that with a setting of 1 the user cannot reuse their current password when choosing a new password, while a setting of 5 means that a user cannot set their new password to their current password or any of their previous four passwords. + +

Max policy value is the most restricted. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**DeviceLock/EnforceLockScreenAndLogonImage** + + +

Added in Windows 10, version 1607. Specifies the default lock screen and logon image shown when no user is signed in. It also sets the specified image for all users, which replaces the default image. The same image is used for both the lock and logon screens. Users will not be able to change this image. + +> [!NOTE] +> This policy is only enforced in Windows 10 Enterprise and Education editions and not supported in Windows 10 Home and Pro. + + +

Value type is a string, which is the full image filepath and filename. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeviceLock/EnforceLockScreenProvider** + + +

Added in Windows 10, version 1607. Restricts lock screen image to a specific lock screen provider. Users will not be able change this provider. + +> [!NOTE] +> This policy is only enforced in Windows 10 for mobile devices. + + +

Value type is a string, which is the AppID. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeviceLock/MaxDevicePasswordFailedAttempts** + + +The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

This policy has different behaviors on the mobile device and desktop. + +- On a mobile device, when the user reaches the value set by this policy, then the device is wiped. +- On a desktop, when the user reaches the value set by this policy, it is not wiped. Instead, the desktop is put on BitLocker recovery mode, which makes the data inaccessible but recoverable. If BitLocker is not enabled, then the policy cannot be enforced. + + Prior to reaching the failed attempts limit, the user is sent to the lock screen and warned that more failed attempts will lock their computer. When the user reaches the limit, the device automatically reboots and shows the BitLocker recovery page. This page prompts the user for the BitLocker recovery key. + +

The following list shows the supported values: + +- An integer X where 4 <= X <= 16 for desktop and 0 <= X <= 999 for mobile devices. +- 0 (default) - The device is never wiped after an incorrect PIN or password is entered. + +

Most secure value is 0 if all policy values = 0; otherwise, Min policy value is the most secure value. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**DeviceLock/MaxInactivityTimeDeviceLock** + + +

Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. Users can select any existing timeout value less than the specified maximum time in the Settings app. Note the Lumia 950 and 950XL have a maximum timeout value of 5 minutes, regardless of the value set by this policy. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- An integer X where 0 <= X <= 999. +- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**DeviceLock/MaxInactivityTimeDeviceLockWithExternalDisplay** + + +

Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked while connected to an external display. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. + + +

The following list shows the supported values: + +- An integer X where 0 <= X <= 999. +- 0 (default) - No timeout is defined. The default of "0" is Windows Phone 7.5 parity and is interpreted by as "No timeout is defined." + + + + + + +SKU Support: +- Home: No +- Pro: No +- Business: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**DeviceLock/MinDevicePasswordComplexCharacters** + + +

The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. + +

PIN enforces the following behavior for desktop and mobile devices: + +- 1 - Digits only +- 2 - Digits and lowercase letters are required +- 3 - Digits, lowercase letters, and uppercase letters are required +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required + +

The default value is 1. The following list shows the supported values and actual enforced values: + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Account TypeSupported ValuesActual Enforced Values

Mobile

1,2,3,4

Same as the value set

Desktop Local Accounts

1,2,3

3

Desktop Microsoft Accounts

1,2

Desktop Domain Accounts

Not supported

Not supported

+ + +

Enforced values for Local and Microsoft Accounts: + +- Local accounts support values of 1, 2, and 3, however they always enforce a value of 3. +- Passwords for local accounts must meet the following minimum requirements: + + - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters + - Be at least six characters in length + - Contain characters from three of the following four categories: + + - English uppercase characters (A through Z) + - English lowercase characters (a through z) + - Base 10 digits (0 through 9) + - Special characters (!, $, \#, %, etc.) + +

The enforcement of policies for Microsoft accounts happen on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported and setting this value on the server makes Microsoft accounts non-compliant. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**DeviceLock/MinDevicePasswordLength** + + +

Specifies the minimum number or characters required in the PIN or password. + +> [!NOTE] +> This policy must be wrapped in an Atomic command. +> +> Always use the Replace command instead of Add for this policy in Windows 10 for desktop editions. + + +

The following list shows the supported values: + +- An integer X where 4 <= X <= 16 for mobile devices and desktop. However, local accounts will always enforce a minimum password length of 6. +- Not enforced. +- The default value is 4 for mobile devices and desktop devices. + +

Max policy value is the most restricted. + +

For additional information about this policy, see [Exchange ActiveSync Policy Engine Overview](https://technet.microsoft.com/library/dn282287.aspx) and [KB article](https://support.office.com/article/This-device-doesn-t-meet-the-security-requirements-set-by-your-email-administrator-87132fc7-2c7f-4a71-9de0-779ff81c86ca). + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**DeviceLock/PreventLockScreenSlideShow** + + +Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. + +By default, users can enable a slide show that will run after they lock the machine. + +If you enable this setting, users will no longer be able to modify slide show settings in PC Settings, and no slide show will ever start. + + + + + +ADMX Info: +- GP english name: *Prevent enabling lock screen slide show* +- GP name: *CPL_Personalization_NoLockScreenSlideshow* +- GP path: *Control Panel/Personalization* +- GP ADMX file name: *ControlPanelDisplay.admx* + + + + +**DeviceLock/ScreenTimeoutWhileLocked** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. +  +

Allows an enterprise to set the duration in seconds for the screen timeout while on the lock screen of Windows 10 Mobile devices. + +

Minimum supported value is 10. + +

Maximum supported value is 1800. + +

The default value is 10. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No + + + + +**Display/TurnOffGdiDPIScalingForApps** + + +

GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. + +

This policy setting lets you specify legacy applications that have GDI DPI Scaling turned off. + +

If you enable this policy setting, GDI DPI Scaling is turned off for all applications in the list, even if they are enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. + +

If you disable or do not configure this policy setting, GDI DPI Scaling might still be turned on for legacy applications. + +

If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. + +

To validate on Desktop, do the following: + +1. Configure the setting for an app which has GDI DPI scaling enabled via MDM or any other supported mechanisms. +2. Run the app and observe blurry text. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Display/TurnOnGdiDPIScalingForApps** + + +

GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware. + +

This policy setting lets you specify legacy applications that have GDI DPI Scaling turned on. + +

If you enable this policy setting, GDI DPI Scaling is turned on for all legacy applications in the list. + +

If you disable or do not configure this policy setting, GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility database, ApplicationCompatibility UI System (Enhanced) setting, or an application manifest. + +

If GDI DPI Scaling is configured to both turn off and turn on an application, the application will be turned off. + +

To validate on Desktop, do the following: + +1. Configure the setting for an app which uses GDI. +2. Run the app and observe crisp text. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**EnterpriseCloudPrint/CloudPrintOAuthAuthority** + + +

Added in Windows 10, version 1703. Specifies the authentication endpoint for acquiring OAuth tokens. This policy must target ./User, otherwise it fails. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://azuretenant.contoso.com/adfs". + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**EnterpriseCloudPrint/CloudPrintOAuthClientId** + + +

Added in Windows 10, version 1703. Specifies the GUID of a client application authorized to retrieve OAuth tokens from the OAuthAuthority. This policy must target ./User, otherwise it fails. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain a GUID. For example, "E1CF1107-FF90-4228-93BF-26052DD2C714". + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**EnterpriseCloudPrint/CloudPrintResourceId** + + +

Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the enterprise cloud print client during OAuth authentication. This policy must target ./User, otherwise it fails. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MicrosoftEnterpriseCloudPrint/CloudPrint". + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**EnterpriseCloudPrint/CloudPrinterDiscoveryEndPoint** + + +

Added in Windows 10, version 1703. Specifies the per-user end point for discovering cloud printers. This policy must target ./User, otherwise it fails. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain the URL of an endpoint. For example, "https://cloudprinterdiscovery.contoso.com". + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**EnterpriseCloudPrint/DiscoveryMaxPrinterLimit** + + +

Added in Windows 10, version 1703. Defines the maximum number of printers that should be queried from a discovery end point. This policy must target ./User, otherwise it fails. + +

The datatype is an integer. + +

For Windows Mobile, the default value is 20. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**EnterpriseCloudPrint/MopriaDiscoveryResourceId** + + +

Added in Windows 10, version 1703. Specifies the per-user resource URL for which access is requested by the Mopria discovery client during OAuth authentication. This policy must target ./User, otherwise it fails. + +

The datatype is a string. + +

The default value is an empty string. Otherwise, the value should contain a URL. For example, "http://MopriaDiscoveryService/CloudPrint". + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**ErrorReporting/CustomizeConsentSettings** + + +This policy setting determines the consent behavior of Windows Error Reporting for specific event types. + +If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents dialog box. Event types are those for generic, non-fatal errors: crash, no response, and kernel fault errors. For each specified event type, you can set a consent level of 0, 1, 2, 3, or 4. + +- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type. + +- 1 (Always ask before sending data): Windows prompts the user for consent to send reports. + +- 2 (Send parameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, and Windows prompts the user for consent to send any additional data requested by Microsoft. + +- 3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution, as well as data which Windows has determined (within a high probability) does not contain personally identifiable data, and prompts the user for consent to send any additional data requested by Microsoft. + +- 4 (Send all data): Any data requested by Microsoft is sent automatically. + +If you disable or do not configure this policy setting, then the default consent settings that are applied are those specified by the user in Control Panel, or in the Configure Default Consent policy setting. 
+ + + + + +ADMX Info: +- GP english name: *Customize consent settings* +- GP name: *WerConsentCustomize_2* +- GP path: *Windows Components/Windows Error Reporting/Consent* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/DisableWindowsErrorReporting** + + +This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. + +If you enable this policy setting, Windows Error Reporting does not send any problem information to Microsoft. Additionally, solution information is not available in Security and Maintenance in Control Panel. + +If you disable or do not configure this policy setting, the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured, user settings in Control Panel for Windows Error Reporting are applied. + + + + + +ADMX Info: +- GP english name: *Disable Windows Error Reporting* +- GP name: *WerDisable_2* +- GP path: *Windows Components/Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/DisplayErrorNotification** + + +This policy setting controls whether users are shown an error dialog box that lets them report an error. + +If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Error Reporting policy setting is also enabled, the user can also report the error. + +If you disable this policy setting, users are not notified that errors have occurred. If the Configure Error Reporting policy setting is also enabled, errors are reported, but users receive no notification. 
Disabling this policy setting is useful for servers that do not have interactive users. + +If you do not configure this policy setting, users can change this setting in Control Panel, which is set to enable notification by default on computers that are running Windows XP Personal Edition and Windows XP Professional Edition, and disable notification by default on computers that are running Windows Server. + +See also the Configure Error Reporting policy setting. + + + + + +ADMX Info: +- GP english name: *Display Error Notification* +- GP name: *PCH_ShowUI* +- GP path: *Windows Components/Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/DoNotSendAdditionalData** + + +This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. + +If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically declined, without notification to the user. + +If you disable or do not configure this policy setting, then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting/Consent take precedence. + + + + + +ADMX Info: +- GP english name: *Do not send additional data* +- GP name: *WerNoSecondLevelData_2* +- GP path: *Windows Components/Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**ErrorReporting/PreventCriticalErrorDisplay** + + +This policy setting prevents the display of the user interface for critical errors. + +If you enable this policy setting, Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors. + +If you disable or do not configure this policy setting, Windows Error Reporting displays the user interface for critical errors. 
+ + + + + +ADMX Info: +- GP english name: *Prevent display of the user interface for critical errors* +- GP name: *WerDoNotShowUI* +- GP path: *Windows Components/Windows Error Reporting* +- GP ADMX file name: *ErrorReporting.admx* + + + + +**EventLogService/ControlEventLogBehavior** + + +This policy setting controls Event Log behavior when the log file reaches its maximum size. + +If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. + +If you disable or do not configure this policy setting and a log file reaches its maximum size, new events overwrite old events. + +Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting. + + + + + +ADMX Info: +- GP english name: *Control Event Log behavior when the log file reaches its maximum size* +- GP name: *Channel_Log_Retention_1* +- GP path: *Windows Components/Event Log Service/Application* +- GP ADMX file name: *eventlog.admx* + + + + +**EventLogService/SpecifyMaximumFileSizeApplicationLog** + + +This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. + + + + + +ADMX Info: +- GP english name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_1* +- GP path: *Windows Components/Event Log Service/Application* +- GP ADMX file name: *eventlog.admx* + + + + +**EventLogService/SpecifyMaximumFileSizeSecurityLog** + + +This policy setting specifies the maximum size of the log file in kilobytes. 
+ +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. + + + + + +ADMX Info: +- GP english name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_2* +- GP path: *Windows Components/Event Log Service/Security* +- GP ADMX file name: *eventlog.admx* + + + + +**EventLogService/SpecifyMaximumFileSizeSystemLog** + + +This policy setting specifies the maximum size of the log file in kilobytes. + +If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte increments. + +If you disable or do not configure this policy setting, the maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties dialog and it defaults to 20 megabytes. + + + + + +ADMX Info: +- GP english name: *Specify the maximum log file size (KB)* +- GP name: *Channel_LogMaxSize_4* +- GP path: *Windows Components/Event Log Service/System* +- GP ADMX file name: *eventlog.admx* + + + + +**Experience/AllowCopyPaste** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +

Specifies whether copy and paste is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowCortana** + + +

Specifies whether Cortana is allowed on the device. If you enable or don’t configure this setting, Cortana is allowed on the device. If you disable this setting, Cortana is turned off. When Cortana is off, users will still be able to use search to find items on the device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + +

Benefit to the customer: + +

Before this setting, enterprise customers could not set up Cortana during out-of-box experience (OOBE) at all, even though Cortana is the “voice” that walks you through OOBE. By sending AllowCortana in initial enrollment, enterprise customers can allow their employees to see the Cortana consent page. This enables them to choose to use Cortana and make their lives easier and more productive. + +

Sample scenario: + +

An enterprise employee customer is going through OOBE and enjoys Cortana’s help in this process. The customer is happy to learn during OOBE that Cortana can help them be more productive, and chooses to set up Cortana before OOBE finishes. When their setup is finished, they are immediately ready to engage with Cortana to help manage their schedule and more. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowDeviceDiscovery** + + +

Allows users to turn on/off device discovery UX. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

When set to 0 , the projection pane is disabled. The Win+P and Win+K shortcut keys will not work on. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowFindMyDevice** + + +

Added in Windows 10, version 1703. This policy turns on Find My Device feature. + +

When Find My Device is on, the device and its location are registered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. + +

When Find My Device is off, the device and its location are not registered and the Find My Device feature will not work. + + + + + + + +**Experience/AllowManualMDMUnenrollment** + + +

Specifies whether to allow the user to delete the workplace account using the workplace control panel. + +> [!NOTE] +> The MDM server can always remotely delete the account. + + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowSIMErrorDialogPromptWhenNoSIM** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies whether to display dialog prompt when no SIM card is detected. + +

The following list shows the supported values: + +- 0 – SIM card dialog prompt is not displayed. +- 1 (default) – SIM card dialog prompt is displayed. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowScreenCapture** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies whether screen capture is allowed. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowSyncMySettings** + + +

Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices). + +

The following list shows the supported values: + +- 0 – Sync settings is not allowed. +- 1 (default) – Sync settings allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowTailoredExperiencesWithDiagnosticData** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +

Added in Windows 10, version 1703. This policy allows you to prevent Windows from using diagnostic data to provide customized experiences to the user. If you enable this policy setting, Windows will not use diagnostic data from this device to customize content shown on the lock screen, Windows tips, Microsoft consumer features, or other related features. If these features are enabled, users will still see recommendations, tips and offers, but they may be less relevant. If you disable or do not configure this policy setting, Microsoft will use diagnostic data to provide personalized recommendations, tips, and offers to tailor Windows for the user's needs and make it work better for them. + +

Diagnostic data can include browser, app and feature usage, depending on the "Diagnostic and usage data" setting value. + +> **Note** This setting does not control Cortana cutomized experiences because there are separate policies to configure it. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + + +**Experience/AllowTaskSwitcher** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Allows or disallows task switching on the device. + +

The following list shows the supported values: + +- 0 – Task switching not allowed. +- 1 (default) – Task switching allowed. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowThirdPartySuggestionsInWindowsSpotlight** + + +> [!NOTE] +> This policy is only available for Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. + + +

Specifies whether to allow app and content suggestions from third-party software publishers in Windows spotlight features like lock screen spotlight, suggested apps in the Start menu, and Windows tips. Users may still see suggestions for Microsoft features, apps, and services. + +

The following list shows the supported values: + +- 0 – Third-party suggestions not allowed. +- 1 (default) – Third-party suggestions allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowVoiceRecording** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies whether voice recording is allowed for apps. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowWindowsConsumerFeatures** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

This policy allows IT admins to turn on experiences that are typically for consumers only, such as Start suggestions, Membership notifications, Post-OOBE app install and redirect tiles. + +> [!IMPORTANT] +> This node must be accessed using the following paths: +> +> - **./User/Vendor/MSFT/Policy/Config/Experience/AllowWindowsConsumerFeatures** to set the policy. +> - **./User/Vendor/MSFT/Policy/Result/Experience/AllowWindowsConsumerFeatures** to get the result. + +  +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowWindowsSpotlight** + + +> [!NOTE] +> This policy is only available for Windows 10 Enterprise and Windows 10 Education. + + +

Specifies whether to turn off all Windows spotlight features at once. If you enable this policy setting, Windows spotlight on lock screen, Windows Tips, Microsoft consumer features and other related features will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices. If you disable or do not configure this policy setting, Windows spotlight features are allowed and may be controlled individually using their corresponding policy settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/AllowWindowsSpotlightOnActionCenter** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +

Added in Windows 10, version 1703. This policy allows administrators to prevent Windows spotlight notifications from being displayed in the Action Center. If you enable this policy, Windows spotlight notifications will no longer be displayed in the Action Center. If you disable or do not configure this policy, Microsoft may display notifications in the Action Center that will suggest apps or features to help users be more productive on Windows. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + + +**Experience/AllowWindowsSpotlightWindowsWelcomeExperience** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + +

Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature. +The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + + +**Experience/AllowWindowsTips** + + +Enables or disables Windows Tips / soft landing. + +

The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Enabled. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/ConfigureWindowsSpotlightOnLockScreen** + + +> [!NOTE] +> This policy is only available for Windows 10 Enterprise and Windows 10 Education. + + +

Allows IT admins to specify whether spotlight should be used on the user's lock screen. If your organization does not have an Enterprise spotlight content service, then this policy will behave the same as a setting of 1. + +

The following list shows the supported values: + +- 0 – None. +- 1 (default) – Windows spotlight enabled. +- 2 – placeholder only for future extension. Using this value has no effect. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Experience/DoNotShowFeedbackNotifications** + + +

Prevents devices from showing feedback questions from Microsoft. + +

If you enable this policy setting, users will no longer see feedback notifications through the Feedback hub app. If you disable or do not configure this policy setting, users may see notifications through the Feedback hub app asking users for feedback. + +

If you disable or do not configure this policy setting, users can control how often they receive feedback questions. + +

The following list shows the supported values: + +- 0 (default) – Feedback notifications are not disabled. The actual state of feedback notifications on the device will then depend on what GP has configured or what the user has configured locally. +- 1 – Feedback notifications are disabled. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Games/AllowAdvancedGamingServices** + + +

Placeholder only. Currently not supported. + + + + + + + +**InternetExplorer/AddSearchProvider** + + +This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally, search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the provider's website. + +If you enable this policy setting, the user can add and remove search providers, but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. + +If you disable or do not configure this policy setting, the user can configure their list of search providers unless another policy setting restricts such configuration. + + + + + +ADMX Info: +- GP english name: *Add a specific list of search providers to the user's list of search providers* +- GP name: *AddSearchProvider* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowActiveXFiltering** + + +This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly. + +If you enable this policy setting, ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering, although they may add per-site exceptions. + +If you disable or do not configure this policy setting, ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off. 
+ + + + + +ADMX Info: +- GP english name: *Turn on ActiveX Filtering* +- GP name: *TurnOnActiveXFiltering* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowAddOnList** + + +This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls like ActiveX Controls, Toolbars, and Browser Helper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages. + +This list can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting, which defines whether add-ons not listed here are assumed to be denied. + +If you enable this policy setting, you can enter a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list, enter the following information: + +Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for example, {000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced. + +Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed, enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-on Manager, enter a 2 (two) into this field. + +If you disable this policy setting, the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in this list are assumed to be denied. 
+ + + + + +ADMX Info: +- GP english name: *Add-on List* +- GP name: *AddonManagement_AddOnList* +- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowEnhancedProtectedMode** + + +Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8, Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system. + +If you enable this policy setting, Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode. + +If you disable this policy setting, Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista. + +If you do not configure this policy, users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog. + + + + + +ADMX Info: +- GP english name: *Turn on Enhanced Protected Mode* +- GP name: *Advanced_EnableEnhancedProtectedMode* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowEnterpriseModeFromToolsMenu** + + +This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally, this policy also lets you specify where to get reports (through post messages) about the websites for which users turn on Enterprise Mode using the Tools menu. + +If you turn this setting on, users can see and use the Enterprise Mode option from the Tools menu. 
If you turn this setting on, but don't specify a report location, Enterprise Mode will still be available to your users, but you won't get any reports. + +If you disable or don't configure this policy setting, the menu option won't appear and users won't be able to run websites in Enterprise Mode. + + + + + +ADMX Info: +- GP english name: *Let users turn on and use Enterprise Mode from the Tools menu* +- GP name: *EnterpriseModeEnable* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowEnterpriseModeSiteList** + + +This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE, instead of Standard mode, because of compatibility issues. Users can't edit this list. + +If you enable this policy setting, Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode), opening all listed websites using Enterprise Mode IE. + +If you disable or don't configure this policy setting, Internet Explorer opens all websites using Standards mode. + + + + + +ADMX Info: +- GP english name: *Use the Enterprise Mode IE website list* +- GP name: *EnterpriseModeSiteList* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowInternetExplorer7PolicyList ** + + +This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View. + +If you enable this policy setting, the user can add and remove sites from the list, but the user cannot remove the entries that you specify. + +If you disable or do not configure this policy setting, the user can add and remove sites from the list. 
+ + + + + +ADMX Info: +- GP english name: *Use Policy List of Internet Explorer 7 sites* +- GP name: *CompatView_UsePolicyList* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowInternetExplorerStandardsMode** + + +This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belongs to the local intranet security zone. + +If you enable this policy setting, Internet Explorer uses the current user agent string for local intranet content. Additionally, all local intranet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior through the Compatibility View Settings dialog box. + +If you disable this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box. + +If you do not configure this policy setting, Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionally, all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages, but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior of Internet Explorer. 
+ + + + + +ADMX Info: +- GP english name: *Turn on Internet Explorer Standards Mode for local intranet* +- GP name: *CompatView_IntranetSites* +- GP path: *Windows Components/Internet Explorer/Compatibility View* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowInternetZoneTemplate** + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + + + +ADMX Info: +- GP english name: *Internet Zone Template* +- GP name: *IZ_PolicyInternetZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowIntranetZoneTemplate** + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. 
+ +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + + + +ADMX Info: +- GP english name: *Intranet Zone Template* +- GP name: *IZ_PolicyIntranetZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLocalMachineZoneTemplate** + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. 
Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + + + +ADMX Info: +- GP english name: *Local Machine Zone Template* +- GP name: *IZ_PolicyLocalMachineZoneTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownInternetZoneTemplate** + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. 
You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + + + +ADMX Info: +- GP english name: *Locked-Down Internet Zone Template* +- GP name: *IZ_PolicyInternetZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownIntranetZoneTemplate** + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. 
+ + + + + +ADMX Info: +- GP english name: *Locked-Down Intranet Zone Template* +- GP name: *IZ_PolicyIntranetZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownLocalMachineZoneTemplate** + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. 
+ + + + + +ADMX Info: +- GP english name: *Locked-Down Local Machine Zone Template* +- GP name: *IZ_PolicyLocalMachineZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowLockedDownRestrictedSitesZoneTemplate** + + +This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High. + +If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults. + +If you disable this template policy setting, no security level is configured. + +If you do not configure this template policy setting, no security level is configured. + +Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent. + +Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets. + + + + + +ADMX Info: +- GP english name: *Locked-Down Restricted Sites Zone Template* +- GP name: *IZ_PolicyRestrictedSitesZoneLockdownTemplate* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowOneWordEntry** + + +This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar. 
+ +If you enable this policy setting, Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar, if it is available. + +If you disable or do not configure this policy setting, Internet Explorer does not go directly to an intranet site for a one-word entry in the Address bar. + + + + + +ADMX Info: +- GP english name: *Go to an intranet site for a one-word entry in the Address bar* +- GP name: *UseIntranetSiteForOneWordEntry* +- GP path: *Windows Components/Internet Explorer/Internet Settings/Advanced settings/Browsing* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowSiteToZoneAssignmentList** + + +This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers have associated security settings that apply to all of the sites in the zone. + +Internet Explorer has 4 security zones, numbered 1-4, and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zone, (2) Trusted Sites zone, (3) Internet zone, and (4) Restricted Sites zone. Security settings can be set for each of these zones through other policy settings, and their default settings are: Trusted Sites zone (Low template), Intranet zone (Medium-Low template), Internet zone (Medium template), and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect your local computer.) + +If you enable this policy setting, you can enter a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are applied to the site. For each entry that you add to the list, enter the following information: + +Valuename A host for an intranet site, or a fully qualified domain name for other sites. The valuename may also includea specificprotocol. 
For example, if you enter http://www.contoso.comas the valuename, other protocols are not affected.If you enter just www.contoso.com,then all protocolsare affected for that site, including http, https, ftp, and so on. The site may also be expressed as an IP address (e.g., 127.0.0.1) or range (e.g., 127.0.0.1-10). To avoid creating conflicting policies, do not include additional characters after the domain such as trailing slashes or URL path. For example, policy settings for www.contoso.com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer, and would therefore be in conflict. + +Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explorer zones described above are 1-4. + +If you disable or do not configure this policy, users may choose their own site-to-zone assignments. + + + + + +ADMX Info: +- GP english name: *Site to Zone Assignment List* +- GP name: *IZ_Zonemaps* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/AllowSuggestedSites** + + +This policy setting controls the Suggested Sites feature, which recommends websites based on the users browsing activity. Suggested Sites reports a users browsing history to Microsoft to suggest sites that the user might want to visit. + +If you enable this policy setting, the user is not prompted to enable Suggested Sites. The users browsing history is sent to Microsoft to produce suggestions. + +If you disable this policy setting, the entry points and functionality associated with this feature are turned off. + +If you do not configure this policy setting, the user can turn on and turn off the Suggested Sites feature. 
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on Suggested Sites*
+- GP name: *EnableSuggestedSites*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowTrustedSitesZoneTemplate**
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Trusted Sites Zone Template*
+- GP name: *IZ_PolicyTrustedSitesZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowsLockedDownTrustedSitesZoneTemplate**
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Locked-Down Trusted Sites Zone Template*
+- GP name: *IZ_PolicyTrustedSitesZoneLockdownTemplate*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/AllowsRestrictedSitesZoneTemplate**
+
+
+This template policy setting allows you to configure policy settings in this zone consistent with a selected security level, for example, Low, Medium Low, Medium, or High.
+
+If you enable this template policy setting and select a security level, all values for individual settings in the zone will be overwritten by the standard template defaults.
+
+If you disable this template policy setting, no security level is configured.
+
+If you do not configure this template policy setting, no security level is configured.
+
+Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone.
If you select a security level for any zone (including selecting no security), the same change should be made to the Locked-Down equivalent.
+
+Note. It is recommended to configure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Group Policy management features (for example, precedence, inheritance, or enforce) to apply individual settings to specific targets.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Restricted Sites Zone Template*
+- GP name: *IZ_PolicyRestrictedSitesZoneTemplate*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableAdobeFlash**
+
+
+This policy setting turns off Adobe Flash in Internet Explorer and prevents applications from using Internet Explorer technology to instantiate Flash objects.
+
+If you enable this policy setting, Flash is turned off for Internet Explorer, and applications cannot use Internet Explorer technology to instantiate Flash objects. In the Manage Add-ons dialog box, the Flash status will be 'Disabled', and users cannot enable Flash. If you enable this policy setting, Internet Explorer will ignore settings made for Adobe Flash through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings.
+
+If you disable, or do not configure this policy setting, Flash is turned on for Internet Explorer, and applications can use Internet Explorer technology to instantiate Flash objects. Users can enable or disable Flash in the Manage Add-ons dialog box.
+
+Note that Adobe Flash can still be disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings, even if this policy setting is disabled, or not configured.
However, if Adobe Flash is disabled through the "Add-on List" and "Deny all add-ons unless specifically allowed in the Add-on List" policy settings and not through this policy setting, all applications that use Internet Explorer technology to instantiate Flash object can still do so. For more information, see "Group Policy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off Adobe Flash in Internet Explorer and prevent applications from using Internet Explorer technology to instantiate Flash objects*
+- GP name: *DisableFlashInIE*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableBypassOfSmartScreenWarnings**
+
+
+This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also prevents the execution of files that are known to be malicious.
+
+If you enable this policy setting, SmartScreen Filter warnings block the user.
+
+If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent bypassing SmartScreen Filter warnings*
+- GP name: *DisableSafetyFilterOverride*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles**
+
+
+This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.
+
+If you enable this policy setting, SmartScreen Filter warnings block the user.
+
+If you disable or do not configure this policy setting, the user can bypass SmartScreen Filter warnings.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet*
+- GP name: *DisableSafetyFilterOverrideForAppRepUnknown*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableCustomerExperienceImprovementProgramParticipation**
+
+
+This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).
+
+If you enable this policy setting, the user cannot participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
+
+If you disable this policy setting, the user must participate in the CEIP, and the Customer Feedback Options command does not appear on the Help menu.
+
+If you do not configure this policy setting, the user can choose to participate in the CEIP.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent participation in the Customer Experience Improvement Program*
+- GP name: *SQM_DisableCEIP*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableEnclosureDownloading**
+
+
+This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.
+
+If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.
+
+If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent downloading of enclosures*
+- GP name: *Disable_Downloading_of_Enclosures*
+- GP path: *Windows Components/RSS Feeds*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableEncryptionSupport**
+
+
+This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each others list of supported protocols and versions, and they select the most preferred match.
+
+If you enable this policy setting, the browser negotiates or does not negotiate an encryption tunnel by using the encryption methods that you select from the drop-down list.
+
+If you disable or do not configure this policy setting, the user can select which encryption method the browser supports.
+
+Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol, and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off encryption support*
+- GP name: *Advanced_SetWinInetProtocols*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableFirstRunWizard**
+
+
+This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Internet Explorer or Windows.
+
+If you enable this policy setting, you must make one of the following choices:
+Skip the First Run wizard, and go directly to the user's home page.
+Skip the First Run wizard, and go directly to the "Welcome to Internet Explorer" webpage.
+
+Starting with Windows 8, the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.
+
+If you disable or do not configure this policy setting, Internet Explorer may run the First Run wizard the first time the browser is started after installation.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent running First Run wizard*
+- GP name: *NoFirstRunCustomise*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableFlipAheadFeature**
+
+
+This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.
+
+Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature isn't available for Internet Explorer for the desktop.
+
+If you enable this policy setting, flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.
+
+If you disable this policy setting, flip ahead with page prediction is turned on and the next webpage is loaded into the background.
+
+If you don't configure this setting, users can turn this behavior on or off, using the Settings charm.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off the flip ahead with page prediction feature*
+- GP name: *Advanced_DisableFlipAhead*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Advanced Page*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableHomePageChange**
+
+
+The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer loads whenever it is run.
+
+If you enable this policy setting, a user cannot set a custom default home page. You must specify which default home page should load on the user machine.
For machines with at least Internet Explorer 7, the home page can be set within this policy to override other home page policies.
+
+If you disable or do not configure this policy setting, the Home page box is enabled and users can choose their own home page.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Disable changing home page settings*
+- GP name: *RestrictHomePage*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableProxyChange**
+
+
+This policy setting specifies if a user can change proxy settings.
+
+If you enable this policy setting, the user will not be able to configure proxy settings.
+
+If you disable or do not configure this policy setting, the user can configure proxy settings.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent changing proxy settings*
+- GP name: *RestrictProxy*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableSearchProviderChange**
+
+
+This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.
+
+If you enable this policy setting, the user cannot change the default search provider.
+
+If you disable or do not configure this policy setting, the user can change the default search provider.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Prevent changing the default search provider*
+- GP name: *NoSearchProvider*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableSecondaryHomePageChange**
+
+
+Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.
+
+If you enable this policy setting, you can specify which default home pages should load as secondary home pages.
The user cannot set custom default secondary home pages.
+
+If you disable or do not configure this policy setting, the user can add secondary home pages.
+
+Note: If the Disable Changing Home Page Settings policy is enabled, the user cannot add secondary home pages.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Disable changing secondary home page settings*
+- GP name: *SecondaryHomePages*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DisableUpdateCheck**
+
+
+Prevents Internet Explorer from checking whether a new version of the browser is available.
+
+If you enable this policy, it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new version is available.
+
+If you disable this policy or do not configure it, Internet Explorer checks every 30 days by default, and then notifies users if a new version is available.
+
+This policy is intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of the browser.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Disable Periodic Check for Internet Explorer software updates*
+- GP name: *NoUpdateCheck*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DoNotAllowUsersToAddSites**
+
+
+Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.
+
+If you enable this policy, the site management settings for security zones are disabled. (To see the site management settings for security zones, in the Internet Options dialog box, click the Security tab, and then click the Sites button.)
+
+If you disable this policy or do not configure it, users can add Web sites to or remove sites from the Trusted Sites and Restricted Sites zones, and alter settings for the Local Intranet zone.
+
+This policy prevents users from changing site management settings for security zones established by the administrator.
+
+Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from the interface, takes precedence over this policy. If it is enabled, this policy is ignored.
+
+Also, see the "Security zones: Use only machine settings" policy.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Security Zones: Do not allow users to add/delete sites*
+- GP name: *Security_zones_map_edit*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DoNotAllowUsersToChangePolicies**
+
+
+Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.
+
+If you enable this policy, the Custom Level button and security-level slider on the Security tab in the Internet Options dialog box are disabled.
+
+If you disable this policy or do not configure it, users can change the settings for security zones.
+
+This policy prevents users from changing security zone settings established by the administrator.
+
+Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel), which removes the Security tab from Internet Explorer in Control Panel, takes precedence over this policy. If it is enabled, this policy is ignored.
+
+Also, see the "Security zones: Use only machine settings" policy.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Security Zones: Do not allow users to change policies*
+- GP name: *Security_options_edit*
+- GP path: *Windows Components/Internet Explorer*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DoNotBlockOutdatedActiveXControls**
+
+
+This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
+
+If you enable this policy setting, Internet Explorer stops blocking outdated ActiveX controls.
+
+If you disable or don't configure this policy setting, Internet Explorer continues to block specific outdated ActiveX controls.
+
+For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer*
+- GP name: *VerMgmtDisable*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/DoNotBlockOutdatedActiveXControlsOnSpecificDomains**
+
+
+This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
+
+If you enable this policy setting, you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:
+
+1. "domain.name.TLD". For example, if you want to include *.contoso.com/*, use "contoso.com"
+2. "hostname". For example, if you want to include http://example, use "example"
+3. "file:///path/filename.htm".
For example, use "file:///C:/Users/contoso/Desktop/index.htm"
+
+If you disable or don't configure this policy setting, the list is deleted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.
+
+For more information, see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains*
+- GP name: *VerMgmtDomainAllowlist*
+- GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IncludeAllLocalSites**
+
+
+This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet security zone.
+
+If you enable this policy setting, local sites which are not explicitly mapped into a zone are considered to be in the Intranet Zone.
+
+If you disable this policy setting, local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).
+
+If you do not configure this policy setting, users choose whether to force local sites into the Intranet Zone.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Intranet Sites: Include all local (intranet) sites not listed in other zones*
+- GP name: *IZ_IncludeUnspecifiedLocalSites*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IncludeAllNetworkPaths**
+
+
+This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.
+
+If you enable this policy setting, all network paths are mapped into the Intranet Zone.
+
+If you disable this policy setting, network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).
+
+If you do not configure this policy setting, users choose whether network paths are mapped into the Intranet Zone.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Intranet Sites: Include all network paths (UNCs)*
+- GP name: *IZ_UNCAsIntranet*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowAccessToDataSources**
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowAutomaticPromptingForActiveXControls**
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar.
Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads**
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowFontDownloads**
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowLessPrivilegedSites**
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents**
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowScriptlets**
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowSmartScreenIE**
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneAllowUserDataPersistence**
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneInitializeAndScriptActiveXControls**
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/InternetZoneNavigateWindowsAndFrames**
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_1*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowAccessToDataSources**
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowAutomaticPromptingForActiveXControls**
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar.
Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowAutomaticPromptingForFileDownloads**
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowFontDownloads**
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowLessPrivilegedSites**
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowNETFrameworkReliantComponents**
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components.
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowScriptlets**
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowSmartScreenIE**
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneAllowUserDataPersistence**
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls**
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/IntranetZoneNavigateWindowsAndFrames**
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_3*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForActiveXControls**
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowAutomaticPromptingForFileDownloads**
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowFontDownloads**
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowLessPrivilegedSites**
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowNETFrameworkReliantComponents**
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowScriptlets**
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowSmartScreenIE**
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneAllowUserDataPersistence**
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneInitializeAndScriptActiveXControls**
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones.
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LocalMachineZoneNavigateWindowsAndFrames**
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_9*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowAccessToDataSources**
+
+
+This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
+
+If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Access data sources across domains*
+- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls**
+
+
+This policy setting manages whether users will be automatically prompted for ActiveX control installations.
+
+If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
+
+If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar.
Users can click on the Notification bar to allow the ActiveX control prompt.
+
+If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for ActiveX controls*
+- GP name: *IZ_PolicyNotificationBarActiveXURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads**
+
+
+This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
+
+If you enable this setting, users will receive a file download dialog for automatic download attempts.
+
+If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Automatic prompting for file downloads*
+- GP name: *IZ_PolicyNotificationBarDownloadURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowFontDownloads**
+
+
+This policy setting allows you to manage whether pages of the zone may download HTML fonts.
+
+If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download.
+
+If you disable this policy setting, HTML fonts are prevented from downloading.
+
+If you do not configure this policy setting, HTML fonts can be downloaded automatically.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowLessPrivilegedSites**
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowNETFrameworkReliantComponents**
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer.
These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowScriptlets**
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE**
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneAllowUserDataPersistence**
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_2*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/LockedDownInternetZoneInitializeAndScriptActiveXControls**
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+ +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownInternetZoneNavigateWindowsAndFrames** + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. 
+ + + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_2* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowAccessToDataSources** + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls** + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. 
Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads** + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowFontDownloads** + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. 
+ +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowLessPrivilegedSites** + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowNETFrameworkReliantComponents** + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. 
These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowScriptlets** + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowSmartScreenIE** + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. 
+ +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneAllowUserDataPersistence** + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneInitializeAndScriptActiveXControls** + + +This policy setting allows you to manage ActiveX controls not marked as safe. 
+ +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownIntranetZoneNavigateWindowsAndFrames** + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. 
+ + + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_4* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowAccessToDataSources** + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls** + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. 
Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads** + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowFontDownloads** + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. 
+ +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. + + + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowLessPrivilegedSites** + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. 
+ + + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents** + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowScriptlets** + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. 
+ + + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowSmartScreenIE** + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneAllowUserDataPersistence** + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. 
+ +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneInitializeAndScriptActiveXControls** + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownLocalMachineZoneNavigateWindowsAndFrames** + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. 
+ +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. + + + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_10* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAccessToDataSources** + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
+ + + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. 
Users can then click the Notification bar to allow the file download prompt. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowFontDownloads** + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + + + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowLessPrivilegedSites** + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. 
The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents** + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowScriptlets** + + +This policy setting allows you to manage whether the user can run scriptlets. 
+ +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowSmartScreenIE** + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneAllowUserDataPersistence** + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. 
+ +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls** + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. 
+ + + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownRestrictedSitesZoneNavigateWindowsAndFrames** + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. + +If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. + + + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_8* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowAccessToDataSources** + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. 
If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls** + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. 
+ + + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads** + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowFontDownloads** + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. 
+ + + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowLessPrivilegedSites** + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents** + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link. 
+ +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowScriptlets** + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowSmartScreenIE** + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. + +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. 
+ +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneAllowUserDataPersistence** + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls** + + +This policy setting allows you to manage ActiveX controls not marked as safe. + +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. 
This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/LockedDownTrustedSitesZoneNavigateWindowsAndFrames** + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open windows and frames to access applications from different domains. + +If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains. 
+ + + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_6* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources** + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). + +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls** + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. 
Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads** + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, file downloads that are not user-initiated will be blocked, and users will see the Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowFontDownloads** + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. 
+ +If you do not configure this policy setting, users are queried whether to allow HTML fonts to download. + + + + + +ADMX Info: +- GP english name: *Allow font downloads* +- GP name: *IZ_PolicyFontDownload_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowLessPrivilegedSites** + + +This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone. + +If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur. + +If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + +If you do not configure this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control. + + + + + +ADMX Info: +- GP english name: *Web sites in less privileged Web content zones can navigate into this zone* +- GP name: *IZ_PolicyZoneElevationURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents** + + +This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. 
These components include managed controls referenced from an object tag and managed executables referenced from a link. + +If you enable this policy setting, Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components. + +If you disable this policy setting, Internet Explorer will not execute unsigned managed components. + +If you do not configure this policy setting, Internet Explorer will not execute unsigned managed components. + + + + + +ADMX Info: +- GP english name: *Run .NET Framework-reliant components not signed with Authenticode* +- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowScriptlets** + + +This policy setting allows you to manage whether the user can run scriptlets. + +If you enable this policy setting, the user can run scriptlets. + +If you disable this policy setting, the user cannot run scriptlets. + +If you do not configure this policy setting, the user can enable or disable scriptlets. + + + + + +ADMX Info: +- GP english name: *Allow scriptlets* +- GP name: *IZ_Policy_AllowScriptlets_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE** + + +This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content. + +If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content. + +If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content. 
+ +If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content. + +Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content. + + + + + +ADMX Info: +- GP english name: *Turn on SmartScreen Filter scan* +- GP name: *IZ_Policy_Phishing_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence** + + +This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured. + +If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + +If you do not configure this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. + + + + + +ADMX Info: +- GP english name: *Userdata persistence* +- GP name: *IZ_PolicyUserdataPersistence_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls** + + +This policy setting allows you to manage ActiveX controls not marked as safe. 
+ +If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option. + +If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted. + +If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + +If you do not configure this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted. + + + + + +ADMX Info: +- GP english name: *Initialize and script ActiveX controls not marked as safe* +- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/RestrictedSitesZoneNavigateWindowsAndFrames** + + +This policy setting allows you to manage the opening of windows and frames and access of applications across different domains. + +If you enable this policy setting, users can open additional windows and frames from other domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow additional windows and frames to access applications from other domains. + +If you disable this policy setting, users cannot open other windows and frames from other domains or access applications from different domains. + +If you do not configure this policy setting, users cannot open other windows and frames from different domains or access applications from different domains. 
+ + + + + +ADMX Info: +- GP english name: *Navigate windows and frames across different domains* +- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_7* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/SearchProviderList** + + +This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Normally, search providers can be added from third-party toolbars or in Setup, but the user can also add them from a search provider's website. + +If you enable this policy setting, the user cannot configure the list of search providers on his or her computer, and any default providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file. For information about creating this custom administrative template file, see the Internet Explorer documentation on search providers. + +If you disable or do not configure this policy setting, the user can configure his or her list of search providers. + + + + + +ADMX Info: +- GP english name: *Restrict search providers to a specific list* +- GP name: *SpecificSearchProvider* +- GP path: *Windows Components/Internet Explorer* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowAccessToDataSources** + + +This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO). 
+ +If you enable this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-down box, users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you disable this policy setting, users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + +If you do not configure this policy setting, users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. + + + + + +ADMX Info: +- GP english name: *Access data sources across domains* +- GP name: *IZ_PolicyAccessDataSourcesAcrossDomains_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForActiveXControls** + + +This policy setting manages whether users will be automatically prompted for ActiveX control installations. + +If you enable this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. + +If you disable this policy setting, ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt. + +If you do not configure this policy setting, users will receive a prompt when a site instantiates an ActiveX control they do not have installed. 
+ + + + + +ADMX Info: +- GP english name: *Automatic prompting for ActiveX controls* +- GP name: *IZ_PolicyNotificationBarActiveXURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowAutomaticPromptingForFileDownloads** + + +This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads. + +If you enable this setting, users will receive a file download dialog for automatic download attempts. + +If you disable or do not configure this setting, users will receive a file download dialog for automatic download attempts. + + + + + +ADMX Info: +- GP english name: *Automatic prompting for file downloads* +- GP name: *IZ_PolicyNotificationBarDownloadURLaction_5* +- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone* +- GP ADMX file name: *inetres.admx* + + + + +**InternetExplorer/TrustedSitesZoneAllowFontDownloads** + + +This policy setting allows you to manage whether pages of the zone may download HTML fonts. + +If you enable this policy setting, HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-down box, users are queried whether to allow HTML fonts to download. + +If you disable this policy setting, HTML fonts are prevented from downloading. + +If you do not configure this policy setting, HTML fonts can be downloaded automatically. 
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow font downloads*
+- GP name: *IZ_PolicyFontDownload_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowLessPrivilegedSites**
+
+
+This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
+
+If you enable this policy setting, Web sites from less privileged zones can open new windows in, or navigate into, this zone. The security zone will run without the added layer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box, a warning is issued to the user that potentially risky navigation is about to occur.
+
+If you disable this policy setting, the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone Elevation feature control.
+
+If you do not configure this policy setting, a warning is issued to the user that potentially risky navigation is about to occur.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Web sites in less privileged Web content zones can navigate into this zone*
+- GP name: *IZ_PolicyZoneElevationURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowNETFrameworkReliantComponents**
+
+
+This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
+
+If you enable this policy setting, Internet Explorer will execute unsigned managed components.
If you select Prompt in the drop-down box, Internet Explorer will prompt the user to determine whether to execute unsigned managed components.
+
+If you disable this policy setting, Internet Explorer will not execute unsigned managed components.
+
+If you do not configure this policy setting, Internet Explorer will execute unsigned managed components.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Run .NET Framework-reliant components not signed with Authenticode*
+- GP name: *IZ_PolicyUnsignedFrameworkComponentsURLaction_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowScriptlets**
+
+
+This policy setting allows you to manage whether the user can run scriptlets.
+
+If you enable this policy setting, the user can run scriptlets.
+
+If you disable this policy setting, the user cannot run scriptlets.
+
+If you do not configure this policy setting, the user can enable or disable scriptlets.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow scriptlets*
+- GP name: *IZ_Policy_AllowScriptlets_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowSmartScreenIE**
+
+
+This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.
+
+If you enable this policy setting, SmartScreen Filter scans pages in this zone for malicious content.
+
+If you disable this policy setting, SmartScreen Filter does not scan pages in this zone for malicious content.
+
+If you do not configure this policy setting, the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.
+
+Note: In Internet Explorer 7, this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Turn on SmartScreen Filter scan*
+- GP name: *IZ_Policy_Phishing_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneAllowUserDataPersistence**
+
+
+This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
+
+If you enable this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you disable this policy setting, users cannot preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+If you do not configure this policy setting, users can preserve information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Userdata persistence*
+- GP name: *IZ_PolicyUserdataPersistence_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneInitializeAndScriptActiveXControls**
+
+
+This policy setting allows you to manage ActiveX controls not marked as safe.
+
+If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
+
+If you enable this policy setting and select Prompt in the drop-down box, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+If you disable this policy setting, ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
+
+If you do not configure this policy setting, users are queried whether to allow the control to be loaded with parameters or scripted.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Initialize and script ActiveX controls not marked as safe*
+- GP name: *IZ_PolicyScriptActiveXNotMarkedSafe_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**InternetExplorer/TrustedSitesZoneNavigateWindowsAndFrames**
+
+
+This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
+
+If you enable this policy setting, users can open windows and frames from othe domains and access applications from other domains. If you select Prompt in the drop-down box, users are queried whether to allow windows and frames to access applications from other domains.
+
+If you disable this policy setting, users cannot open windows and frames to access applications from different domains.
+
+If you do not configure this policy setting, users can open windows and frames from othe domains and access applications from other domains.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Navigate windows and frames across different domains*
+- GP name: *IZ_PolicyNavigateSubframesAcrossDomains_5*
+- GP path: *Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone*
+- GP ADMX file name: *inetres.admx*
+
+
+
+
+**Kerberos/AllowForestSearchOrder**
+
+
+This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs).
+
+If you enable this policy setting, the Kerberos client searches the forests in this list, if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain.
+
+If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
+
+
+
+
+
+ADMX Info:
+- GP english name: *None*
+- GP name: *ForestSearch*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+**Kerberos/KerberosClientSupportsClaimsCompoundArmor**
+
+
+This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features.
+If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring.
+
+If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
+
+
+
+
+
+
+ADMX Info:
+- GP english name: *Kerberos client support for claims, compound authentication and Kerberos armoring*
+- GP name: *EnableCbacAndArmor*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+**Kerberos/RequireKerberosArmoring**
+
+
+This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller.
+
+Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled.
+
+If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers.
+
+Note: The Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring.
+
+If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
+
+
+
+
+
+
+ADMX Info:
+- GP english name: *Fail authentication requests when Kerberos armoring is not available*
+- GP name: *ClientRequireFast*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+**Kerberos/RequireStrictKDCValidation**
+
+
+This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon.
+
+If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions, and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the computer is joined to a domain, the Kerberos client requires that the KDC's X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain, the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certificate.
+
+If you disable or do not configure this policy setting, the Kerberos client requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued to any server.
+
+
+
+
+
+
+ADMX Info:
+- GP english name: *Require strict KDC validation*
+- GP name: *ValidateKDC*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+**Kerberos/SetMaximumContextTokenSize**
+
+
+This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size.
+
+The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token.
+
+If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller.
+
+If you disable or do not configure this policy setting, the Kerberos client or server uses the locally configured value or the default value.
+
+Note: This policy setting configures the existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters, which was added in Windows XP and Windows Server 2003, with a default value of 12,000 bytes. Beginning with Windows 8 the default is 48,000 bytes. Due to HTTP's base64 encoding of authentication context tokens, it is not advised to set this value more than 48,000 bytes.
+
+
+
+
+
+
+
+ADMX Info:
+- GP english name: *Set maximum Kerberos SSPI context token buffer size*
+- GP name: *MaxTokenSize*
+- GP path: *System/Kerberos*
+- GP ADMX file name: *Kerberos.admx*
+
+
+
+
+**Licensing/AllowWindowsEntitlementReactivation**
+
+
+

Added in Windows 10, version 1607. Enables or Disable Windows license reactivation on managed devices.
+
+

The following list shows the supported values:
+
+- 0 – Disable Windows license reactivation on managed devices.
+- 1 (default) – Enable Windows license reactivation on managed devices.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: No
+- Mobile Enterprise: No
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Licensing/DisallowKMSClientOnlineAVSValidation**
+
+
+

Added in Windows 10, version 1607. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state.
+
+

The following list shows the supported values:
+
+- 0 (default) – Disabled.
+- 1 – Enabled.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: No
+- Mobile Enterprise: No
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Location/EnableLocation**
+
+
+

Added in Windows 10, version 1703. Optional policy that allows for IT admin to preconfigure whether or not Location Service's Device Switch is enabled or disabled for the device. Setting this policy is not required for Location Services to function. This policy controls a device wide state that affects all users, apps, and services ability to find the device's latitude and longitude on a map. There is a separate user switch that defines whether the location service is allowed to retrieve a position for the current user. In order to retrieve a position for a specific user, both the Device Switch and the User Switch must be enabled. If either is disabled, positions cannot be retrieved for the user. The user can later change both the User Switch and the Device Switch through the user interface on the Settings -> Privacy -> Location page.
+
+> [!IMPORTANT]
+> This policy is not intended to ever be set, pushed, or refreshed more than one time after the first boot of the device because it is meant as initial configuration. Refreshing this policy might result in the Location Service's Device Switch changing state to something the user did not select, which is not an intended use for this policy.
+
+

The following list shows the supported values:
+
+- 0 (default) – Disabled.
+- 1 – Enabled.
+
+

To validate on Desktop, do the following:
+
+1. Verify that Settings -> Privacy -> Location -> Location for this device is On/Off as expected.
+2. Use Windows Maps Application (or similar) to see if a location can or cannot be obtained.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Business: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: Yes
+
+
+
+
+**LockDown/AllowEdgeSwipe**
+
+
+

Added in Windows 10, version 1607. Allows the user to invoke any system user interface by swiping in from any screen edge using touch.
+
+

The following list shows the supported values:
+
+- 0 - disallow edge swipe.
+- 1 (default, not configured) - allow edge swipe.
+
+

The easiest way to verify the policy is to restart the explorer process or to reboot after the policy is applied. And then try to swipe from the right edge of the screen. The desired result is for Action Center to not be invoked by the swipe. You can also enter tablet mode and attempt to swipe from the top of the screen to rearrange. That will also be disabled.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: No
+- Mobile Enterprise: No
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Maps/AllowOfflineMapsDownloadOverMeteredConnection**
+
+
+

Added in Windows 10, version 1607. Allows the download and update of map data over metered connections.
+
+

The following list shows the supported values:
+
+- 65535 (default) – Not configured. User's choice.
+- 0 – Disabled. Force disable auto-update over metered connection.
+- 1 – Enabled. Force enable auto-update over metered connection.
+
+

After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Maps/EnableOfflineMapsAutoUpdate** + + +

Added in Windows 10, version 1607. Disables the automatic download and update of map data.
+
+

The following list shows the supported values:
+
+- 65535 (default) – Not configured. User's choice.
+- 0 – Disabled. Force off auto-update.
+- 1 – Enabled. Force on auto-update.
+
+

After the policy is applied, you can verify the settings in the user interface in **System** > **Offline Maps**.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Messaging/AllowMMS**
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+

Added in Windows 10, version 1703. Enables or disables the MMS send/receive functionality on the device. For enterprises, this policy can be used to disable MMS on devices as part of the auditing or management requirement.
+
+

The following list shows the supported values:
+
+- 0 - Disabled.
+- 1 (default) - Enabled.
+
+
+
+
+
+
+
+**Messaging/AllowMessageSync**
+
+
+

Added in Windows 10, version 1607. Enables text message back up and restore and Messaging Everywhere. This policy allows an organization to disable these features to avoid information being stored on servers outside of their control.
+
+

The following list shows the supported values:
+
+- 0 - message sync is not allowed and cannot be changed by the user.
+- 1 - message sync is allowed. The user can change this setting.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: No
+- Enterprise: No
+- Education: No
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Messaging/AllowRCS**
+
+
+> [!NOTE]
+> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop.
+
+

Added in Windows 10, version 1703. Enables or disables the RCS send/receive functionality on the device. For enterprises, this policy can be used to disable RCS on devices as part of the auditing or management requirement.
+
+

The following list shows the supported values:
+
+- 0 - Disabled.
+- 1 (default) - Enabled.
+
+
+
+
+
+
+
+**NetworkIsolation/EnterpriseCloudResources**
+
+
+

Contains a list of Enterprise resource domains hosted in the cloud that need to be protected. Connections to these resources are considered enterprise data. If a proxy is paired with a cloud resource, traffic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this purpose must also be configured using the **EnterpriseInternalProxyServers** policy. This domain list is a pipe-separated list of cloud resources. Each cloud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address. For example, **<*cloudresource*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|<*cloudresource*>|<*cloudresource*>,<*proxy*>|**.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**NetworkIsolation/EnterpriseIPRange**
+
+
+

Sets the enterprise IP ranges that define the computers in the enterprise network. Data that comes from those computers will be considered part of the enterprise and protected. These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of IPv4 and IPv6 ranges. For example:
+
+``` syntax
+10.0.0.0-10.255.255.255,157.54.0.0-157.54.255.255,
+192.168.0.0-192.168.255.255,2001:4898::-2001:4898:7fff:ffff:ffff:ffff:ffff:ffff,
+2001:4898:dc05::-2001:4898:dc05:ffff:ffff:ffff:ffff:ffff,
+2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
+fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
+
+```
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**NetworkIsolation/EnterpriseIPRangesAreAuthoritative**
+
+
+

Boolean value that tells the client to accept the configured list and not to use heuristics to attempt to find other subnets.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**NetworkIsolation/EnterpriseInternalProxyServers**
+
+
+

This is the comma-separated list of internal proxy servers. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59". These proxies have been configured by the admin to connect to specific resources on the Internet. They are considered to be enterprise network locations. The proxies are only leveraged in configuring the **EnterpriseCloudResources** policy to force traffic to the matched cloud resources through these proxies.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**NetworkIsolation/EnterpriseNetworkDomainNames**
+
+
+

This is the list of domains that comprise the boundaries of the enterprise. Data from one of these domains that is sent to a device will be considered enterprise data and protected These locations will be considered a safe destination for enterprise data to be shared to. This is a comma-separated list of domains, for example "contoso.sharepoint.com, Fabrikam.com". + +> [!NOTE] +> The client requires domain name to be canonical, otherwise the setting will be rejected by the client. +  + +

Here are the steps to create canonical domain names:
+
+1. Transform the ASCII characters (A-Z only) to lower case. For example, Microsoft.COM -> microsoft.com.
+2. Call [IdnToAscii](https://msdn.microsoft.com/library/windows/desktop/dd318149.aspx) with IDN\_USE\_STD3\_ASCII\_RULES as the flags.
+3. Call [IdnToUnicode](https://msdn.microsoft.com/library/windows/desktop/dd318151.aspx) with no flags set (dwFlags = 0).
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**NetworkIsolation/EnterpriseProxyServers**
+
+
+

This is a comma-separated list of proxy servers. Any server on this list is considered non-enterprise. For example "157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59".
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**NetworkIsolation/EnterpriseProxyServersAreAuthoritative**
+
+
+

Boolean value that tells the client to accept the configured list of proxies and not try to detect other work proxies.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**NetworkIsolation/NeutralResources**
+
+
+

List of domain names that can used for work or personal resource.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Notifications/DisallowNotificationMirroring**
+
+
+

Added in Windows 10, version 1607. Boolean value that turns off notification mirroring.
+
+

For each user logged into the device, if you enable this policy (set value to 1) the app and system notifications received by this user on this device will not get mirrored to other devices of the same logged in user. If you disable or do not configure this policy (set value to 0) the notifications received by this user on this device will be mirrored to other devices of the same logged in user. This feature can be turned off by apps that do not want to participate in Notification Mirroring. This feature can also be turned off by the user in the Cortana setting page.
+
+

No reboot or service restart is required for this policy to take effect.
+
+

The following list shows the supported values:
+
+- 0 (default)– enable notification mirroring.
+- 1 – disable notification mirroring.
+
+
+
+
+
+
+SKU Support:
+- Home: No
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Power/AllowStandbyWhenSleepingPluggedIn**
+
+
+This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.
+
+If you enable or do not configure this policy setting, Windows uses standby states to put the computer in a sleep state.
+
+If you disable this policy setting, standby states (S1-S3) are not allowed.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow standby states (S1-S3) when sleeping (plugged in)*
+- GP name: *AllowStandbyStatesAC_2*
+- GP path: *System/Power Management/Sleep Settings*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/RequirePasswordWhenComputerWakesOnBattery**
+
+
+This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
+
+If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
+
+If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Require a password when a computer wakes (on battery)*
+- GP name: *DCPromptForPasswordOnResume_2*
+- GP path: *System/Power Management/Sleep Settings*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Power/RequirePasswordWhenComputerWakesPluggedIn**
+
+
+This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.
+
+If you enable or do not configure this policy setting, the user is prompted for a password when the system resumes from sleep.
+
+If you disable this policy setting, the user is not prompted for a password when the system resumes from sleep.
+
+
+
+
+
+ADMX Info:
+- GP english name: *Require a password when a computer wakes (plugged in)*
+- GP name: *ACPromptForPasswordOnResume_2*
+- GP path: *System/Power Management/Sleep Settings*
+- GP ADMX file name: *power.admx*
+
+
+
+
+**Printers/PointAndPrintRestrictions**
+
+
+This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
+
+If you enable this policy setting:
+-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
+-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
+
+If you do not configure this policy setting:
+-Windows Vista client computers can point and print to any server.
+-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
+-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
+-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
+
+If you disable this policy setting:
+-Windows Vista client computers can create a printer connection to any server using Point and Print.
+-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
+-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
+-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
+-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
+
+
+
+
+
+ADMX Info:
+- GP english name: *Point and Print Restrictions*
+- GP name: *PointAndPrint_Restrictions_Win7*
+- GP path: *Printers*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+**Printers/PointAndPrintRestrictions_User**
+
+
+This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain.
+
+If you enable this policy setting:
+-Windows XP and later clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client, a printer connection will be made. If a compatible print driver is not available on the client, no connection will be made.
+-You can configure Windows Vista clients so that security warnings and elevated command prompts do not appear when users Point and Print, or when printer connection drivers need to be updated.
+
+If you do not configure this policy setting:
+-Windows Vista client computers can point and print to any server.
+-Windows Vista computers will show a warning and an elevated command prompt when users create a printer connection to any server using Point and Print.
+-Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated.
+-Windows Server 2003 and Windows XP client computers can create a printer connection to any server in their forest using Point and Print.
+
+If you disable this policy setting:
+-Windows Vista client computers can create a printer connection to any server using Point and Print.
+-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using Point and Print.
+-Windows Vista computers will not show a warning or an elevated command prompt when an existing printer connection driver needs to be updated.
+-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print.
+-The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Windows XP SP1 (and later service packs).
+
+
+
+
+
+ADMX Info:
+- GP english name: *Point and Print Restrictions*
+- GP name: *PointAndPrint_Restrictions*
+- GP ADMX file name: *Printing.admx*
+
+
+
+
+**Printers/PublishPrinters**
+
+
+Determines whether the computer's shared printers can be published in Active Directory.
+
+If you enable this setting or do not configure it, users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared printers in Active Directory.
+
+If you disable this setting, this computer's shared printers cannot be published in Active Directory, and the "List in directory" option is not available.
+
+Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
+
+
+
+
+
+ADMX Info:
+- GP english name: *Allow printers to be published*
+- GP name: *PublishPrinters*
+- GP path: *Printers*
+- GP ADMX file name: *Printing2.admx*
+
+
+
+
+**Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts**
+
+
+

Allows or disallows the automatic acceptance of the pairing and privacy user consent dialog when launching apps.
+
+

The following list shows the supported values:
+
+- 0 (default)– Not allowed.
+- 1 – Allowed.
+
+

Most restricted value is 0.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/AllowInputPersonalization**
+
+
+

Updated in the next major update of Windows 10. Allows the usage of cloud based speech services for Cortana, dictation, or Store applications. Setting this policy to 1, lets Microsoft use the user's voice data to improve cloud speech services for all users.
+
+

The following list shows the supported values:
+
+- 0 – Not allowed.
+- 1 (default) – Allowed.
+
+

Most restricted value is 0. +  + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/DisableAdvertisingId** + + +

Added in Windows 10, version 1607. Enables or disables the Advertising ID.
+
+

The following list shows the supported values:
+
+- 0 – Disabled.
+- 1 – Enabled.
+- 65535 (default)- Not configured.
+
+

Most restricted value is 0.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessAccountInfo**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access account information.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessAccountInfo_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessAccountInfo_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessAccountInfo_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCalendar**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access the calendar.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCalendar_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCalendar_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCalendar_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCallHistory**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access call history.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCallHistory_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCallHistory_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCallHistory_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCamera**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access the camera.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCamera_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCamera_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessCamera_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessContacts**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access contacts.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessContacts_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessContacts_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessContacts_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessEmail**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access email.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessEmail_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessEmail_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessEmail_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessLocation**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access location.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessLocation_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessLocation_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessLocation_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMessaging**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can read or send messages (text or MMS).
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMessaging_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMessaging_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMessaging_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMicrophone**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access the microphone.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMicrophone_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMicrophone_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMotion**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access motion data.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMotion_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMotion_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessMotion_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessNotifications**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access notifications.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessNotifications_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessNotifications_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessNotifications_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessPhone**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can make phone calls.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessPhone_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessPhone_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessPhone_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessRadios**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps have access to control radios.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessRadios_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessRadios_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessRadios_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessTasks**
+
+
+

Added in Windows 10, version 1703. Specifies whether Windows apps can access tasks.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessTasks_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessTasks_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessTasks_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessTrustedDevices**
+
+
+

Added in Windows 10, version 1607. Specifies whether Windows apps can access trusted devices.
+
+

The following list shows the supported values:
+
+- 0 – User in control.
+- 1 – Force allow.
+- 2 - Force deny.
+
+

Most restricted value is 2.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessTrustedDevices_ForceAllowTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessTrustedDevices_ForceDenyTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps.
+
+
+
+
+
+
+SKU Support:
+- Home: Yes
+- Pro: Yes
+- Enterprise: Yes
+- Education: Yes
+- Mobile: Yes
+- Mobile Enterprise: Yes
+- IoT Core: No
+- Can be set using Exchange Active Sync (EAS): No
+
+
+
+
+**Privacy/LetAppsAccessTrustedDevices_UserInControlOfTheseApps**
+
+
+

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsGetDiagnosticInfo** + + +

Added in Windows 10, version 1703. Force allow, force deny or give user control of apps that can get diagnostic information about other running apps. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps** + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps** + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to diagnostic information about other running apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsGetDiagnosticInfo_UserInControlOfTheseApps** + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'get diagnostic info' privacy setting for the listed apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsRunInBackground** + + +

Added in Windows 10, version 1703. Specifies whether Windows apps can run in the background. + +

The following list shows the supported values: + +- 0 – User in control (default). +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. +> [!WARNING] +> Be careful when determining which apps should have their background activity disabled. Communication apps normally update tiles and notifications through background processes. Turning off background activity for these types of apps could cause text message, email, and voicemail notifications to not function. This could also cause background email syncing to not function properly. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsRunInBackground_ForceAllowTheseApps** + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are able to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsRunInBackground_ForceDenyTheseApps** + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied the ability to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsRunInBackground_UserInControlOfTheseApps** + + +

Added in Windows 10, version 1703. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the background apps privacy setting for the listed apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsSyncWithDevices** + + +

Added in Windows 10, version 1607. Specifies whether Windows apps can sync with devices. + +

The following list shows the supported values: + +- 0 – User in control. +- 1 – Force allow. +- 2 - Force deny. + +

Most restricted value is 2. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsSyncWithDevices_ForceAllowTheseApps** + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsSyncWithDevices_ForceDenyTheseApps** + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps** + + +

Added in Windows 10, version 1607. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**RemoteAssistance/CustomizeWarningMessages** + + +This policy setting lets you customize warning messages. + +The "Display warning message before sharing control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer. + +The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a user allows a connection to his or her computer. + +If you enable this policy setting, the warning message you specify overrides the default message that is seen by the novice. + +If you disable this policy setting, the user sees the default warning message. + +If you do not configure this policy setting, the user sees the default warning message. + + + + + +ADMX Info: +- GP english name: *Customize warning messages* +- GP name: *RA_Options* +- GP path: *System/Remote Assistance* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteAssistance/SessionLogging** + + +This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. + +If you enable this policy setting, log files are generated. + +If you disable this policy setting, log files are not generated. + +If you do not configure this setting, application-based settings are used. 
+ + + + + +ADMX Info: +- GP english name: *Turn on session logging* +- GP name: *RA_Logging* +- GP path: *System/Remote Assistance* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteAssistance/SolicitedRemoteAssistance** + + +This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messaging programs to allow connections to this computer, and you can configure additional Remote Assistance settings. + +If you disable this policy setting, users on this computer cannot use email or file transfer to ask someone for help. Also, users cannot use instant messaging programs to allow connections to this computer. + +If you do not configure this policy setting, users can turn on or turn off Solicited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." + +The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email or file transfer can remain open. + +The "Select the method for sending email invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program, you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Windows Vista since SMAPI is the only method supported. 
+ +If you enable this policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications. + + + + + +ADMX Info: +- GP english name: *Configure Solicited Remote Assistance* +- GP name: *RA_Solicit* +- GP path: *System/Remote Assistance* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteAssistance/UnsolicitedRemoteAssistance** + + +This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. + +If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you disable this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you do not configure this policy setting, users on this computer cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance. + +If you enable this policy setting, you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer." When you configure this policy setting, you also specify the list of users or user groups that are allowed to offer remote assistance. + +To configure the list of helpers, click "Show." In the window that opens, you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper user or user groups, use the following format: + +\ or + +\ + +If you enable this policy setting, you should also enable firewall exceptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the version of Windows you are running. + +Windows Vista and later + +Enable the Remote Assistance exception for the domain profile. 
The exception must contain: +Port 135:TCP +%WINDIR%\System32\msra.exe +%WINDIR%\System32\raserver.exe + +Windows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +%WINDIR%\System32\Sessmgr.exe + +For computers running Windows Server 2003 with Service Pack 1 (SP1) + +Port 135:TCP +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe +%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe +Allow Remote Desktop Exception + + + + + +ADMX Info: +- GP english name: *Configure Offer Remote Assistance* +- GP name: *RA_Unsolicit* +- GP ADMX file name: *remoteassistance.admx* + + + + +**RemoteDesktopServices/AllowUsersToConnectRemotely** + + +This policy setting allows you to configure remote access to computers by using Remote Desktop Services. + +If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect remotely to the target computer by using Remote Desktop Services. + +If you disable this policy setting, users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain any current connections, but will not accept any new incoming connections. + +If you do not configure this policy setting, Remote Desktop Services uses the Remote Desktop setting on the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties sheet. By default, remote connections are not allowed. + +Note: You can limit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. 
+ +You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Limit number of connections, or by configuring the policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider. + + + + + + +ADMX Info: +- GP english name: *Allow users to connect remotely by using Remote Desktop Services* +- GP name: *TS_DISABLE_CONNECTIONS* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/ClientConnectionEncryptionLevel** + + +Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption. + +If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the encryption method specified in this setting. By default, the encryption level is set to High. The following encryption methods are available: + +* High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Session Host servers. + +* Client Compatible: The Client Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. 
Use this encryption level in environments that include clients that do not support 128-bit encryption. + +* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption. + +If you disable or do not configure this setting, the encryption level to be used for remote connections to RD Session Host servers is not enforced through Group Policy. + +Important + +FIPS compliance can be configured through the System cryptography. Use FIPS compliant algorithms for encryption, hashing, and signing settings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client, with the Federal Information Processing Standard (FIPS) 140 encryption algorithms, by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requires the highest level of encryption. + + + + + + +ADMX Info: +- GP english name: *Set client connection encryption level* +- GP name: *TS_ENCRYPTION_POLICY* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/DoNotAllowDriveRedirection** + + +This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection). + +By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior. + +If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP. 
+ +If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. + +If you do not configure this policy setting, client drive redirection and Clipboard file copy redirection are not specified at the Group Policy level. + + + + + + +ADMX Info: +- GP english name: *Do not allow drive redirection* +- GP name: *TS_CLIENT_DRIVE_M* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/DoNotAllowPasswordSaving** + + +Controls whether passwords can be saved on this computer from Remote Desktop Connection. + +If you enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. + +If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection. + + + + + +ADMX Info: +- GP english name: *Do not allow passwords to be saved* +- GP name: *TS_CLIENT_DISABLE_PASSWORD_SAVING_2* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Connection Client* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/PromptForPasswordUponConnection** + + +This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. + +You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client. + +By default, Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client. 
+ +If you enable this policy setting, users cannot automatically log on to Remote Desktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on. + +If you disable this policy setting, users can always log on to Remote Desktop Services automatically by supplying their passwords in the Remote Desktop Connection client. + +If you do not configure this policy setting, automatic logon is not specified at the Group Policy level. + + + + + + +ADMX Info: +- GP english name: *Always prompt for password upon connection* +- GP name: *TS_PASSWORD* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteDesktopServices/RequireSecureRPCCommunication** + + +Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. + +You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests. + +If the status is set to Enabled, Remote Desktop Services accepts requests from RPC clients that support secure requests, and does not allow unsecured communication with untrusted clients. + +If the status is set to Disabled, Remote Desktop Services always requests security for all RPC traffic. However, unsecured communication is allowed for RPC clients that do not respond to the request. + +If the status is set to Not Configured, unsecured communication is allowed. + +Note: The RPC interface is used for administering and configuring Remote Desktop Services. 
+ + + + + +ADMX Info: +- GP english name: *Require secure RPC communication* +- GP name: *TS_RPC_ENCRYPTION* +- GP path: *Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security* +- GP ADMX file name: *terminalserver.admx* + + + + +**RemoteProcedureCall/RPCEndpointMapperClientAuthentication** + + +This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. + +If you disable this policy setting, RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server. + +If you enable this policy setting, RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service. + +If you do not configure this policy setting, it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Service, but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service. + +Note: This policy will not be applied until the system is rebooted. + + + + + +ADMX Info: +- GP english name: *Enable RPC Endpoint Mapper Client Authentication* +- GP name: *RpcEnableAuthEpResolution* +- GP path: *System/Remote Procedure Call* +- GP ADMX file name: *rpc.admx* + + + + +**RemoteProcedureCall/RestrictUnauthenticatedRPCClients** + + +This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. + +This policy setting impacts all RPC applications. 
In a domain environment this policy setting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be applied to a domain controller. + +If you disable this policy setting, the RPC server runtime uses the value of "Authenticated" on Windows Client, and the value of "None" on Windows Server versions that support this policy setting. + +If you do not configure this policy setting, it remains disabled. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None" used for Server SKUs that support this policy setting. + +If you enable this policy setting, it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients may be exempt from this restriction, depending on the selected value for this policy setting. + +-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied. + +-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have requested them. + +-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exceptions are allowed. + +Note: This policy setting will not be applied until the system is rebooted. 
+ + + + + +ADMX Info: +- GP english name: *Restrict Unauthenticated RPC clients* +- GP name: *RpcRestrictRemoteClients* +- GP path: *System/Remote Procedure Call* +- GP ADMX file name: *rpc.admx* + + + + +**Search/AllowIndexingEncryptedStoresOrItems** + + +

Allows or disallows the indexing of items. This switch is for the Windows Search Indexer, which controls whether it will index items that are encrypted, such as the Windows Information Protection (WIP) protected files. + +

When the policy is enabled, WIP protected items are indexed and the metadata about them are stored in an unencrypted location. The metadata includes things like file path and date modified. + +

When the policy is disabled, the WIP protected items are not indexed and do not show up in the results in Cortana or file explorer. There may also be a performance impact on photos and Groove apps if there are a lot of WIP protected media files on the device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Search/AllowSearchToUseLocation** + + +

Specifies whether search can leverage location information. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**Search/AllowUsingDiacritics** + + +

Allows the use of diacritics. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Search/AlwaysUseAutoLangDetection** + + +

Specifies whether to always use automatic language detection when indexing content and properties. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Search/DisableBackoff** + + +

If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled. + +

The following list shows the supported values: + +- 0 (default) – Disable. +- 1 – Enable. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Search/DisableRemovableDriveIndexing** + + +

This policy setting configures whether or not locations on removable drives can be added to libraries. + +

If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations on removable drives cannot be indexed. + +

If you disable or do not configure this policy setting, locations on removable drives can be added to libraries. In addition, locations on removable drives can be indexed. + +

The following list shows the supported values: + +- 0 (default) – Disable. +- 1 – Enable. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Search/PreventIndexingLowDiskSpaceMB** + + +

Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB. + +

Enable this policy if computers in your environment have extremely limited hard drive space. + +

When this policy is disabled or not configured, Windows Desktop Search automatically manages your index size. + +

The following list shows the supported values: + +- 0 – Disable. +- 1 (default) – Enable. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Search/PreventRemoteQueries** + + +

If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. + +

The following list shows the supported values: + +- 0 – Disable. +- 1 (default) – Enable. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Search/SafeSearchPermissions** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies what level of safe search (filtering adult content) is required. + +

The following list shows the supported values: + +- 0 – Strict, highest filtering against adult content. +- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered). + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Security/AllowAddProvisioningPackage** + + +

Specifies whether to allow the runtime configuration agent to install provisioning packages. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices** + + +> [!NOTE] +> This policy has been deprecated in Windows 10, version 1607 + +
+ +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Security/AllowManualRootCertificateInstallation** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + + +

Specifies whether the user is allowed to manually install root and intermediate CA certificates. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Security/AllowRemoveProvisioningPackage** + + +

Specifies whether to allow the runtime configuration agent to remove provisioning packages. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Security/AntiTheftMode** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile and not supported in Windows 10 for desktop. + +  +

Allows or disallow Anti Theft Mode on the device. + +

The following list shows the supported values: + +- 0 – Don't allow Anti Theft Mode. +- 1 (default) – Anti Theft Mode will follow the default device configuration (region-dependent). + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. + +

Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. + +

The following list shows the supported values: + +- 0 (default) – Encryption enabled. +- 1 – Encryption disabled. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Security/RequireDeviceEncryption** + + +> [!NOTE] +> This policy is only enforced in Windows 10 Mobile. In Windows 10 for desktop, you can query encryption status by using the [DeviceStatus CSP](devicestatus-csp.md) node **DeviceStatus/Compliance/EncryptionCompliance**. + +

Allows enterprise to turn on internal storage encryption. + +

The following list shows the supported values: + +- 0 (default) – Encryption is not required. +- 1 – Encryption is required. + +

Most restricted value is 1. + +> [!IMPORTANT] +> If encryption has been enabled, it cannot be turned off by using this policy. + + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**Security/RequireProvisioningPackageSignature** + + +

Specifies whether provisioning packages must have a certificate signed by a device trusted authority. + +

The following list shows the supported values: + +- 0 (default) – Not required. +- 1 – Required. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Security/RequireRetrieveHealthCertificateOnBoot** + + +

Specifies whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service (HAS) when a device boots or reboots. + +

The following list shows the supported values: + +- 0 (default) – Not required. +- 1 – Required. + +

Setting this policy to 1 (Required): + +- Determines whether a device is capable of Remote Device Health Attestation, by verifying if the device has TPM 2.0. +- Improves the performance of the device by enabling the device to fetch and cache data to reduce the latency during Device Health Verification. + +> [!NOTE] +> We recommend that this policy is set to Required after MDM enrollment. +  + +

Most restricted value is 1. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowAutoPlay** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change Auto Play settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +> [!NOTE] +> Setting this policy to 0 (Not allowed) does not affect the autoplay dialog box that appears when a device is connected. + + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowDataSense** + + +

Allows the user to change Data Sense settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowDateTime** + + +

Allows the user to change date and time settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowEditDeviceName** + + +

Allows editing of the device name. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: No +- Education: No +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowLanguage** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change the language settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowPowerSleep** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change power and sleep settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowRegion** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change the region settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowSignInOptions** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows the user to change sign-in options. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowVPN** + + +

Allows the user to change VPN settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowWorkplace** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Allows user to change workplace settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/AllowYourAccount** + + +

Allows user to change account settings. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/ConfigureTaskbarCalendar** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. In this version of Windows 10, supported additional calendars are: Simplified or Traditional Chinese lunar calendar. Turning on one of these calendars will display Chinese lunar dates below the default calendar for the locale. Select "Don't show additional calendars" to prevent showing other calendars besides the default calendar for the locale. + +

The following list shows the supported values: + +- 0 (default) – User will be allowed to configure the setting. +- 1 – Don't show additional calendars. +- 2 - Simplified Chinese (Lunar). +- 3 - Traditional Chinese (Lunar). + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Settings/PageVisibilityList** + + +

Added in Windows 10, version 1703. Allows IT Admins to either prevent specific pages in the System Settings app from being visible or accessible, or to do so for all pages except those specified. The mode will be specified by the policy string beginning with either the string "showonly:" or "hide:".  Pages are identified by a shortened version of their already published URIs, which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. + +

The following example illustrates a policy that would allow access only to the about and bluetooth pages, which have URI "ms-settings:about" and "ms-settings:bluetooth" respectively: + +

showonly:about;bluetooth + +

If the policy is not specified, the behavior will be that no pages are affected. If the policy string is formatted incorrectly, it will be ignored entirely (i.e. treated as not set) to prevent the machine from becoming unserviceable if data corruption occurs. Note that if a page is already hidden for another reason, then it will remain hidden even if it is in a "showonly:" list. + +

The format of the PageVisibilityList value is as follows: + +- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. +- There are two variants: one that shows only the given pages and one which hides the given pages. +- The first variant starts with the string "showonly:" and the second with the string "hide:". +- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. +- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:wi-fi" would be just "wi-fi". + +

The default value for this setting is an empty string, which is interpreted as show everything. + +

Example 1, specifies that only the wifi and bluetooth pages should be shown (they have URIs ms-settings:wi-fi and ms-settings:bluetooth). All other pages (and the categories they're in) will be hidden: + +

showonly:wi-fi;bluetooth + +

Example 2, specifies that the wifi page should not be shown: + +

hide:wifi + +

To validate on Desktop, do the following: + +1. Open System Settings and verfiy that the About page is visible and accessible. +2. Configure the policy with the following string: "hide:about". +3. Open System Settings again and verify that the About page is no longer accessible. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**SmartScreen/EnableAppInstallControl** + + +

Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. + +

The following list shows the supported values: + +- 0 – Turns off Application Installation Control, allowing users to download and install files from anywhere on the web. +- 1 – Turns on Application Installation Control, allowing users to only install apps from the Store. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**SmartScreen/EnableSmartScreenInShell** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure SmartScreen for Windows. + +

The following list shows the supported values: + +- 0 – Turns off SmartScreen in Windows. +- 1 – Turns on SmartScreen in Windows. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**SmartScreen/PreventOverrideForFilesInShell** + + +

Added in Windows 10, version 1703. Allows IT Admins to control whether users can can ignore SmartScreen warnings and run malicious files. + +

The following list shows the supported values: + +- 0 – Employees can ignore SmartScreen warnings and run malicious files. +- 1 – Employees cannot ignore SmartScreen warnings and run malicious files. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Speech/AllowSpeechModelUpdate** + + +

Added in Windows 10, version 1607. Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled, the device will periodically check for updated speech models and then download them from a Microsoft service using the Background Internet Transfer Service (BITS). + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + + + + + + +SKU Support: +- Home: Yes +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Start/ForceStartSize** + + +> [!NOTE] +> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. + + +

Forces the start screen size. + +

The following list shows the supported values: + +- 0 (default) – Do not force size of Start. +- 1 – Force non-fullscreen size of Start. +- 2 - Force a fullscreen size of Start. + +

If there is policy configuration conflict, the latest configuration request is applied to the device. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Start/HideAppList** + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by collapsing or removing the all apps list. + +

The following list shows the supported values: + +- 0 (default) – None. +- 1 – Hide all apps list. +- 2 - Hide all apps list, and Disable "Show app list in Start menu" in Settings app. +- 3 - Hide all apps list, remove all apps button, and Disable "Show app list in Start menu" in Settings app. + +

To validate on Desktop, do the following: + +- 1 - Enable policy and restart explorer.exe +- 2a - If set to '1': Verify that the all apps list is collapsed, and that the Settings toggle is not grayed out. +- 2b - If set to '2': Verify that the all apps list is collapsed, and that the Settings toggle is grayed out. +- 2c - If set to '3': Verify that there is no way of opening the all apps list from Start, and that the Settings toggle is grayed out. + + + + + + + +**Start/HideChangeAccountSettings** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Change account settings" from appearing in the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify that "Change account settings" is not available. + + + + + + + +**Start/HideFrequentlyUsedApps** + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding most used apps. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable "Show most used apps" in the Settings app. +2. Use some apps to get them into the most used group in Start. +3. Enable policy. +4. Restart explorer.exe +5. Check that "Show most used apps" Settings toggle is grayed out. +6. Check that most used apps do not appear in Start. + + + + + + + +**Start/HideHibernate** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Hibernate" from appearing in the Power button. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Laptop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify "Hibernate" is not available. + +> [!NOTE] +> This policy can only be verified on laptops as "Hibernate" does not appear on regular PC's. + + + + + + + +**Start/HideLock** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Lock" from appearing in the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify "Lock" is not available. + + + + + + + +**Start/HidePowerButton** + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the Power button from appearing. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, and verify the power button is not available. + + + + + + + +**Start/HideRecentJumplists** + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently opened items in the jumplists from appearing. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable "Show recently opened items in Jump Lists on Start of the taskbar" in Settings. +2. Pin Photos to the taskbar, and open some images in the photos app. +3. Right click the pinned photos app and verify that a jumplist of recently opened items pops up. +4. Toggle "Show recently opened items in Jump Lists on Start of the taskbar" in Settings to clear jump lists. +5. Enable policy. +6. Restart explorer.exe +7. Check that Settings toggle is grayed out. +8. Repeat Step 2. +9. Right Click pinned photos app and verify that there is no jumplist of recent items. + + + + + + + +**Start/HideRecentlyAddedApps** + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding recently added apps. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable "Show recently added apps" in the Settings app. +2. Check if there are recently added apps in Start (if not, install some). +3. Enable policy. +4. Restart explorer.exe +5. Check that "Show recently added apps" Settings toggle is grayed out. +6. Check that recently added apps do not appear in Start. + + + + + + + +**Start/HideRestart** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Restart" and "Update and restart" from appearing in the Power button. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify "Restart" and "Update and restart" are not available. + + + + + + + +**Start/HideShutDown** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Shut down" and "Update and shut down" from appearing in the Power button. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify "Shut down" and "Update and shut down" are not available. + + + + + + + +**Start/HideSignOut** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sign out" from appearing in the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify "Sign out" is not available. + + + + + + + +**Start/HideSleep** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Sleep" from appearing in the Power button. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the Power button, and verify that "Sleep" is not available. + + + + + + + +**Start/HideSwitchAccount** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding "Switch account" from appearing in the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Open Start, click on the user tile, and verify that "Switch account" is not available. + + + + + + + +**Start/HideUserTile** + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. Allows IT Admins to configure Start by hiding the user tile. + +

The following list shows the supported values: + +- 0 (default) – False (do not hide). +- 1 - True (hide). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Log off. +3. Log in, and verify that the user tile is gone from Start. + + + + + + + +**Start/ImportEdgeAssets** + + +> [!NOTE] +> This policy requires reboot to take effect. + +

Added in Windows 10, version 1703. This policy imports Edge assets (e.g. .png/.jpg files) for secondary tiles into its local app data path which allows the StartLayout policy to pin Edge secondary tiles as weblink that tie to the image asset files. + +> [!IMPORTANT] +> Please note that the import happens only when StartLayout policy is changed. So it is better to always change ImportEdgeAssets policy at the same time as StartLayout policy whenever there are Edge secondary tiles to be pinned from StartLayout policy. + +

The value set for this policy is an XML string containing Edge assets. An example XML string is provided in the [Microsoft Edge assets example](#microsoft-edge-assets-example) later in this topic. + +

To validate on Desktop, do the following: + +1. Set policy with an XML for Edge assets. +2. Set StartLayout policy to anything so that it would trigger the Edge assets import. +3. Sign out/in. +4. Verify that all Edge assets defined in XML show up in %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\LocalState path. + + + + + + + +**Start/NoPinningToTaskbar** + + +

Added in Windows 10, version 1703. Allows IT Admins to configure the taskbar by disabling pinning and unpinning apps on the taskbar. + +

The following list shows the supported values: + +- 0 (default) – False (pinning enabled). +- 1 - True (pinning disabled). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Right click on a program pinned to taskbar. +3. Verify that "Unpin from taskbar" menu does not show. +4. Open Start and right click on one of the app list icons. +5. Verify that More->Pin to taskbar menu does not show. + + + + + + + +**Start/StartLayout** + + +> [!IMPORTANT] +> This node is set on a per-user basis and must be accessed using the following paths: +> - **./User/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. +> - **./User/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. +> +> +> Added in Windows 10 version 1703: In addition to being able to set this node on a per user-basis, it can now also be set on a per-device basis using the following paths: +> - **./Device/Vendor/MSFT/Policy/Config/Start/StartLayout** to configure the policy. +> - **./Device/Vendor/MSFT/Policy/Result/Start/StartLayout** to query the current value of the policy. + + +

Allows you to override the default Start layout and prevents the user from changing it. If both user and device policies are set, the user policy will be used. Apps pinned to the taskbar can also be changed with this policy + +

This policy is described in [Start/StartLayout Examples](#startlayout-examples) later in this topic. + + + + + + +SKU Support: +- Home: No +- Pro: No +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Storage/EnhancedStorageDevices** + + +This policy setting configures whether or not Windows will activate an Enhanced Storage device. + +If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. + +If you disable or do not configure this policy setting, Windows will activate unactivated Enhanced Storage devices. + + + + + +ADMX Info: +- GP english name: *Do not allow Windows to activate Enhanced Storage devices* +- GP name: *TCGSecurityActivationDisabled* +- GP path: *System/Enhanced Storage Access* +- GP ADMX file name: *enhancedstorage.admx* + + + + +**System/AllowBuildPreview** + + +> [!NOTE] +> This policy setting applies only to devices running Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, Windows 10 Mobile, and Windows 10 Mobile Enterprise. + + +

This policy setting determines whether users can access the Insider build controls in the Advanced Options for Windows Update. These controls are located under "Get Insider builds," and enable users to make their devices available for downloading and installing Windows preview software. + +

If you enable or do not configure this policy setting, users can download and install Windows preview software on their devices. If you disable this policy setting, the item "Get Insider builds" will be unavailable. + +

The following list shows the supported values: + +- 0 – Not allowed. The item "Get Insider builds" is unavailable, users are unable to make their devices available for preview software. +- 1 – Allowed. Users can make their devices available for downloading and installing preview software. +- 2 (default) – Not configured. Users can make their devices available for downloading and installing preview software. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**System/AllowEmbeddedMode** + + +

Specifies whether set general purpose device to be in embedded mode. + +

The following list shows the supported values: + +- 0 (default) – Not allowed. +- 1 – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes + + + + +**System/AllowExperimentation** + + +> [!NOTE] +> This policy is not supported in Windows 10, version 1607. + +

This policy setting determines the level that Microsoft can experiment with the product to study user preferences or device behavior. + +

The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Permits Microsoft to configure device settings only. +- 2 – Allows Microsoft to conduct full experimentations. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**System/AllowFontProviders** + + +

Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. + +

Supported values: + +- false - No traffic to fs.microsoft.com and only locally-installed fonts are available. +- true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. + +

This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). + +

This setting is used by lower-level components for text display and fond handling and has not direct effect on web browsers, which may download web fonts used in web content. + +> [!Note] +> Reboot is required after setting the policy; alternatively you can stop and restart the FontCache service. + +

To verify if System/AllowFontProviders is set to true: + +- After a client machine is rebooted, check whether there is any network traffic from client machine to fs.microsoft.com. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes + + + + +**System/AllowLocation** + + +

Specifies whether to allow app access to the Location service. + +

The following list shows the supported values: + +- 0 – Force Location Off. All Location Privacy settings are toggled off and greyed out. Users cannot change the settings, and no apps are allowed access to the Location service, including Cortana and Search. +- 1 (default) – Location service is allowed. The user has control and can change Location Privacy settings on or off. +- 2 – Force Location On. All Location Privacy settings are toggled on and greyed out. Users cannot change the settings and all consent permissions will be automatically suppressed. + +

Most restricted value is 0. + +

While the policy is set to 0 (Force Location Off) or 2 (Force Location On), any Location service call from an app would trigger the value set by this policy. + +

When switching the policy back from 0 (Force Location Off) or 2 (Force Location On) to 1 (User Control), the app reverts to its original Location service setting. + +

For example, an app's original Location setting is Off. The administrator then sets the **AllowLocation** policy to 2 (Force Location On.) The Location service starts working for that app, overriding the original setting. Later, if the administrator switches the **AllowLocation** policy back to 1 (User Control), the app will revert to using its original setting of Off. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**System/AllowStorageCard** + + +

Controls whether the user is allowed to use the storage card for device storage. This setting prevents programmatic access to the storage card. + +

The following list shows the supported values: + +- 0 – SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card. +- 1 (default) – Allow a storage card. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**System/AllowTelemetry** + + +

Allow the device to send diagnostic and usage telemetry data, such as Watson. + +

The following tables describe the supported values: + + +++ + + + + + + + + + + + + + + + + +
Windows 8.1 Values

0 – Not allowed.

+

1 – Allowed, except for Secondary Data Requests.

2 (default) – Allowed.

+ + + +++ + + + + + + + + + + + + + + + + + + + +
Windows 10 Values

0 – Security. Information that is required to help keep Windows more secure, including data about the Connected User Experience and Telemetry component settings, the Malicious Software Removal Tool, and Windows Defender.

+
+Note  This value is only applicable to Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile Enterprise, Windows 10 IoT Core (IoT Core), and Windows Server 2016. Using this setting on other devices is equivalent to setting the value of 1. +
+

1 – Basic. Basic device info, including: quality-related data, app compatibility, app usage data, and data from the Security level.

2 – Enhanced. Additional insights, including: how Windows, Windows Server, System Center, and apps are used, how they perform, advanced reliability data, and data from both the Basic and the Security levels.

3 – Full. All data necessary to identify and help to fix problems, plus data from the Security, Basic, and Enhanced levels.

+ + +> [!IMPORTANT] +> If you are using Windows 8.1 MDM server and set a value of 0 using the legacy AllowTelemetry policy on a Windows 10 Mobile device, then the value is not respected and the telemetry level is silently set to level 1. + + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**System/AllowUserToResetPhone** + + +

Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed to reset to factory default settings. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**System/BootStartDriverInitialization** + + +N/A + + + + + +ADMX Info: +- GP english name: *Boot-Start Driver Initialization Policy* +- GP name: *POL_DriverLoadPolicy_Name* +- GP path: *System/Early Launch Antimalware* +- GP ADMX file name: *earlylauncham.admx* + + + + +**System/DisableOneDriveFileSync** + + +

Added in Windows 10, version 1703. Allows IT Admins to prevent apps and features from working with files on OneDrive. If you enable this policy setting: + +* Users cannot access OneDrive from the OneDrive app or file picker. +* Windows Store apps cannot access OneDrive using the WinRT API. +* OneDrive does not appear in the navigation pane in File Explorer. +* OneDrive files are not kept in sync with the cloud. +* Users cannot automatically upload photos and videos from the camera roll folder. + +

If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + +

The following list shows the supported values: + +- 0 (default) – False (sync enabled). +- 1 – True (sync disabled). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Restart machine. +3. Verify that OneDrive.exe is not running in Task Manager. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**System/DisableSystemRestore** + + +Allows you to disable System Restore. + +This policy setting allows you to turn off System Restore. + +System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. + +If you enable this policy setting, System Restore is turned off, and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a restore point through System Protection is also disabled. + +If you disable or do not configure this policy setting, users can perform System Restore and configure System Restore settings through System Protection. + +Also, see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is disabled or not configured, the "Turn off System Restore configuration" policy setting is used to determine whether the option to configure System Restore is available. + + + + + +ADMX Info: +- GP english name: *Turn off System Restore* +- GP name: *SR_DisableSR* +- GP path: *System/System Restore* +- GP ADMX file name: *systemrestore.admx* + + + + +**System/TelemetryProxy** + + +

Allows you to specify the fully qualified domain name (FQDN) or IP address of a proxy server to forward Connected User Experiences and Telemetry requests. The format for this setting is *<server>:<port>*. The connection is made over a Secure Sockets Layer (SSL) connection. If the named proxy fails, or if there is no proxy specified when this policy is enabled, the Connected User Experiences and Telemetry data will not be transmitted and will remain on the local device. + +

If you disable or do not configure this policy setting, Connected User Experiences and Telemetry will go to Microsoft using the default proxy configuration. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**TextInput/AllowIMELogging** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/AllowIMENetworkAccess** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/AllowInputPanel** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the IT admin to disable the touch/handwriting keyboard on Windows. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/AllowJapaneseIMESurrogatePairCharacters** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the Japanese IME surrogate pair characters. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/AllowJapaneseIVSCharacters** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows Japanese Ideographic Variation Sequence (IVS) characters. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/AllowJapaneseNonPublishingStandardGlyph** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the Japanese non-publishing standard glyph. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/AllowJapaneseUserDictionary** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the Japanese user dictionary. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/AllowKeyboardTextSuggestions** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + +

Added in Windows 10, version 1703. Specifies whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. When this policy is set to disabled, text prediction is disabled. + +

The following list shows the supported values: + +- 0 – Disabled. +- 1 (default) – Enabled. + +

Most restricted value is 0. + +

To validate that text prediction is disabled on Windows 10 for desktop, do the following: + +1. Search for and launch the on-screen keyboard. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Use Text Prediction” setting is enabled from the options button. +2. Launch the input panel/touch keyboard by touching a text input field or launching it from the taskbar. Verify that text prediction is disabled by typing some text. Text prediction on the keyboard will be disabled even if the “Show text suggestions as I type” setting is enabled in the Settings app. +3. Launch the handwriting tool from the touch keyboard. Verify that text prediction is disabled when you write using the tool. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/AllowKoreanExtendedHanja** + + +

This policy has been deprecated. + + + + + + + +**TextInput/AllowLanguageFeaturesUninstall** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the uninstall of language features, such as spell checkers, on a device. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/ExcludeJapaneseIMEExceptJIS0208** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the users to restrict character code range of conversion by setting the character filter. + +

The following list shows the supported values: + +- 0 (default) – No characters are filtered. +- 1 – All characters except JIS0208 are filtered. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/ExcludeJapaneseIMEExceptJIS0208andEUDC** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the users to restrict character code range of conversion by setting the character filter. + +

The following list shows the supported values: + +- 0 (default) – No characters are filtered. +- 1 – All characters except JIS0208 and EUDC are filtered. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TextInput/ExcludeJapaneseIMEExceptShiftJIS** + + +> [!NOTE] +> The policy is only enforced in Windows 10 for desktop. + + +

Allows the users to restrict character code range of conversion by setting the character filter. + +

The following list shows the supported values: + +- 0 (default) – No characters are filtered. +- 1 – All characters except ShiftJIS are filtered. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**TimeLanguageSettings/AllowSet24HourClock** + + +

Allows for the configuration of the default clock setting to be the 24 hour format. Selecting 'Set 24 hour Clock' enables this setting. Selecting 'Locale default setting' uses the default clock as prescribed by the current locale setting. + +

The following list shows the supported values: + +- 0 – Locale default setting. +- 1 (default) – Set 24 hour clock. + + + + + + + +**Update/ActiveHoursEnd** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time. + +> [!NOTE] +> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information. + +

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. + +

The default is 17 (5 PM). + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/ActiveHoursMaxRange** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time. + +

Supported values are 8-18. + +

The default value is 18 (hours). + + + + + + + +**Update/ActiveHoursStart** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time. + +> [!NOTE] +> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information. + +

Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc. + +

The default value is 8 (8 AM). + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/AllowAutoUpdate** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Enables the IT admin to manage automatic update behavior to scan, download, and install updates. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. +- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. +- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. 
Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 5 – Turn off automatic updates. + +> [!IMPORTANT] +> This option should be used only for systems under regulatory compliance, as you will not get security updates as well. +  + +

If the policy is not configured, end-users get the default behavior (Auto install and restart). + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/AllowMUUpdateService** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education + + +

Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update. + +

The following list shows the supported values: + +- 0 – Not allowed or not configured. +- 1 – Allowed. Accepts updates received through Microsoft Update. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/AllowNonMicrosoftSignedUpdate** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for 3rd party software and patch distribution. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft. +- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer. + +

This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/AllowUpdateService** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Windows Store. + +

Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Windows Store + +

Enabling this policy will disable that functionality, and may cause connection to public services such as the Windows Store to stop working. + +

The following list shows the supported values: + +- 0 – Update service is not allowed. +- 1 (default) – Update service is allowed. + +> [!NOTE] +> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy. + + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/AutoRestartNotificationSchedule** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications. + +

Supported values are 15, 30, 60, 120, and 240 (minutes). + +

The default value is 15 (minutes). + + + + + + + +**Update/AutoRestartRequiredNotificationDismissal** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto-restart required notification is dismissed. + +

The following list shows the supported values: + +- 1 (default) – Auto Dismissal. +- 2 – User Dismissal. + + + + + + + +**Update/BranchReadinessLevel** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. + +

The following list shows the supported values: + +- 16 (default) – User gets all applicable upgrades from Current Branch (CB). +- 32 – User gets upgrades from Current Branch for Business (CBB). + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/DeferFeatureUpdatesPeriodInDays** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +

Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days. + +

Supported values are 0-365 days. + +> [!IMPORTANT] +> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/DeferQualityUpdatesPeriodInDays** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days. + +

Supported values are 0-30. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/DeferUpdatePeriod** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices. + + +

Allows IT Admins to specify update delays for up to 4 weeks. + +

Supported values are 0-4, which refers to the number of weeks to defer updates. + +

In Windows 10 Mobile Enterprise version 1511 devices set to automatic updates, for DeferUpdatePeriod to work, you must set the following: + +- Update/RequireDeferUpgrade must be set to 1 +- System/AllowTelemetry must be set to 1 or higher + +

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + ++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Update categoryMaximum deferralDeferral incrementUpdate type/notes

OS upgrade

8 months

1 month

Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5

Update

1 month

1 week

+Note +If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic. +
+
    +
  • Security Update - 0FA1201D-4330-4FA8-8AE9-B877473B6441
  • +
  • Critical Update - E6CF1350-C01B-414D-A61F-263D14D133B4
  • +
  • Update Rollup - 28BC880E-0592-4CBF-8F95-C79B17911D5F
  • +
  • Service Pack - 68C5B0A3-D1A6-4553-AE49-01D3A7827828
  • +
  • Tools - B4832BD8-E735-4761-8DAF-37F882276DAB
  • +
  • Feature Pack - B54E7D24-7ADD-428F-8B75-90A396FA584F
  • +
  • Update - CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83
  • +
  • Driver - EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0
  • +

Other/cannot defer

No deferral

No deferral

Any update category not specifically enumerated above falls into this category.

+

Definition Update - E0789628-CE08-4437-BE74-2495B842F43B

+ + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/DeferUpgradePeriod** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +> +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices. + + +

Allows IT Admins to specify additional upgrade delays for up to 8 months. + +

Supported values are 0-8, which refers to the number of months to defer upgrades. + +

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/DetectionFrequency** + + +

Added in Windows 10, version 1703. Specifies the scan frequency from every 1 - 22 hours. Default is 22 hours. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/EngagedRestartDeadline** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling). + +

Supported values are 2-30 days. + +

The default value is 0 days (not specified). + + + + + + + +**Update/EngagedRestartSnoozeSchedule** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications. + +

Supported values are 1-3 days. + +

The default value is 3 days. + + + + + + + +**Update/EngagedRestartTransitionSchedule** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending. + +

Supported values are 2-30 days. + +

The default value is 7 days. + + + + + + + +**Update/ExcludeWUDriversInQualityUpdate** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + +

Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates. + +

The following list shows the supported values: + +- 0 (default) – Allow Windows Update drivers. +- 1 – Exclude Windows Update drivers. + + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/FillEmptyContentUrls** + + +

Added in the April service release of Windows 10, version 1607. Allows Windows Update Agent to determine the download URL when it is missing from the metadata. This scenario will occur when intranet update service stores the metadata files but the download contents are stored in the ISV file cache (specified as the alternate download URL). + +> [!NOTE] +> This setting should only be used in combination with an alternate download URL and configured to use ISV file cache. This setting is used when the intranet update service does not provide download URLs in the update metadata for files which are available on the alternate download server. + +

The following list shows the supported values: + +- 0 (default) – Disabled. +- 1 – Enabled. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: No +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/IgnoreMOAppDownloadLimit** + + +

Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + +

The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for apps and their updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates. + +

To validate this policy: + +1. Enable the policy ensure the device is on a cellular network. +2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell: + - `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f` + + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/IgnoreMOUpdateDownloadLimit** + + +

Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies. + +> [!WARNING] +> Setting this policy might cause devices to incur costs from MO operators. + +

The following list shows the supported values: + +- 0 (default) – Do not ignore MO download limit for OS updates. +- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates. + +

To validate this policy: + +1. Enable the policy and ensure the device is on a cellular network. +2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell: + - `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""` + +3. Verify that any downloads that are above the download size limit will complete without being paused. + + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/PauseDeferrals** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices. + + +

Allows IT Admins to pause updates and upgrades for up to 5 weeks. Paused deferrals will be reset after 5 weeks. + +

The following list shows the supported values: + +- 0 (default) – Deferrals are not paused. +- 1 – Deferrals are paused. + +

If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + +

If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/PauseFeatureUpdates** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education. +

Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect. + + +

Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days. + +

The following list shows the supported values: + +- 0 (default) – Feature Updates are not paused. +- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/PauseFeatureUpdatesStartTime** + + +

Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Feature Updates. + +

Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/PauseQualityUpdates** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +

Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates. + +

The following list shows the supported values: + +- 0 (default) – Quality Updates are not paused. +- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/PauseQualityUpdatesStartTime** + + +

Added in Windows 10, version 1703. Specifies the date and time when the IT admin wants to start pausing the Quality Updates. + +

Value type is string. Supported operations are Add, Get, Delete, and Replace. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/RequireDeferUpgrade** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise +> +> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices. + + +

Allows the IT admin to set a device to CBB train. + +

The following list shows the supported values: + +- 0 (default) – User gets upgrades from Current Branch. +- 1 – User gets upgrades from Current Branch for Business. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/RequireUpdateApproval** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +
+ +> [!NOTE] +> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead. + + +

Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- 0 – Not configured. The device installs all applicable updates. +- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/ScheduleImminentRestartWarning** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications. + +

Supported values are 15, 30, or 60 (minutes). + +

The default value is 15 (minutes). + + + + + + + +**Update/ScheduleRestartWarning** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart warning reminder notifications. + +

Supported values are 2, 4, 8, 12, or 24 (hours). + +

The default value is 4 (hours). + + + + + + + +**Update/ScheduledInstallDay** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Enables the IT admin to schedule the day of the update installation. + +

The data type is a string. + +

Supported operations are Add, Delete, Get, and Replace. + +

The following list shows the supported values: + +- 0 (default) – Every day +- 1 – Sunday +- 2 – Monday +- 3 – Tuesday +- 4 – Wednesday +- 5 – Thursday +- 6 – Friday +- 7 – Saturday + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/ScheduledInstallTime** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Enables the IT admin to schedule the time of the update installation. + +

The data type is a string. + +

Supported operations are Add, Delete, Get, and Replace. + +

Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM. + +

The default value is 3. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/SetAutoRestartNotificationDisable** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + + +

Added in Windows 10, version 1703. Allows the IT Admin to disable auto-restart notifications for update installations. + +

The following list shows the supported values: + +- 0 (default) – Enabled +- 1 – Disabled + + + + + + + +**Update/SetEDURestart** + + +

Added in Windows 10, version 1703. For devices in a cart, this policy skips the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. + +

The following list shows the supported values: + +- 0 - not configured +- 1 - configured + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/UpdateServiceUrl** + + +> [!NOTE] +> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise + +> [!Important] +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. + +

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premise MDMs that need to update devices that cannot connect to the Internet. + +

Supported operations are Get and Replace. + +

The following list shows the supported values: + +- Not configured. The device checks for updates from Microsoft Update. +- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL. + +Example + +``` syntax + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + +``` + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Update/UpdateServiceUrlAlternate** + + +> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. + +

Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. + +

This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. + +

To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server. + +

Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. + +> [!Note] +> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect. +> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates. +> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**WiFi/AllowWiFiHotSpotReporting** + + +

This policy has been deprecated. + + + + + + + +**Wifi/AllowAutoConnectToWiFiSenseHotspots** + + +

Allow or disallow the device to automatically connect to Wi-Fi hotspots. + +

The following list shows the supported values: + +- 0 – Not allowed. +- 1 (default) – Allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Wifi/AllowInternetSharing** + + +

Allow or disallow internet sharing. + +

The following list shows the supported values: + +- 0 – Do not allow the use of Internet Sharing. +- 1 (default) – Allow the use of Internet Sharing. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**Wifi/AllowManualWiFiConfiguration** + + +

Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. + +

The following list shows the supported values: + +- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed. +- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed. + +

Most restricted value is 0. + +> [!NOTE] +> Setting this policy deletes any previously installed user-configured and Wi-Fi sense Wi-Fi profiles from the device. Certain Wi-Fi profiles that are not user configured nor Wi-Fi sense might not be deleted. In addition, not all non-MDM profiles are completely deleted. + + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**Wifi/AllowWiFi** + + +

Allow or disallow WiFi connection. + +

The following list shows the supported values: + +- 0 – WiFi connection is not allowed. +- 1 (default) – WiFi connection is allowed. + +

Most restricted value is 0. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): Yes + + + + +**Wifi/AllowWiFiDirect** + + +

Added in Windows 10, version 1703. Allow WiFi Direct connection.. + +- 0 - WiFi Direct connection is not allowed. +- 1 - WiFi Direct connection is allowed. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**Wifi/WLANScanMode** + + +

Allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. + +

Supported values are 0-500, where 100 = normal scan frequency and 500 = low scan frequency. + +

The default value is 0. + +

Supported operations are Add, Delete, Get, and Replace. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**WindowsInkWorkspace/AllowSuggestedAppsInWindowsInkWorkspace** + + +

Added in Windows 10, version 1607. Show recommended app suggestions in the ink workspace. + +

Value type is bool. The following list shows the supported values: + +- 0 - app suggestions are not allowed. +- 1 (default) -allow app suggestions. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**WindowsInkWorkspace/AllowWindowsInkWorkspace** + + +

Added in Windows 10, version 1607. Specifies whether to allow the user to access the ink workspace. + +

Value type is int. The following list shows the supported values: + +- 0 - access to ink workspace is disabled. The feature is turned off. +- 1 - ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. +- 2 (default) - ink workspace is enabled (feature is turned on), and the user is allowed to use it above the lock screen. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**WindowsLogon/DisableLockScreenAppNotifications** + + +This policy setting allows you to prevent app notifications from appearing on the lock screen. + +If you enable this policy setting, no app notifications are displayed on the lock screen. + +If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen. + + + + + +ADMX Info: +- GP english name: *Turn off app notifications on the lock screen* +- GP name: *DisableLockScreenAppNotifications* +- GP path: *System/Logon* +- GP ADMX file name: *logon.admx* + + + + +**WindowsLogon/DontDisplayNetworkSelectionUI** + + +This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. + +If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. + +If you disable or don't configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows. + + + + + +ADMX Info: +- GP english name: *Do not display network selection UI* +- GP name: *DontDisplayNetworkSelectionUI* +- GP path: *System/Logon* +- GP ADMX file name: *logon.admx* + + + + +**WindowsLogon/HideFastUserSwitching** + + +

Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations. + +

Value type is bool. The following list shows the supported values: + +- 0 (default) - Diabled (visible). +- 1 - Enabled (hidden). + +

To validate on Desktop, do the following: + +1. Enable policy. +2. Verify that the Switch account button in Start is hidden. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**WirelessDisplay/AllowProjectionFromPC** + + +

Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC. + +- 0 - your PC cannot discover or project to other devices. +- 1 - your PC can discover and project to other devices + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**WirelessDisplay/AllowProjectionFromPCOverInfrastructure** + + +

Added in Windows 10, version 1703. This policy allows you to turn off projection from a PC over infrastructure. + +- 0 - your PC cannot discover or project to other infrastructure devices, although it is possible to discover and project over WiFi Direct. +- 1 - your PC can discover and project to other devices over infrastructure. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**WirelessDisplay/AllowProjectionToPC** + + +

Added in Windows 10, version 1607. Allow or disallow turning off the projection to a PC. + +

If you set it to 0 (zero), your PC is not discoverable and you cannot project to it. If you set it to 1, your PC is discoverable and you can project to it above the lock screen. The user has an option to turn it always on or always off except for manual launch. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. + +

Value type is integer. Valid value: + +- 0 - projection to PC is not allowed. Always off and the user cannot enable it. +- 1 (default) - projection to PC is allowed. Enabled only above the lock screen. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + + +**WirelessDisplay/AllowProjectionToPCOverInfrastructure** + + +

Added in Windows 10, version 1703. This policy setting allows you to turn off projection to a PC over infrastructure. + +- 0 - your PC is not discoverable and other devices cannot project to it over infrastructure, although it is possible to project to it over WiFi Direct. +- 1 - your PC is discoverable and other devices can project to it over infrastructure. + + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Business: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: Yes +- Mobile Enterprise: Yes +- IoT Core: Yes +- Can be set using Exchange Active Sync (EAS): No + + + + +**WirelessDisplay/AllowUserInputFromWirelessDisplayReceiver** + + +

Added in Windows 10, version 1703. + + + + + + +SKU Support: +- Can be set using Exchange Active Sync (EAS): No + + + + +**WirelessDisplay/RequirePinForPairing** + + +

Added in Windows 10, version 1607. Allow or disallow requirement for a PIN for pairing. + +

If you turn this on, the pairing ceremony for new devices will always require a PIN. If you turn this off or do not configure it, a PIN is not required for pairing. In PCs that support Miracast, after the policy is applied you can verify the setting from the user interface in **Settings** > **System** > **Projecting to this PC**. + +

Value type is integer. Valid value: + +- 0 (default) - PIN is not required. +- 1 - PIN is required. + + + + + +SKU Support: +- Home: No +- Pro: Yes +- Enterprise: Yes +- Education: Yes +- Mobile: No +- Mobile Enterprise: No +- IoT Core: No +- Can be set using Exchange Active Sync (EAS): No + + + +


+ + + + +## Examples + +Set the minimum password length to 4 characters. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength + + + int + + 4 + + + + + +``` + +Do not allow NFC. + +``` syntax + + + + $CmdID$ + + + ./Vendor/MSFT/Policy/Config/Connectivity/AllowNFC + + + int + + 0 + + + + + +``` + +## Start/StartLayout Examples + +### Generating a layout + +The easiest way to generate a layout is to set the Start layout on a PC, and then run the PowerShell cmdlet **Export-StartLayout**. + +` > Export-StartLayout -path c:\users\<`*you*`>\desktop\startlayout.xml` + +Sample layout generated using the cmdlet + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +### Understanding the schema + +In the previous example, the **DefaultLayoutOverride** element is used to specify a layout that overrides the default Start layout. It contains a **StartLayoutCollection**. **StartLayoutCollection** contains a **StartLayout**, which is made up of a collection of **Groups** which are, in turn, made up of either **Tiles** or **DesktopApplicationTiles**. + +### Manually creating a layout + +For **Tile** elements, the **AppUserModelID** can be retrieved with the PowerShell cmdlet **Get-StartApps**. The app needs to be installed to retrieve this information. + +For **DesktopApplicationTile** elements, the **DesktopApplicationID** can be retrieved with the PowerShell cmdlet **Get-StartApps**. The app needs to be installed to retrieve this information. + +### Secondary tiles + +Creating a layout requires some special notes about secondary tiles. In general, the simplest way to correctly specify a **SecondaryTile** is to generate it using the **Export-StartLayout** PowerShell cmdlet as specified above. + +> [!NOTE] +> Apps that don't encode enough information in their secondary tiles may not be able to be used effectively in the **StartLayout** policy. 
+ + +### Generic webpage shortcuts + +The simplest mechanism to create a link to a webpage is to use a URL file. This can be manually added to the layout file by specifying the URL in the **DesktopApplicationID** attribute. + +``` syntax + +``` + +### Microsoft Edge secondary tiles + +These can be generated by using the **Export-StartLayout** PowerShell cmdlet as specified above. The following example shows a generated secondary tile: + +``` syntax + +``` + +### Microsoft Edge assets example + +An example XML string value for the **[Start/ImportEdgeAssets](#start-importedgeassets)** policy. + +``` syntax + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + + + + + 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 + + + + +``` + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md new file mode 100644 index 0000000000..3a2d11e3db --- /dev/null +++ b/windows/client-management/mdm/policy-ddf-file.md 
@@ -0,0 +1,41038 @@ +--- +title: Policy DDF file +description: Policy DDF file +ms.assetid: D90791B5-A772-4AF8-B058-5D566865AF8D +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Policy DDF file + +This topic shows the OMA DM device description framework (DDF) for the **Policy** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml) +- [Download the Policy DDF file for Windows 10, version 1607](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the DDF for Windows 10, version 1703. 
+ +``` syntax + +]> + + 1.2 + + Policy + ./User/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/5.0/MDM/Policy + + + + Config + + + + + + + + + + + + + + + + + + + + + ApplicationManagement + + + + + + + + + + + + + + + + + + + + + RequirePrivateStoreOnly + + + + + + + + + + + + + + + + + + + text/plain + + + + + + AttachmentManager + + + + + + + + + + + + + + + + + + + + + DoNotPreserveZoneInformation + + + + + + + + + + + + + + + + + + + text/plain + + + + + HideZoneInfoMechanism + + + + + + + + + + + + + + + + + + + text/plain + + + + + NotifyAntivirusPrograms + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Authentication + + + + + + + + + + + + + + + + + + + + + AllowEAPCertSSO + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Autoplay + + + + + + + + + + + + + + + + + + + + + DisallowAutoplayForNonVolumeDevices + + + + + + + + + + + + + + + + + + + text/plain + + + + + SetDefaultAutoRunBehavior + + + + + + + + + + + + + + + + + + + text/plain + + + + + TurnOffAutoPlay + + + + + + + + + + + + + + + + + + + text/plain + + + + + + CredentialsUI + + + + + + + + + + + + + + + + + + + + + DisablePasswordReveal + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Desktop + + + + + + + + + + + + + + + + + + + + + PreventUserRedirectionOfProfileFolders + + + + + + + + + + + + + + + + + + + text/plain + + + + + + EnterpriseCloudPrint + + + + + + + + + + + + + + + + + + + + + CloudPrinterDiscoveryEndPoint + + + + + + + + This policy provisions per-user discovery end point to discover cloud printers + + + + + + + + + + + text/plain + + + + + CloudPrintOAuthAuthority + + + + + + + + Authentication endpoint for acquiring OAuth tokens + + + + + + + + + + + text/plain + + + + + CloudPrintOAuthClientId + + + + + + + + A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority + + + + + + + + + + + text/plain + + + + + CloudPrintResourceId + + + + + + + + Resource URI for which access is being 
requested by the Enterprise Cloud Print client during OAuth authentication + + + + + + + + + + + text/plain + + + + + DiscoveryMaxPrinterLimit + + + + + + + + Defines the maximum number of printers that should be queried from discovery end point + + + + + + + + + + + text/plain + + + + + MopriaDiscoveryResourceId + + + + + + + + Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication + + + + + + + + + + + text/plain + + + + + + Experience + + + + + + + + + + + + + + + + + + + + + AllowTailoredExperiencesWithDiagnosticData + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowThirdPartySuggestionsInWindowsSpotlight + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWindowsConsumerFeatures + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWindowsSpotlight + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWindowsSpotlightOnActionCenter + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWindowsSpotlightWindowsWelcomeExperience + + + + + + + + + + + + + + + + + + + text/plain + + + + + ConfigureWindowsSpotlightOnLockScreen + + + + + + + + + + + + + + + + + + + text/plain + + + + + + InternetExplorer + + + + + + + + + + + + + + + + + + + + + AddSearchProvider + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowActiveXFiltering + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowAddOnList + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowEnhancedProtectedMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowEnterpriseModeFromToolsMenu + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowEnterpriseModeSiteList + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInternetExplorer7PolicyList + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInternetExplorerStandardsMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInternetZoneTemplate + + + + + + + + + + 
+ + + + + + + + + text/plain + + + + + AllowIntranetZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLocalMachineZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLockedDownInternetZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLockedDownIntranetZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLockedDownLocalMachineZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLockedDownRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowOneWordEntry + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSiteToZoneAssignmentList + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowsLockedDownTrustedSitesZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowsRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSuggestedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowTrustedSitesZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableAdobeFlash + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableBypassOfSmartScreenWarnings + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableBypassOfSmartScreenWarningsAboutUncommonFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableCustomerExperienceImprovementProgramParticipation + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableEnclosureDownloading + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableEncryptionSupport + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableFirstRunWizard + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableFlipAheadFeature + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableHomePageChange + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableProxyChange + + + + + + + + + + + + + + + + + 
+ + text/plain + + + + + DisableSearchProviderChange + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableSecondaryHomePageChange + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotBlockOutdatedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotBlockOutdatedActiveXControlsOnSpecificDomains + + + + + + + + + + + + + + + + + + + text/plain + + + + + IncludeAllLocalSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + IncludeAllNetworkPaths + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
IntranetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + 
+ + LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
LockedDownIntranetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowFontDownloads + + + + + + 
+ + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
LockedDownTrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + SearchProviderList + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
TrustedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Notifications + + + + + + + + + + + + + + + + + + + + + DisallowNotificationMirroring + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Printers + + + + + + + + + + + + + + + + + + + + + PointAndPrintRestrictions_User + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Settings + + + + + + + + + + + + + + + + + + + + + ConfigureTaskbarCalendar + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Start + + + + + + + + + + + + + + + + + + + + + StartLayout + + + + + + + + + + + + + + + + + + + text/plain + + + + + + System + + + + + + + + + + + + + + + + + + + + + AllowTelemetry + + + + + + + + + + + + + + + + + + + text/plain + + + + + + + Result + + + + + + + + + + + + + + + + + + + ApplicationManagement + + + + + + + + + + + + + + + + + + + RequirePrivateStoreOnly + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + AttachmentManager + + + + + + + + + + + + + + + + + + + DoNotPreserveZoneInformation + + + + + + + + + + + + + + + + + text/plain + + phone + AttachmentManager.admx + AttachmentManager~AT~WindowsComponents~AM_AM + AM_MarkZoneOnSavedAtttachments + + + + HideZoneInfoMechanism + + + + + + + + + + + + + + + + + text/plain + + phone + AttachmentManager.admx + AttachmentManager~AT~WindowsComponents~AM_AM + AM_RemoveZoneInfo + + + + NotifyAntivirusPrograms + + + + + + + + + + + + + + + + + text/plain + + phone + AttachmentManager.admx + AttachmentManager~AT~WindowsComponents~AM_AM + AM_CallIOfficeAntiVirus + + + + + Authentication + + + + 
+ + + + + + + + + + + + + + + AllowEAPCertSSO + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + Autoplay + + + + + + + + + + + + + + + + + + + DisallowAutoplayForNonVolumeDevices + + + + + + + + + + + + + + + + + text/plain + + phone + AutoPlay.admx + AutoPlay~AT~WindowsComponents~AutoPlay + NoAutoplayfornonVolume + + + + SetDefaultAutoRunBehavior + + + + + + + + + + + + + + + + + text/plain + + phone + AutoPlay.admx + AutoPlay~AT~WindowsComponents~AutoPlay + NoAutorun + + + + TurnOffAutoPlay + + + + + + + + + + + + + + + + + text/plain + + phone + AutoPlay.admx + AutoPlay~AT~WindowsComponents~AutoPlay + Autorun + + + + + CredentialsUI + + + + + + + + + + + + + + + + + + + DisablePasswordReveal + + + + + + + + + + + + + + + + + text/plain + + phone + credui.admx + CredUI~AT~WindowsComponents~CredUI + DisablePasswordReveal + + + + + Desktop + + + + + + + + + + + + + + + + + + + PreventUserRedirectionOfProfileFolders + + + + + + + + + + + + + + + + + text/plain + + phone + desktop.admx + desktop~AT~Desktop + DisablePersonalDirChange + + + + + EnterpriseCloudPrint + + + + + + + + + + + + + + + + + + + CloudPrinterDiscoveryEndPoint + + + + + This policy provisions per-user discovery end point to discover cloud printers + + + + + + + + + + + + text/plain + + + + + CloudPrintOAuthAuthority + + + + + Authentication endpoint for acquiring OAuth tokens + + + + + + + + + + + + text/plain + + + + + CloudPrintOAuthClientId + + + + + A GUID identifying the client application authorized to retrieve OAuth tokens from the OAuthAuthority + E1CF1107-FF90-4228-93BF-26052DD2C714 + + + + + + + + + + + text/plain + + + + + CloudPrintResourceId + + + + + Resource URI for which access is being requested by the Enterprise Cloud Print client during OAuth authentication + + + + + + + + + + + + text/plain + + + + + DiscoveryMaxPrinterLimit + + + + + Defines the maximum number of printers that should be queried from discovery end point + 20 + + + + + + + + + + + text/plain + + + + + 
MopriaDiscoveryResourceId + + + + + Resource URI for which access is being requested by the Mopria discovery client during OAuth authentication + + + + + + + + + + + + text/plain + + + + + + Experience + + + + + + + + + + + + + + + + + + + AllowTailoredExperiencesWithDiagnosticData + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowThirdPartySuggestionsInWindowsSpotlight + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowWindowsConsumerFeatures + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + AllowWindowsSpotlight + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowWindowsSpotlightOnActionCenter + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowWindowsSpotlightWindowsWelcomeExperience + + + + + + 1 + + + + + + + + + + + text/plain + + + + + ConfigureWindowsSpotlightOnLockScreen + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + + InternetExplorer + + + + + + + + + + + + + + + + + + + AddSearchProvider + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + AddSearchProvider + + + + AllowActiveXFiltering + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + TurnOnActiveXFiltering + + + + AllowAddOnList + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + AddonManagement_AddOnList + + + + AllowEnhancedProtectedMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_EnableEnhancedProtectedMode + + + + AllowEnterpriseModeFromToolsMenu + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + EnterpriseModeEnable + + + + AllowEnterpriseModeSiteList + + + + + + + + + + + + + + + + + 
text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + EnterpriseModeSiteList + + + + AllowInternetExplorer7PolicyList + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView + CompatView_UsePolicyList + + + + AllowInternetExplorerStandardsMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView + CompatView_IntranetSites + + + + AllowInternetZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyInternetZoneTemplate + + + + AllowIntranetZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyIntranetZoneTemplate + + + + AllowLocalMachineZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyLocalMachineZoneTemplate + + + + AllowLockedDownInternetZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyInternetZoneLockdownTemplate + + + + AllowLockedDownIntranetZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyIntranetZoneLockdownTemplate + + + + AllowLockedDownLocalMachineZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyLocalMachineZoneLockdownTemplate + + + + AllowLockedDownRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyRestrictedSitesZoneLockdownTemplate + + + + AllowOneWordEntry + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing + UseIntranetSiteForOneWordEntry + + + + AllowSiteToZoneAssignmentList + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_Zonemaps + + + + AllowsLockedDownTrustedSitesZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyTrustedSitesZoneLockdownTemplate + + + + AllowsRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyRestrictedSitesZoneTemplate + + + + AllowSuggestedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + EnableSuggestedSites + + + + AllowTrustedSitesZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyTrustedSitesZoneTemplate + + + + DisableAdobeFlash + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + DisableFlashInIE + + + + DisableBypassOfSmartScreenWarnings + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + DisableSafetyFilterOverride + + + + DisableBypassOfSmartScreenWarningsAboutUncommonFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + 
DisableSafetyFilterOverrideForAppRepUnknown + + + + DisableCustomerExperienceImprovementProgramParticipation + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SQM_DisableCEIP + + + + DisableEnclosureDownloading + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~RSS_Feeds + Disable_Downloading_of_Enclosures + + + + DisableEncryptionSupport + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_SetWinInetProtocols + + + + DisableFirstRunWizard + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoFirstRunCustomise + + + + DisableFlipAheadFeature + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_DisableFlipAhead + + + + DisableHomePageChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + RestrictHomePage + + + + DisableProxyChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + RestrictProxy + + + + DisableSearchProviderChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoSearchProvider + + + + DisableSecondaryHomePageChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SecondaryHomePages + + + + DoNotBlockOutdatedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + VerMgmtDisable + + + + DoNotBlockOutdatedActiveXControlsOnSpecificDomains + + + + + + + + + + + + + + + + + 
text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + VerMgmtDomainAllowlist + + + + IncludeAllLocalSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_IncludeUnspecifiedLocalSites + + + + IncludeAllNetworkPaths + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_UNCAsIntranet + + + + InternetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyAccessDataSourcesAcrossDomains_1 + + + + InternetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyNotificationBarActiveXURLaction_1 + + + + InternetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyNotificationBarDownloadURLaction_1 + + + + InternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyFontDownload_1 + + + + InternetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyZoneElevationURLaction_1 + + + + InternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + + + + InternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_AllowScriptlets_1 + + + + InternetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_Phishing_1 + + + + InternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyUserdataPersistence_1 + + + + InternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyScriptActiveXNotMarkedSafe_1 + + + + InternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyNavigateSubframesAcrossDomains_1 + + + + IntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAccessDataSourcesAcrossDomains_3 + + + + IntranetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyNotificationBarActiveXURLaction_3 + + + + IntranetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyNotificationBarDownloadURLaction_3 + + + + IntranetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyFontDownload_3 + + + + IntranetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyZoneElevationURLaction_3 + + + + IntranetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_3 + + + + IntranetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_Policy_AllowScriptlets_3 + + + + IntranetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_Policy_Phishing_3 + + + + IntranetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyUserdataPersistence_3 + + + + IntranetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyScriptActiveXNotMarkedSafe_3 + + + + IntranetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyNavigateSubframesAcrossDomains_3 + + + + LocalMachineZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyAccessDataSourcesAcrossDomains_9 + + + + LocalMachineZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyNotificationBarActiveXURLaction_9 + + + + LocalMachineZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyNotificationBarDownloadURLaction_9 + + + + LocalMachineZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyFontDownload_9 + + + + LocalMachineZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyZoneElevationURLaction_9 + + + + LocalMachineZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_9 + + + + LocalMachineZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_Policy_AllowScriptlets_9 + + + + LocalMachineZoneAllowSmartScreenIE + + + + + + + 
+ + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_Policy_Phishing_9 + + + + LocalMachineZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyUserdataPersistence_9 + + + + LocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyScriptActiveXNotMarkedSafe_9 + + + + LocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyNavigateSubframesAcrossDomains_9 + + + + LockedDownInternetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_2 + + + + LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_2 + + + + LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyNotificationBarDownloadURLaction_2 + + + + LockedDownInternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyFontDownload_2 + + + + LockedDownInternetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyZoneElevationURLaction_2 + + + + LockedDownInternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_2 + + + + LockedDownInternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_Policy_AllowScriptlets_2 + + + + LockedDownInternetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_Policy_Phishing_2 + + + + LockedDownInternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyUserdataPersistence_2 + + + + LockedDownInternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_2 + + + + LockedDownInternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyNavigateSubframesAcrossDomains_2 + + + + 
LockedDownIntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_4 + + + + LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_4 + + + + LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyNotificationBarDownloadURLaction_4 + + + + LockedDownIntranetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyFontDownload_4 + + + + LockedDownIntranetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyZoneElevationURLaction_4 + + + + LockedDownIntranetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_4 + + + + LockedDownIntranetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_Policy_AllowScriptlets_4 + + + + LockedDownIntranetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_Policy_Phishing_4 + + + + LockedDownIntranetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyUserdataPersistence_4 + + + + LockedDownIntranetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_4 + + + + LockedDownIntranetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyNavigateSubframesAcrossDomains_4 + + + + LockedDownLocalMachineZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_10 + + + + LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_10 + + + + LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyNotificationBarDownloadURLaction_10 + + + + LockedDownLocalMachineZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyFontDownload_10 + + + + LockedDownLocalMachineZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyZoneElevationURLaction_10 + + + + LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_10 + + + + LockedDownLocalMachineZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_Policy_AllowScriptlets_10 + + + + LockedDownLocalMachineZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_Policy_Phishing_10 + + + + LockedDownLocalMachineZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyUserdataPersistence_10 + + + + LockedDownLocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_10 + + + + LockedDownLocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + 
IZ_PolicyNavigateSubframesAcrossDomains_10 + + + + LockedDownRestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_8 + + + + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_8 + + + + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyNotificationBarDownloadURLaction_8 + + + + LockedDownRestrictedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyFontDownload_8 + + + + LockedDownRestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyZoneElevationURLaction_8 + + + + LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_8 + + + + LockedDownRestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + 
IZ_Policy_AllowScriptlets_8 + + + + LockedDownRestrictedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_Policy_Phishing_8 + + + + LockedDownRestrictedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyUserdataPersistence_8 + + + + LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_8 + + + + LockedDownRestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyNavigateSubframesAcrossDomains_8 + + + + LockedDownTrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_6 + + + + LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_6 + + + + LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyNotificationBarDownloadURLaction_6 + + + 
+ LockedDownTrustedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyFontDownload_6 + + + + LockedDownTrustedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyZoneElevationURLaction_6 + + + + LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_6 + + + + LockedDownTrustedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_Policy_AllowScriptlets_6 + + + + LockedDownTrustedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_Policy_Phishing_6 + + + + LockedDownTrustedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyUserdataPersistence_6 + + + + LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_6 + + + + LockedDownTrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyNavigateSubframesAcrossDomains_6 + + + + RestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAccessDataSourcesAcrossDomains_7 + + + + RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNotificationBarActiveXURLaction_7 + + + + RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNotificationBarDownloadURLaction_7 + + + + RestrictedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyFontDownload_7 + + + + RestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyZoneElevationURLaction_7 + + + + RestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_7 + + + + RestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_AllowScriptlets_7 + 
+ + + RestrictedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_Phishing_7 + + + + RestrictedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyUserdataPersistence_7 + + + + RestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_7 + + + + RestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_7 + + + + SearchProviderList + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SpecificSearchProvider + + + + TrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAccessDataSourcesAcrossDomains_5 + + + + TrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyNotificationBarActiveXURLaction_5 + + + + TrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + 
IZ_PolicyNotificationBarDownloadURLaction_5 + + + + TrustedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyFontDownload_5 + + + + TrustedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyZoneElevationURLaction_5 + + + + TrustedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_5 + + + + TrustedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_Policy_AllowScriptlets_5 + + + + TrustedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_Policy_Phishing_5 + + + + TrustedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyUserdataPersistence_5 + + + + TrustedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + + + + TrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_5 + + + + + Notifications + + + + + + + + + + + + + + + + + + + DisallowNotificationMirroring + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + Printers + + + + + + + + + + + + + + + + + + + PointAndPrintRestrictions_User + + + + + + + + + + + + + + + + + text/plain + + phone + Printing.admx + Printing~AT~ControlPanel~CplPrinters + PointAndPrint_Restrictions + + + + + Settings + + + + + + + + + + + + + + + + + + + ConfigureTaskbarCalendar + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + Start + + + + + + + + + + + + + + + + + + + StartLayout + + + + + + + + + + + + + + + + + text/plain + + phone + + + + + System + + + + + + + + + + + + + + + + + + + AllowTelemetry + + + + + + 3 + + + + + + + + + + + text/plain + + + + + + + + Policy + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/5.0/MDM/Policy + + + + ConfigOperations + + + + + + + Policy CSP ConfigOperations + + + + + + + + + + + + + + + ADMXInstall + + + + + + + Win32 App ADMX Ingestion + + + + + + + + + + + + + + + * + + + + + + + Win32 App Name + + + + + + + + + + + + + + + * + + + + + + + Setting Type of Win32 App. 
Policy Or Preference + + + + + + + + + + + + + + + * + + + + + + + Unique ID of ADMX file + + + + + + + + + + + + + + + + + + + + Config + + + + + + + + + + + + + + + + + + + + + AboveLock + + + + + + + + + + + + + + + + + + + + + AllowActionCenterNotifications + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCortanaAboveLock + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowToasts + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Accounts + + + + + + + + + + + + + + + + + + + + + AllowAddingNonMicrosoftAccountsManually + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowMicrosoftAccountConnection + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowMicrosoftAccountSignInAssistant + + + + + + + + + + + + + + + + + + + text/plain + + + + + DomainNamesForEmailSync + + + + + + + + + + + + + + + + + + + text/plain + + + + + + ActiveXControls + + + + + + + + + + + + + + + + + + + + + ApprovedInstallationSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + + ApplicationDefaults + + + + + + + + + + + + + + + + + + + + + DefaultAssociationsConfiguration + + + + + + + + + + + + + + + + + + + text/plain + + + + + + ApplicationManagement + + + + + + + + + + + + + + + + + + + + + AllowAllTrustedApps + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowAppStoreAutoUpdate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowDeveloperUnlock + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowGameDVR + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSharedUserAppData + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowStore + + + + + + + + + + + + + + + + + + + text/plain + + + + + ApplicationRestrictions + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableStoreOriginatedApps + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictAppDataToSystemVolume + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
RestrictAppToSystemVolume + + + + + + + + + + + + + + + + + + + text/plain + + + + + + AppVirtualization + + + + + + + + + + + + + + + + + + + + + AllowAppVClient + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowDynamicVirtualization + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowPackageCleanup + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowPackageScripts + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowPublishingRefreshUX + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowReportingServer + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowRoamingFileExclusions + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowRoamingRegistryExclusions + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowStreamingAutoload + + + + + + + + + + + + + + + + + + + text/plain + + + + + ClientCoexistenceAllowMigrationmode + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntegrationAllowRootGlobal + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntegrationAllowRootUser + + + + + + + + + + + + + + + + + + + text/plain + + + + + PublishingAllowServer1 + + + + + + + + + + + + + + + + + + + text/plain + + + + + PublishingAllowServer2 + + + + + + + + + + + + + + + + + + + text/plain + + + + + PublishingAllowServer3 + + + + + + + + + + + + + + + + + + + text/plain + + + + + PublishingAllowServer4 + + + + + + + + + + + + + + + + + + + text/plain + + + + + PublishingAllowServer5 + + + + + + + + + + + + + + + + + + + text/plain + + + + + StreamingAllowCertificateFilterForClient_SSL + + + + + + + + + + + + + + + + + + + text/plain + + + + + StreamingAllowHighCostLaunch + + + + + + + + + + + + + + + + + + + text/plain + + + + + StreamingAllowLocationProvider + + + + + + + + + + + + + + + + + + + text/plain + + + + + StreamingAllowPackageInstallationRoot + + + + + + + + + + + + + + + + + + + text/plain + + + + + StreamingAllowPackageSourceRoot + + + + + + + + + + + + + 
+ + + + + + text/plain + + + + + StreamingAllowReestablishmentInterval + + + + + + + + + + + + + + + + + + + text/plain + + + + + StreamingAllowReestablishmentRetries + + + + + + + + + + + + + + + + + + + text/plain + + + + + StreamingSharedContentStoreMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + StreamingSupportBranchCache + + + + + + + + + + + + + + + + + + + text/plain + + + + + StreamingVerifyCertificateRevocationList + + + + + + + + + + + + + + + + + + + text/plain + + + + + VirtualComponentsAllowList + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Authentication + + + + + + + + + + + + + + + + + + + + + AllowFastReconnect + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSecondaryAuthenticationDevice + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Autoplay + + + + + + + + + + + + + + + + + + + + + DisallowAutoplayForNonVolumeDevices + + + + + + + + + + + + + + + + + + + text/plain + + + + + SetDefaultAutoRunBehavior + + + + + + + + + + + + + + + + + + + text/plain + + + + + TurnOffAutoPlay + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Bitlocker + + + + + + + + + + + + + + + + + + + + + EncryptionMethod + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Bluetooth + + + + + + + + + + + + + + + + + + + + + AllowAdvertising + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowDiscoverableMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowPrepairing + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalDeviceName + + + + + + + + + + + + + + + + + + + text/plain + + + + + ServicesAllowedList + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Browser + + + + + + + + + + + + + + + + + + + + + AllowAddressBarDropdown + + + + + + + + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. 
We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. + + + + + + + + + + + text/plain + + + + + AllowAutofill + + + + + + + + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowBrowser + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCookies + + + + + + + + This setting lets you configure how your company deals with cookies. + + + + + + + + + + + text/plain + + + + + AllowDeveloperTools + + + + + + + + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowDoNotTrack + + + + + + + + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. + + + + + + + + + + + text/plain + + + + + AllowExtensions + + + + + + + + This setting lets you decide whether employees can load extensions in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowFlash + + + + + + + + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + AllowFlashClickToRun + + + + + + + + Configure the Adobe Flash Click-to-Run setting. + + + + + + + + + + + text/plain + + + + + AllowInPrivate + + + + + + + + This setting lets you decide whether employees can browse using InPrivate website browsing. + + + + + + + + + + + text/plain + + + + + AllowMicrosoftCompatibilityList + + + + + + + + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. 
+ +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. + +If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. + + + + + + + + + + + text/plain + + + + + AllowPasswordManager + + + + + + + + This setting lets you decide whether employees can save their passwords locally, using Password Manager. + + + + + + + + + + + text/plain + + + + + AllowPopups + + + + + + + + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. + + + + + + + + + + + text/plain + + + + + AllowSearchEngineCustomization + + + + + + + + Allow search engine customization for MDM enrolled devices. Users can change their default search engine. + +If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. +If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. + +This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). + + + + + + + + + + + text/plain + + + + + AllowSearchSuggestionsinAddressBar + + + + + + + + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. 
+ + + + + + + + + + + text/plain + + + + + AllowSmartScreen + + + + + + + + This setting lets you decide whether to turn on Windows Defender SmartScreen. + + + + + + + + + + + text/plain + + + + + ClearBrowsingDataOnExit + + + + + + + + Specifies whether to always clear browsing history on exiting Microsoft Edge. + + + + + + + + + + + text/plain + + + + + ConfigureAdditionalSearchEngines + + + + + + + + Allows you to add up to 5 additional search engines for MDM-enrolled devices. + +If this setting is turned on, you can add up to 5 additional search engines for your employee. For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. + +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + DisableLockdownOfStartPages + + + + + + + + Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + +Note: This policy has no effect when Browser/HomePages is not configured. + +Important +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). 
+ + + + + + + + + + + text/plain + + + + + EnterpriseModeSiteList + + + + + + + + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + + + + + + + + + + + text/plain + + + + + EnterpriseSiteListServiceUrl + + + + + + + + + + + + + + + + + + + text/plain + + + + + FirstRunURL + + + + + + + + Configure first run URL. + + + + + + + + + + + text/plain + + + + + HomePages + + + + + + + + Configure the Start page URLs for your employees. +Example: +If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. +Encapsulate each string with greater than and less than characters like any other XML tag. + +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. + + + + + + + + + + + text/plain + + + + + PreventAccessToAboutFlagsInMicrosoftEdge + + + + + + + + Prevent access to the about:flags page in Microsoft Edge. + + + + + + + + + + + text/plain + + + + + PreventFirstRunPage + + + + + + + + Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + PreventLiveTileDataCollection + + + + + + + + This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. 
+ +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverride + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverrideForFiles + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides for unverified files. + + + + + + + + + + + text/plain + + + + + PreventUsingLocalHostIPAddressForWebRTC + + + + + + + + Prevent using localhost IP address for WebRTC + + + + + + + + + + + text/plain + + + + + SendIntranetTraffictoInternetExplorer + + + + + + + + Sends all intranet traffic over to Internet Explorer. + + + + + + + + + + + text/plain + + + + + SetDefaultSearchEngine + + + + + + + + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. + +If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. + +If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. 
+ +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + text/plain + + + + + ShowMessageWhenOpeningSitesInInternetExplorer + + + + + + + + Show message when opening sites in Internet Explorer + + + + + + + + + + + text/plain + + + + + SyncFavoritesBetweenIEAndMicrosoftEdge + + + + + + + + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + + + + + + + + + + + text/plain + + + + + + Camera + + + + + + + + + + + + + + + + + + + + + AllowCamera + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Connectivity + + + + + + + + + + + + + + + + + + + + + AllowBluetooth + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCellularData + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCellularDataRoaming + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowConnectedDevices + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowNFC + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowUSBConnection + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowVPNOverCellular + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowVPNRoamingOverCellular + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisallowNetworkConnectivityActiveTests + + + + + + + + + + + + + + + + + + + text/plain + + + + + HardenedUNCPaths + + + + + + + + + + + + + + + + + + + text/plain + + + + + + CredentialProviders + + + + + + + + + + + + + + + + + + + + + AllowPINLogon + + + + + + + + + + + + + + + + + + + text/plain + + + + + BlockPicturePassword + + + + + + + + + + + + + + + + + + + text/plain + + + + + + CredentialsUI + + + + + + + + + + + + + + + + + + + + + DisablePasswordReveal + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
EnumerateAdministrators + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Cryptography + + + + + + + + + + + + + + + + + + + + + AllowFipsAlgorithmPolicy + + + + + + + + + + + + + + + + + + + text/plain + + + + + TLSCipherSuites + + + + + + + + + + + + + + + + + + + text/plain + + + + + + DataProtection + + + + + + + + + + + + + + + + + + + + + AllowDirectMemoryAccess + + + + + + + + + + + + + + + + + + + text/plain + + + + + LegacySelectiveWipeID + + + + + + + + + + + + + + + + + + + text/plain + + + + + + DataUsage + + + + + + + + + + + + + + + + + + + + + SetCost3G + + + + + + + + + + + + + + + + + + + text/plain + + + + + SetCost4G + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Defender + + + + + + + + + + + + + + + + + + + + + AllowArchiveScanning + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowBehaviorMonitoring + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCloudProtection + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowEmailScanning + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowFullScanOnMappedNetworkDrives + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowFullScanRemovableDriveScanning + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowIntrusionPreventionSystem + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowIOAVProtection + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowOnAccessProtection + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowRealtimeMonitoring + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowScanningNetworkFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowScriptScanning + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowUserUIAccess + + + + + + + + + + + + + + + + + + + text/plain + + + + + AvgCPULoadFactor + + + + + + + + + + + + + + + + + + + text/plain + + + + + DaysToRetainCleanedMalware + + + + + + + + + + + + + + + + + + + 
text/plain + + + + + ExcludedExtensions + + + + + + + + + + + + + + + + + + + text/plain + + + + + ExcludedPaths + + + + + + + + + + + + + + + + + + + text/plain + + + + + ExcludedProcesses + + + + + + + + + + + + + + + + + + + text/plain + + + + + PUAProtection + + + + + + + + + + + + + + + + + + + text/plain + + + + + RealTimeScanDirection + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScanParameter + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduleQuickScanTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduleScanDay + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduleScanTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + SignatureUpdateInterval + + + + + + + + + + + + + + + + + + + text/plain + + + + + SubmitSamplesConsent + + + + + + + + + + + + + + + + + + + text/plain + + + + + ThreatSeverityDefaultAction + + + + + + + + + + + + + + + + + + + text/plain + + + + + + DeliveryOptimization + + + + + + + + + + + + + + + + + + + + + DOAbsoluteMaxCacheSize + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOAllowVPNPeerCaching + + + + + + + + + + + + + + + + + + + text/plain + + + + + DODownloadMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOGroupId + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOMaxCacheAge + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOMaxCacheSize + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOMaxDownloadBandwidth + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOMaxUploadBandwidth + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOMinBackgroundQos + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOMinBatteryPercentageAllowedToUpload + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOMinDiskSizeAllowedToPeer + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOMinFileSizeToCache + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
DOMinRAMAllowedToPeer + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOModifyCacheDrive + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOMonthlyUploadDataCap + + + + + + + + + + + + + + + + + + + text/plain + + + + + DOPercentageMaxDownloadBandwidth + + + + + + + + + + + + + + + + + + + text/plain + + + + + + DeviceInstallation + + + + + + + + + + + + + + + + + + + + + PreventInstallationOfMatchingDeviceIDs + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventInstallationOfMatchingDeviceSetupClasses + + + + + + + + + + + + + + + + + + + text/plain + + + + + + DeviceLock + + + + + + + + + + + + + + + + + + + + + AllowIdleReturnWithoutPassword + + + + + + + + Specifies whether the user must input a PIN or password when the device resumes from an idle state. + + + + + + + + + + + text/plain + + + + + AllowScreenTimeoutWhileLockedUserConfig + + + + + + + + Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + + + + + + + + + + + text/plain + + + + + AllowSimpleDevicePassword + + + + + + + + Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. + + + + + + + + + + + text/plain + + + + + AlphanumericDevicePasswordRequired + + + + + + + + Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 + + + + + + + + + + + text/plain + + + + + DevicePasswordEnabled + + + + + + + + Specifies whether device lock is enabled. + + + + + + + + + + + text/plain + + + + + DevicePasswordExpiration + + + + + + + + Specifies when the password expires (in days). + + + + + + + + + + + text/plain + + + + + DevicePasswordHistory + + + + + + + + Specifies how many passwords can be stored in the history that can’t be used. 
+ + + + + + + + + + + text/plain + + + + + EnforceLockScreenAndLogonImage + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnforceLockScreenProvider + + + + + + + + + + + + + + + + + + + text/plain + + + + + MaxDevicePasswordFailedAttempts + + + + + + + + + + + + + + + + + + + text/plain + + + + + MaxInactivityTimeDeviceLock + + + + + + + + The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. + + + + + + + + + + + text/plain + + + + + MaxInactivityTimeDeviceLockWithExternalDisplay + + + + + + + + Sets the maximum timeout value for the external display. + + + + + + + + + + + text/plain + + + + + MinDevicePasswordComplexCharacters + + + + + + + + The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. + + + + + + + + + + + text/plain + + + + + MinDevicePasswordLength + + + + + + + + Specifies the minimum number or characters required in the PIN or password. + + + + + + + + + + + text/plain + + + + + PreventLockScreenSlideShow + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScreenTimeoutWhileLocked + + + + + + + + Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + + + + + + + + + + + text/plain + + + + + + Display + + + + + + + + + + + + + + + + + + + + + TurnOffGdiDPIScalingForApps + + + + + + + + This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. + + + + + + + + + + + text/plain + + + + + TurnOnGdiDPIScalingForApps + + + + + + + + This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. 
+ + + + + + + + + + + text/plain + + + + + + ErrorReporting + + + + + + + + + + + + + + + + + + + + + CustomizeConsentSettings + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableWindowsErrorReporting + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisplayErrorNotification + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotSendAdditionalData + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventCriticalErrorDisplay + + + + + + + + + + + + + + + + + + + text/plain + + + + + + EventLogService + + + + + + + + + + + + + + + + + + + + + ControlEventLogBehavior + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyMaximumFileSizeApplicationLog + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyMaximumFileSizeSecurityLog + + + + + + + + + + + + + + + + + + + text/plain + + + + + SpecifyMaximumFileSizeSystemLog + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Experience + + + + + + + + + + + + + + + + + + + + + AllowCopyPaste + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowCortana + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowDeviceDiscovery + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowFindMyDevice + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowManualMDMUnenrollment + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSaveAsOfOfficeFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowScreenCapture + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSharingOfOfficeFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSIMErrorDialogPromptWhenNoSIM + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSyncMySettings + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowTaskSwitcher + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowVoiceRecording + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWindowsTips + + + + + + 
+ + + + + + + + + + + + + text/plain + + + + + DoNotShowFeedbackNotifications + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Games + + + + + + + + + + + + + + + + + + + + + AllowAdvancedGamingServices + + + + + + + + Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. + + + + + + + + + + + text/plain + + + + + + InternetExplorer + + + + + + + + + + + + + + + + + + + + + AddSearchProvider + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowActiveXFiltering + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowAddOnList + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowEnhancedProtectedMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowEnterpriseModeFromToolsMenu + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowEnterpriseModeSiteList + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInternetExplorer7PolicyList + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInternetExplorerStandardsMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInternetZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowIntranetZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLocalMachineZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLockedDownInternetZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLockedDownIntranetZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLockedDownLocalMachineZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLockedDownRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowOneWordEntry + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSiteToZoneAssignmentList + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
AllowsLockedDownTrustedSitesZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowsRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSuggestedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowTrustedSitesZoneTemplate + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableAdobeFlash + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableBypassOfSmartScreenWarnings + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableBypassOfSmartScreenWarningsAboutUncommonFiles + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableCustomerExperienceImprovementProgramParticipation + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableEnclosureDownloading + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableEncryptionSupport + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableFirstRunWizard + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableFlipAheadFeature + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableProxyChange + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableSearchProviderChange + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableSecondaryHomePageChange + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableUpdateCheck + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotAllowUsersToAddSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotAllowUsersToChangePolicies + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotBlockOutdatedActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotBlockOutdatedActiveXControlsOnSpecificDomains + + + + + + + + + + + + + + + + + + + text/plain + + + + + IncludeAllLocalSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + IncludeAllNetworkPaths + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
InternetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + InternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
IntranetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + IntranetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + 
+ + + LockedDownInternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownInternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownIntranetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownLocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneAllowUserDataPersistence + + + + + + + + 
+ + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownRestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + LockedDownTrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + 
RestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + RestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + SearchProviderList + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + + + text/plain + + + + + TrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Kerberos + + + + + + + + + + + + + + + + + + + + + 
AllowForestSearchOrder + + + + + + + + + + + + + + + + + + + text/plain + + + + + KerberosClientSupportsClaimsCompoundArmor + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequireKerberosArmoring + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequireStrictKDCValidation + + + + + + + + + + + + + + + + + + + text/plain + + + + + SetMaximumContextTokenSize + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Licensing + + + + + + + + + + + + + + + + + + + + + AllowWindowsEntitlementReactivation + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisallowKMSClientOnlineAVSValidation + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Location + + + + + + + + + + + + + + + + + + + + + EnableLocation + + + + + + + + + + + + + + + + + + + text/plain + + + + + + LockDown + + + + + + + + + + + + + + + + + + + + + AllowEdgeSwipe + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Maps + + + + + + + + + + + + + + + + + + + + + AllowOfflineMapsDownloadOverMeteredConnection + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnableOfflineMapsAutoUpdate + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Messaging + + + + + + + + + + + + + + + + + + + + + AllowMessageSync + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowMMS + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowRCS + + + + + + + + + + + + + + + + + + + text/plain + + + + + + NetworkIsolation + + + + + + + + + + + + + + + + + + + + + EnterpriseCloudResources + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseInternalProxyServers + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseIPRange + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseIPRangesAreAuthoritative + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseNetworkDomainNames + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseProxyServers + + + + + + + + + + + + + + + + + + + 
text/plain + + + + + EnterpriseProxyServersAreAuthoritative + + + + + + + + + + + + + + + + + + + text/plain + + + + + NeutralResources + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Power + + + + + + + + + + + + + + + + + + + + + AllowStandbyWhenSleepingPluggedIn + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequirePasswordWhenComputerWakesOnBattery + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequirePasswordWhenComputerWakesPluggedIn + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Printers + + + + + + + + + + + + + + + + + + + + + PointAndPrintRestrictions + + + + + + + + + + + + + + + + + + + text/plain + + + + + PublishPrinters + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Privacy + + + + + + + + + + + + + + + + + + + + + AllowAutoAcceptPairingAndPrivacyConsentPrompts + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInputPersonalization + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableAdvertisingId + + + + + + + + + + + + + + + + + + + text/plain + + + + + LetAppsAccessAccountInfo + + + + + + + + This policy setting specifies whether Windows apps can access account information. + + + + + + + + + + + text/plain + + + + + LetAppsAccessAccountInfo_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessAccountInfo_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. 
+ + + + + + + + + + + text/plain + + + + + LetAppsAccessAccountInfo_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCalendar + + + + + + + + This policy setting specifies whether Windows apps can access the calendar. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCalendar_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCalendar_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCalendar_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCallHistory + + + + + + + + This policy setting specifies whether Windows apps can access call history. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCallHistory_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. 
This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCallHistory_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCallHistory_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCamera + + + + + + + + This policy setting specifies whether Windows apps can access the camera. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCamera_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCamera_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessCamera_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. 
+ + + + + + + + + + + text/plain + + + + + LetAppsAccessContacts + + + + + + + + This policy setting specifies whether Windows apps can access contacts. + + + + + + + + + + + text/plain + + + + + LetAppsAccessContacts_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessContacts_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessContacts_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessEmail + + + + + + + + This policy setting specifies whether Windows apps can access email. + + + + + + + + + + + text/plain + + + + + LetAppsAccessEmail_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessEmail_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. 
+ + + + + + + + + + + text/plain + + + + + LetAppsAccessEmail_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessLocation + + + + + + + + This policy setting specifies whether Windows apps can access location. + + + + + + + + + + + text/plain + + + + + LetAppsAccessLocation_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessLocation_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessLocation_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessMessaging + + + + + + + + This policy setting specifies whether Windows apps can read or send messages (text or MMS). + + + + + + + + + + + text/plain + + + + + LetAppsAccessMessaging_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. 
+ + + + + + + + + + + text/plain + + + + + LetAppsAccessMessaging_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessMessaging_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessMicrophone + + + + + + + + This policy setting specifies whether Windows apps can access the microphone. + + + + + + + + + + + text/plain + + + + + LetAppsAccessMicrophone_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessMicrophone_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessMicrophone_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. 
+ + + + + + + + + + + text/plain + + + + + LetAppsAccessMotion + + + + + + + + This policy setting specifies whether Windows apps can access motion data. + + + + + + + + + + + text/plain + + + + + LetAppsAccessMotion_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessMotion_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessMotion_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessNotifications + + + + + + + + This policy setting specifies whether Windows apps can access notifications. + + + + + + + + + + + text/plain + + + + + LetAppsAccessNotifications_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessNotifications_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. 
+ + + + + + + + + + + text/plain + + + + + LetAppsAccessNotifications_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessPhone + + + + + + + + This policy setting specifies whether Windows apps can make phone calls + + + + + + + + + + + text/plain + + + + + LetAppsAccessPhone_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessPhone_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessPhone_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessRadios + + + + + + + + This policy setting specifies whether Windows apps have access to control radios. + + + + + + + + + + + text/plain + + + + + LetAppsAccessRadios_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. 
+ + + + + + + + + + + text/plain + + + + + LetAppsAccessRadios_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessRadios_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessTasks + + + + + + + + This policy setting specifies whether Windows apps can access tasks. + + + + + + + + + + + text/plain + + + + + LetAppsAccessTasks_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessTasks_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessTasks_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessTrustedDevices + + + + + + + + This policy setting specifies whether Windows apps can access trusted devices. 
+ + + + + + + + + + + text/plain + + + + + LetAppsAccessTrustedDevices_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessTrustedDevices_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsAccessTrustedDevices_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsGetDiagnosticInfo + + + + + + + + This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. + + + + + + + + + + + text/plain + + + + + LetAppsGetDiagnosticInfo_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsGetDiagnosticInfo_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. 
This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsGetDiagnosticInfo_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsRunInBackground + + + + + + + + This policy setting specifies whether Windows apps can run in the background. + + + + + + + + + + + text/plain + + + + + LetAppsRunInBackground_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsRunInBackground_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsRunInBackground_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + + + + + + + + + + + text/plain + + + + + LetAppsSyncWithDevices + + + + + + + + This policy setting specifies whether Windows apps can sync with devices. 
+ + + + + + + + + + + text/plain + + + + + LetAppsSyncWithDevices_ForceAllowTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsSyncWithDevices_ForceDenyTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + + + + + + text/plain + + + + + LetAppsSyncWithDevices_UserInControlOfTheseApps + + + + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. 
+ + + + + + + + + + + text/plain + + + + + + RemoteAssistance + + + + + + + + + + + + + + + + + + + + + CustomizeWarningMessages + + + + + + + + + + + + + + + + + + + text/plain + + + + + SessionLogging + + + + + + + + + + + + + + + + + + + text/plain + + + + + SolicitedRemoteAssistance + + + + + + + + + + + + + + + + + + + text/plain + + + + + UnsolicitedRemoteAssistance + + + + + + + + + + + + + + + + + + + text/plain + + + + + + RemoteDesktopServices + + + + + + + + + + + + + + + + + + + + + AllowUsersToConnectRemotely + + + + + + + + + + + + + + + + + + + text/plain + + + + + ClientConnectionEncryptionLevel + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotAllowDriveRedirection + + + + + + + + + + + + + + + + + + + text/plain + + + + + DoNotAllowPasswordSaving + + + + + + + + + + + + + + + + + + + text/plain + + + + + PromptForPasswordUponConnection + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequireSecureRPCCommunication + + + + + + + + + + + + + + + + + + + text/plain + + + + + + RemoteProcedureCall + + + + + + + + + + + + + + + + + + + + + RestrictUnauthenticatedRPCClients + + + + + + + + + + + + + + + + + + + text/plain + + + + + RPCEndpointMapperClientAuthentication + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Search + + + + + + + + + + + + + + + + + + + + + AllowIndexingEncryptedStoresOrItems + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSearchToUseLocation + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowStoringImagesFromVisionSearch + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowUsingDiacritics + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWindowsIndexer + + + + + + + + + + + + + + + + + + + text/plain + + + + + AlwaysUseAutoLangDetection + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableBackoff + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableRemovableDriveIndexing + + + + + + + + + + + + + + + + + + + 
text/plain + + + + + PreventIndexingLowDiskSpaceMB + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventRemoteQueries + + + + + + + + + + + + + + + + + + + text/plain + + + + + SafeSearchPermissions + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Security + + + + + + + + + + + + + + + + + + + + + AllowAddProvisioningPackage + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowManualRootCertificateInstallation + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowRemoveProvisioningPackage + + + + + + + + + + + + + + + + + + + text/plain + + + + + AntiTheftMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventAutomaticDeviceEncryptionForAzureADJoinedDevices + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequireDeviceEncryption + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequireProvisioningPackageSignature + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequireRetrieveHealthCertificateOnBoot + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Settings + + + + + + + + + + + + + + + + + + + + + AllowAutoPlay + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowDataSense + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowDateTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowEditDeviceName + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLanguage + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowPowerSleep + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowRegion + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowSignInOptions + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowVPN + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWorkplace + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowYourAccount + + + + + + + + + + + + + + + + + + + text/plain + + + + + PageVisibilityList + + + + + + + + + + + + + + + + + + + text/plain + 
+ + + + + SmartScreen + + + + + + + + + + + + + + + + + + + + + EnableAppInstallControl + + + + + + + + + + + + + + + + + + + text/plain + + + + + EnableSmartScreenInShell + + + + + + + + + + + + + + + + + + + text/plain + + + + + PreventOverrideForFilesInShell + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Speech + + + + + + + + + + + + + + + + + + + + + AllowSpeechModelUpdate + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Start + + + + + + + + + + + + + + + + + + + + + AllowPinnedFolderDocuments + + + + + + + + This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + + + + + text/plain + + + + + AllowPinnedFolderDownloads + + + + + + + + This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + + + + + text/plain + + + + + AllowPinnedFolderFileExplorer + + + + + + + + This policy controls the visibility of the File Explorer shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 
+ + + + + + + + + + + text/plain + + + + + AllowPinnedFolderHomeGroup + + + + + + + + This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + + + + + text/plain + + + + + AllowPinnedFolderMusic + + + + + + + + This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + + + + + text/plain + + + + + AllowPinnedFolderNetwork + + + + + + + + This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + + + + + text/plain + + + + + AllowPinnedFolderPersonalFolder + + + + + + + + This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 
+ + + + + + + + + + + text/plain + + + + + AllowPinnedFolderPictures + + + + + + + + This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + + + + + text/plain + + + + + AllowPinnedFolderSettings + + + + + + + + This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + + + + + text/plain + + + + + AllowPinnedFolderVideos + + + + + + + + This policy controls the visibility of the Videos shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + + + + + + + + + + + text/plain + + + + + ForceStartSize + + + + + + + + + + + + + + + + + + + text/plain + + + + + HideAppList + + + + + + + + Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. 
+ + + + + + + + + + + text/plain + + + + + HideChangeAccountSettings + + + + + + + + Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. + + + + + + + + + + + text/plain + + + + + HideFrequentlyUsedApps + + + + + + + + Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + + + HideHibernate + + + + + + + + Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. + + + + + + + + + + + text/plain + + + + + HideLock + + + + + + + + Enabling this policy hides "Lock" from appearing in the user tile in the start menu. + + + + + + + + + + + text/plain + + + + + HidePowerButton + + + + + + + + Enabling this policy hides the power button from appearing in the start menu. + + + + + + + + + + + text/plain + + + + + HideRecentJumplists + + + + + + + + Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + + + HideRecentlyAddedApps + + + + + + + + Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + + + + + + + + + + + text/plain + + + + + HideRestart + + + + + + + + Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. + + + + + + + + + + + text/plain + + + + + HideShutDown + + + + + + + + Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. + + + + + + + + + + + text/plain + + + + + HideSignOut + + + + + + + + Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. 
+ + + + + + + + + + + text/plain + + + + + HideSleep + + + + + + + + Enabling this policy hides "Sleep" from appearing in the power button in the start menu. + + + + + + + + + + + text/plain + + + + + HideSwitchAccount + + + + + + + + Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. + + + + + + + + + + + text/plain + + + + + HideUserTile + + + + + + + + Enabling this policy hides the user tile from appearing in the start menu. + + + + + + + + + + + text/plain + + + + + ImportEdgeAssets + + + + + + + + This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. + + + + + + + + + + + text/plain + + + + + NoPinningToTaskbar + + + + + + + + This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. 
+ + + + + + + + + + + text/plain + + + + + StartLayout + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Storage + + + + + + + + + + + + + + + + + + + + + EnhancedStorageDevices + + + + + + + + + + + + + + + + + + + text/plain + + + + + + System + + + + + + + + + + + + + + + + + + + + + AllowBuildPreview + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowEmbeddedMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowExperimentation + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowFontProviders + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLocation + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowStorageCard + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowTelemetry + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowUserToResetPhone + + + + + + + + + + + + + + + + + + + text/plain + + + + + BootStartDriverInitialization + + + + + + + + + + + + + + + + + + + text/plain + + + + + DisableOneDriveFileSync + + + + + + + + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. 
+ + + + + + + + + + + text/plain + + + + + DisableSystemRestore + + + + + + + + + + + + + + + + + + + text/plain + + + + + TelemetryProxy + + + + + + + + + + + + + + + + + + + text/plain + + + + + + TextInput + + + + + + + + + + + + + + + + + + + + + AllowIMELogging + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowIMENetworkAccess + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInputPanel + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowJapaneseIMESurrogatePairCharacters + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowJapaneseIVSCharacters + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowJapaneseNonPublishingStandardGlyph + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowJapaneseUserDictionary + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowKeyboardTextSuggestions + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowLanguageFeaturesUninstall + + + + + + + + + + + + + + + + + + + text/plain + + + + + ExcludeJapaneseIMEExceptJIS0208 + + + + + + + + + + + + + + + + + + + text/plain + + + + + ExcludeJapaneseIMEExceptJIS0208andEUDC + + + + + + + + + + + + + + + + + + + text/plain + + + + + ExcludeJapaneseIMEExceptShiftJIS + + + + + + + + + + + + + + + + + + + text/plain + + + + + + TimeLanguageSettings + + + + + + + + + + + + + + + + + + + + + AllowSet24HourClock + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Update + + + + + + + + + + + + + + + + + + + + + ActiveHoursEnd + + + + + + + + + + + + + + + + + + + text/plain + + + + + ActiveHoursMaxRange + + + + + + + + + + + + + + + + + + + text/plain + + + + + ActiveHoursStart + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowAutoUpdate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowMUUpdateService + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowNonMicrosoftSignedUpdate + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowUpdateService 
+ + + + + + + + + + + + + + + + + + + text/plain + + + + + AutoRestartDeadlinePeriodInDays + + + + + + + + + + + + + + + + + + + text/plain + + + + + AutoRestartNotificationSchedule + + + + + + + + + + + + + + + + + + + text/plain + + + + + AutoRestartRequiredNotificationDismissal + + + + + + + + + + + + + + + + + + + text/plain + + + + + BranchReadinessLevel + + + + + + + + + + + + + + + + + + + text/plain + + + + + DeferFeatureUpdatesPeriodInDays + + + + + + + + + + + + + + + + + + + text/plain + + + + + DeferQualityUpdatesPeriodInDays + + + + + + + + + + + + + + + + + + + text/plain + + + + + DeferUpdatePeriod + + + + + + + + + + + + + + + + + + + text/plain + + + + + DeferUpgradePeriod + + + + + + + + + + + + + + + + + + + text/plain + + + + + DetectionFrequency + + + + + + + + + + + + + + + + + + + text/plain + + + + + EngagedRestartDeadline + + + + + + + + + + + + + + + + + + + text/plain + + + + + EngagedRestartSnoozeSchedule + + + + + + + + + + + + + + + + + + + text/plain + + + + + EngagedRestartTransitionSchedule + + + + + + + + + + + + + + + + + + + text/plain + + + + + ExcludeWUDriversInQualityUpdate + + + + + + + + + + + + + + + + + + + text/plain + + + + + FillEmptyContentUrls + + + + + + + + + + + + + + + + + + + text/plain + + + + + IgnoreMOAppDownloadLimit + + + + + + + + + + + + + + + + + + + text/plain + + + + + IgnoreMOUpdateDownloadLimit + + + + + + + + + + + + + + + + + + + text/plain + + + + + PauseDeferrals + + + + + + + + + + + + + + + + + + + text/plain + + + + + PauseFeatureUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + + + PauseFeatureUpdatesStartTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + PauseQualityUpdates + + + + + + + + + + + + + + + + + + + text/plain + + + + + PauseQualityUpdatesStartTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + PhoneUpdateRestrictions + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequireDeferUpgrade + + + + + + + + + + + + + + + + + + + text/plain 
+ + + + + RequireUpdateApproval + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduledInstallDay + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduledInstallTime + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduleImminentRestartWarning + + + + + + + + + + + + + + + + + + + text/plain + + + + + ScheduleRestartWarning + + + + + + + + + + + + + + + + + + + text/plain + + + + + SetAutoRestartNotificationDisable + + + + + + + + + + + + + + + + + + + text/plain + + + + + SetEDURestart + + + + + + + + + + + + + + + + + + + text/plain + + + + + UpdateServiceUrl + + + + + + + + + + + + + + + + + + + text/plain + + + + + UpdateServiceUrlAlternate + + + + + + + + + + + + + + + + + + + text/plain + + + + + + Wifi + + + + + + + + + + + + + + + + + + + + + AllowAutoConnectToWiFiSenseHotspots + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowInternetSharing + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowManualWiFiConfiguration + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWiFi + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWiFiDirect + + + + + + + + + + + + + + + + + + + text/plain + + + + + WLANScanMode + + + + + + + + + + + + + + + + + + + text/plain + + + + + + WindowsInkWorkspace + + + + + + + + + + + + + + + + + + + + + AllowSuggestedAppsInWindowsInkWorkspace + + + + + + + + + + + + + + + + + + + text/plain + + + + + AllowWindowsInkWorkspace + + + + + + + + + + + + + + + + + + + text/plain + + + + + + WindowsLogon + + + + + + + + + + + + + + + + + + + + + DisableLockScreenAppNotifications + + + + + + + + + + + + + + + + + + + text/plain + + + + + DontDisplayNetworkSelectionUI + + + + + + + + + + + + + + + + + + + text/plain + + + + + HideFastUserSwitching + + + + + + + + This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. 
If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. + + + + + + + + + + + text/plain + + + + + + WirelessDisplay + + + + + + + + + + + + + + + + + + + + + AllowProjectionFromPC + + + + + + + + This policy allows you to turn off projection from a PC. + If you set it to 0, your PC cannot discover or project to other devices. + If you set it to 1, your PC can discover and project to other devices. + + + + + + + + + + + text/plain + + + + + AllowProjectionFromPCOverInfrastructure + + + + + + + + This policy allows you to turn off projection from a PC over infrastructure. + If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. + If you set it to 1, your PC can discover and project to other devices over infrastructure. + + + + + + + + + + + text/plain + + + + + AllowProjectionToPC + + + + + + + + This policy setting allows you to turn off projection to a PC + If you set it to 0, your PC isn't discoverable and can't be projected to + If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. + + + + + + + + + + + text/plain + + + + + AllowProjectionToPCOverInfrastructure + + + + + + + + This policy setting allows you to turn off projection to a PC over infrastructure. + If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. 
+ If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. + + + + + + + + + + + text/plain + + + + + AllowUserInputFromWirelessDisplayReceiver + + + + + + + + + + + + + + + + + + + text/plain + + + + + RequirePinForPairing + + + + + + + + This policy setting allows you to require a pin for pairing. + If you turn this on, the pairing ceremony for new devices will always require a PIN + If you turn it off or don't configure it, a pin isn't required for pairing. + + + + + + + + + + + text/plain + + + + + + + Result + + + + + + + + + + + + + + + + + + + AboveLock + + + + + + + + + + + + + + + + + + + AllowActionCenterNotifications + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowCortanaAboveLock + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowToasts + + + + + + 1 + + + + + + + + + + + text/plain + + + + + + Accounts + + + + + + + + + + + + + + + + + + + AllowAddingNonMicrosoftAccountsManually + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowMicrosoftAccountConnection + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowMicrosoftAccountSignInAssistant + + + + + + 1 + + + + + + + + + + + text/plain + + + + + DomainNamesForEmailSync + + + + + + + + + + + + + + + + + text/plain + + + + + + ActiveXControls + + + + + + + + + + + + + + + + + + + ApprovedInstallationSites + + + + + + + + + + + + + + + + + text/plain + + phone + ActiveXInstallService.admx + ActiveXInstallService~AT~WindowsComponents~AxInstSv + ApprovedActiveXInstallSites + + + + + ApplicationDefaults + + + + + + + + + + + + + + + + + + + DefaultAssociationsConfiguration + + + + + + + + + + + + + + + + + text/plain + + phone + + + + + ApplicationManagement + + + + + + + + + + + + + + + + + + + AllowAllTrustedApps + + + + + + 65535 + + + + + + + + + + + text/plain + + + + + AllowAppStoreAutoUpdate + + + + + + 2 + + + + + + + + + + + text/plain + + + + + AllowDeveloperUnlock + + + + + + 65535 + + + + + + + + + + + 
text/plain + + + + + AllowGameDVR + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowSharedUserAppData + + + + + + 0 + + + + + + + + + + + text/plain + + + + + AllowStore + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + ApplicationRestrictions + + + + + + + + + + + + + + + + + text/plain + + desktop + + + + DisableStoreOriginatedApps + + + + + + 0 + + + + + + + + + + + text/plain + + + + + RestrictAppDataToSystemVolume + + + + + + 0 + + + + + + + + + + + text/plain + + + + + RestrictAppToSystemVolume + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + AppVirtualization + + + + + + + + + + + + + + + + + + + AllowAppVClient + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV + EnableAppV + + + + AllowDynamicVirtualization + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Virtualization + Virtualization_JITVEnable + + + + AllowPackageCleanup + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_PackageManagement + PackageManagement_AutoCleanupEnable + + + + AllowPackageScripts + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Scripting + Scripting_Enable_Package_Scripts + + + + AllowPublishingRefreshUX + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Publishing + Enable_Publishing_Refresh_UX + + + + AllowReportingServer + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Reporting + Reporting_Server_Policy + + + + AllowRoamingFileExclusions + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Integration + Integration_Roaming_File_Exclusions + + + + AllowRoamingRegistryExclusions + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Integration + 
Integration_Roaming_Registry_Exclusions + + + + AllowStreamingAutoload + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Steaming_Autoload + + + + ClientCoexistenceAllowMigrationmode + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Client_Coexistence + Client_Coexistence_Enable_Migration_mode + + + + IntegrationAllowRootGlobal + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Integration + Integration_Root_User + + + + IntegrationAllowRootUser + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Integration + Integration_Root_Global + + + + PublishingAllowServer1 + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Publishing + Publishing_Server1_Policy + + + + PublishingAllowServer2 + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Publishing + Publishing_Server2_Policy + + + + PublishingAllowServer3 + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Publishing + Publishing_Server3_Policy + + + + PublishingAllowServer4 + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Publishing + Publishing_Server4_Policy + + + + PublishingAllowServer5 + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Publishing + Publishing_Server5_Policy + + + + StreamingAllowCertificateFilterForClient_SSL + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Certificate_Filter_For_Client_SSL + + + + StreamingAllowHighCostLaunch + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Allow_High_Cost_Launch + + + + StreamingAllowLocationProvider + + 
+ + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Location_Provider + + + + StreamingAllowPackageInstallationRoot + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Package_Installation_Root + + + + StreamingAllowPackageSourceRoot + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Package_Source_Root + + + + StreamingAllowReestablishmentInterval + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Reestablishment_Interval + + + + StreamingAllowReestablishmentRetries + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Reestablishment_Retries + + + + StreamingSharedContentStoreMode + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Shared_Content_Store_Mode + + + + StreamingSupportBranchCache + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Support_Branch_Cache + + + + StreamingVerifyCertificateRevocationList + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Streaming + Streaming_Verify_Certificate_Revocation_List + + + + VirtualComponentsAllowList + + + + + + + + + + + + + + + + + text/plain + + phone + appv.admx + appv~AT~System~CAT_AppV~CAT_Virtualization + Virtualization_JITVAllowList + + + + + Authentication + + + + + + + + + + + + + + + + + + + AllowFastReconnect + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowSecondaryAuthenticationDevice + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + Autoplay + + + + + + + + + + + + + + + + + + + DisallowAutoplayForNonVolumeDevices + + + + + + + + + + + + + + + + + text/plain + + phone + 
AutoPlay.admx + AutoPlay~AT~WindowsComponents~AutoPlay + NoAutoplayfornonVolume + + + + SetDefaultAutoRunBehavior + + + + + + + + + + + + + + + + + text/plain + + phone + AutoPlay.admx + AutoPlay~AT~WindowsComponents~AutoPlay + NoAutorun + + + + TurnOffAutoPlay + + + + + + + + + + + + + + + + + text/plain + + phone + AutoPlay.admx + AutoPlay~AT~WindowsComponents~AutoPlay + Autorun + + + + + Bitlocker + + + + + + + + + + + + + + + + + + + EncryptionMethod + + + + + + 6 + + + + + + + + + + + text/plain + + + + + + Bluetooth + + + + + + + + + + + + + + + + + + + AllowAdvertising + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowDiscoverableMode + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowPrepairing + + + + + + 1 + + + + + + + + + + + text/plain + + + + + LocalDeviceName + + + + + + + + + + + + + + + + + text/plain + + + + + ServicesAllowedList + + + + + + + + + + + + + + + + + text/plain + + + + + + Browser + + + + + + + + + + + + + + + + + + + AllowAddressBarDropdown + + + + + This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft services. + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowAutofill + + + + + This setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + + + + AllowBrowser + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowCookies + + + + + This setting lets you configure how your company deals with cookies. + 2 + + + + + + + + + + + text/plain + + + + + AllowDeveloperTools + + + + + This setting lets you decide whether employees can use F12 Developer Tools on Microsoft Edge. 
+ 1 + + + + + + + + + + + text/plain + + phone + + + + AllowDoNotTrack + + + + + This setting lets you decide whether employees can send Do Not Track headers to websites that request tracking info. + 0 + + + + + + + + + + + text/plain + + + + + AllowExtensions + + + + + This setting lets you decide whether employees can load extensions in Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowFlash + + + + + This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowFlashClickToRun + + + + + Configure the Adobe Flash Click-to-Run setting. + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowInPrivate + + + + + This setting lets you decide whether employees can browse using InPrivate website browsing. + 1 + + + + + + + + + + + text/plain + + + + + AllowMicrosoftCompatibilityList + + + + + This policy setting lets you decide whether the Microsoft Compatibility List is enabled or disabled in Microsoft Edge. This feature uses a Microsoft-provided list to ensure that any sites with known compatibility issues are displayed correctly when a user navigates to them. By default, the Microsoft Compatibility List is enabled and can be viewed by navigating to about:compat. + +If you enable or don’t configure this setting, Microsoft Edge will periodically download the latest version of the list from Microsoft and will apply the configurations specified there during browser navigation. If a user visits a site on the Microsoft Compatibility List, he or she will be prompted to open the site in Internet Explorer 11. Once in Internet Explorer, the site will automatically be rendered as if the user is viewing it in the previous version of Internet Explorer it requires to display correctly. + +If you disable this setting, the Microsoft Compatibility List will not be used during browser navigation. 
+ 1 + + + + + + + + + + + text/plain + + + + + AllowPasswordManager + + + + + This setting lets you decide whether employees can save their passwords locally, using Password Manager. + 1 + + + + + + + + + + + text/plain + + + + + AllowPopups + + + + + This setting lets you decide whether to turn on Pop-up Blocker and whether to allow pop-ups to appear in secondary windows. + 0 + + + + + + + + + + + text/plain + + phone + + + + AllowSearchEngineCustomization + + + + + Allow search engine customization for MDM enrolled devices. Users can change their default search engine. + +If this setting is turned on or not configured, users can add new search engines and change the default used in the address bar from within Microsoft Edge Settings. +If this setting is disabled, users will be unable to add search engines or change the default used in the address bar. + +This policy will only apply on domain joined machines or when the device is MDM enrolled. For more information, see Microsoft browser extension policy (aka.ms/browserpolicy). + 1 + + + + + + + + + + + text/plain + + + + + AllowSearchSuggestionsinAddressBar + + + + + This setting lets you decide whether search suggestions should appear in the Address bar of Microsoft Edge. + 1 + + + + + + + + + + + text/plain + + + + + AllowSmartScreen + + + + + This setting lets you decide whether to turn on Windows Defender SmartScreen. + 1 + + + + + + + + + + + text/plain + + + + + ClearBrowsingDataOnExit + + + + + Specifies whether to always clear browsing history on exiting Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + phone + + + + ConfigureAdditionalSearchEngines + + + + + Allows you to add up to 5 additional search engines for MDM-enrolled devices. + +If this setting is turned on, you can add up to 5 additional search engines for your employee. 
For each additional search engine you wish to add, you must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. This policy does not affect the default search engine. Employees will not be able to remove these search engines, but they can set any one of these as the default. + +If this setting is not configured, the search engines are the ones specified in the App settings. If this setting is disabled, the search engines you had added will be deleted from your employee's machine. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + + text/plain + + + + + DisableLockdownOfStartPages + + + + + Boolean policy that specifies whether the lockdown on the Start pages is disabled. This policy works with the Browser/HomePages policy, which locks down the Start pages that the users cannot modify. You can use the DisableLockdownOfStartPages policy to allow users to modify the Start pages when Browser/HomePages policy is in effect. + +Note: This policy has no effect when Browser/HomePages is not configured. + +Important +This setting can only be used with domain-joined or MDM-enrolled devices. For more info, see the Microsoft browser extension policy (aka.ms/browserpolicy). + 0 + + + + + + + + + + + text/plain + + phone + + + + EnterpriseModeSiteList + + + + + This setting lets you configure whether your company uses Enterprise Mode and the Enterprise Mode Site List to address common compatibility problems with legacy websites. + + + + + + + + + + + + text/plain + + phone + + + + EnterpriseSiteListServiceUrl + + + + + + + + + + + + + + + + + text/plain + + phone + + + + FirstRunURL + + + + + Configure first run URL. + + + + + + + + + + + + text/plain + + desktop + + + + HomePages + + + + + Configure the Start page URLs for your employees. 
+Example: +If you wanted to allow contoso.com and fabrikam.com then you would append /support to the site strings like contoso.com/support and fabrikam.com/support. +Encapsulate each string with greater than and less than characters like any other XML tag. + +Version 1703 or later:  If you don't want to send traffic to Microsoft, you can use the about:blank value (encapsulate with greater than and less than characters like any other XML tag), which is honored for both domain- and non-domain-joined machines, when it's the only configured URL. + + + + + + + + + + + + text/plain + + phone + + + + PreventAccessToAboutFlagsInMicrosoftEdge + + + + + Prevent access to the about:flags page in Microsoft Edge. + 0 + + + + + + + + + + + text/plain + + + + + PreventFirstRunPage + + + + + Specifies whether the First Run webpage is prevented from automatically opening on the first launch of Microsoft Edge. This policy is only available for Windows 10 version 1703 or later for desktop. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + 0 + + + + + + + + + + + text/plain + + phone + + + + PreventLiveTileDataCollection + + + + + This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + 0 + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverride + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides + + + + + + + + + + + text/plain + + + + + PreventSmartScreenPromptOverrideForFiles + + + + + + + + Don't allow Windows Defender SmartScreen warning overrides for unverified files. 
+ + + + + + + + + + + text/plain + + + + + PreventUsingLocalHostIPAddressForWebRTC + + + + + Prevent using localhost IP address for WebRTC + 0 + + + + + + + + + + + text/plain + + + + + SendIntranetTraffictoInternetExplorer + + + + + Sends all intranet traffic over to Internet Explorer. + 0 + + + + + + + + + + + text/plain + + phone + + + + SetDefaultSearchEngine + + + + + Sets the default search engine for MDM-enrolled devices. Users can still change their default search engine. + +If this setting is turned on, you are setting the default search engine that you would like your employees to use. Employees can still change the default search engine, unless you apply the AllowSearchEngineCustomization policy which will disable the ability to change it. You must specify a link to the OpenSearch XML file that contains, at minimum, the short name and the URL to the search engine. If you would like for your employees to use the Edge factory settings for the default search engine for their market, set the string EDGEDEFAULT; if you would like for your employees to use Bing as the default search engine, set the string EDGEBING. + +If this setting is not configured, the default search engine is set to the one specified in App settings and can be changed by your employees. If this setting is disabled, the policy-set search engine will be removed, and, if it is the current default, the default will be set back to the factory Microsoft Edge search engine for the market. + +Due to Protected Settings (aka.ms/browserpolicy), this policy will only apply on domain-joined machines or when the device is MDM-enrolled. + + + + + + + + + + + + text/plain + + + + + ShowMessageWhenOpeningSitesInInternetExplorer + + + + + Show message when opening sites in Internet Explorer + 0 + + + + + + + + + + + text/plain + + phone + + + + SyncFavoritesBetweenIEAndMicrosoftEdge + + + + + Specifies whether favorites are kept in sync between Internet Explorer and Microsoft Edge. 
Changes to favorites in one browser are reflected in the other, including: additions, deletions, modifications, and ordering. + 0 + + + + + + + + + + + text/plain + + phone + + + + + Camera + + + + + + + + + + + + + + + + + + + AllowCamera + + + + + + 1 + + + + + + + + + + + text/plain + + + + + + Connectivity + + + + + + + + + + + + + + + + + + + AllowBluetooth + + + + + + 2 + + + + + + + + + + + text/plain + + + + + AllowCellularData + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowCellularDataRoaming + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowConnectedDevices + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowNFC + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowUSBConnection + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowVPNOverCellular + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowVPNRoamingOverCellular + + + + + + 1 + + + + + + + + + + + text/plain + + + + + DisallowNetworkConnectivityActiveTests + + + + + + 0 + + + + + + + + + + + text/plain + + + + + HardenedUNCPaths + + + + + + + + + + + + + + + + + text/plain + + phone + networkprovider.admx + NetworkProvider~AT~Network~Cat_NetworkProvider + Pol_HardenedPaths + + + + + CredentialProviders + + + + + + + + + + + + + + + + + + + AllowPINLogon + + + + + + + + + + + + + + + + + text/plain + + phone + credentialproviders.admx + CredentialProviders~AT~System~Logon + AllowDomainPINLogon + + + + BlockPicturePassword + + + + + + + + + + + + + + + + + text/plain + + phone + credentialproviders.admx + CredentialProviders~AT~System~Logon + BlockDomainPicturePassword + + + + + CredentialsUI + + + + + + + + + + + + + + + + + + + DisablePasswordReveal + + + + + + + + + + + + + + + + + text/plain + + phone + credui.admx + CredUI~AT~WindowsComponents~CredUI + DisablePasswordReveal + + + + EnumerateAdministrators + + + + + + + + + + + + + + + + + text/plain + + phone + credui.admx + CredUI~AT~WindowsComponents~CredUI + 
EnumerateAdministrators + + + + + Cryptography + + + + + + + + + + + + + + + + + + + AllowFipsAlgorithmPolicy + + + + + + 0 + + + + + + + + + + + text/plain + + + + + TLSCipherSuites + + + + + + + + + + + + + + + + + text/plain + + + + + + DataProtection + + + + + + + + + + + + + + + + + + + AllowDirectMemoryAccess + + + + + + 1 + + + + + + + + + + + text/plain + + + + + LegacySelectiveWipeID + + + + + + + + + + + + + + + + + text/plain + + + + + + DataUsage + + + + + + + + + + + + + + + + + + + SetCost3G + + + + + + + + + + + + + + + + + text/plain + + wwansvc.admx + wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category + SetCost3G + + + + SetCost4G + + + + + + + + + + + + + + + + + text/plain + + wwansvc.admx + wwansvc~AT~Network~WwanSvc_Category~NetworkCost_Category + SetCost4G + + + + + Defender + + + + + + + + + + + + + + + + + + + AllowArchiveScanning + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowBehaviorMonitoring + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowCloudProtection + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowEmailScanning + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + AllowFullScanOnMappedNetworkDrives + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + AllowFullScanRemovableDriveScanning + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowIntrusionPreventionSystem + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowIOAVProtection + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowOnAccessProtection + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowRealtimeMonitoring + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowScanningNetworkFiles + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + AllowScriptScanning + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowUserUIAccess + + + + + + 1 + + + + + + + + + + + text/plain + 
+ phone + + + + AvgCPULoadFactor + + + + + + 50 + + + + + + + + + + + text/plain + + phone + + + + DaysToRetainCleanedMalware + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + ExcludedExtensions + + + + + + + + + + + + + + + + + text/plain + + phone + + + + ExcludedPaths + + + + + + + + + + + + + + + + + text/plain + + phone + + + + ExcludedProcesses + + + + + + + + + + + + + + + + + text/plain + + phone + + + + PUAProtection + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + RealTimeScanDirection + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + ScanParameter + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + ScheduleQuickScanTime + + + + + + 120 + + + + + + + + + + + text/plain + + phone + + + + ScheduleScanDay + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + ScheduleScanTime + + + + + + 120 + + + + + + + + + + + text/plain + + phone + + + + SignatureUpdateInterval + + + + + + 8 + + + + + + + + + + + text/plain + + phone + + + + SubmitSamplesConsent + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + ThreatSeverityDefaultAction + + + + + + + + + + + + + + + + + text/plain + + phone + + + + + DeliveryOptimization + + + + + + + + + + + + + + + + + + + DOAbsoluteMaxCacheSize + + + + + + 10 + + + + + + + + + + + text/plain + + phone + + + + DOAllowVPNPeerCaching + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DODownloadMode + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + DOGroupId + + + + + + + + + + + + + + + + + text/plain + + phone + + + + DOMaxCacheAge + + + + + + 259200 + + + + + + + + + + + text/plain + + phone + + + + DOMaxCacheSize + + + + + + 20 + + + + + + + + + + + text/plain + + phone + + + + DOMaxDownloadBandwidth + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DOMaxUploadBandwidth + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DOMinBackgroundQos + + + + + + 500 + + + + + + + + + + + text/plain + + 
phone + + + + DOMinBatteryPercentageAllowedToUpload + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + DOMinDiskSizeAllowedToPeer + + + + + + 32 + + + + + + + + + + + text/plain + + phone + + + + DOMinFileSizeToCache + + + + + + 100 + + + + + + + + + + + text/plain + + phone + + + + DOMinRAMAllowedToPeer + + + + + + 4 + + + + + + + + + + + text/plain + + phone + + + + DOModifyCacheDrive + + + + + + %SystemDrive% + + + + + + + + + + + text/plain + + phone + + + + DOMonthlyUploadDataCap + + + + + + 20 + + + + + + + + + + + text/plain + + phone + + + + DOPercentageMaxDownloadBandwidth + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + + DeviceInstallation + + + + + + + + + + + + + + + + + + + PreventInstallationOfMatchingDeviceIDs + + + + + + + + + + + + + + + + + text/plain + + phone + deviceinstallation.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceInstall_IDs_Deny + + + + PreventInstallationOfMatchingDeviceSetupClasses + + + + + + + + + + + + + + + + + text/plain + + phone + deviceinstallation.admx + DeviceInstallation~AT~System~DeviceInstall_Category~DeviceInstall_Restrictions_Category + DeviceInstall_Classes_Deny + + + + + DeviceLock + + + + + + + + + + + + + + + + + + + AllowIdleReturnWithoutPassword + + + + + Specifies whether the user must input a PIN or password when the device resumes from an idle state. + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowScreenTimeoutWhileLockedUserConfig + + + + + Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + 0 + + + + + + + + + + + text/plain + + + + + AllowSimpleDevicePassword + + + + + Specifies whether PINs or passwords such as 1111 or 1234 are allowed. For the desktop, it also controls the use of picture passwords. 
+ 1 + + + + + + + + + + + text/plain + + + + + AlphanumericDevicePasswordRequired + + + + + Determines the type of PIN or password required. This policy only applies if the DeviceLock/DevicePasswordEnabled policy is set to 0 + 2 + + + + + + + + + + + text/plain + + + + + DevicePasswordEnabled + + + + + Specifies whether device lock is enabled. + 1 + + + + + + + + + + + text/plain + + + + + DevicePasswordExpiration + + + + + Specifies when the password expires (in days). + 0 + + + + + + + + + + + text/plain + + + + + DevicePasswordHistory + + + + + Specifies how many passwords can be stored in the history that can’t be used. + 0 + + + + + + + + + + + text/plain + + + + + EnforceLockScreenAndLogonImage + + + + + + + + + + + + + + + + + text/plain + + phone + + + + EnforceLockScreenProvider + + + + + + + + + + + + + + + + + text/plain + + + + + MaxDevicePasswordFailedAttempts + + + + + + 0 + + + + + + + + + + + text/plain + + + + + MaxInactivityTimeDeviceLock + + + + + The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. + 0 + + + + + + + + + + + text/plain + + + + + MaxInactivityTimeDeviceLockWithExternalDisplay + + + + + Sets the maximum timeout value for the external display. + 0 + + + + + + + + + + + text/plain + + desktop + + + + MinDevicePasswordComplexCharacters + + + + + The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. + 1 + + + + + + + + + + + text/plain + + + + + MinDevicePasswordLength + + + + + Specifies the minimum number or characters required in the PIN or password. 
+ 4 + + + + + + + + + + + text/plain + + + + + PreventLockScreenSlideShow + + + + + + + + + + + + + + + + + text/plain + + phone + ControlPanelDisplay.admx + ControlPanelDisplay~AT~ControlPanel~Personalization + CPL_Personalization_NoLockScreenSlideshow + + + + ScreenTimeoutWhileLocked + + + + + Specifies whether to show a user-configurable setting to control the screen timeout while on the lock screen of Windows 10 Mobile devices. + 10 + + + + + + + + + + + text/plain + + + + + + Display + + + + + + + + + + + + + + + + + + + TurnOffGdiDPIScalingForApps + + + + + This policy allows to force turn off GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. + + + + + + + + + + + + text/plain + + phone + + + + TurnOnGdiDPIScalingForApps + + + + + This policy allows to turn on GDI DPI Scaling for a semicolon separated list of applications. Applications can be specified either by using full path or just filename and extension. 
+ + + + + + + + + + + + text/plain + + phone + + + + + ErrorReporting + + + + + + + + + + + + + + + + + + + CustomizeConsentSettings + + + + + + + + + + + + + + + + + text/plain + + phone + ErrorReporting.admx + ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting + WerConsentCustomize_2 + + + + DisableWindowsErrorReporting + + + + + + + + + + + + + + + + + text/plain + + phone + ErrorReporting.admx + ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting + WerDisable_2 + + + + DisplayErrorNotification + + + + + + + + + + + + + + + + + text/plain + + phone + ErrorReporting.admx + ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting + PCH_ShowUI + + + + DoNotSendAdditionalData + + + + + + + + + + + + + + + + + text/plain + + phone + ErrorReporting.admx + ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting + WerNoSecondLevelData_2 + + + + PreventCriticalErrorDisplay + + + + + + + + + + + + + + + + + text/plain + + phone + ErrorReporting.admx + ErrorReporting~AT~WindowsComponents~CAT_WindowsErrorReporting + WerDoNotShowUI + + + + + EventLogService + + + + + + + + + + + + + + + + + + + ControlEventLogBehavior + + + + + + + + + + + + + + + + + text/plain + + phone + eventlog.admx + EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application + Channel_Log_Retention_1 + + + + SpecifyMaximumFileSizeApplicationLog + + + + + + + + + + + + + + + + + text/plain + + phone + eventlog.admx + EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Application + Channel_LogMaxSize_1 + + + + SpecifyMaximumFileSizeSecurityLog + + + + + + + + + + + + + + + + + text/plain + + phone + eventlog.admx + EventLog~AT~WindowsComponents~EventLogCategory~EventLog_Security + Channel_LogMaxSize_2 + + + + SpecifyMaximumFileSizeSystemLog + + + + + + + + + + + + + + + + + text/plain + + phone + eventlog.admx + EventLog~AT~WindowsComponents~EventLogCategory~EventLog_System + Channel_LogMaxSize_4 + + + + + Experience + + + + + + + + + + + + + + + + + + + 
AllowCopyPaste + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowCortana + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowDeviceDiscovery + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowFindMyDevice + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowManualMDMUnenrollment + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowSaveAsOfOfficeFiles + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowScreenCapture + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowSharingOfOfficeFiles + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowSIMErrorDialogPromptWhenNoSIM + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowSyncMySettings + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowTaskSwitcher + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowVoiceRecording + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowWindowsTips + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + DoNotShowFeedbackNotifications + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + Games + + + + + + + + + + + + + + + + + + + AllowAdvancedGamingServices + + + + + Specifies whether advanced gaming services can be used. These services may send data to Microsoft or publishers of games that use these services. 
+ 1 + + + + + + + + + + + text/plain + + + + + + InternetExplorer + + + + + + + + + + + + + + + + + + + AddSearchProvider + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + AddSearchProvider + + + + AllowActiveXFiltering + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + TurnOnActiveXFiltering + + + + AllowAddOnList + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + AddonManagement_AddOnList + + + + AllowEnhancedProtectedMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_EnableEnhancedProtectedMode + + + + AllowEnterpriseModeFromToolsMenu + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + EnterpriseModeEnable + + + + AllowEnterpriseModeSiteList + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + EnterpriseModeSiteList + + + + AllowInternetExplorer7PolicyList + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView + CompatView_UsePolicyList + + + + AllowInternetExplorerStandardsMode + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~CategoryCompatView + CompatView_IntranetSites + + + + AllowInternetZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyInternetZoneTemplate + + + + AllowIntranetZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyIntranetZoneTemplate + + + + AllowLocalMachineZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyLocalMachineZoneTemplate + + + + AllowLockedDownInternetZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyInternetZoneLockdownTemplate + + + + AllowLockedDownIntranetZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyIntranetZoneLockdownTemplate + + + + AllowLockedDownLocalMachineZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyLocalMachineZoneLockdownTemplate + + + + AllowLockedDownRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyRestrictedSitesZoneLockdownTemplate + + + + AllowOneWordEntry + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetSettings~Advanced~Browsing + UseIntranetSiteForOneWordEntry + + + + AllowSiteToZoneAssignmentList + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_Zonemaps + + + + AllowsLockedDownTrustedSitesZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyTrustedSitesZoneLockdownTemplate + + + + AllowsRestrictedSitesZoneTemplate + + + + + + + + + + + + + + + + + 
text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyRestrictedSitesZoneTemplate + + + + AllowSuggestedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + EnableSuggestedSites + + + + AllowTrustedSitesZoneTemplate + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_PolicyTrustedSitesZoneTemplate + + + + DisableAdobeFlash + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + DisableFlashInIE + + + + DisableBypassOfSmartScreenWarnings + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + + + + DisableBypassOfSmartScreenWarningsAboutUncommonFiles + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + + + + DisableCustomerExperienceImprovementProgramParticipation + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SQM_DisableCEIP + + + + DisableEnclosureDownloading + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~RSS_Feeds + Disable_Downloading_of_Enclosures + + + + DisableEncryptionSupport + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_SetWinInetProtocols + + + + DisableFirstRunWizard + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoFirstRunCustomise + + + + DisableFlipAheadFeature + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~AdvancedPage + Advanced_DisableFlipAhead + + + + DisableProxyChange + + + + + + + + + + + + 
+ + + + + text/plain + + phone + inetres.admx + + + + DisableSearchProviderChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoSearchProvider + + + + DisableSecondaryHomePageChange + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SecondaryHomePages + + + + DisableUpdateCheck + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + NoUpdateCheck + + + + DoNotAllowUsersToAddSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + Security_zones_map_edit + + + + DoNotAllowUsersToChangePolicies + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + Security_options_edit + + + + DoNotBlockOutdatedActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + VerMgmtDisable + + + + DoNotBlockOutdatedActiveXControlsOnSpecificDomains + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~SecurityFeatures~IESF_AddOnManagement + VerMgmtDomainAllowlist + + + + IncludeAllLocalSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_IncludeUnspecifiedLocalSites + + + + IncludeAllNetworkPaths + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage + IZ_UNCAsIntranet + + + + InternetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + 
IZ_PolicyAccessDataSourcesAcrossDomains_1 + + + + InternetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyNotificationBarActiveXURLaction_1 + + + + InternetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyNotificationBarDownloadURLaction_1 + + + + InternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyFontDownload_1 + + + + InternetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyZoneElevationURLaction_1 + + + + InternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_1 + + + + InternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_AllowScriptlets_1 + + + + InternetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_Policy_Phishing_1 + + + + InternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + 
IZ_PolicyUserdataPersistence_1 + + + + InternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyScriptActiveXNotMarkedSafe_1 + + + + InternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZone + IZ_PolicyNavigateSubframesAcrossDomains_1 + + + + IntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyAccessDataSourcesAcrossDomains_3 + + + + IntranetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyNotificationBarActiveXURLaction_3 + + + + IntranetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyNotificationBarDownloadURLaction_3 + + + + IntranetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyFontDownload_3 + + + + IntranetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyZoneElevationURLaction_3 + + + + IntranetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_3 + + + + IntranetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_Policy_AllowScriptlets_3 + + + + IntranetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_Policy_Phishing_3 + + + + IntranetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyUserdataPersistence_3 + + + + IntranetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyScriptActiveXNotMarkedSafe_3 + + + + IntranetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZone + IZ_PolicyNavigateSubframesAcrossDomains_3 + + + + LocalMachineZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyAccessDataSourcesAcrossDomains_9 + + + + LocalMachineZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyNotificationBarActiveXURLaction_9 + + + + LocalMachineZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + 
inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyNotificationBarDownloadURLaction_9 + + + + LocalMachineZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyFontDownload_9 + + + + LocalMachineZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyZoneElevationURLaction_9 + + + + LocalMachineZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_9 + + + + LocalMachineZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_Policy_AllowScriptlets_9 + + + + LocalMachineZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_Policy_Phishing_9 + + + + LocalMachineZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyUserdataPersistence_9 + + + + LocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyScriptActiveXNotMarkedSafe_9 + + + + LocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + 
phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZone + IZ_PolicyNavigateSubframesAcrossDomains_9 + + + + LockedDownInternetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_2 + + + + LockedDownInternetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_2 + + + + LockedDownInternetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyNotificationBarDownloadURLaction_2 + + + + LockedDownInternetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyFontDownload_2 + + + + LockedDownInternetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyZoneElevationURLaction_2 + + + + LockedDownInternetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_2 + + + + LockedDownInternetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_Policy_AllowScriptlets_2 + + + + LockedDownInternetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_Policy_Phishing_2 + + + + LockedDownInternetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyUserdataPersistence_2 + + + + LockedDownInternetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_2 + + + + LockedDownInternetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_InternetZoneLockdown + IZ_PolicyNavigateSubframesAcrossDomains_2 + + + + LockedDownIntranetZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_4 + + + + LockedDownIntranetZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_4 + + + + LockedDownIntranetZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + 
IZ_PolicyNotificationBarDownloadURLaction_4 + + + + LockedDownIntranetZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyFontDownload_4 + + + + LockedDownIntranetZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyZoneElevationURLaction_4 + + + + LockedDownIntranetZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_4 + + + + LockedDownIntranetZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_Policy_AllowScriptlets_4 + + + + LockedDownIntranetZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_Policy_Phishing_4 + + + + LockedDownIntranetZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyUserdataPersistence_4 + + + + LockedDownIntranetZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_4 + + + + LockedDownIntranetZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_IntranetZoneLockdown + IZ_PolicyNavigateSubframesAcrossDomains_4 + + + + LockedDownLocalMachineZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_10 + + + + LockedDownLocalMachineZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_10 + + + + LockedDownLocalMachineZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyNotificationBarDownloadURLaction_10 + + + + LockedDownLocalMachineZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyFontDownload_10 + + + + LockedDownLocalMachineZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyZoneElevationURLaction_10 + + + + LockedDownLocalMachineZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_10 + + + + LockedDownLocalMachineZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_Policy_AllowScriptlets_10 + + + + LockedDownLocalMachineZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_Policy_Phishing_10 + + + + LockedDownLocalMachineZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyUserdataPersistence_10 + + + + LockedDownLocalMachineZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_10 + + + + LockedDownLocalMachineZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_LocalMachineZoneLockdown + IZ_PolicyNavigateSubframesAcrossDomains_10 + + + + LockedDownRestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_8 + + + + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_8 + + + + LockedDownRestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyNotificationBarDownloadURLaction_8 + + + + LockedDownRestrictedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyFontDownload_8 + + + + LockedDownRestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyZoneElevationURLaction_8 + + + + LockedDownRestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_8 + + + + LockedDownRestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_Policy_AllowScriptlets_8 + + + + LockedDownRestrictedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_Policy_Phishing_8 + + + + LockedDownRestrictedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyUserdataPersistence_8 + + + + LockedDownRestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_8 + + + + LockedDownRestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZoneLockdown + IZ_PolicyNavigateSubframesAcrossDomains_8 + + + + LockedDownTrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyAccessDataSourcesAcrossDomains_6 + + + + LockedDownTrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyNotificationBarActiveXURLaction_6 + + + + LockedDownTrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyNotificationBarDownloadURLaction_6 + + + + LockedDownTrustedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyFontDownload_6 + + + + LockedDownTrustedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyZoneElevationURLaction_6 + + + + LockedDownTrustedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyUnsignedFrameworkComponentsURLaction_6 + + + + LockedDownTrustedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_Policy_AllowScriptlets_6 + + + + LockedDownTrustedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_Policy_Phishing_6 + + + + LockedDownTrustedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyUserdataPersistence_6 + + + + LockedDownTrustedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyScriptActiveXNotMarkedSafe_6 + + + + LockedDownTrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZoneLockdown + IZ_PolicyNavigateSubframesAcrossDomains_6 + + + + RestrictedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyAccessDataSourcesAcrossDomains_7 + + + + RestrictedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + 
IZ_PolicyNotificationBarActiveXURLaction_7 + + + + RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNotificationBarDownloadURLaction_7 + + + + RestrictedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyFontDownload_7 + + + + RestrictedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyZoneElevationURLaction_7 + + + + RestrictedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_7 + + + + RestrictedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_AllowScriptlets_7 + + + + RestrictedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_Policy_Phishing_7 + + + + RestrictedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyUserdataPersistence_7 + + + + RestrictedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + 
inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_7 + + + + RestrictedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_RestrictedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_7 + + + + SearchProviderList + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer + SpecificSearchProvider + + + + TrustedSitesZoneAllowAccessToDataSources + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyAccessDataSourcesAcrossDomains_5 + + + + TrustedSitesZoneAllowAutomaticPromptingForActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyNotificationBarActiveXURLaction_5 + + + + TrustedSitesZoneAllowAutomaticPromptingForFileDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyNotificationBarDownloadURLaction_5 + + + + TrustedSitesZoneAllowFontDownloads + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyFontDownload_5 + + + + TrustedSitesZoneAllowLessPrivilegedSites + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyZoneElevationURLaction_5 + + + + TrustedSitesZoneAllowNETFrameworkReliantComponents + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx 
+ inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyUnsignedFrameworkComponentsURLaction_5 + + + + TrustedSitesZoneAllowScriptlets + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_Policy_AllowScriptlets_5 + + + + TrustedSitesZoneAllowSmartScreenIE + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_Policy_Phishing_5 + + + + TrustedSitesZoneAllowUserDataPersistence + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyUserdataPersistence_5 + + + + TrustedSitesZoneInitializeAndScriptActiveXControls + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyScriptActiveXNotMarkedSafe_5 + + + + TrustedSitesZoneNavigateWindowsAndFrames + + + + + + + + + + + + + + + + + text/plain + + phone + inetres.admx + inetres~AT~WindowsComponents~InternetExplorer~InternetCPL~IZ_SecurityPage~IZ_TrustedSitesZone + IZ_PolicyNavigateSubframesAcrossDomains_5 + + + + + Kerberos + + + + + + + + + + + + + + + + + + + AllowForestSearchOrder + + + + + + + + + + + + + + + + + text/plain + + phone + Kerberos.admx + Kerberos~AT~System~kerberos + ForestSearch + + + + KerberosClientSupportsClaimsCompoundArmor + + + + + + + + + + + + + + + + + text/plain + + phone + Kerberos.admx + Kerberos~AT~System~kerberos + EnableCbacAndArmor + + + + RequireKerberosArmoring + + + + + + + + + + + + + + + + + text/plain + + phone + Kerberos.admx + Kerberos~AT~System~kerberos + ClientRequireFast + + + + RequireStrictKDCValidation + + + + + + + + + + + + + + + + + text/plain + + phone + 
Kerberos.admx + Kerberos~AT~System~kerberos + ValidateKDC + + + + SetMaximumContextTokenSize + + + + + + + + + + + + + + + + + text/plain + + phone + Kerberos.admx + Kerberos~AT~System~kerberos + MaxTokenSize + + + + + Licensing + + + + + + + + + + + + + + + + + + + AllowWindowsEntitlementReactivation + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + DisallowKMSClientOnlineAVSValidation + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + + Location + + + + + + + + + + + + + + + + + + + EnableLocation + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + LockDown + + + + + + + + + + + + + + + + + + + AllowEdgeSwipe + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + + Maps + + + + + + + + + + + + + + + + + + + AllowOfflineMapsDownloadOverMeteredConnection + + + + + + 65535 + + + + + + + + + + + text/plain + + + + + EnableOfflineMapsAutoUpdate + + + + + + 65535 + + + + + + + + + + + text/plain + + + + + + Messaging + + + + + + + + + + + + + + + + + + + AllowMessageSync + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowMMS + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowRCS + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + + NetworkIsolation + + + + + + + + + + + + + + + + + + + EnterpriseCloudResources + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseInternalProxyServers + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseIPRange + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseIPRangesAreAuthoritative + + + + + + 0 + + + + + + + + + + + text/plain + + + + + EnterpriseNetworkDomainNames + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseProxyServers + + + + + + + + + + + + + + + + + text/plain + + + + + EnterpriseProxyServersAreAuthoritative + + + + + + 0 + + + + + + + + + + + text/plain + + + + + NeutralResources + + + + + + + + + + + + + + + + + text/plain + + + + + + Power + + + + + + + + + + + + + 
+ + + + + + AllowStandbyWhenSleepingPluggedIn + + + + + + + + + + + + + + + + + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerSleepSettingsCat + AllowStandbyStatesAC_2 + + + + RequirePasswordWhenComputerWakesOnBattery + + + + + + + + + + + + + + + + + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerSleepSettingsCat + DCPromptForPasswordOnResume_2 + + + + RequirePasswordWhenComputerWakesPluggedIn + + + + + + + + + + + + + + + + + text/plain + + phone + power.admx + Power~AT~System~PowerManagementCat~PowerSleepSettingsCat + ACPromptForPasswordOnResume_2 + + + + + Printers + + + + + + + + + + + + + + + + + + + PointAndPrintRestrictions + + + + + + + + + + + + + + + + + text/plain + + phone + Printing.admx + Printing~AT~ControlPanel~CplPrinters + PointAndPrint_Restrictions_Win7 + + + + PublishPrinters + + + + + + + + + + + + + + + + + text/plain + + phone + Printing2.admx + Printing2~AT~Printers + PublishPrinters + + + + + Privacy + + + + + + + + + + + + + + + + + + + AllowAutoAcceptPairingAndPrivacyConsentPrompts + + + + + + 0 + + + + + + + + + + + text/plain + + desktop + + + + AllowInputPersonalization + + + + + + 1 + + + + + + + + + + + text/plain + + 10.0.10240 + + + + DisableAdvertisingId + + + + + + 65535 + + + + + + + + + + + text/plain + + + + + LetAppsAccessAccountInfo + + + + + This policy setting specifies whether Windows apps can access account information. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessAccountInfo_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessAccountInfo_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. 
Listed Windows apps are denied access to account information. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessAccountInfo_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the account information privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessAccountInfo policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCalendar + + + + + This policy setting specifies whether Windows apps can access the calendar. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessCalendar_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCalendar_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to the calendar. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCalendar_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the calendar privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCalendar policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCallHistory + + + + + This policy setting specifies whether Windows apps can access call history. 
+ 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessCallHistory_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCallHistory_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are denied access to call history. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCallHistory_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the call history privacy setting for the listed Windows apps. This setting overrides the default LetAppsAccessCallHistory policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCamera + + + + + This policy setting specifies whether Windows apps can access the camera. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessCamera_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCamera_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the camera. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessCamera_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. 
The user is able to control the camera privacy setting for the listed apps. This setting overrides the default LetAppsAccessCamera policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessContacts + + + + + This policy setting specifies whether Windows apps can access contacts. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessContacts_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessContacts_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to contacts. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessContacts_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the contacts privacy setting for the listed apps. This setting overrides the default LetAppsAccessContacts policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessEmail + + + + + This policy setting specifies whether Windows apps can access email. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessEmail_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to email. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessEmail_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to email. 
This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessEmail_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the email privacy setting for the listed apps. This setting overrides the default LetAppsAccessEmail policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessLocation + + + + + This policy setting specifies whether Windows apps can access location. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessLocation_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessLocation_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to location. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessLocation_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the location privacy setting for the listed apps. This setting overrides the default LetAppsAccessLocation policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessMessaging + + + + + This policy setting specifies whether Windows apps can read or send messages (text or MMS). + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessMessaging_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to read or send messages (text or MMS). 
This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessMessaging_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to read or send messages (text or MMS). This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessMessaging_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the messaging privacy setting for the listed apps. This setting overrides the default LetAppsAccessMessaging policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessMicrophone + + + + + This policy setting specifies whether Windows apps can access the microphone. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessMicrophone_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessMicrophone_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to the microphone. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessMicrophone_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the microphone privacy setting for the listed apps. This setting overrides the default LetAppsAccessMicrophone policy setting for the specified apps. 
+ + + + + + + + + + + + text/plain + + + + + LetAppsAccessMotion + + + + + This policy setting specifies whether Windows apps can access motion data. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessMotion_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessMotion_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to motion data. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessMotion_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the motion privacy setting for the listed apps. This setting overrides the default LetAppsAccessMotion policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessNotifications + + + + + This policy setting specifies whether Windows apps can access notifications. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessNotifications_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessNotifications_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to notifications. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. 
+ + + + + + + + + + + + text/plain + + + + + LetAppsAccessNotifications_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the notifications privacy setting for the listed apps. This setting overrides the default LetAppsAccessNotifications policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessPhone + + + + + This policy setting specifies whether Windows apps can make phone calls + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessPhone_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessPhone_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are not allowed to make phone calls. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessPhone_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the phone call privacy setting for the listed apps. This setting overrides the default LetAppsAccessPhone policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessRadios + + + + + This policy setting specifies whether Windows apps have access to control radios. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessRadios_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. 
+ + + + + + + + + + + + text/plain + + + + + LetAppsAccessRadios_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to control radios. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessRadios_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the radios privacy setting for the listed apps. This setting overrides the default LetAppsAccessRadios policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessTasks + + + + + This policy setting specifies whether Windows apps can access tasks. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessTasks_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are allowed access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessTasks_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps are denied access to tasks. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessTasks_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the tasks privacy setting for the listed apps. This setting overrides the default LetAppsAccessTasks policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessTrustedDevices + + + + + This policy setting specifies whether Windows apps can access trusted devices. 
+ 0 + + + + + + + + + + + text/plain + + + + + LetAppsAccessTrustedDevices_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessTrustedDevices_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to trusted devices. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsAccessTrustedDevices_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'trusted devices' privacy setting for the listed apps. This setting overrides the default LetAppsAccessTrustedDevices policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsGetDiagnosticInfo + + + + + This policy setting specifies whether Windows apps can get diagnostic information about other apps, including user names. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsGetDiagnosticInfo_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsGetDiagnosticInfo_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to get diagnostic information about other apps, including user names. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. 
+ + + + + + + + + + + + text/plain + + + + + LetAppsGetDiagnosticInfo_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the app diagnostics privacy setting for the listed Windows apps. This setting overrides the default LetAppsGetDiagnosticInfo policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsRunInBackground + + + + + This policy setting specifies whether Windows apps can run in the background. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsRunInBackground_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsRunInBackground_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. Listed Windows apps are not allowed to run in the background. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsRunInBackground_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows apps. The user is able to control the background apps privacy setting for the listed Windows apps. This setting overrides the default LetAppsRunInBackground policy setting for the specified Windows apps. + + + + + + + + + + + + text/plain + + + + + LetAppsSyncWithDevices + + + + + This policy setting specifies whether Windows apps can sync with devices. + 0 + + + + + + + + + + + text/plain + + + + + LetAppsSyncWithDevices_ForceAllowTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will have access to sync with devices. 
This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsSyncWithDevices_ForceDenyTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. Listed apps will not have access to sync with devices. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + LetAppsSyncWithDevices_UserInControlOfTheseApps + + + + + List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the 'sync with devices' privacy setting for the listed apps. This setting overrides the default LetAppsSyncWithDevices policy setting for the specified apps. + + + + + + + + + + + + text/plain + + + + + + RemoteAssistance + + + + + + + + + + + + + + + + + + + CustomizeWarningMessages + + + + + + + + + + + + + + + + + text/plain + + phone + remoteassistance.admx + RemoteAssistance~AT~System~RemoteAssist + RA_Options + + + + SessionLogging + + + + + + + + + + + + + + + + + text/plain + + phone + remoteassistance.admx + RemoteAssistance~AT~System~RemoteAssist + RA_Logging + + + + SolicitedRemoteAssistance + + + + + + + + + + + + + + + + + text/plain + + phone + remoteassistance.admx + RemoteAssistance~AT~System~RemoteAssist + RA_Solicit + + + + UnsolicitedRemoteAssistance + + + + + + + + + + + + + + + + + text/plain + + phone + remoteassistance.admx + RemoteAssistance~AT~System~RemoteAssist + RA_Unsolicit + + + + + RemoteDesktopServices + + + + + + + + + + + + + + + + + + + AllowUsersToConnectRemotely + + + + + + + + + + + + + + + + + text/plain + + phone + terminalserver.admx + TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_CONNECTIONS + TS_DISABLE_CONNECTIONS + + + + ClientConnectionEncryptionLevel + + + + + + + + + + + + + + + + + text/plain + + phone + terminalserver.admx + 
TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY + TS_ENCRYPTION_POLICY + + + + DoNotAllowDriveRedirection + + + + + + + + + + + + + + + + + text/plain + + phone + terminalserver.admx + TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_REDIRECTION + TS_CLIENT_DRIVE_M + + + + DoNotAllowPasswordSaving + + + + + + + + + + + + + + + + + text/plain + + phone + terminalserver.admx + TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_CLIENT + TS_CLIENT_DISABLE_PASSWORD_SAVING_2 + + + + PromptForPasswordUponConnection + + + + + + + + + + + + + + + + + text/plain + + phone + terminalserver.admx + TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY + TS_PASSWORD + + + + RequireSecureRPCCommunication + + + + + + + + + + + + + + + + + text/plain + + phone + terminalserver.admx + TerminalServer~AT~WindowsComponents~TS_GP_NODE~TS_TERMINAL_SERVER~TS_SECURITY + TS_RPC_ENCRYPTION + + + + + RemoteProcedureCall + + + + + + + + + + + + + + + + + + + RestrictUnauthenticatedRPCClients + + + + + + + + + + + + + + + + + text/plain + + phone + rpc.admx + RPC~AT~System~Rpc + RpcRestrictRemoteClients + + + + RPCEndpointMapperClientAuthentication + + + + + + + + + + + + + + + + + text/plain + + phone + rpc.admx + RPC~AT~System~Rpc + RpcEnableAuthEpResolution + + + + + Search + + + + + + + + + + + + + + + + + + + AllowIndexingEncryptedStoresOrItems + + + + + + 0 + + + + + + + + + + + text/plain + + + + + AllowSearchToUseLocation + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowStoringImagesFromVisionSearch + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowUsingDiacritics + + + + + + 0 + + + + + + + + + + + text/plain + + + + + AllowWindowsIndexer + + + + + + 3 + + + + + + + + + + + text/plain + + + + + AlwaysUseAutoLangDetection + + + + + + 0 + + + + + + + + + + + text/plain + + + + + DisableBackoff + + + + + + 0 + + + + + + + + + + + text/plain + + + + + DisableRemovableDriveIndexing + + + + + + 
0 + + + + + + + + + + + text/plain + + + + + PreventIndexingLowDiskSpaceMB + + + + + + 1 + + + + + + + + + + + text/plain + + + + + PreventRemoteQueries + + + + + + 1 + + + + + + + + + + + text/plain + + + + + SafeSearchPermissions + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + + Security + + + + + + + + + + + + + + + + + + + AllowAddProvisioningPackage + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowManualRootCertificateInstallation + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + AllowRemoveProvisioningPackage + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AntiTheftMode + + + + + + 1 + + + + + + + + + + + text/plain + + desktop + + + + PreventAutomaticDeviceEncryptionForAzureADJoinedDevices + + + + + + 0 + + + + + + + + + + + text/plain + + + + + RequireDeviceEncryption + + + + + + 0 + + + + + + + + + + + text/plain + + + + + RequireProvisioningPackageSignature + + + + + + 0 + + + + + + + + + + + text/plain + + + + + RequireRetrieveHealthCertificateOnBoot + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + Settings + + + + + + + + + + + + + + + + + + + AllowAutoPlay + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowDataSense + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowDateTime + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowEditDeviceName + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowLanguage + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowPowerSleep + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowRegion + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowSignInOptions + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowVPN + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowWorkplace + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowYourAccount + + + + + + 1 + + + + + + + + + + + text/plain + + + + + PageVisibilityList 
+ + + + + + + + + + + + + + + + + text/plain + + + + + + SmartScreen + + + + + + + + + + + + + + + + + + + EnableAppInstallControl + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + EnableSmartScreenInShell + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + PreventOverrideForFilesInShell + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + + Speech + + + + + + + + + + + + + + + + + + + AllowSpeechModelUpdate + + + + + + 1 + + + + + + + + + + + text/plain + + + + + + Start + + + + + + + + + + + + + + + + + + + AllowPinnedFolderDocuments + + + + + This policy controls the visibility of the Documents shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + 65535 + + + + + + + + + + + text/plain + + phone + + + + AllowPinnedFolderDownloads + + + + + This policy controls the visibility of the Downloads shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + 65535 + + + + + + + + + + + text/plain + + phone + + + + AllowPinnedFolderFileExplorer + + + + + This policy controls the visibility of the File Explorer shortcut on the Start menu. 
The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + 65535 + + + + + + + + + + + text/plain + + phone + + + + AllowPinnedFolderHomeGroup + + + + + This policy controls the visibility of the HomeGroup shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + 65535 + + + + + + + + + + + text/plain + + phone + + + + AllowPinnedFolderMusic + + + + + This policy controls the visibility of the Music shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + 65535 + + + + + + + + + + + text/plain + + phone + + + + AllowPinnedFolderNetwork + + + + + This policy controls the visibility of the Network shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. 
+ 65535 + + + + + + + + + + + text/plain + + phone + + + + AllowPinnedFolderPersonalFolder + + + + + This policy controls the visibility of the PersonalFolder shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + 65535 + + + + + + + + + + + text/plain + + phone + + + + AllowPinnedFolderPictures + + + + + This policy controls the visibility of the Pictures shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + 65535 + + + + + + + + + + + text/plain + + phone + + + + AllowPinnedFolderSettings + + + + + This policy controls the visibility of the Settings shortcut on the Start menu. The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + 65535 + + + + + + + + + + + text/plain + + phone + + + + AllowPinnedFolderVideos + + + + + This policy controls the visibility of the Videos shortcut on the Start menu. 
The possible values are 0 - means that the shortcut should be hidden and grays out the corresponding toggle in the Settings app, 1 - means that the shortcut should be visible and grays out the corresponding toggle in the Settings app, 65535 - means that there is no enforced configuration and the setting can be changed by the user. + 65535 + + + + + + + + + + + text/plain + + phone + + + + ForceStartSize + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + HideAppList + + + + + Setting the value of this policy to 1 or 2 collapses the app list. Setting the value of this policy to 3 removes the app list entirely. Setting the value of this policy to 2 or 3 disables the corresponding toggle in the Settings app. + 0 + + + + + + + + + + + text/plain + + phone + + + + HideChangeAccountSettings + + + + + Enabling this policy hides "Change account settings" from appearing in the user tile in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + HideFrequentlyUsedApps + + + + + Enabling this policy hides the most used apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + 0 + + + + + + + + + + + text/plain + + phone + + + + HideHibernate + + + + + Enabling this policy hides "Hibernate" from appearing in the power button in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + HideLock + + + + + Enabling this policy hides "Lock" from appearing in the user tile in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + HidePowerButton + + + + + Enabling this policy hides the power button from appearing in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + HideRecentJumplists + + + + + Enabling this policy hides recent jumplists from appearing on the start menu/taskbar and disables the corresponding toggle in the Settings app. 
+ 0 + + + + + + + + + + + text/plain + + phone + + + + HideRecentlyAddedApps + + + + + Enabling this policy hides recently added apps from appearing on the start menu and disables the corresponding toggle in the Settings app. + 0 + + + + + + + + + + + text/plain + + phone + + + + HideRestart + + + + + Enabling this policy hides "Restart/Update and restart" from appearing in the power button in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + HideShutDown + + + + + Enabling this policy hides "Shut down/Update and shut down" from appearing in the power button in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + HideSignOut + + + + + Enabling this policy hides "Sign out" from appearing in the user tile in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + HideSleep + + + + + Enabling this policy hides "Sleep" from appearing in the power button in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + HideSwitchAccount + + + + + Enabling this policy hides "Switch account" from appearing in the user tile in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + HideUserTile + + + + + Enabling this policy hides the user tile from appearing in the start menu. + 0 + + + + + + + + + + + text/plain + + + + + ImportEdgeAssets + + + + + This policy setting allows you to import Edge assets to be used with StartLayout policy. Start layout can contain secondary tile from Edge app which looks for Edge local asset file. Edge local asset would not exist and cause Edge secondary tile to appear empty in this case. This policy only gets applied when StartLayout policy is modified. + + + + + + + + + + + + text/plain + + phone + + + + NoPinningToTaskbar + + + + + This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. 
However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. + 0 + + + + + + + + + + + text/plain + + phone + + + + StartLayout + + + + + + + + + + + + + + + + + text/plain + + phone + + + + + Storage + + + + + + + + + + + + + + + + + + + EnhancedStorageDevices + + + + + + + + + + + + + + + + + text/plain + + phone + enhancedstorage.admx + EnhancedStorage~AT~System~EnStorDeviceAccess + TCGSecurityActivationDisabled + + + + + System + + + + + + + + + + + + + + + + + + + AllowBuildPreview + + + + + + 2 + + + + + + + + + + + text/plain + + + + + AllowEmbeddedMode + + + + + + 0 + + + + + + + + + + + text/plain + + + + + AllowExperimentation + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowFontProviders + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowLocation + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowStorageCard + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowTelemetry + + + + + + 3 + + + + + + + + + + + text/plain + + + + + AllowUserToResetPhone + + + + + + 1 + + + + + + + + + + + text/plain + + + + + BootStartDriverInitialization + + + + + + + + + + + + + + + + + text/plain + + phone + earlylauncham.admx + EarlyLaunchAM~AT~System~ELAMCategory + POL_DriverLoadPolicy_Name + + + + DisableOneDriveFileSync + + + + + This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: users can’t access OneDrive from the OneDrive app and file picker; Windows Store apps can’t access OneDrive using the WinRT API; OneDrive doesn’t appear in the navigation pane in File Explorer; OneDrive files aren’t kept in sync with the cloud; Users can’t automatically upload photos and videos from the camera roll folder. 
If you disable or do not configure this policy setting, apps and features can work with OneDrive file storage. + 0 + + + + + + + + + + + text/plain + + + + + DisableSystemRestore + + + + + + + + + + + + + + + + + text/plain + + phone + systemrestore.admx + SystemRestore~AT~System~SR + SR_DisableSR + + + + TelemetryProxy + + + + + + + + + + + + + + + + + text/plain + + + + + + TextInput + + + + + + + + + + + + + + + + + + + AllowIMELogging + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowIMENetworkAccess + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowInputPanel + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowJapaneseIMESurrogatePairCharacters + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowJapaneseIVSCharacters + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowJapaneseNonPublishingStandardGlyph + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowJapaneseUserDictionary + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowKeyboardTextSuggestions + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowLanguageFeaturesUninstall + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + ExcludeJapaneseIMEExceptJIS0208 + + + + + + 0 + + + + + + + + + + + text/plain + + + + + ExcludeJapaneseIMEExceptJIS0208andEUDC + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + ExcludeJapaneseIMEExceptShiftJIS + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + + TimeLanguageSettings + + + + + + + + + + + + + + + + + + + AllowSet24HourClock + + + + + + 0 + + + + + + + + + + + text/plain + + desktop + + + + + Update + + + + + + + + + + + + + + + + + + + ActiveHoursEnd + + + + + + 17 + + + + + + + + + + + text/plain + + + + + ActiveHoursMaxRange + + + + + + 18 + + + + + + + + + + + text/plain + + + + + ActiveHoursStart + + + + + + 8 + + + + + + + + + + + text/plain + + + + + AllowAutoUpdate + + + + + + 2 + + + 
+ + + + + + + + text/plain + + + + + AllowMUUpdateService + + + + + + 0 + + + + + + + + + + + text/plain + + phone + + + + AllowNonMicrosoftSignedUpdate + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowUpdateService + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AutoRestartDeadlinePeriodInDays + + + + + + 7 + + + + + + + + + + + text/plain + + + + + AutoRestartNotificationSchedule + + + + + + 15 + + + + + + + + + + + text/plain + + + + + AutoRestartRequiredNotificationDismissal + + + + + + 1 + + + + + + + + + + + text/plain + + + + + BranchReadinessLevel + + + + + + 16 + + + + + + + + + + + text/plain + + + + + DeferFeatureUpdatesPeriodInDays + + + + + + 0 + + + + + + + + + + + text/plain + + + + + DeferQualityUpdatesPeriodInDays + + + + + + 0 + + + + + + + + + + + text/plain + + + + + DeferUpdatePeriod + + + + + + 0 + + + + + + + + + + + text/plain + + + + + DeferUpgradePeriod + + + + + + 0 + + + + + + + + + + + text/plain + + + + + DetectionFrequency + + + + + + 22 + + + + + + + + + + + text/plain + + + + + EngagedRestartDeadline + + + + + + 14 + + + + + + + + + + + text/plain + + + + + EngagedRestartSnoozeSchedule + + + + + + 3 + + + + + + + + + + + text/plain + + + + + EngagedRestartTransitionSchedule + + + + + + 7 + + + + + + + + + + + text/plain + + + + + ExcludeWUDriversInQualityUpdate + + + + + + 0 + + + + + + + + + + + text/plain + + + + + FillEmptyContentUrls + + + + + + 0 + + + + + + + + + + + text/plain + + + + + IgnoreMOAppDownloadLimit + + + + + + 0 + + + + + + + + + + + text/plain + + + + + IgnoreMOUpdateDownloadLimit + + + + + + 0 + + + + + + + + + + + text/plain + + + + + PauseDeferrals + + + + + + 0 + + + + + + + + + + + text/plain + + + + + PauseFeatureUpdates + + + + + + 0 + + + + + + + + + + + text/plain + + + + + PauseFeatureUpdatesStartTime + + + + + + + + + + + + + + + + + text/plain + + + + + PauseQualityUpdates + + + + + + 0 + + + + + + + + + + + text/plain + + + + + PauseQualityUpdatesStartTime + + + + + + + + + + + 
+ + + + + + text/plain + + + + + PhoneUpdateRestrictions + + + + + + 4 + + + + + + + + + + + text/plain + + + + + RequireDeferUpgrade + + + + + + 0 + + + + + + + + + + + text/plain + + + + + RequireUpdateApproval + + + + + + 0 + + + + + + + + + + + text/plain + + + + + ScheduledInstallDay + + + + + + 0 + + + + + + + + + + + text/plain + + + + + ScheduledInstallTime + + + + + + 3 + + + + + + + + + + + text/plain + + + + + ScheduleImminentRestartWarning + + + + + + 15 + + + + + + + + + + + text/plain + + + + + ScheduleRestartWarning + + + + + + 4 + + + + + + + + + + + text/plain + + + + + SetAutoRestartNotificationDisable + + + + + + 0 + + + + + + + + + + + text/plain + + + + + SetEDURestart + + + + + + 0 + + + + + + + + + + + text/plain + + + + + UpdateServiceUrl + + + + + + CorpWSUS + + + + + + + + + + + text/plain + + + + + UpdateServiceUrlAlternate + + + + + + + + + + + + + + + + + text/plain + + phone + + + + + Wifi + + + + + + + + + + + + + + + + + + + AllowAutoConnectToWiFiSenseHotspots + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowInternetSharing + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowManualWiFiConfiguration + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowWiFi + + + + + + 1 + + + + + + + + + + + text/plain + + + + + AllowWiFiDirect + + + + + + 1 + + + + + + + + + + + text/plain + + + + + WLANScanMode + + + + + + 0 + + + + + + + + + + + text/plain + + + + + + WindowsInkWorkspace + + + + + + + + + + + + + + + + + + + AllowSuggestedAppsInWindowsInkWorkspace + + + + + + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowWindowsInkWorkspace + + + + + + 2 + + + + + + + + + + + text/plain + + phone + + + + + WindowsLogon + + + + + + + + + + + + + + + + + + + DisableLockScreenAppNotifications + + + + + + + + + + + + + + + + + text/plain + + phone + logon.admx + Logon~AT~System~Logon + DisableLockScreenAppNotifications + + + + DontDisplayNetworkSelectionUI + + + + + + + + + + + + + + + + + text/plain + + 
phone + logon.admx + Logon~AT~System~Logon + DontDisplayNetworkSelectionUI + + + + HideFastUserSwitching + + + + + This policy setting allows you to hide the Switch User interface in the Logon UI, the Start menu and the Task Manager. If you enable this policy setting, the Switch User interface is hidden from the user who is attempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon UI, the Start menu and the Task Manager. If you disable or do not configure this policy setting, the Switch User interface is accessible to the user in the three locations. + 0 + + + + + + + + + + + text/plain + + + + + + WirelessDisplay + + + + + + + + + + + + + + + + + + + AllowProjectionFromPC + + + + + This policy allows you to turn off projection from a PC. + If you set it to 0, your PC cannot discover or project to other devices. + If you set it to 1, your PC can discover and project to other devices. + 1 + + + + + + + + + + + text/plain + + + + + AllowProjectionFromPCOverInfrastructure + + + + + This policy allows you to turn off projection from a PC over infrastructure. + If you set it to 0, your PC cannot discover or project to other infrastructure devices, though it may still be possible to discover and project over WiFi Direct. + If you set it to 1, your PC can discover and project to other devices over infrastructure. + 1 + + + + + + + + + + + text/plain + + + + + AllowProjectionToPC + + + + + This policy setting allows you to turn off projection to a PC + If you set it to 0, your PC isn't discoverable and can't be projected to + If you set it to 1, your PC is discoverable and can be projected to above the lock screen only. The user has an option to turn it always on or off except for manual launch, too. + 1 + + + + + + + + + + + text/plain + + phone + + + + AllowProjectionToPCOverInfrastructure + + + + + This policy setting allows you to turn off projection to a PC over infrastructure. 
+ If you set it to 0, your PC cannot be discoverable and can't be projected to over infrastructure, though it may still be possible to project over WiFi Direct. + If you set it to 1, your PC can be discoverable and can be projected to over infrastructure. + 1 + + + + + + + + + + + text/plain + + + + + AllowUserInputFromWirelessDisplayReceiver + + + + + + 1 + + + + + + + + + + + text/plain + + + + + RequirePinForPairing + + + + + This policy setting allows you to require a pin for pairing. + If you turn this on, the pairing ceremony for new devices will always require a PIN + If you turn it off or don't configure it, a pin isn't required for pairing. + 0 + + + + + + + + + + + text/plain + + + + + + + +``` \ No newline at end of file diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md new file mode 100644 index 0000000000..8124940a17 --- /dev/null +++ b/windows/client-management/mdm/policymanager-csp.md 
@@ -0,0 +1,965 @@
+---
+title: PolicyManager CSP
+description: PolicyManager CSP
+ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# PolicyManager CSP
+
+
+The PolicyManager configuration service provider enables the enterprise to configure company policies on Windows 10 Mobile.
+
+> **Note**   The PolicyManager CSP is supported in Windows 10 Mobile for backward compatibility. For Windows 10 devices you should use [Policy CSP](policy-configuration-service-provider.md), which replaces PolicyManager CSP. You can continue to use PolicyManager CSP for Windows Phone 8.1 and Windows Phone 8.1 GDR devices. The PolicyManager CSP will be deprecated some time in the future.
+
+ 
+
+The PolicyManager CSP has the following sub-categories:
+
+- PolicyManager/My/*AreaName* – Handles the policy configuration request from the server.
+
+- PolicyManager/Device/*AreaName* – Provides a read-only path to policies enforced on the device.
+
+The configuration policies for the same *AreaName* must be wrapped in an Atomic command.
+
+The following image shows the PolicyManager configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
+
+![provisioning\-csp\-policymanager](images/provisioning-csp-policymanager.png)
+
+The following list describes the characteristics and parameters.
+
+**./Vendor/MSFT/PolicyManager**
+The root node for the PolicyManager configuration service provider.
+
+Supported operation is Get.
+
+**My**
+Node for policies for a specific provider that can be retrieved, modified, or deleted.
+
+Supported operation is Get.
+
+**My/****_<AreaName>_**
+The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
+
+Supported operations are Add, Get, and Delete.
+
+**My/_<AreaName>_/****_<PolicyName>_**
+Specifies the name/value pair used in the policy. The following list shows some tips to help you when configuring policies:
+
+- Separate multistring values by the Unicode &\#xF000; in the XML file.
+
+- End multistrings with &\#xF000; For example, One string&\#xF000;two string&\#xF000;red string&\#xF000;blue string&\#xF000;&\#xF000;. Note that a query from different caller could provide a different value as each caller could have different values for a named policy.
+
+- In Syncml, wrap this policy with the Atomic command so that the policy settings are treated as a single transaction.
+
+- Supported operations are Add, Get, Delete, and Replace.
+
+- Value type is string.
+
+For possible area and policy names, see [Supported company policies](#bkmk-supportedpolicies) below.
+
+**Device**
+Groups the evaluated policies from all providers that can be configured. Supported operations is Get.
+
+**Device/****_<AreaName>_**
+The area group that can be configured by a single technology independent of the providers. Supported operation is Get.
+
+**Device/_<AreaName>_/****_<PolicyName>_**
+Specifies the name/value pair used in the policy. Supported operation is Get.
+
+## List of *<AreaName>*/*<PolicyName>*
+
+
+**DeviceLock/DevicePasswordEnabled**
+Specifies whether device lock is enabled.
+ +The following list shows the supported values: + +- 0 (default) - Enabled + +- 1 – Disabled + +> **Important**   +>The DevicePasswordEnabled setting must be set to 0 (device password is enabled) for the following settings to take effect: +> +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MaxDevicePasswordFailedAttempts +> - MaxInactivityTimeDeviceLock +> - MinDevicePasswordComplexCharacters + +  + +Supported via MDM and EAS + +EAS policy name - DevicePasswordEnabled + +Min policy value is the most restricted + +**DeviceLock/AllowSimpleDevicePassword** +Specifies whether passwords like “1111” or “1234” are allowed. + +The following list shows the supported values: + +- 0 - Not allowed. + +- 1 (default) – Allowed. + +Supported via MDM and EAS + +EAS policy name - AllowSimpleDevicePassword + +Min policy value is the most restricted + +**DeviceLock/MinDevicePasswordLength** +Specifies the minimum number or characters required in the PIN. + +The following list shows the supported values: + +- An integer X where + + 4 <= X <= 16. + +- 0- Not enforced. + +- Default: 4. + +Supported via MDM and EAS + +EAS policy name - MinDevicePasswordLength + +Max policy value is the most restricted + +**DeviceLock/AlphanumericDevicePasswordRequired** +Determines the type of password required. This policy only applies if DevicedPasswordEnabled policy is set to 0 (required). + +The following list shows the supported values: + +- 0 - Alphanumeric password required. + +- 1 - Numeric password required. + +- 2 (default) - Users can choose: Numeric Password, or Alphanumeric Password. + +Supported via MDM and EAS + +EAS policy name - AlphanumericDevicePasswordRequired + +Min policy value is the most restricted + +**DeviceLock/DevicePasswordExpiration** +Specifies when the password expires (in days). + +The following list shows the supported values: + +- An integer X where + + 0 <= X <= 730. + +- 0 (default) - Passwords do not expire. 
+ +Supported via MDM and EAS + +EAS policy name - DevicePasswordExpiration + +If all policy values = 0 then 0; otherwise, Min policy value is the most secure value + +**DeviceLock/DevicePasswordHistory** +Specifies how many passwords can be stored in the history that can’t be used. + +The following list shows the supported values: + +- An integer X where + + 0 <= X <=50. + +- Default: 0 + +Supported via MDM and EAS + +EAS policy name - DevicePasswordHistory + +Max policy value is the most restricted + +**DeviceLock/MaxDevicePasswordFailedAttempts** +The number of authentication failures allowed before the device will be wiped. A value of 0 disables device wipe functionality. + +The following list shows the supported values: + +- An integer X where + + 0 <= X <= 999. + +- Default: 0. The device is never wiped after wrong passwords are entered. + +Supported via MDM and EAS + +EAS policy name - MaxDevicePasswordFailedAttempts + +If all policy values = 0 then 0; otherwise, Min policy value is the most restricted value. + +**DeviceLock/MaxInactivityTimeDeviceLock** +Specifies the amount of time (in minutes) after the device is idle that will cause the device to become password locked. + +The following list shows the supported values: + +- An integer X where + + 0 <= X <= 999. + +- 0 (default) - No timeout is defined. The default of "0" is Mango parity and is interpreted by as "No timeout is defined." + +Supported via MDM and EAS + +EAS policy name - MaxInactivityTimeDeviceLock + +Min policy value (except ‘0’) is the most restricted value. + +**DeviceLock/MinDevicePasswordComplexCharacters** +The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong password. + +The following list shows the supported values: + +- An integer X where + + 1 <= X <= 4. + +The default value is 1. + +Supported via MDM and EAS. 
+ +EAS policy name - MinDevicePasswordComplexCharacters + +Max policy value is the most restricted + +**DeviceLock/AllowIdleReturnWithoutPassword** +Force the user to input password every time the device returns from an idle state. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 - user is not able to set the password grace period timer, and the value is set as "each time." + + 1 (default) - user is able to set the password grace period timer. + +Supported via MDM and EAS. + +Most restricted value is 0. + +**WiFi/AllowWiFi** +Allow or disallow Wi-Fi connection. (Configurable by Exchange as well – definition will be consistent with EAS definition.) + +> **Note**  The policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Use Wi-Fi connection is disallowed. + +- 1 (default) – Use Wi-Fi connection is allowed. + +Supported via MDM and EAS. + +EAS policy name - AllowWiFi + +Most restricted value is 0. + +**WiFi/AllowInternetSharing** +Allow or disallow internet sharing. + +(Configurable by Exchange as well – definition will be consistent with EAS definition.) + +The following list shows the supported values: + +- 0 – Do not allow the use of Internet Sharing. + +- 1 (default) – Allow the use of Internet Sharing. + +Supported via MDM and EAS. + +EAS policy name - AllowInternetSharing + +Most restricted value is 0. + +**WiFi/AllowAutoConnectToWiFiSenseHotspots** +Allow or disallow the device to automatically connect to Wi-Fi hotspots and friend social network. + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**WiFi/AllowWiFiHotSpotReporting** +Allow or disallow Wi-Fi Hotspot information reporting to Microsoft. Once disallowed, the user cannot turn it on. + +The following list shows the supported values: + +- 0 – HotSpot reporting is not allowed. 
+ +- 1 (default) – HotSpot reporting is allowed. + +Most restricted value is 0. + +**WiFi/AllowManualWiFiConfiguration** +Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. + +> **Note**  The policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – No Wi-Fi connection outside of MDM provisioned network is allowed. + +- 1 (default) – Adding new network SSIDs beyond the already MDM provisioned ones is allowed. + +Most restricted value is 0. + +**Connectivity/AllowNFC** +Allow or disallow near field communication (NFC) on the device. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Do not allow NFC capabilities. + +- 1 (default) – Allow NFC capabilities. + +Most restricted value is 0. + +**Connectivity/AllowCellularDataRoaming** +Allows or disallows cellular data roaming on the device. + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Connectivity/AllowUSBConnection** +Enables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications. Changing this policy does not affect USB charging. + +Both Media Transfer Protocol (MTP) and IP over USB are disabled when this policy is enforced. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 - Not allowed. + +- 1 (default) - Allowed. + +Most restricted value is 0. + +**Connectivity/AllowVPNOverCellular** +This policy specifies what type of underlying connections VPN is allowed to use. + +The following list shows the supported values: + +- 0 - VPN is not allowed over cellular. + +- 1 (default) – VPN could use any connection including cellular. + +Most restricted value is 0. 
+ +**Connectivity/AllowVPNRoamingOverCellular** +This policy, when enforced, will prevent the device from connecting VPN when the device roams over cellular networks. + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) - Allowed. + +Most restricted value is 0. + +**Connectivity/AllowBluetooth** +Allow the user to enable Bluetooth or restrict access. + +The following list shows the possible values: + +- 0 – Disable Bluetooth. + +- 1 – Not supported in Windows 10 Mobile for MDM and EAS Disable Bluetooth, but allow the configuration of hands-free profiles. + +- 2 (default) – Allow Bluetooth. + +Supported via MDM and EAS. + +EAS policy name - AllowBluetooth + +Most restricted value is 0. + +**System/AllowStorageCard** +Controls whether the user is allowed to use the storage card for device storage. This setting does not prevent programmatic access to the storage card, it only prevents the user from using the card as a storage location. + +The following list shows the supported values: + +- 0 – SD card use is not allowed. This does not prevent programmatic access to the storage card. + +- 1 (default) – Allow a storage card. + +EAS policy name - AllowStorageCard + +Most restricted value is 0. + +**System/AllowLocation** +Specifies whether to allow a location service. + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**System/AllowTelemetry** +Allow the device to send telemetry information (such as Software Quality Management (SQM) and Watson). + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 – Allowed, except for Secondary Data Requests. + +- 2 (default) – Allowed. + +Most restricted value is 0. + +**System/AllowUserToResetPhone** +Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination. + +> **Note**  This policy is only supported in Windows 10 Mobile. 
+ +  + +The following list shows the possible values: + +- 0 - Not allowed. + +- 1 (default) - Allowed to reset to factory default settings. + +Most restricted value is 0. + +**Experience/AllowSaveAsOfOfficeFiles** +Specifies whether the user is allowed to save a file on the device as an office file. + +> **Note**  This policy is not supported and deprecated in Windows 10. + +  + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Experience/AllowCopyPaste** +Specifies whether copy and paste is allowed. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Experience/AllowScreenCapture** +Specifies whether screen capture is allowed. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Experience/AllowVoiceRecording** +Specifies whether voice recording is allowed. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Experience/AllowCortana** +Specifies whether Cortana is allowed on the device. + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Experience/AllowSyncMySettings** +Allows the enterprise to disallow roaming settings among devices (in/from a device). If not enforced, whether or not roaming is allowed may depend on other factors. + +The following list shows the supported values: + +- 0 – Roaming is not allowed. + +- 1 (default) – The enterprise does not enforce roaming restrictions. + +Most restricted value is 0. 
+ + **Experience/AllowManualMDMUnenrollment** +Specifies whether to allow the user to delete the workplace account using the workplace control panel. The MDM server can always remotely delete the account. + +- 0 - Not allowed server. + +- 1 – Allowed. + +Most restricted value is 0. + + **Experience/AllowSharingOfOfficeFiles** +Specifies whether the user is allowed to share Office files. + +The following list shows the supported values: + +> **Note**  This policy is not supported in Windows 10. + +  + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Accounts/AllowMicrosoftAccountConnection** +Specifies whether user is allowed to use an MSA account for non-email related connection authentication and services. + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Accounts/AllowAddingNonMicrosoftAccountsManually** +Specifies whether user is allowed to add non-MSA email accounts. + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Security/AllowManualRootCertificateInstallation** +Specifies whether the user is allowed to manually install root and intermediate CAP certificates. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Security/RequireDeviceEncryption** +Allows enterprise to turn on internal storage encryption. Note that once turned on, it cannot be turned off via policy. + +The following list shows the supported values: + +- 0 (default) – Encryption is not required. + +- 1 – Encryption is required. + +Supported via MDM and EAS. + +EAS policy name - RequireDeviceEncryption + +Most restricted value is 1. + +**Browser/AllowBrowser** +Specifies whether Internet Explorer is allowed in the device. 
+ +> **Note**  This policy in only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Supported via MDM and EAS. + +EAS policy name - AllowBrowser + +Most restricted value is 0. + +**Camera/AllowCamera** +Disables or enables the camera. + +The following list shows the supported values: + +- 0 – Use of camera is disallowed. + +- 1 (default) – Use of camera is allowed. + +Most restricted value is 0. + +**ApplicationManagement/AllowStore** +Specifies whether app store is allowed at the device. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**ApplicationManagement/ApplicationRestrictions** +An XML blob that specifies the application restrictions company want to put to the device. It could be app allow list, app disallow list, allowed publisher IDs, etc. An application that is running may not be immediately terminated. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +> **Note**  List of known issues: +- When you upgrade Windows Phone 8.1 devices to Windows 10 Mobile with a list of allowed apps, some Windows inbox apps get blocked causing unexpected behavior. To work around this issue, you must include the [inbox apps](applocker-csp.md#inboxappsandcomponents) that you need to your list of allowed apps. + + Here's additional guidance for the upgrade process: + + - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). + - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. 
+ - In the SyncML, you must use lowercase product ID. + - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. + + For a sample SyncML, see [Examples](#examples). + +- You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). +- When ApplicationManagement/ApplicationRestrictions policy is deployed to Windows 10 Mobile, installation and update of apps dependent on Microsoft Frameworks may get blocked with error 0x80073CF9. To work around this issue, you must include the Microsoft Framework Id to your list of allowed apps. + + ``` syntax + + ``` + +  + +Value type is chr. + +Value evaluation rule - The information for PolicyManager is opaque. There is no most restricted value evaluation. Whenever there is a change to the value, the device parses the node value and enforces specified policies. + +**ApplicationManagement/AllowDeveloperUnlock** +Specifies whether developer unlock is allowed at the device. + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Search/AllowSearchToUseLocation** +Specifies whether search could leverage location information. + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**Search/SafeSearchPermissions** +Specifies what level of safe search (filtering adult content) is required. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Strict, highest filtering against adult content. + +- 1 (default) – Moderate filtering against adult content (valid search results will not be filtered. + +Most restricted value is 0. 
+ +**Search/AllowStoringImagesFromVisionSearch** +Specifies whether to allow Bing Vision to store the contents of the images captured when performing Bing Vision search. + +> **Note**  This policy is not supported in Windows 10. + +  + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +**AboveLock/AllowActionCenterNotifications** +Specifies whether to allow action center notifications above the device lock screen. + +> **Note**  This policy is only supported in Windows 10 Mobile. + +  + +The following list shows the supported values: + +- 0 – Not allowed. + +- 1 (default) – Allowed. + +Most restricted value is 0. + +## Examples + + +Here is an example SyncML for ApplicationRestrictions for adding all the inbox apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). + +``` syntax + + + + 144-0 + + 144-1 + + + ./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions + + + chr + text/plain + + +<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"> +<Allow> + + <!-- Alarms and clock --> + <App ProductId="{44f7d2b4-553d-4bec-a8b7-634ce897ed5f}" /> + <!--Calculator --> + <App ProductId="{b58171c6-c70c-4266-a2e8-8f9c994f4456}" /> + <!--Camera --> + <App ProductId="{f0d8fefd-31cd-43a1-a45a-d0276db069f1}" /> + + <App ProductId="{0db5fcff-4544-458a-b320-e352dfd9ca2b}" /> + <!--Cortana --> + <App ProductId="{fd68dcf4-166f-4c55-a4ca-348020f71b94}" /> + <!--Excel --> + <App ProductId="{ead3e7c0-fae6-4603-8699-6a448138f4dc}" /> + <!--Facebook --> + <App ProductId="{82a23635-5bd9-df11-a844-00237de2db9e}" /> + <!--File Explorer --> + <App ProductId="{c5e2524a-ea46-4f67-841f-6a9465d9d515}" /> + <!--FM Radio --> + <App ProductId="{f725010e-455d-4c09-ac48-bcdef0d4b626}" /> + <!--Get Started --> + <App ProductId="{b3726308-3d74-4a14-a84c-867c8c735c3c}" /> + <!--Groove Music --> + <App ProductId="{d2b6a184-da39-4c9a-9e0a-8b589b03dec0}" /> + 
<!--Maps --> + <App ProductId="{ed27a07e-af57-416b-bc0c-2596b622ef7d}" /> + + <!--Messaging --> + <App ProductId="{27e26f40-e031-48a6-b130-d1f20388991a}" /> + <!--Microsoft Edge --> + <App ProductId="{395589fb-5884-4709-b9df-f7d558663ffd}" /> + <!--Money --> + <App ProductId="{1e0440f1-7abf-4b9a-863d-177970eefb5e}" /> + <!--Movies and TV --> + <App ProductId="{6affe59e-0467-4701-851f-7ac026e21665}" /> + <!--News --> + <App ProductId="{9c3e8cad-6702-4842-8f61-b8b33cc9caf1}" /> + <!--OneDrive --> + <App ProductId="{ad543082-80ec-45bb-aa02-ffe7f4182ba8}" /> + <!--OneNote --> + <App ProductId="{ca05b3ab-f157-450c-8c49-a1f127f5e71d}" /> + <!--Outlook Mail Calendar --> + <App ProductId="{a558feba-85d7-4665-b5d8-a2ff9c19799b}" /> + <!--People --> + <App ProductId="{60be1fb8-3291-4b21-bd39-2221ab166481}" /> + <!--Phone (dialer) --> + <App ProductId="{f41b5d0e-ee94-4f47-9cfe-3d3934c5a2c7}" /> + <!--Photos --> + <App ProductId="{fca55e1b-b9a4-4289-882f-084ef4145005}" /> + + <!--Podcasts --> + <App ProductId="{c3215724-b279-4206-8c3e-61d1a9d63ed3}" /> + <!--Powerpoint --> + <App ProductId="{b50483c4-8046-4e1b-81ba-590b24935798}" /> + <!--Settings --> + <App ProductId="{2a4e62d8-8809-4787-89f8-69d0f01654fb}" /> + <!--Skype --> + <App ProductId="{c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51}" /> + <!--Skype Video GUID is same as Messaging --> + <!--Sports --> + <App ProductId="{0f4c8c7e-7114-4e1e-a84c-50664db13b17}" /> + <!--Storage --> + <App ProductId="{5b04b775-356b-4aa0-aaf8-6491ffea564d}" /> + <!--Store --> + <App ProductId="{7d47d89a-7900-47c5-93f2-46eb6d94c159}" /> + + <!--Voice recorder --> + <App ProductId="{7311b9c5-a4e9-4c74-bc3c-55b06ba95ad0}" /> + <!--Wallet --> + <App ProductId="{587a4577-7868-4745-a29e-f996203f1462}" /> + <!--Weather --> + <App ProductId="{63c2a117-8604-44e7-8cef-df10be3a57c8}" /> + + <App ProductId="{7604089d-d13f-4a2d-9998-33fc02b63ce3}" /> + <!--Word --> + <App ProductId="{258f115c-48f4-4adb-9a68-1387e634459b}" /> + <!--Xbox --> + <App 
ProductId="{b806836f-eebe-41c9-8669-19e243b81b83}" /> + + <!-- CloudExperienceHost --> + <App ProductId="{3a4fae89-7b7e-44b4-867b-f7e2772b8253}" /> + <!-- AAD BrokerPlugin --> + <App ProductId="{e5f8b2c4-75ae-45ee-9be8-212e34f77747}" /> + <!-- Ringtone --> + <App ProductId="{3e962450-486b-406b-abb5-d38b4ee7e6fe}" /> + <!-- Advanced Info --> + <App ProductId="{b6e3e590-9fa5-40c0-86ac-ef475de98e88}" /> + <!-- Glance --> + <App ProductId="{106e0a97-8b19-42cf-8879-a8ed2598fcbb}" /> + <!-- Connect --> + <App ProductId="{af7d2801-56c0-4eb1-824b-dd91cdf7ece5}" /> + <!-- Miracast View --> + <App ProductId="{906beeda-b7e6-4ddc-ba8d-ad5031223ef9}" /> + <!-- PrintDialog --> + <App ProductId="{0d32eeb1-32f0-40da-8558-cea6fcbec4a4}" /> + + <!-- Music downloads--> + <App ProductId="{3da8a0c1-f7e5-47c0-a680-be8fd013f747}" /> + <!-- App downloads--> + <App ProductId="{20bf77a0-19c7-4daa-8db5-bc3dfdfa44ac}" /> + <!-- Podcast downloads--> + <App ProductId="{063773e7-f26f-4a92-81f0-aa71a1161e30}" /> + <!-- Email and accounts--> + <App ProductId="{39cf127b-8c67-c149-539a-c02271d07060}" /> + <!-- Assigned Access Lock app--> + <App ProductId="{b84f4722-313e-4f85-8f41-cf5417c9c5cb}" /> + <!-- Windows Hello Setup--> + <App ProductId="{01293c37-72ec-3c8b-0eb3-1de4f7d0cdc4}" /> + <!-- Purchase Dialog--> + <App ProductId="{c60e79ca-063b-4e5d-9177-1309357b2c3f}" /> + <!-- Xbox Identity Provider--> + <App ProductId="{ba88225b-059a-45a2-a8eb-d3580283e49d}" /> + <!-- Block and Filter--> + <App ProductId="{59553c14-5701-49a2-9909-264d034deb3d}" /> + <!-- Sharing--> + <App ProductId="{b0894dfd-4671-4bb9-bc17-a8b39947ffb6}" /> + <!-- Setup wizard--> + <App ProductId="{07d87655-e4f0-474b-895a-773790ad4a32}" /> + <!-- Phone Reset Dialog--> + <App ProductId="{2864278d-09b5-46f7-b502-1c24139ecbdd}" /> + <!-- SaveRingtone--> + <App ProductId="{d8cf8ec7-ec6d-4892-aab9-1e3a4b5fa24b}" /> + <!-- HAP Update Background Worker--> + <App ProductId="{73c73cdd-4dea-462c-bd83-fa983056a4ef}" /> + <!-- Windows 
Default Lock Screen--> + <App ProductId="{cdd63e31-9307-4ccb-ab62-1ffa5721b503}" /> + <!-- navigation bar--> + <App ProductId="{2cd23676-8f68-4d07-8dd2-e693d4b01279}" /> + <!-- SSMHost--> + <App ProductId="{e232aa77-2b6d-442c-b0c3-f3bb9788af2a}" /> + <!-- Bing lock images--> + <App ProductId="{5f28c179-2780-41df-b966-27807b8de02c}" /> + <!-- CertInstaller--> + <App ProductId="{4c4ad968-7100-49de-8cd1-402e198d869e}" /> + <!-- Age Out Worker--> + <App ProductId="{09296e27-c9f3-4ab9-aa76-ecc4497d94bb}" /> + <!-- EnterpriseInstall App--> + <App ProductId="{da52fa01-ac0f-479d-957f-bfe4595941cb}" /> + <!-- Hands-Free Activation--> + <App ProductId="{df6c9621-e873-4e86-bb56-93e9f21b1d6f}" /> + <!-- Hands-Free Activation--> + <App ProductId="{72803bd5-4f36-41a4-a349-e83e027c4722}" /> + + + <!--Field Medic --> + <App ProductId="{73c58570-d5a7-46f8-b1b2-2a90024fc29c}" /> + <!--Windows Insider --> + <App ProductId="{ed2b1421-6414-4544-bd8d-06d58ee402a5}" /> + + <!-- Microsoft Frameworks --> + <App ProductId="{00000000-0000-0000-0000-000000000000}" PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" /> + + </Allow> +</AppPolicy> + + + + + + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md new file mode 100644 index 0000000000..9ae10f0f2c --- /dev/null +++ b/windows/client-management/mdm/provisioning-csp.md 
@@ -0,0 +1,66 @@ +--- +title: Provisioning CSP +description: The Provisioning configuration service provider is used for bulk user enrollment to an MDM service. +ms.assetid: 5D6C17BE-727A-4AFA-9F30-B34C1EA1D2AE +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Provisioning CSP + + +The Provisioning configuration service provider is used for bulk user enrollment to an MDM service. + +> **Note**  Bulk enrollment does not work when two factor authentication is enabled. + +  + +For bulk enrollment step-by-step guide, see [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md). + +The following diagram shows the Provisioning configuration service provider in tree format. + +![provisioning csp diagram](images/provisioning-csp-provisioning.png) + +**./Vendor/MSFT** +Root node for Provisioning CSP. + +**Provisioning/Enrollments** +Node for defining bulk enrollment of users into an MDM service. + +**Provisioning/Enrollments/****_UPN_** +Unique identifier for the enrollment. For bulk enrollment, this must a service account that is allowed to enroll multiple users. Example, "generic-device@contoso.com" + +**Provisioning/Enrollments/*UPN*/DiscoveryServiceFullURL** +The full URL for the discovery service. + +**Provisioning/Enrollments/*UPN*/Secret** +This information is dependent on the AuthPolicy being used. Possible values: + +- Password string for on-premise authentication enrollment +- Federated security token for federated enrollment +- Certificate thumb print for certificated based enrollment + +**Provisioning/Enrollments/*UPN*/AuthPolicy** +Specifies the authentication policy used by the MDM service. Valid values: + +- OnPremise +- Certificate + +**Provisioning/Enrollments/*UPN*/PolicyServiceFullURL** +Specifies the policy service URL. + +**Provisioning/Enrollments/*UPN*/EnrollmentServiceFullURL** +Specifies the enrollment service URL. + +  + +  + + + + + + 
diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md
new file mode 100644
index 0000000000..65e4ceb727
--- /dev/null
+++ b/windows/client-management/mdm/proxy-csp.md
@@ -0,0 +1,107 @@ +--- +title: PROXY CSP +description: PROXY CSP +ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# PROXY CSP + + +The PROXY configuration service provider is used to configure proxy connections. + +> **Note**  Use [CM\_ProxyEntries CSP](cm-proxyentries-csp.md) instead of PROXY CSP, which will be deprecated in a future release. + +This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. + +  + +For the PROXY CSP, you cannot use the Replace command unless the node already exists. + +The following diagram shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider. + +![proxy csp (dm)](images/provisioning-csp-proxy.png) + +**./Vendor/MSFT/Proxy** +Root node for the proxy connection. + +***ProxyName*** +Defines the name of a proxy connection. + +It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two proxy connections, use "PROXY0" and "PROXY1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). + +The addition, update, and deletion of this sub-tree of nodes have be specified in a single atomic transaction. + +***ProxyName*/PROXYID** +Specifies the unique identifier of the proxy connection. + +***ProxyName*/NAME** +Specifies the user-friendly name of the proxy connection. + +***ProxyName*/ADDR** +Specifies the address of the proxy server. + +This value may be the network name of the server, or any other string (such as an IP address) used to uniquely identify the proxy connection. 
+ +***ProxyName*/ADDRTYPE** +Specifies the type of address used to identify the proxy server. + +The valid values are IPV4, IPV6, E164, ALPHA. + +***ProxyName*/PROXYTYPE** +Specifies the type of proxy connection. + +Depending on the ProxyID, the valid values are ISA, WAP, SOCKS, or NULL. + +***ProxyName*/Ports** +Node for port information. + +***ProxyName*/Ports/****_PortName_** +Defines the name of a port. + +It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two ports, use "PORT0" and "PORT1" as the element names. + +***ProxyName*/Ports/*PortName*/PortNbr** +Specifies the port number to be associated with the parent port. + +***ProxyName*/Ports/*PortName*/Services** +Node for services information. + +***ProxyName*/Ports/Services/****_ServiceName_** +Defines the name of a service. + +It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two services, use "SERVICE0" and "SERVICE1" as the element names. + +***ProxyName*/Ports/Services/*ServiceName*/ServiceName** +Specifies the protocol to be associated with the parent port. + +One commonly used value is "HTTP". + +***ProxyName*/ConRefs** +Node for connection reference information + +***ProxyName*/ConRefs/****_ConRefName_** +Defines the name of a connection reference. + +It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two connection references, use "CONREF0" and "CONREF1" as the element names. + +***ProxyName*/ConRefs/*ConRefName*/ConRef** +Specifies one single connectivity object associated with the proxy connection. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + 
diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md
new file mode 100644
index 0000000000..e34d5f94f2
--- /dev/null
+++ b/windows/client-management/mdm/push-notification-windows-mdm.md
@@ -0,0 +1,88 @@ +--- +title: Push notification support for device management +description: The DMClient CSP supports the ability to configure push-initiated device management sessions. +MS-HAID: +- 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management' +- 'p\_phDeviceMgmt.push\_notification\_windows\_mdm' +ms.assetid: 9031C4FE-212A-4481-A1B0-4C3190B388AE +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + + +# Push notification support for device management + +The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](http://go.microsoft.com/fwlink/p/?linkid=528800), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting). + +To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token that it can use to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a device management session with a device, it can utilize its token and the device ChannelURI and begin communicating with the device. + +For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification). + +Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. 
To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](http://go.microsoft.com/fwlink/p/?LinkId=733254). + +Note the following restrictions related to push notifications and WNS: + +- Push for device management uses raw push notifications. This means that these raw push notifications do not support or utilize push notification payloads. +- Receipt of push notifications are sensitive to the Battery Saver and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the persistent connection of the device with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the persistent connection of the device with WNS will also be terminated. +- A ChannelURI provided to the management server by the device is only valid for 30 days. The device automatically renews the ChannelURI after 15 days and triggers a management session on successful renewal of the ChannelURI. It is strongly recommended that, during every management session, the management server queries the ChannelURI value to ensure that it has received the latest value. This will ensure that the management server will not attempt to use a ChannelURI that has expired. +- Push is not a replacement for having a polling schedule. +- WNS reserves the right to block push notifications to your PFN if improper use of notifications is detected. Any devices being managed using this PFN will cease to have push initiated device management support. 
+- On Windows 10, version 1511 as well as Windows 8 and 8.1, MDM Push may fail to renew the WNS Push channel automatically causing it to expire. It can also potentially hang when setting the PFN for the channel. + + To workaround this issue, when a 410 is returned by the WNS server when attempting to send a Push notification to the device the PFN should be set during the next sync session. To prevent the push channel from expiring on older builds, servers can reset the PFN before the channel expires (~30 days). If they’re already running Windows 10, there should be an update available that they can install that should fix the issue. + +- On Windows 10, version 1511, we use the following retry logic for the DMClient: + - If ExpiryTime is greater than 15 days a schedule is set for when 15 days are left. + - If ExpiryTime is between now and 15 days a schedule set for 4 +/- 1 hours from now. + - If ExpiryTime has passed a schedule is set for 1 day +/- 4 hours from now. + + +- On Windows 10, version 1607, we check for network connectivity before retrying. We do not check for internet connectivity. If network connectivity is not available we will skip the retry and set schedule for 4+/-1 hours to try again. + + +## Get WNS credentials and PFN for MDM push notification + +To get a PFN and WNS credentials, you must create an Windows Store app. + +1. Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account. + + ![mdm push notification](images/push-notification1.png) +2. Create a new app. + + ![mdm push notification](images/push-notification2.png) +3. Reserve an app name. + + ![mdm push notification](images/push-notification3.png) +4. Click **Services**. + + ![mdm push notification](images/push-notification4.png) +5. Click **Push notifications**. + + ![mdm push notification](images/push-notification5.png) +6. Click **Live Services site**. A new window opens for the **Application Registration Portal** page. 
+ + ![mdm push notification](images/push-notification6.png) +7. In the **Application Registration Portal** page, you will see the properties for the app that you created, such as: + - Application Id + - Application Secrets + - Windows Store Package SID, Application Identity, and Publisher. + + ![mdm push notification](images/push-notification7.png) +8. Click **Save**. +9. Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard. +10. Select your app from the list on the left. +11. From the left nav, expand **App management** and then click **App identity**. + + ![mdm push notification](images/push-notification10.png) +12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app. + +  + + + + + + diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md new file mode 100644 index 0000000000..d3391b6066 --- /dev/null +++ b/windows/client-management/mdm/pxlogical-csp.md 
@@ -0,0 +1,156 @@ +--- +title: PXLOGICAL configuration service provider +description: PXLOGICAL configuration service provider +ms.assetid: b5fc84d4-aa32-4edd-95f1-a6a9c0feb459 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# PXLOGICAL configuration service provider + + +The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques. + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. + +  + +The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. + +![pxlogical csp (cp) (initial bootstrapping)](images/provisioning-csp-pxlogical-cp.png) + +The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider. + +![pxlogical csp (cp) (update bootstrapping)](images/provisioning-csp-pxlogical-cp-2.png) + +**PXPHYSICAL** +Defines a group of logical proxy settings. + +The element's mwid attribute is a Microsoft provisioning XML attribute, and is optional when adding a NAP or a proxy. It is required when updating and deleting existing NAPs and proxies and must have its value set to 1. + +**DOMAIN** +Specifies the domain associated with the proxy (for example, "\*.com"). + +A Windows device supports only one proxy that does not have a DOMAIN parameter, or has an empty DOMAIN value. That is, the device only supports one default proxy. 
All other proxy configurations must have a DOMAIN parameter with a non-empty value. A query of this parameter returns a semicolon delimited string of all domains associated with the proxy. + +**NAME** +Specifies the name of the logical proxy. + +When a list of proxies is displayed to the user they are displayed together in a single line, so the length of this value should be short for readability. + +**PORT** +Defines the bindings between a port number and one or more protocols or services. + +This configuration service provider can accept a maximum of two ports per physical proxy. A query of this characteristic returns information relating only to the first port. + +**PORTNBR** +Specifies the port number associated with some services on this proxy. + +If the PORTNBR is 80 or 443, or the PORT characteristic is missing, it is treated as an HTTP proxy. + +**SERVICE** +Specifies the service associated with the port number. + +Windows supports accepting WAP push connectionless sessions over a Short Message Service (SMS) bearer for WAP push messages. Internet Explore uses HTTP protocol, not WAP proxy. A query of this parameter returns a semicolon-delimited string of services for only the first port. + +**PUSHENABLED** +Specifies whether or not push operations are enabled. + +If this element is used in PXLOGICAL, it applies to all of the PXPHYSICAL elements embedded in the PXLOGICAL element. A value of "0" indicates that the proxy does not support push operations. A value of "1" indicates that the proxy supports push operations. + +**PROXY-ID** +Used during initial bootstrapping. Specifies the unique identifier of the logical proxy. + +***PROXY-ID*** +Used during bootstrapping updates. Specifies the unique identifier of the logical proxy. + +The name of the **PROXY-ID** element is the same as the value passed during initial bootstrapping. + +**TRUST** +Specifies whether or not the physical proxies in this logical proxy are privileged. 
The SECPOLICY\_TRUSTED\_WAP\_PROXY security policy (4121) governs what roles can set this element. + +**PXPHYSICAL** +Defines a group of physical proxy settings associated with the parent logical proxy. + +The element's mwid attribute is a Microsoft provisioning XML attribute, and is optional when adding a NAP or a proxy. It is required when updating and deleting existing NAPs and proxies and must have its value set to 1. + +**PHYSICAL-PROXY-ID** +Used during initial bootstrapping. Specifies the identifier of the physical proxy. + +When a list of proxies is displayed to the user they are displayed together in a single line, so the length of this value should be short for readability. + +***PHYSICAL-PROXY-ID*** +Used during bootstrapping updates. Specifies the identifier of the physical proxy. + +The name of the **PHYSICAL-PROXY-ID** element is the same as the value passed during initial bootstrapping. + +**PXADDR** +Specifies the address of the physical proxy. + +**PXADDRTYPE** +Specifies the format and protocol of the PXADDR element for a physical proxy. + +The only values supported are "E164" and "IPv4". + +**TO-NAPID** +Specifies the network access point associated with this physical proxy. Only one per proxy is supported. + +If **TO-NAPID** is used, the NAP whose **NAPID** is referred to by **TO-NAPID** must also be added. + +## Microsoft Custom Elements + + +The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. + +These features are available only for the device technique. In addition, the parameter-query and characteristic-query features are not supported for all PXPHYSICAL proxy parameters for all PXADDR types. All parameters can be queried when the PXPHYSICAL proxy PXADDRType is IPv4. For example, if a mobile operator queries the TO-NAPID parameter of a PXPHYSICAL proxy and the PXADDR Type is E164, a noparm is returned. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
FeatureAvailable

parm-query

Yes

noparm

Yes

nocharacteristic

Yes

characteristic-query

Yes

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/reboot-csp.md b/windows/client-management/mdm/reboot-csp.md new file mode 100644 index 0000000000..6180829e89 --- /dev/null +++ b/windows/client-management/mdm/reboot-csp.md @@ -0,0 +1,60 @@ +--- +title: Reboot CSP +description: Reboot CSP +ms.assetid: 4E3F1225-BBAD-40F5-A1AB-FF221B6BAF48 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Reboot CSP + + +The Reboot configuration service provider is used to configure reboot settings. + +The following diagram shows the Reboot configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. + +![reboot](images/reboot-csp.png) + +**./Vendor/MSFT/Reboot** +

The root node for the Reboot configuration service provider.

+ +

The supported operation is Get.

+ +**RebootNow** +

This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.

+ +> [!Note]   +> If this node is set to execute during a sync session, the device will reboot at the end of the sync session. + +

The supported operations are Execute and Get. + +**Schedule** +

The supported operation is Get.

+ +**Schedule/Single** +

This node will execute a reboot at a scheduled date and time. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z

+ +

The supported operations are Get, Add, Replace, and Delete.

+ +**Schedule/DailyRecurrent** +

This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. For example: 2015-12-15T07:36:25Z

+ +

The supported operations are Get, Add, Replace, and Delete.

+ +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/reboot-ddf-file.md b/windows/client-management/mdm/reboot-ddf-file.md new file mode 100644 index 0000000000..714d7255ec --- /dev/null +++ b/windows/client-management/mdm/reboot-ddf-file.md 
@@ -0,0 +1,161 @@ +--- +title: Reboot DDF file +description: This topic shows the OMA DM device description framework (DDF) for the Reboot configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: ABBD850C-E744-462C-88E7-CA3F43D80DB1 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Reboot DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **Reboot** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + Reboot + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + + RebootNow + + + + + + + + + + + + + + + RebootNow + + text/plain + + + + + Schedule + + + + + + + + + + + + + + + + + + + Single + + + + + + + + Value in ISO8601, both the date and time are required. A reboot will be scheduled at the configured date time. Setting a null (empty) date will delete the existing schedule. + + + + + + + + + + Single + + text/plain + + + + + DailyRecurrent + + + + + + + + Value in ISO8601, time is required. A reboot will be scheduled each day at the configured time starting at the date and time. Setting a null (empty) date will delete the existing schedule. + + + + + + + + + + DailyRecurrent + + text/plain + + + + + + + +``` + +## Related topics + + +[Reboot configuration service provider](reboot-csp.md) + +  + +  + + + + + + 
diff --git a/windows/client-management/mdm/reclaim-seat-from-user.md b/windows/client-management/mdm/reclaim-seat-from-user.md new file mode 100644 index 0000000000..ee5bc80e60 --- /dev/null +++ b/windows/client-management/mdm/reclaim-seat-from-user.md @@ -0,0 +1,134 @@ +--- +title: Reclaim seat from user +description: The Reclaim seat from user operation returns reclaimed seats for a user in the Windows Store for Business. +ms.assetid: E2C3C899-D0AD-469A-A319-31A420472A4C +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Reclaim seat from user + +The **Reclaim seat from user** operation returns reclaimed seats for a user in the Windows Store for Business. + +## Request + + ++++ + + + + + + + + + + + + +
MethodRequest URI

POST

https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}

+ + +### URI parameters + +The following parameters may be specified in the request URI. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ParameterTypeDescription

productId

string

Required. Product identifier for an application that is used by the Store for Business.

skuId

string

Required. Product identifier that specifies a specific SKU of an application.

username

string

Requires UserPrincipalName (UPN). User name of the target user account.

+ +  +## Response + +### Response body + +The response body contain [SeatDetails](data-structures-windows-store-for-business.md#seatdetails). + + +++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Error codeDescriptionRetryData fieldDetails

400

Invalid parameters

No

Parameter name

+

Reason: Invalid parameter

+

Details: String

Invalid can include productId, skuId or userName

404

Not found

Item type: Inventory, User, Seat

+

Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName

ItemType: Inventory, User, Seat

+

Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName

409

Conflict

Reason: Not online

+ +  + +  + + + + + diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md new file mode 100644 index 0000000000..344a2176e6 --- /dev/null +++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md 
@@ -0,0 +1,51 @@ +--- +title: Register your free Azure Active Directory subscription +description: If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. +ms.assetid: 97DCD303-BB11-4AFF-84FE-B7F14CDF64F7 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Register your free Azure Active Directory subscription + +If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription. + +> **Note**  If you don't have any Microsoft service that comes with a free Azure AD subscription, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal. + +  +## Register your free Azure Active Directory subscription + +1. Sign in to the Office 365 portal at using your organization's account. + + ![register azuread](images/azure-ad-add-tenant10.png) + +2. On the **Home** page, click on the Admin tools icon. + + ![register azuread](images/azure-ad-add-tenant11.png) + +3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information. + + ![register azuread](images/azure-ad-add-tenant12.png) + +4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**. + + ![register azuread](images/azure-ad-add-tenant13.png) + +5. It may take a few minutes to process the request. 
+ + ![register azuread](images/azure-ad-add-tenant14.png) + +6. You will see a welcome page when the process completes. + + ![register azuread](images/azure-ad-add-tenant15.png) + +  + + + + + + diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md new file mode 100644 index 0000000000..3874d0f2d7 --- /dev/null +++ b/windows/client-management/mdm/registry-csp.md 
@@ -0,0 +1,157 @@
+---
+title: Registry CSP
+description: Registry CSP
+ms.assetid: 2307e3fd-7b61-4f00-94e1-a639571f2c9d
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Registry CSP
+
+
+The Registry configuration service provider is used to update registry settings. However, if there is configuration service provider that is specific to the settings that need to be updated, use the specific configuration service provider.
+
+> **Note**   The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management.
+For Windows 10 Mobile only, this configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.
+
+ 
+
+For the Registry CSP, you cannot use the Replace command unless the node already exists.
+
+The Registry configuration service provider can be managed over both the OMA Client Provisioning and the OMA DM protocol. When using OMA DM to add a registry key, a child registry value must also be added in the XML code.
+
+For OMA Client Provisioning, the follows notes apply:
+
+- Querying the registry at the top level is not allowed. All parameters must be queried individually. The underlying data store of the Registry is typed. Be sure to use the **datatype** attribute of the *<parm>* tag.
+
+- This documentation describes the default characteristics. Additional characteristics may be added.
+
+- Because the **Registry** configuration service provider uses the backslash (\) character as a separator between key names, backslashes which occur in the name of a registry key must be escaped. Backslashes can be escaped by using two sequential backslashes (\\\).
+
+The default security role maps to each subnode unless specific permission is granted to the subnode. 
The security role for subnodes is implementation specific, and can be changed by OEMs and mobile operators. + +## Microsoft Custom Elements + + +The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + +
ElementsAvailable

parm-query

Yes

noparm

Yes

nocharacteristic

Yes

characteristic-query

Yes

+

Recursive query: Yes

+

Top level query: No

+ +  + +Use these elements to build standard OMA Client Provisioning configuration XML. For information about specific elements, see MSPROV DTD elements. + +## Supported Data Types + + +The following table shows the data types this configuration service provider supports. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
XML Data TypeNative Registry TypeXML Format

integer

REG_DWORD

Integer. A query of this parameter returns an integer type.

boolean

REG_DWORD

Integer value of 1 or 0. A query of this parameter returns an integer type.

float

REG_SZ

Float. A query of this parameter returns a string type.

string

REG_SZ

String. A query of this parameter returns a string type.

multiplestring

REG_MULTI_SZ

Multiple strings are separated by &#xF000; and ended with two &#xF000; - A query of this parameter returns a multistring type.

binary

REG_BINARY

Base64 encoded. A query of this parameter returns a binary type.

time

FILETIME in REG_BINARY

The time format conforms to the ISO8601 standard, with the date portion optional. If the date portion is omitted, also omit the "T" delimiter. A query of this parameter returns a binary type.

date

FILETIME in REG_BINARY

The date format conforms to the ISO8601 standard, with the time portion optional. If the time portion is omitted, also omit the "T" delimiter. A query of this parameter returns a binary type.

+ +  + +It is not possible to access registry keys nested under the current path by using the Registry configuration service provider. Instead, the values of the subkey must be accessed separately by using a new characteristic. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/registry-ddf-file.md b/windows/client-management/mdm/registry-ddf-file.md new file mode 100644 index 0000000000..5ee429e5ca --- /dev/null +++ b/windows/client-management/mdm/registry-ddf-file.md @@ -0,0 +1,127 @@ +--- +title: Registry DDF file +description: Registry DDF file +ms.assetid: 29b5cc07-f349-4567-8a77-387d816a9d15 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Registry DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **Registry** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +``` syntax + + 1.2 + + Registry + ./Vendor/MSFT + + + + + + + + + + + + + + The root node of registry + + + HKCR + + + + + + + + + + + + + + HK_CLASSES_ROOT portion of device registry. + + + + HKCU + + + + + + + + + + + + + + HK_CURRENT_USER portion of device registry. + + + + HKLM + + + + + + + + + + + + + + HK_LOCAL_MACHINE portion of device registry. + + + + HKU + + + + + + + + + + + + + + HK_USERS portion of device registry. + + + + +``` + +## Related topics + + +[Registry configuration service provider](registry-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/remotefind-csp.md b/windows/client-management/mdm/remotefind-csp.md new file mode 100644 index 0000000000..29447d3ed2 --- /dev/null +++ b/windows/client-management/mdm/remotefind-csp.md 
@@ -0,0 +1,176 @@ +--- +title: RemoteFind CSP +description: The RemoteFind configuration service provider retrieves the location information for a particular device. +ms.assetid: 2EB02824-65BF-4B40-A338-672D219AF5A0 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# RemoteFind CSP + + +The RemoteFind configuration service provider retrieves the location information for a particular device. + +The following diagram shows the RemoteFind configuration service provider management object in tree format as used by OMA Client Provisioning. + +![remotefind csp](images/provisioning-csp-remotefind.png) + +**DesiredAccuracy** +Optional. The node accepts the requested radius value in meters. Valid values for accuracy are any value between 1 and 1000 meters. + +The default value is 50. Replacing this value only replaces it for the current session. The value is not retained. + +Supported operations are Replace and Get. The Add command is not supported. + +**Timeout** +Optional. Value is DWORD in seconds. + +The default value is 7, and the range is 0 to 1800 seconds. Replacing this value only replaces it for the current session. The value is not retained. + +Supported operations are Replace and Get. The Add command is not supported. + +**MaximumAge** +Optional. The value represents the desired time window in minutes that the server will accept a successful location retrieval. The node enables the server to set the requested age value in 100 nanoseconds. Valid values for accuracy include any integer value between 0 and 1440 minutes. + +The default value is 60. Replacing this value only replaces it for the current session. The value is not retained. + +Supported operations are Replace and Get. The Add command is not supported. + +**Location** +Required. Nodes under this path must be queried atomically in order to succeed. This is to prevent servers from querying incomplete sets of data. + +**Latitude** +Required. 
Provides the latitude of the last successful remote find. + +The value returned is double. + +The default value is Null. + +Supported operation is Get. + +**Longitude** +Required. Provides the longitude of the last successful remote find. + +The value returned is double. + +The default value is Null. + +Supported operation is Get. + +**Altitude** +Required. Provides the altitude of the last successful remote find. + +The value returned is double. + +The default value is Null. + +Supported operation is Get. + +**Accuracy** +Required. Provides the accuracy in meters of the location fix of the last successful remote find. Values range from 0 – 1000 meters. + +The value returned is an integer. + +The default value is 0. + +Supported operation is Get. + +**AltitudeAccuracy** +Required. Provides the altitude accuracy in meters of the location fix of the last successful remote find. Values range from 0 – 1000 meters. + +The value returned is an integer. + +The default value is 0. + +Supported operation is Get. + +**Age** +Required. Provides the age in 100 nanoseconds for current location data. + +The value returned is an integer. + +The default value is 0. + +Supported operation is Get. + +## Examples + + +``` syntax + + + + 1 + + 10 + + 30 + + + ./Vendor/MSFT/RemoteFind/Location/Latitude + + + + + 40 + + + ./Vendor/MSFT/RemoteFind/Location/Longitude + + + + + 40 + + + ./Vendor/MSFT/RemoteFind/Location/Altitude + + + + + 45 + + + ./Vendor/MSFT/RemoteFind/Location/Accuracy + + + + + 50 + + + ./Vendor/MSFT/RemoteFind/Location/AltitudeAccuracy + + + + + 60 + + + ./Vendor/MSFT/RemoteFind/Location/Age + + + + + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/remotefind-ddf-file.md b/windows/client-management/mdm/remotefind-ddf-file.md new file mode 100644 index 0000000000..c30856f87d --- /dev/null 
+++ b/windows/client-management/mdm/remotefind-ddf-file.md 
@@ -0,0 +1,309 @@ +--- +title: RemoteFind DDF file +description: This topic shows the OMA DM device description framework (DDF) for the RemoteFind configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: 5864CBB8-2030-459E-BCF6-9ACB69206FEA +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# RemoteFind DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **RemoteFind** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + RemoteFind + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + DesiredAccuracy + + + + + + 50 + + + + + + + + + + + + + DesiredAccuracy + + text/plain + + + + + MaximumAge + + + + + + 60 + + + + + + + + + + + + + MaximumAge + + text/plain + + + + + Timeout + + + + + + 7 + + + + + + + + + + + + + Timeout + + text/plain + + + + + Location + + + + + + + + + + + + + + + + + Location + + + + + + Latitude + + + + + + + + + + + + + + + + + Latitude + + text/plain + + + + + Longitude + + + + + + + + + + + + + + + + + Longitude + + text/plain + + + + + Altitude + + + + + + + + + + + + + + + + + Altitude + + text/plain + + + + + Accuracy + + + + + + + + + + + + + + + + + Accuracy + + text/plain + + + + + AltitudeAccuracy + + + + + + + + + + + + + + + + + AltitudeAccuracy + + text/plain + + + + + Age + + + + + + + + + + + + + + + + Age + + text/plain + + + + + + +``` + +  + +  + + + + + + 
diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md
new file mode 100644
index 0000000000..1ac58b24af
--- /dev/null
+++ b/windows/client-management/mdm/remotelock-csp.md
@@ -0,0 +1,166 @@
+---
+title: RemoteLock CSP
+description: RemoteLock CSP
+ms.assetid: c7889331-5aa3-4efe-9a7e-20d3f433659b
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# RemoteLock CSP
+
+
+The RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
+
+> [!Note]
+> The RemoteLock CSP is only supported in Windows 10 Mobile.
+
+ 
+The following diagram shows the RemoteLock configuration service provider in a tree format.
+
+![provisioning\-csp\-remotelock](images/provisioning-csp-remotelock.png)
+
+**./Vendor/MSFT/RemoteLock**
+

Defines the root node for the RemoteLock configuration service provider.

+ +**Lock** +Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed [here](http://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification. The supported operations are Get and Exec. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
StatusDescriptionMeaning [Standard]

(200) OK

The device was successfully locked.

The command and the associated Alert action are completed successfully.

(405)

The device could not be locked because there is no PIN currently set on the device.

The requested command is not allowed on the target.

(500) Command failed

The device was not locked for some unknown reason.

Non-specific errors were created by the recipient while attempting to complete the command.

+ +  + +**LockAndResetPIN** +This setting can be used to lock and reset the PIN on the device. It is used in conjunction with the NewPINValue node. After the **Exec** operation is called successfully on this node, the previous PIN will no longer work and cannot be recovered. The supported operation is Exec. + +This node will return the following status. All OMA DM errors are listed [here](http://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification. + + +++++ + + + + + + + + + + + + + + + + + + + +
StatusDescriptionMeaning

(200) OK

The device has been locked with a new password which has been reset.

The command and the associated Alert action are completed successfully.

(500) Command failed

N/A

Non-specific errors were created by the recipient while attempting to complete the command.

+
+**LockAndRecoverPIN**
+Added in Windows 10, version 1703. This setting performs a similar function to the LockAndResetPIN node. With LockAndResetPIN any Windows Hello keys associated with the PIN gets deleted, but with LockAndRecoverPIN those keys are saved. After the Exec operation is called successfully on this setting, the new PIN can be retrieved from the NewPINValue setting. The previous PIN will no longer work.
+
+Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the [EnablePinRecovery](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/passportforwork-csp#tenantid-policies-enablepinrecovery) policy is set on the client.
+
+
+**NewPINValue**
+This setting contains the PIN after Exec has been called on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin. If LockAndResetPIN or LockAndResetPIN has never been called, the value will be null. If Get is called on this node after a successful Exec call on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin, then the new PIN will be provided. If another Get command is called on this node, the value will be null. If you need to reset the PIN again, then another LockAndResetPIN Exec can be communicated to the device to generate a new PIN. The PIN value will conform to the minimum PIN complexity requirements of the merged policies that are set on the device. If no PIN policy has been set on the device, the generated PIN will conform to the default policy of the device.
+
+The data type returned is a string.
+
+The supported operation is Get.
+
+A Get operation on this node must follow an Exec operation on the /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin node in the proper order and in the same SyncML message. The Sequence tag can be used to guarantee the order in which commands are processed.
+
+## Examples
+
+
+Initiate a remote lock of the device. 
+
+``` syntax
+
+ 1
+
+
+ ./Vendor/MSFT/RemoteLock/Lock
+
+
+
+```
+
+Initiate a remote lock and PIN reset of the device. To successfully retrieve the new device-generated PIN, the commands must be executed together and in the proper sequence as shown below.
+
+``` syntax
+
+ 1
+
+ 2
+
+
+ ./Vendor/MSFT/RemoteLock/LockAndResetPIN
+
+
+
+
+ 3
+
+
+ ./Vendor/MSFT/RemoteLock/NewPINValue
+
+
+
+
+```
+
+
+## Related topics
+
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/remotelock-ddf-file.md b/windows/client-management/mdm/remotelock-ddf-file.md
new file mode 100644
index 0000000000..1f09e6508c
--- /dev/null
+++ b/windows/client-management/mdm/remotelock-ddf-file.md
@@ -0,0 +1,153 @@ +--- +title: RemoteLock DDF file +description: RemoteLock DDF file +ms.assetid: A301AE26-1BF1-4328-99AB-1ABBA4960797 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# RemoteLock DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **RemoteLock** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + + +]> + + 1.2 + + RemoteLock + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + Lock + + + + + + + + + + + + + + + + text/plain + + + + + LockAndResetPIN + + + + + + + + + + + + + + + + text/plain + + + + + LockAndRecoverPIN + + + + + + + + + + + + + + + + text/plain + + + + + NewPINValue + + + + + + + + + + + + + + + text/plain + + + + + +``` + +## Related topics + + +[RemoteLock configuration service provider](remotelock-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md new file mode 100644 index 0000000000..4f16070cb7 --- /dev/null +++ b/windows/client-management/mdm/remotering-csp.md 
@@ -0,0 +1,50 @@
+---
+title: RemoteRing CSP
+description: RemoteRing CSP
+ms.assetid: 70015243-c07f-46cb-a0f9-4b4ad13a5609
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# RemoteRing CSP
+
+
+The RemoteRing configuration service provider can be used to remotely trigger a device to produce an audible ringing sound regardless of the volume that is set on the device.
+
+The following diagram shows the RemoteRing configuration service provider in tree format.
+
+![provisioning\-csp\-remotering](images/provisioning-csp-remotering.png)
+
+**Ring**
+Required. The node accepts requests to ring the device.
+
+The supported operation is Exec.
+
+## Examples
+
+
+The following sample shows how to initiate a remote ring on the device.
+
+``` syntax
+
+ 5
+
+
+ ./Vendor/MSFT/RemoteRing/Ring
+
+
+
+```
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/remotering-ddf-file.md b/windows/client-management/mdm/remotering-ddf-file.md
new file mode 100644
index 0000000000..8d690e645e
--- /dev/null
+++ b/windows/client-management/mdm/remotering-ddf-file.md
@@ -0,0 +1,105 @@ +--- +title: RemoteRing DDF file +description: This topic shows the OMA DM device description framework (DDF) for the RemoteRing configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: 6815267F-212B-4370-8B72-A457E8000F7B +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# RemoteRing DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **RemoteRing** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + RemoteRing + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + + Ring + + + + + Required. The node accepts requests to ring the device. The supported operation is Exec + + + + + + + + + + + text/plain + + + + + + Root + ./Device/Vendor/MSFT + + + + + + + + + + + + + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md new file mode 100644 index 0000000000..81a742eab8 --- /dev/null +++ b/windows/client-management/mdm/remotewipe-csp.md 
@@ -0,0 +1,68 @@
+---
+title: RemoteWipe CSP
+description: RemoteWipe CSP
+ms.assetid: 6e89bd37-7680-4940-8a67-11ed062ffb70
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# RemoteWipe CSP
+
+
+The RemoteWipe configuration service provider can be used by mobile operators DM server or enterprise management server to remotely wipe a device. The RemoteWipe configuration service provider can make the data stored in memory and hard disks difficult to recover if the device is remotely wiped after being lost or stolen.
+
+The following diagram shows the RemoteWipe configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. Enterprise IT Professionals can update these settings by using the Exchange Server.
+
+![remotewipe csp (dm,cp)](images/provisioning-csp-remotewipe-dmandcp.png)
+
+**doWipe**
+Specifies that a remote wipe of the device should be performed. The return status code indicates whether the device accepted the Exec command.
+
+When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
+
+Supported operation is Exec.
+
+**doWipePersistProvisionedData**
+Specifies that provisioning data should be backed up to a persistent location, and then a remote wipe of the device should be performed.
+
+Supported operation is Exec.
+
+When used with OMA Client Provisioning, a dummy value of "1" should be included for this element.
+
+The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command.
+
+**doWipeProtected**
+Added in Windows 10, version 1703. Exec on this node performs a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code indicates whether the device accepted the Exec command. 
+
+The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which can be easily circumvented by simply power cycling the device, doWipeProtected will keep trying to reset the device until it’s done.
+
+Supported operation is Exec.
+
+## The Remote Wipe Process
+
+
+The remote wipe command is sent as an XML provisioning file to the device. Since the RemoteWipe Configuration Service Provider uses OMA DM and WAP, authentication between client and server and delivery of the XML provisioning file is handled by provisioning.
+
+In Windows 10 Mobile, the remote wipe command is implemented on the device by using the **ResetPhone** function. On the desktop, the remote wipe triggers the **Reset this PC** functionality with the **Remove everything** option.
+
+> **Note**  On the desktop, the remote wipe effectively performs a factory reset and the PC does not retain any information about the command once the wipe completes. Any response from the device about the actual status or result of the command may be inconsistent and unreliable because the MDM information has been removed.
+
+ 
+
+## Related topics
+
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md
new file mode 100644
index 0000000000..fa91cdb835
--- /dev/null
+++ b/windows/client-management/mdm/remotewipe-ddf-file.md
@@ -0,0 +1,127 @@ +--- +title: RemoteWipe DDF file +description: RemoteWipe DDF file +ms.assetid: 10ec4fb7-f911-4d0c-9a8f-e96bf5faea0c +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# RemoteWipe DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **RemoteWipe** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). + +``` syntax + +]> + + 1.2 + + RemoteWipe + ./Vendor/MSFT + + + + + + + + + + + + + + + + + The root node for remote wipe function. + + + doWipe + + + + + + + + + + + + + + + text/plain + + Exec on this node will perform a remote wipe on the device. The return status code shows whether the device accepted the Exec command. + + + + doWipePersistProvisionedData + + + + + + + + + + + + + + + text/plain + + Exec on this node will back up provisioning data to a persistent location and perform a remote wipe on the device. The information that was backed up will be restored and applied to the device when it resumes. The return status code shows whether the device accepted the Exec command. + + + + doWipeProtected + + + + + + + + + + + + + + + text/plain + + Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command. + + + + +``` + +## Related topics + + +[RemoteWipe configuration service provider](remotewipe-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md new file mode 100644 index 0000000000..83d3d3f5b5 --- /dev/null +++ b/windows/client-management/mdm/reporting-csp.md 
@@ -0,0 +1,160 @@ +--- +title: Reporting CSP +description: The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. +ms.assetid: 148441A6-D9E1-43D8-ADEE-FB62E85A39F7 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Reporting CSP + + +The Reporting configuration service provider is used to retrieve Windows Information Protection (formerly known as Enterprise Data Protection) and security auditing logs. This CSP was added in Windows 10, version 1511. + +The following diagram shows the Reporting configuration service provider in tree format. + +![reporting csp diagram](images/provisioning-csp-reporting.png) + +**Reporting** +Root node. + +**Reporting/EnterpriseDataProtection** +Interior node for retrieving the Windows Information Protection (formerly known as Enterprise Data Protection) logs. + +**Reporting/SecurityAuditing** (for mobile only) +Interior node for retrieving the security auditing logs. This node is only for mobile devices. + +**RetrieveByTimeRange** +Returns the logs that exist within the StartTime and StopTime. The StartTime and StopTime are expressed in ISO 8601 format. If the StartTime and StopTime are not specified, then the values are interpreted as either first existing or last existing time. + +Here are the other possible scenarios: + +- If the StartTime and StopTime are not specified, then it returns all existing logs. +- If the StopTime is specified, but the StartTime is not specified, then all logs that exist before the StopTime are returned. +- If the StartTime is specified, but the StopTime is not specified, then all that logs that exist from the StartTime are returned. + +**RetrieveByCount** +Interior node for retrieving a specified number of logs from the StartTime. The StartTime is expressed in ISO 8601 format. 
You can set the number of logs required by setting LogCount and StartTime. It returns the specified number of log or less, if the total number logs is less than LogCount. + +**Logs** +Contains the reporting logs. + +Value type is XML. + +Supported operations is Get. + +**StartTime** +Specifies the starting time for retrieving logs. + +Value type is string. Use ISO 8601 format. + +Supported operations are Get and Replace. + +**StopTime** +Specifies the ending time for retrieving logs. + +Value type is string. Use ISO 8601 format. + +Supported operations are Get and Replace. + +**Type** +Added in Windows 10, version 1703. Specifies the type of logs to retrieve. You can use this to retrieve the WIP learning logs. + +Value type is integer. + +Supported operations are Get and Replace. + +**LogCount** +Specifies the number of logs to retrieve from the StartTime. + +Value type is int. + +Supported operations are Get and Replace. + +## Examples + +Retrieve all available Windows Information Protection (formerly known as Enterprise Data Protection) logs starting from the specified StartTime. + +``` syntax + + + + 2 + + ./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/StartTime + 2012-11-30T01:48:14.233Z + + + + 4 + + ./Vendor/MSFT/Reporting/EnterpriseDataProtection/RetrieveByTimeRange/Logs + + + + + +``` + +Retrieve a specified number of security auditing logs starting from the specified StartTime. + +``` syntax + + + + 1 + + + + ./Vendor/MSFT/Reporting/SecurityAuditing/RetrieveByCount/LogCount + + + + int + text/plain + + 10 + + + + 2 + + + + ./Vendor/MSFT/Reporting/SecurityAuditing/RetrieveByCount/StartTime + + + + chr + text/plain + + 2015-08-12T08:15:30:27 + + + + 3 + + + + ./Vendor/MSFT/Reporting/SecurityAuditing/RetrieveByCount/Logs + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/reporting-ddf-file.md b/windows/client-management/mdm/reporting-ddf-file.md new file mode 100644 index 0000000000..ff3de3aab3 
--- /dev/null
+++ b/windows/client-management/mdm/reporting-ddf-file.md
@@ -0,0 +1,298 @@ +--- +title: Reporting DDF file +description: This topic shows the OMA DM device description framework (DDF) for the Reporting configuration service provider. This CSP was added in Windows 10, version 1511. Support for desktop security auditing was added for the desktop in Windows 10, version 1607. +ms.assetid: 7A5B79DB-9571-4F7C-ABED-D79CD08C1E35 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Reporting DDF file + + +This topic shows the OMA DM device description framework (DDF) for the Reporting configuration service provider. This CSP was added in Windows 10, version 1511. Support for desktop security auditing was added for the desktop in Windows 10, version 1607. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for the desktop CSP. + +``` syntax + +]> + + 1.2 + + Reporting + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/2.0/MDM/Reporting + + + + EnterpriseDataProtection + + + + + + + + + + + + + + + + + + + RetrieveByTimeRange + + + + + A time range is supported by setting a start and stop time in ISO 8601 format. If the start/stop value is not preset and a GetValue is called to RetrieveByTimeRange then the missing values will be interpreted as either the first existing or the last existing. For example, not setting a start date and setting an end date will return all known logs that exist before the end date. Setting a start date but not an end date will return all the logs that exist from the start date. Not setting a start and end date will return all logs. 
+ + + + + + + + + + + + + + + Logs + + + + + + + + + + + + + + + text/plain + + + + + StartTime + + + + + + Use ISO 8601 format. + + + + + + + + + + + text/plain + + + + + StopTime + + + + + + Use ISO 8601 format. + + + + + + + + + + + text/plain + + + + + Type + + + + + + 0 + Specifies the type of logs to retrieve + + + + + + + + + + + text/plain + + + + + + RetrieveByCount + + + + + The count range will return the configured number of logs starting from the StartTime value. The start time is expressed in ISO8601 formt. The caller will configure the number of desired logs by calling set on the LogCount and StartTime, then retrieve the logs by calling get on Logs node. The call will return the number of desired logs or less if the total number of logs are less than the desired number of logs. The logs are returned from StartTime forward. + + + + + + + + + + + + + + + Logs + + + + + + + + + + + + + + + text/plain + + + + + LogCount + + + + + + + + + + + + + + + + text/plain + + + + + StartTime + + + + + + Use ISO 8601 format. + + + + + + + + + + + text/plain + + + + + Type + + + + + + 0 + Specifies the type of logs to retrieve + + + + + + + + + + + text/plain + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md new file mode 100644 index 0000000000..87ad349555 --- /dev/null +++ b/windows/client-management/mdm/rest-api-reference-windows-store-for-business.md 
@@ -0,0 +1,69 @@
+---
+title: REST API reference for Windows Store for Business
+description: REST API reference for Windows Store for Business
+MS-HAID:
+- 'p\_phdevicemgmt.business\_store\_portal\_management\_rest\_api\_reference'
+- 'p\_phDeviceMgmt.rest\_api\_reference\_windows\_store\_for\_Business'
+ms.assetid: 8C48A879-525A-471F-B0FD-506E743A7D2F
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# REST API reference for Windows Store for Business
+
+Here's the list of available operations:
+
+- [Get Inventory](get-inventory.md)
+- [Get product details](get-product-details.md)
+- [Get localized product details](get-localized-product-details.md)
+- [Get offline license](get-offline-license.md)
+- [Get product packages](get-product-packages.md)
+- [Get product package](get-product-package.md)
+- [Get seats](get-seats.md)
+- [Get seat](get-seat.md)
+- [Assign seats](assign-seats.md)
+- [Reclaim seat from user](reclaim-seat-from-user.md)
+- [Bulk assign and reclaim seats for users](bulk-assign-and-reclaim-seats-from-user.md)
+- [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
+
+Here's the list of data structures:
+
+- [AlternateIdentifier](data-structures-windows-store-for-business.md#alternateidentifier)
+- [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset)
+- [FailedSeatRequest](data-structures-windows-store-for-business.md#failedseatrequest)
+- [FrameworkPackageDetails](data-structures-windows-store-for-business.md#frameworkpackagedetails)
+- [InventoryDistributionPolicy](data-structures-windows-store-for-business.md#inventorydistributionpolicy)
+- [InventoryEntryDetails](data-structures-windows-store-for-business.md#inventoryentrydetails)
+- [InventoryResultSet](data-structures-windows-store-for-business.md#inventoryresultset)
+- [InventoryStatus](data-structures-windows-store-for-business.md#inventorystatus)
+- [LicenseType](data-structures-windows-store-for-business.md#licensetype)
+- [LocalizedProductDetail](data-structures-windows-store-for-business.md#localizedproductdetail)
+- [OfflineLicense](data-structures-windows-store-for-business.md#offlinelicense)
+- [PackageLocation](data-structures-windows-store-for-business.md#packagelocation)
+- [ProductArchitectures](data-structures-windows-store-for-business.md#productarchitectures)
+- [ProductDetails](data-structures-windows-store-for-business.md#productdetails)
+- [ProductImage](data-structures-windows-store-for-business.md#productimage)
+- [ProductKey](data-structures-windows-store-for-business.md#productkey)
+- [ProductPackageDetails](data-structures-windows-store-for-business.md#productpackagedetails)
+- [ProductPackageFormat](data-structures-windows-store-for-business.md#productpackageformat)
+- [ProductPackageSet](data-structures-windows-store-for-business.md#productpackageset)
+- [ProductPlatform](data-structures-windows-store-for-business.md#productplatform)
+- [PublisherDetails](data-structures-windows-store-for-business.md#publisherdetails)
+- [SeatAction](data-structures-windows-store-for-business.md#seataction)
+- [SeatDetails](data-structures-windows-store-for-business.md#seatdetails)
+- [SeatDetailsResultSet](data-structures-windows-store-for-business.md#seatdetailsresultset)
+- [SeatState](data-structures-windows-store-for-business.md#seatstate)
+- [SupportedProductPlatform](data-structures-windows-store-for-business.md#supportedproductplatform)
+- [VersionInfo](data-structures-windows-store-for-business.md#versioninfo)
+
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md
new file mode 100644
index 0000000000..ae0852dd78
--- /dev/null
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@@ -0,0 +1,93 @@
+---
+title: RootCATrustedCertificates CSP
+description: RootCATrustedCertificates CSP
+ms.assetid: F2F25DEB-9DB3-40FB-BC3C-B816CE470D61
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# RootCATrustedCertificates CSP
+
+The RootCATrustedCertificates configuration service provider enables the enterprise to set the Root Certificate Authority (CA) certificates.
+
+> [!Note]
+> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**.
+
+ 
+The following image shows the RootCATrustedCertificates configuration service provider in tree format.
+
+![roocacertificate](images/provisioning-csp-rootcacertificate.png)
+
+**Device or User**
+For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path.
+
+**RootCATrustedCertificates**
+The root node for the RootCATrustedCertificates configuration service provider.
+
+**RootCATrustedCertificates/Root/**
+Defines the certificate store that contains root, or self-signed certificates, in this case, the computer store.
+
+> [!Note]
+> The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**.
+
+ 
+**RootCATrustedCertificates/CA**
+Node for CA certificates.
+
+**RootCATrustedCertificates/TrustedPublisher**
+Node for trusted publisher certificates.
+
+**RootCATrustedCertificates/TrustedPeople**
+Node for trusted people certificates.
+
+**_CertHash_**
+Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
+
+The supported operations are Get and Delete.
+
+**/EncodedCertificate**
+Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.
+
+The supported operations are Add, Get, and Replace.
+
+**/IssuedBy**
+Returns the name of the certificate issuer. This is equivalent to the **Issuer** member in the CERT\_INFO data structure.
+
+The only supported operation is Get.
+
+**/IssuedTo**
+Returns the name of the certificate subject. This is equivalent to the **Subject** member in the CERT\_INFO data structure.
+
+The only supported operation is Get.
+
+**/ValidFrom**
+Returns the starting date of the certificate's validity. This is equivalent to the **NotBefore** member in the CERT\_INFO data structure.
+
+The only supported operation is Get.
+
+**/ValidTo**
+Returns the expiration date of the certificate. This is equivalent to the **NotAfter** member in the CERT\_INFO data structure.
+
+The only supported operation is Get.
+
+**/TemplateName**
+Returns the certificate template name.
+
+The only supported operation is Get.
+
+## Related topics
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/rootcacertificates-ddf-file.md b/windows/client-management/mdm/rootcacertificates-ddf-file.md
new file mode 100644
index 0000000000..e825e38ead
--- /dev/null
+++ b/windows/client-management/mdm/rootcacertificates-ddf-file.md
@@ -0,0 +1,833 @@ +--- +title: RootCATrustedCertificates DDF file +description: RootCATrustedCertificates DDF file +ms.assetid: 06D8787B-D3E1-4D4B-8A21-8045A8F85C1C +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# RootCATrustedCertificates DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **RootCACertificates** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + RootCATrustedCertificates + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + Root + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + text/plain + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. 
Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. Supported operation is Get. + + + + + + + + + + + + + + text/plain + + + + + + + CA + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + text/plain + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + text/plain + + + + + + + TrustedPublisher + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. 
The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + text/plain + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + text/plain + + + + + + + TrustedPeople + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value + + + + + + + + + + + + + CertHash + + + + + + EncodedCertificate + + + + + + + Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. + + + + + + + + + + + + + + text/plain + + + + + IssuedBy + + + + + Returns the name of the certificate issuer. This is equivalent to the Issuer member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + IssuedTo + + + + + Returns the name of the certificate subject. 
This is equivalent to the Subject member in the CERT_INFO data structure. + + + + + + + + + + + + + + text/plain + + + + + ValidFrom + + + + + Returns the starting date of the certificate's validity. This is equivalent to the NotBefore member in the CERT_INFO structure. + + + + + + + + + + + + + + text/plain + + + + + ValidTo + + + + + Returns the expiration date of the certificate. This is equivalent to the NotAfter member in the CERT_INFO structure + + + + + + + + + + + + + + text/plain + + + + + TemplateName + + + + + Returns the certificate template name. + + + + + + + + + + + + + + text/plain + + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md b/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md new file mode 100644 index 0000000000..8ab213e4cf --- /dev/null +++ b/windows/client-management/mdm/samples-for-writing-a-custom-configuration-service-provider.md 
@@ -0,0 +1,48 @@
+---
+title: Samples for writing a custom configuration service provider
+description: Samples for writing a custom configuration service provider
+ms.assetid: ccda4d62-7ce1-483b-912f-25d50c974270
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Samples for writing a custom configuration service provider
+
+The following example shows how to retrieve Integrated Circuit Card Identifier (ICCID) and International Mobile Subscriber Identity (IMSI) for a dual SIM phone.
+
+## Retrieving ICCID and IMSI for a dual SIM phone
+
+The following sample is used in the [IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md) method implementation. It first retrieves the IConfigSession2 object, and then queries the ICCID with the IConfigSession2::GetSessionVariable method. To retrieve the IMSI, replace L”ICCID” with L”IMSI”.
+
+``` syntax
+case CFGMGR_NOTIFICATION_SETSESSIONOBJ:
+ if (NULL != lpParam)
+ {
+ m_pSession = reinterpret_cast(lpParam);
+        m_pSession->AddRef();
+    }
+
+    bstrContext = SysAllocString(L"ICCID");
+    if (NULL == bstrContext)
+    {
+    hr = E_OUTOFMEMORY;
+    goto Error;
+    }
+
+    hr = m_pSession->GetSessionVariable(bstrContext, &varValue);
+    if (FAILED(hr))
+    {
+     goto Error;
+    }
+    break;
+```
+
+ 
+
+
+
+
+
diff --git a/windows/client-management/mdm/secureassessment-csp.md b/windows/client-management/mdm/secureassessment-csp.md
new file mode 100644
index 0000000000..8f671e0d21
--- /dev/null
+++ b/windows/client-management/mdm/secureassessment-csp.md
@@ -0,0 +1,68 @@
+---
+title: SecureAssessment CSP
+description: SecureAssessment CSP
+ms.assetid: 6808BE4B-961E-4638-BF15-FD7841D1C00A
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# SecureAssessment CSP
+
+The SecureAssessment configuration service provider is used to provide configuration information for the secure assessment browser.
+
+The following diagram shows the SecureAssessment configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
+
+![secureassessment](images/secureassessment-csp.png)
+
+**./Vendor/MSFT/SecureAssessment**
+The root node for the SecureAssessment configuration service provider.
+
+The supported operation is Get.
+
+**LaunchURI**
+URI Link to an assessment that's automatically loaded when the secure assessment browser is launched.
+
+The supported operations are Add, Delete, Get, and Replace.
+
+**TesterAccount**
+The user name of the test taking account.
+
+- To specify a domain account, use domain\\user.
+- To specify an AAD account, use username@tenant.com.
+- To specify a local account, use the username.
+
+The supported operations are Add, Delete, Get, and Replace.
+
+**AllowScreenMonitoring**
+Added in Windows 10, version 1703. Boolean value that indicates whether screen capture is allowed by the app.
+
+Supported operations are Get and Replace.
+
+**RequirePrinting**
+Added in Windows 10, version 1703. Boolean value that indicates whether printing is allowed by the app.
+
+Supported operations are Get and Replace.
+
+**AllowTextSuggestions**
+Added in Windows 10, version 1703. Boolean value that indicates whether keyboard text suggestions are allowed by the app.
+
+Supported operations are Get and Replace.
+
+## Related topics
+
+[Set up Take a Test on multiple PCs](https://technet.microsoft.com/en-us/edu/windows/take-a-test-multiple-pcs)
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/secureassessment-ddf-file.md b/windows/client-management/mdm/secureassessment-ddf-file.md
new file mode 100644
index 0000000000..57601f53e0
@@ -0,0 +1,195 @@ +--- +title: SecureAssessment DDF file +description: This topic shows the OMA DM device description framework (DDF) for the SecureAssessment configuration service provider. DDF files are used only with OMA DM provisioning XML. +ms.assetid: 68D17F2A-FAEA-4608-8727-DBEC1D7BE48A +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# SecureAssessment DDF file + +This topic shows the OMA DM device description framework (DDF) for the **SecureAssessment** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + SecureAssessment + ./Vendor/MSFT + + + + + Settings related to the configuration of the Secure Assessment Browser. + + + + + + + + + + + com.microsoft/1.1/MDM/SecureAssessment + + + + LaunchURI + + + + + + + + Link to an assessment that's automatically loaded when the Secure Assessment Browser is launched. + + + + + + + + + + + + + + text/plain + + + + + TesterAccount + + + + + + + + The user name of the test taking account. To specify a domain account, use domain\user. To specify an AAD account, use username@tenant.com. To specify a local account, use the username. + + + + + + + + + + + + + + text/plain + + + + + AllowScreenMonitoring + + + + + + false + Indicates if screen monitoring is allowed by the app. + + + + + + + + + + + + + + text/plain + + + + + RequirePrinting + + + + + + false + Indicates if printing is required by the app. 
+ + + + + + + + + + + + + + text/plain + + + + + AllowTextSuggestions + + + + + + false + Indicates if keyboard text suggestions are allowed by the app. + + + + + + + + + + + + + + text/plain + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md new file mode 100644 index 0000000000..28e87b7c43 --- /dev/null +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -0,0 +1,305 @@ +--- +title: SecurityPolicy CSP +description: SecurityPolicy CSP +ms.assetid: 6014f8fe-f91b-49f3-a357-bdf625545bc9 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# SecurityPolicy CSP + + +The SecurityPolicy configuration service provider is used to configure security policy settings for WAP push, OMA Client Provisioning, OMA DM, Service Indication (SI), Service Loading (SL), and MMS. + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_SECURITY\_POLICIES capabilities to be accessed from a network configuration application. + +  + +For the SecurityPolicy CSP, you cannot use the Replace command unless the node already exists. + +The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. + +![securitypolicy csp (dm,cp)](images/provisioning-csp-securitypolicy-dmandcp.png) + +***PolicyID*** +Defines the security policy identifier as a decimal value. + +The following security policies are supported. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PolicyIDPolicy namePolicy description

4104

+

Hex:1008

TPS Policy

This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.

+

Default value: 1

+

Supported values:

+

0: The TPS role assignment is disabled.

+

1: The TPS role assignment is enabled, and can be assigned to mobile operators.

4105

+

Hex:1009

Message Authentication Retry Policy

This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.

+

Default value: 3

+

Possible values: 0 through 256.

4108

+

Hex:100c

Service Loading Policy

This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.

+

Default value: 256 (SECROLE_KNOWN_PPG)

+

Supported values: SECROLE_ANY_PUSH_SOURCE, SECROLE_KNOWN_PPG

+

4109

+

Hex:100d

Service Indication Policy

This setting indicates whether SI messages are accepted, by specifying the security roles that can accept SI messages. An SI message is sent to the device to notify users of new services, service updates, and provisioning services.

+

Default value: 256 (SECROLE_KNOWN_PPG)

+

Supported values: SECROLE_ANY_PUSH_SOURCE, SECROLE_KNOWN_PPG

4111

+

Hex:100f

OTA Provisioning Policy

This setting determines whether PIN signed OMA Client Provisioning messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the following roles in the role mask, then the message is processed. To ensure properly signed OMA Client Provisioning messages are accepted by the configuration client, all of the roles that are set in 4141, 4142, and 4143 policies must also be set in this policy. For example, to ensure properly signed USERNETWPIN signed OMA Client Provisioning messages are accepted by the device, if policy 4143 is set to 4096 (SECROLE_ANY_PUSH_SOURCE) for an carrier-unlocked device, policy 4111 must also have the SECROLE_ANY_PUSH_SOURCE role set.

+

Default value: 384 (SECROLE_OPERATOR_TPS | SECROLE_KNOWN_PPG)

+

Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE, SECROLE_OPERATOR_TPS

+

4113

+

Hex:1011

WSP Push Policy

This setting indicates whether Wireless Session Protocol (WSP) notifications from the WAP stack are routed.

+

Default value: 1

+

Supported values:

+

0: Routing of WSP notifications is not allowed.

+

1: Routing of WSP notifications is allowed.

4132

+

Hex:1024

Network PIN signed OTA Provision Message User Prompt Policy

This policy specifies whether the device will prompt a UI to get the user confirmation before processing a pure network pin signed OTA Provisioning message. If prompt, the user has the ability to discard the OTA provisioning message.

+

Default value: 0

+

Supported values:

+

0: The device prompts a UI to get user confirmation when the OTA WAP provisioning message is signed purely with network pin.

+

1: There is no user prompt.

4141

+

Hex:102d

OMA CP NETWPIN Policy

This setting determines whether the OMA network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

+

Default value: 0

+

Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE , SECROLE_OPERATOR_TPS

+

4142

+

Hex:102e

OMA CP USERPIN Policy

This setting determines whether the OMA user PIN or user MAC signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

+

Default value: 256

+

Supported values: SECROLE_OPERATOR_TPS, SECROLE_ANY_PUSH_SOURCE, SECROLE_KNOWN_PPG

4143

+

Hex:102f

OMA CP USERNETWPIN Policy

This setting determines whether the OMA user network PIN signed message will be accepted. The message's role mask and the policy's role mask are combined using the AND operator. If the result is non-zero, then the message is accepted.

+

Default value: 256

+

Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE, SECROLE_OPERATOR_TPS

+

4144

+

Hex:1030

MMS Message Policy

This setting determines whether MMS messages will be processed. This policy's value specifies a role mask. If a message contains at least one of the roles in the role mask, then the message is processed.

+

Default value: 256 (SECROLE_KNOWN_PPG)

+

Supported values: SECROLE_KNOWN_PPG, SECROLE_ANY_PUSH_SOURCE

+ +  + +## Remarks + + +Security roles allow or restrict access to device resources. The security role is based on the message origin and how the message is signed. You can assign multiple roles to a message in the security policy XML document by combining the decimal values of the roles that you want to assign. For example, to assign both the SECROLE\_KNOWN\_PPG and SECROLE\_OPERATOR\_TPS roles, use the decimal value 384 (256+128). + +The following security roles are supported. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + +
Security roleDecimal valueDescription

SECROLE_OPERATOR_TPS

128

Trusted Provisioning Server.

+

Assigned to WAP messages that come from a Push Initiator that is authenticated (SECROLE_PPG_AUTH) by a trusted Push Proxy Gateway (SECROLE_TRUSTED_PPG), and where the Uniform Resource Identifier (URI) of the Push Initiator corresponds to the URI of the Trusted Provisioning Server (TPS) on the device.

+

The mobile operator can determine whether this role and the SECROLE_OPERATOR role require the same permissions.

SECROLE_KNOWN_PPG

256

Known Push Proxy Gateway.

+

Messages assigned this role indicate that the device knows the address to the Push Proxy Gateway.

SECROLE_ANY_PUSH_SOURCE

4096

Push Router.

+

Messages received by the push router will be assigned to this role.

+ +  + +## OMA Client Provisioning examples + + +Setting a security policy: + +``` syntax + + + + + +``` + +Querying a security policy: + +``` syntax + + + + + +``` + +## OMA DM examples + + +Setting a security policy: + +``` syntax + + + … + + + + 1 + + ./Vendor/MSFT/SecurityPolicy/4141 + + int + + 0 + + + + + +``` + +Querying a security policy: + +``` syntax + + + … + + + + 1 + + ./Vendor/MSFT/SecurityPolicy/4141 + + + + + +``` + +## Microsoft Custom Elements + + +The following table shows the Microsoft custom elements that this Configuration Service Provider supports for OMA Client Provisioning. + + ++++ + + + + + + + + + + + + + + + + +
ElementsAvailable

parm-query

Yes

noparm

Yes. If this is used, then the policy is set to 0 by default (corresponding to the most restrictive of policy values).

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/server-requirements-windows-mdm.md b/windows/client-management/mdm/server-requirements-windows-mdm.md new file mode 100644 index 0000000000..0ced05ef07 --- /dev/null +++ b/windows/client-management/mdm/server-requirements-windows-mdm.md 
@@ -0,0 +1,38 @@ +--- +title: Server requirements for using OMA DM to manage Windows devices +description: Server requirements for using OMA DM to manage Windows devices +MS-HAID: +- 'p\_phDeviceMgmt.server\_requirements\_for\_oma\_dm' +- 'p\_phDeviceMgmt.server\_requirements\_windows\_mdm' +ms.assetid: 5b90b631-62a6-4949-b53a-01275fd304b2 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Server requirements for using OMA DM to manage Windows devices + +The following list shows the general server requirements for using OMA DM to manage Windows devices: + +- The OMA DM server must support the OMA DM v1.1.2 or later protocol. + +- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity check, and data encryption. If the certificate is not issued by a commercial Certification Authority whose root certificate is pre-installed in the device, you must provision the enterprise root certificate in the device's Root store. + +- To authenticate the client at the application level, you must use either Basic or MD5 client authentication. + +- The server MD5 nonce must be renewed in each DM session. The DM client sends the new server nonce for the next session to the server over the Status element in every DM session. + +- The MD5 binary nonce is send over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash. + + For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900). + +- The server must support HTTPS. + +  + + + + + diff --git a/windows/client-management/mdm/sharedpc-csp.md b/windows/client-management/mdm/sharedpc-csp.md new file mode 100644 index 0000000000..e8b16b4a18 
--- /dev/null
+++ b/windows/client-management/mdm/sharedpc-csp.md
@@ -0,0 +1,200 @@ +--- +title: SharedPC CSP +description: SharedPC CSP +ms.assetid: 31273166-1A1E-4F96-B176-CB42ECB80957 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# SharedPC CSP + + +The SharedPC configuration service provider is used to configure settings for Shared PC usage. + +The following diagram shows the SharedPC configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. + +![sharedpc](images/sharedpc-csp.png) + +**./Vendor/MSFT/SharedPC** +The root node for the SharedPC configuration service provider. + +The supported operation is Get. + +**EnableSharedPCMode** +A boolean value that specifies whether Shared PC mode is enabled. + +The supported operations are Get and Replace. + +Setting this value to True triggers the action to configure a device to Shared PC mode. + +The default value is False. + +**SetEduPolicies** +A boolean value that specifies whether the policies for education environment are enabled. Setting this value to true triggers the action to configure a device as education environment. + +The supported operations are Get and Replace. + +The default value changed to false in Windows 10, version 1703. This node needs to be configured independent of EnableSharedPCMode. In Windows 10, version 1607, the default value is true and education environment is automatically configured when SharedPC mode is configured. + +**SetPowerPolicies** +Optional. A boolean value that specifies that the power policies should be set when configuring SharedPC mode. + +> [!Note] +> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. + +The supported operations are Get and Replace. + +The default value is True. + +**MaintenanceStartTime** +Optional. An integer value that specifies the daily start time of maintenance hour. Given in minutes from midnight. 
The range is 0-1440. + +> [!Note] +>  If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. + +The supported operations are Get and Replace. + +The default value is 0 (12 AM). + +**SignInOnResume** +Optional. A boolean value that, when set to True, requires sign in whenever the device wakes up from sleep mode. + +> [!Note] +> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. + +The supported operations are Get and Replace. + +The default value is True. + +**SleepTimeout** +The amount of time in seconds before the PC sleeps. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. + +> [!Note] +> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. + +The supported operations are Get and Replace. + +The default value changed to 300 in Windows 10, version 1703. The default value is 3600 in Windows 10, version 1607. + +**EnableAccountManager** +A boolean that enables the account manager for shared PC mode. + +> [!Note] +> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. + +The supported operations are Get and Replace. + +The default value is True. + +**AccountModel** +Configures which type of accounts are allowed to use the PC. + +> [!Note] +> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. + +The supported operations are Get and Replace. + +The following list shows the supported values: + +- 0 (default) - Only guest accounts are allowed. +- 1 - Only domain-joined accounts are enabled. +- 2 - Domain-joined and guest accounts are allowed. + +**DeletionPolicy** +Configures when accounts are deleted. + +> [!Note] +> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. + +The supported operations are Get and Replace. 
+ +For Windows 10, version 1607, here is the list shows the supported values: + +- 0 - Delete immediately. +- 1 (default) - Delete at disk space threshold. + +For Windows 10, version 1703, here is the list of supported values: + +- 0 - Delete immediately +- 1 - Delete at disk space threshold +- 2 - Delete at disk space threshold and inactive threshold + +**DiskLevelDeletion** +Sets the percentage of disk space remaining on a PC before cached accounts will be deleted to free disk space. Accounts that have been inactive the longest will be deleted first. + +> [!Note] +> If used, this value must be set before the action on the **EnableSharedPCMode** node is taken. + +The default value is 25. + +For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not. + +The supported operations are Get and Replace. + +**DiskLevelCaching** +Sets the percentage of available disk space a PC should have before it stops deleting cached accounts. + +> [!Note] +> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. + +The default value is 50. + +For example, if the **DiskLevelCaching** number is set to 50 and the **DiskLevelDeletion** number is set to 25 (both default values). Accounts will be cached while the free disk space is above 25%. 
When the free disk space is less than 25% (the deletion number) during a maintenance period, accounts will be deleted (oldest last used first) until the free disk space is above 50% (the caching number). Accounts will be deleted immediately at sign off of an account if free space is under the deletion threshold and disk space is very low, regardless whether the PC is actively in use or not. + + +**RestrictLocalStorage** +Added in Windows 10, version 1703. Restricts the user from using local storage. This node is optional. + +Default value is true Value type is bool. Supported operations are Get and Replace. + +> [!Note] +> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. + +**KioskModeAUMID** +Added in Windows 10, version 1703. Specifies the AUMID of the app to use with assigned access. This node is optional. + +Value type is string. Supported operations are Get and Replace. + +> [!Note] +> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. + +**KioskModeUserTileDisplayText** +Added in Windows 10, version 1703. Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional. + +Value type is string. Supported operations are Get and Replace. + +> [!Note] +> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. + +**InactiveThreshold** +Added in Windows 10, version 1703. Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. + +Default value is 30. Value type is integer. Supported operations are Get and Replace. + +**MaxPageFileSizeMB** +Added in Windows 10, version 1703. Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. 
+ +> [!Note] +> If used, this value must set before the action on the **EnableSharedPCMode** node is taken. + +Default value is 1024. Value type is integer. Supported operations are Get and Replace. + + + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/sharedpc-ddf-file.md b/windows/client-management/mdm/sharedpc-ddf-file.md new file mode 100644 index 0000000000..e666ac45e9 --- /dev/null +++ b/windows/client-management/mdm/sharedpc-ddf-file.md 
@@ -0,0 +1,450 @@ +--- +title: SharedPC DDF file +description: SharedPC DDF file +ms.assetid: 70234197-07D4-478E-97BB-F6C651C0B970 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# SharedPC DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **SharedPC** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the DDF for Windows 10, version 1703. + +``` syntax + +]> + + 1.2 + + SharedPC + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.1/MDM/SharedPC + + + + EnableSharedPCMode + + + + + + false + Setting this node to "true" triggers the action to configure a device to Shared PC mode. + + + + + + + + + + Enable shared PC mode + + text/plain + + + + + SetEduPolicies + + + + + + false + Set a list of EDU policies. This node is independent of EnableSharedPCMode. + + + + + + + + + + Set EDU policies + + text/plain + + + + + SetPowerPolicies + + + + + + true + Specify that the power policies should be set when configuring SharedPC mode. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken. + + + + + + + + + + Set power policies + + text/plain + + + + + MaintenanceStartTime + + + + + + 0 + Daily start time of maintenance hour. Given in minutes from midnight. Default is 0 (12am). This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken. 
+ + + + + + + + + + Maintenance start time + + text/plain + + + + + SignInOnResume + + + + + + true + Require signing in on waking up from sleep. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken. + + + + + + + + + + Sign-in on resume + + text/plain + + + + + SleepTimeout + + + + + + 300 + The amount of time before the PC sleeps, giving in seconds. 0 means the PC never sleeps. Default is 5 minutes. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken. + + + + + + + + + + Sleep timeout + + text/plain + + + + + EnableAccountManager + + + + + + true + Enable the account manager for shared PC mode. + + + + + + + + + + Enable account manager + + text/plain + + + + + AccountModel + + + + + + 0 + Configures which type of accounts are allowed to use the PC. Allowed values: 0 (only guest), 1 (domain-joined only), 2 (domain-joined and guest). + + + + + + + + + + Account model + + text/plain + + + + + DeletionPolicy + + + + + + 1 + Configures when accounts will be deleted. Allowed values: 0 (delete immediately), 1 (delete at disk space threshold). + + + + + + + + + + Account deletion policy + + text/plain + + + + + DiskLevelDeletion + + + + + + 25 + Accounts will start being deleted when available disk space falls below this threshold, given as percent of total disk capacity. Accounts that have been inactive the longest will be deleted first. + + + + + + + + + + Disk space threshold for account deletion + + text/plain + + + + + DiskLevelCaching + + + + + + 50 + Stop deleting accounts when available disk space reaches this threshold, given as percent of total disk capacity. + + + + + + + + + + Disk space threshold for account caching + + text/plain + + + + + RestrictLocalStorage + + + + + + true + Restricts the user from using local storage. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken. 
+ + + + + + + + + + Restrict local storage + + text/plain + + + + + KioskModeAUMID + + + + + + Specifies the AUMID of the app to use with assigned access. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken. + + + + + + + + + + Kiosk mode AUMID + + text/plain + + + + + KioskModeUserTileDisplayText + + + + + + Specifies the display text for the account shown on the sign-in screen which launches the app specified by KioskModeAUMID. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken. + + + + + + + + + + Kiosk mode user tile display text + + text/plain + + + + + InactiveThreshold + + + + + + 30 + Accounts will start being deleted when they have not been logged on during the specified period, given as number of days. + + + + + + + + + + Account inactive threshold + + text/plain + + + + + MaxPageFileSizeMB + + + + + + 1024 + Maximum size of the paging file in MB. Applies only to systems with less than 32 GB storage and at least 3 GB of RAM. This node is optional. If used, it needs to be set before the action on "EnableSharedPCMode" node is taken. + + + + + + + + + + Maximum PageFile size + + text/plain + + + + + +``` + +## Related topics + + +[SharedPC configuration service provider](sharedpc-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/storage-csp.md b/windows/client-management/mdm/storage-csp.md new file mode 100644 index 0000000000..e383685013 --- /dev/null +++ b/windows/client-management/mdm/storage-csp.md 
@@ -0,0 +1,47 @@ +--- +title: Storage CSP +description: Storage CSP +ms.assetid: b19bdb54-53ed-42ce-a5a1-269379013f57 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Storage CSP + + +The Storage enterprise configuration service provider is used to configure the storage card settings. Currently, the only setting that needs to be configured is to enable or disable storage cards. + +> **Note** The Storage CSP is deprecated in Windows 10 and it is only supported in Windows 10 Mobile for backward compatibility. Use System/AllowStorageCard in [Policy CSP](policy-configuration-service-provider.md) instead. + +  + +The following diagram shows the Storage configuration service provider in tree format. + +![provisioning\-csp\-storage](images/provisioning-csp-storage.png) + +**Disable** +Required. A Boolean value that specifies whether to enable or disable a storage card. A value of **True** disables the storage card. A value of **False** enables the storage card. The default value is **False**. The value is case sensitive. + +The supported operations are Get and Replace. + +> **Note**   If the device returns a 404 error code when the server applies the Get command to ./Vendor/MSFT/Storage/Disable, it means that the device does not have an SD card. + +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/storage-ddf-file.md b/windows/client-management/mdm/storage-ddf-file.md new file mode 100644 index 0000000000..2cf0a17551 --- /dev/null +++ b/windows/client-management/mdm/storage-ddf-file.md 
@@ -0,0 +1,88 @@ +--- +title: Storage DDF file +description: Storage DDF file +ms.assetid: 247062A3-4DFB-4B14-A3D1-68D02C27703C +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Storage DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **Storage** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + + +]> + + 1.2 + + Storage + ./Vendor/MSFT + + + + + Root node for Storage CSP. + + + + + + + + + + + + + + + Disable + + + + + + Specifies whether to enable or disable a storage card. A Boolean value of true disables the storage card. The default value is False. The value is case sensitive. + + + + + + + + + + + text/plain + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md new file mode 100644 index 0000000000..031e69f53b --- /dev/null +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md 
@@ -0,0 +1,195 @@ +--- +title: Structure of OMA DM provisioning files +description: Structure of OMA DM provisioning files +ms.assetid: 7bd3ef57-c76c-459b-b63f-c5a333ddc2bc +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Structure of OMA DM provisioning files + +OMA DM commands are transmitted between the server and the client device in messages. A message can contain one or more commands. For a list of commands supported, see the table in [OMA DM protocol support](oma-dm-protocol-support.md). + +A DM message is an XML document. The structure and content of the document is defined in the OMA DM Representation Protocol (OMA-SyncML-DevInfo-DTD-V1\_1\_2-20030505-D.dtd) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900). + +Each message is composed of a header, specified by the SyncHdr element, and a message body, specified by the SyncBody element. + +The following table shows the OMA DM versions that are supported. + + ++++ + + + + + + + + + + + + + + + + +
VersionFormat

OMA DM version 1.1.2

<SyncML xmlns='SYNCML:SYNCML1.1'>

+

</SyncML>

OMA DM version 1.2

<SyncML xmlns='SYNCML:SYNCML1.2'>

+

</SyncML>

+ +  + +## File format + +The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](http://go.microsoft.com/fwlink/p/?LinkId=526902) specification. + +``` syntax + + + 1.2 + DM/1.2 + 1 + 1 + + {unique device ID} + + + https://www.contoso.com/mgmt-server + + + + + + 2 + + + ./DevDetail/SwV + + + + + + + + +``` + +## SyncHdr element + +SyncHdr includes the following information: + +- Document Type Definition (DTD) and protocol version numbers + +- Session and message identifiers. Each message in the same DM session must have a different MsgID. + +- Message source and destination Uniform Resource Identifiers (URIs) + +- Credentials for authentication + +This information is used to by the client device to properly manage the DM session. + + +**Code example** + +The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only. + +> **Note**   The <LocURI> node value for the <Source> element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](devinfo-csp.md). + +  + +``` syntax + + 1.2 + DM/1.2 + 1 + 1 + + {unique device ID} + + + https://www.contoso.com/mgmt-server + + +``` + +## SyncBody element + +SyncBody contains one or more DM commands. The SyncBody can contain multiple DM commands; each command must have a different CmdID value. + +**Code example** + +The following example shows the body component of a DM message. In this example, SyncBody contains only one command, Get. This is indicated by the <Final /> tag that occurs immediately after the terminating tag for the Get command. 
+ +``` syntax + + + + 2 + + + ./DevDetail/SwV + + + + + +``` + +When using SyncML for OMA DM provisioning, a LocURI in SyncBody can have a "." as a valid segment name only in the first segment. However, a "." is not a valid segment name for the other segments. For example, the following LocURI is not valid because the segment name of the seventh segment is a ".". + +``` +./Vendor/MSFT/Registry/HKLM/Security/./Test +``` + +## Update device settings example + +The Replace command is used to update a device setting. + +The following example illustrates how to use the Replace command to update a device setting. + +``` syntax + + 1.2 + DM/1.2 + 1 + 1 + + {unique device ID} + + + https://www.contoso.com/mgmt-server + + + + + + 2 + + + ./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength + + + text/plain + int + + 6 + + + + +``` + +  + + + + + + diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md new file mode 100644 index 0000000000..150ca95701 --- /dev/null +++ b/windows/client-management/mdm/supl-csp.md @@ -0,0 +1,561 @@ +--- +title: SUPL CSP +description: SUPL CSP +ms.assetid: afad0120-1126-4fc5-8e7a-64b9f2a5eae1 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# SUPL CSP + + +The SUPL configuration service provider is used to configure the location client, as shown in the following table. + + +++++ + + + + + + + + + + + + + + + + + + + +
Location ServiceSUPLV2 UPL

Connection type

All connections other than CDMA

CDMA

Configuration

    +
  • Settings that need to get pushed to the GNSS driver to configure the SUPL behavior:

    +
      +
    • Address of the Home SUPL (H-SLP) server.

    • +
    • H-SLP server certificate.

    • +
    • Positioning method.

    • +
    • Version of the protocol to use by default.

    • +
  • +
  • MCC/MNC value pairs which are used to specify which networks' UUIC the SUPL account matches.

  • +
    +
  • Address of the server—a mobile positioning center for non-trusted mode.

  • +
  • The positioning method used by the MPC for non-trusted mode.

  • +
+ +  + +The SUPL or V2 UPL connection will be reconfigured every time the device is rebooted, a new UICC is inserted, or new settings are provisioned by using OMA Client Provisioning, OMA DM, or test tools. When the device is in roaming mode, it reverts to Mobile Station Standalone mode, in which only the built–in Microsoft location components are used. + +The following diagram shows the SUPL configuration service provider management object in tree format as used by OMA DM and OMA Client Provisioning. + +> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION capability to be accessed from a network configuration application. + +  + +![supl csp (dm,cp)](images/provisioning-csp-supl-dmandcp.png) + + + +**SUPL1** +Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + +**AppID** +Required. The AppID for SUPL is automatically set to `"ap0004"`. This is a read-only value. + +**Addr** +Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format *server*: *port*. + +If this value is not specified, the device infers the H-SLP address from the IMSI as defined in the SUPL standard. To use automatic generation of the H-SLP address based on the IMSI, the MNC length must be set correctly on the UICC. Generally, this value is 2 or 3. + +For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +**Version** +Optional. Determines the version of the SUPL protocol to use. For SUPL 1.0, set this value to `1`. For SUPL 2.0, set this value to `2`. The default is 1. + +**MCCMNCPairs** +Required. List all of the MCC and MNC pairs owned by the mobile operator. 
This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the device uses the default location service and does not use SUPL. + +This value is a string with the format "(X1,Y1)(X2,Y2)…(Xn,Yn)", in which `X` is a MCC and `Y` is an MNC. + +For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +**HighAccPositioningMethod** +Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription

0

None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection and ephemeris data) from the Microsoft Positioning Service.

1

Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device.

2

Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device.

3

Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services.

4

OTDOA

5

AFLT

+ +  + +The default is 0. The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. + +> **Important**   The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes. + +  + +For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +**LocMasterSwitchDependencyNII** +Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. + +This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Location toggle settingLocMasterSwitchDependencyNII settingNI request processing allowed

On

0

Yes

On

1

Yes

Off

0

Yes

Off

1

No (unless privacyOverride is set)

+ +  + +When the location toggle is set to Off and this value is set to 1, the following application requests will fail: + +- `noNotificationNoVerification` + +- `notificationOnly` + +- `notificationAndVerficationAllowedNA` + +- `notificationAndVerficationDeniedNA` + +However, if `privacyOverride` is set in the message, the location will be returned. + +When the location toggle is set to Off and this value is set to 0, the location toggle does not prevent SUPL network-initiated requests from working. + +For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +**NIDefaultTimeout** +Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + +This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. + +**ServerAccessInterval** +Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + +**RootCertificate** +Required. Specifies the root certificate for the H-SLP server. Windows does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + +**RootCertificate/Name** +Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate/Data** +The base 64 encoded blob of the H-SLP root certificate. + +**RootCertificate2/Name** +Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. 
+ +**RootCertificate2/Data** +The base 64 encoded blob of the H-SLP root certificate. + +**RootCertificate3/Name** +Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer. + +**RootCertificate3/Data** +The base 64 encoded blob of the H-SLP root certificate. + +**V2UPL1** +Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. + +**MPC** +Optional. The address of the mobile positioning center (MPC), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + +**PDE** +Optional. The address of the Position Determination Entity (PDE), in the format *ipAddress*: *portNumber*. For non-trusted mode of operation, this parameter must be empty. + +**PositioningMethod\_MR** +Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The value can be one of the following integers: + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription

0

None: The device uses the default positioning method. In this default mode, the GNSS obtains assistance (time injection, coarse position injection and ephemeris data) from the Microsoft Positioning Service.

1

Mobile Station Assisted: The device contacts the H-SLP server to obtain a position. The H-SLP does the calculation of the position and returns it to the device.

2

Mobile Station Based: The device obtains location-aiding data (almanac, ephemeris data, time and coarse initial position of the device) from the H-SLP server, and the device uses this information to help GPS obtain a fix. All position calculations are done in the device.

3

Mobile Station Standalone: The device obtains assistance as required from the Microsoft location services.

4

AFLT

+ +  + +The default is 0. The default method provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. + +> **Important**   The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. + +  + +For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +**LocMasterSwitchDependencyNII** +Optional. Boolean. Specifies whether the location toggle on the **location** screen in **Settings** is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA devices, this value must be set to 1. The default value is 1. + +This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Location toggle settingLocMasterSwitchDependencyNII settingNI request processing allowed

On

0

Yes

On

1

Yes

Off

0

Yes

Off

1

No (unless privacyOverride is set)

+ +  + +When the location toggle is set to Off and this value is set to 1, the following application requests will fail: + +- `noNotificationNoVerification` + +- `notificationOnly` + +- `notificationAndVerficationAllowedNA` + +- `notificationAndVerficationDeniedNA` + +However, if `privacyOverride` is set in the message, the location will be returned. + +When the location toggle is set to Off and this value is set to 0, the location toggle does not prevent SUPL network-initiated requests from working. + +For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + +**ApplicationTypeIndicator\_MR** +Required. This value must always be set to `00000011`. + +**NIDefaultTimeout** +Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + +This value manages the settings for both SUPL and v2 UPL. If a device is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. + +**ServerAccessInterval** +Optional. Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + +## Unsupported Nodes + + +The following optional nodes are not supported on Windows devices. + +- ProviderID + +- Name + +- PrefConRef + +- ToConRef + +- ToConRef/<X> + +- ToConRef/<X>/ConRef + +- AddrType + +If the configuration application tries to set, delete or query these nodes, a response indicating this node is not implemented will be returned over OMA DM. In OMA Client Provisioning, the request to set this node will be ignored and the configuration service provider will continue processing the rest of the nodes. 
+ +If a mobile operator requires the communication with the H-SLP to take place over a specific connection rather than a default cellular connection, then this must be configured by using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) and the [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) to map the H-SLP server with the required connection. + +## OMA Client Provisioning examples + + +Adding new configuration information for a H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. + +``` syntax + + + + + + + + + + + + + + + + + + + +``` + +Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## OMA DM examples + + +Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. 
+ +``` syntax + + + + Add FQDN + + ./Vendor/MSFT/SUPL/SUPL1/Addr + + chr + + supl.abc.def.example.com:2222 + + + + Add MCCMNC + + ./Vendor/MSFT/SUPL/SUPL1/Ext/Microsoft/MCCMNCPairs + + chr + + (111,000)(222,111)(333,333)(444,222) + + + + Add HighAccPositioningMethod + + ./Vendor/MSFT/SUPL/SUPL1/Ext/Microsoft/HighAccPositioningMethod + + int + + 2 + + + + Add LocMasterSWDepend + + ./Vendor/MSFT/SUPL/SUPL1/Ext/Microsoft/LocMasterSwitchDependencyNII + + int + + 1 + + + + Add Cert name + + + ./Vendor/MSFT/SUPL/SUPL1/Ext/Microsoft/RootCertificate/Name + + chr + + certName.cer + + + + Add Cert data - 200 + + + ./Vendor/MSFT/SUPL/SUPL1/Ext/Microsoft/RootCertificate/Data + + b64 + + + + + + + +``` + +## Microsoft Custom Elements + + +The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. + + ++++ + + + + + + + + + + + + + + + + +
ElementsAvailable

parm-query

Yes

characteristic-query

Yes

+

Recursive query: No

+

Top level query: No

+ +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md new file mode 100644 index 0000000000..266c2dcaf6 --- /dev/null +++ b/windows/client-management/mdm/supl-ddf-file.md 
@@ -0,0 +1,677 @@ +--- +title: SUPL DDF file +description: This topic shows the OMA DM device description framework (DDF) for the SUPL configuration service provider. +ms.assetid: 514B7854-80DC-4ED9-9805-F5276BF38034 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# SUPL DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **SUPL** configuration service provider. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + SUPL + ./Vendor/MSFT/ + + + + + + + + + + + + + + + + + + + SUPL1 + + + + + Required for SUPL. Defines the account for the SUPL Enabled Terminal (SET) node. Only one SUPL account is supported at a given time. + + + + + + + + + + + + + + + AppID + + + + + Required. The AppID for SUPL is automatically set to "ap0004". This is a read-only value. + + + + + + + + + + + + + + + + Addr + + + + + + Optional. Specifies the address of the Home SUPL Location Platform (H-SLP) server for non-proxy mode. The value is a server address specified as a fully qualified domain name, and the port specified as an integer, with the format server: port. + + + + + + + + + + + text/plain + + + + + Ext + + + + + + + + + + + + + + + + + + + Microsoft + + + + + + + + + + + + + + + + + + + Version + + + + + + 1 + Optional. Determines the version of the SUPL protocol to use. For SUPL 1.0, set this value to 1. For SUPL 2.0, set this value to 2. The default is 1. + + + + + + + + + + + text/plain + + + + + MCCMNPairs + + + + + + Required. 
List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network do not match, the phone uses the default location service and does not use SUPL. + + + + + + + + + + + text/plain + + + + + HighAccPositioningMethod + + + + + + 0 + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + + + + + + + + + + text/plain + + + + + LocMasterSwitchDependencyNII + + + + + + 1 + This setting is deprecated in Windows 10. Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage SUPL network-initiated (NI) requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. The default value is 1. Note that most clients do not support this behavior. This value manages the settings for both SUPL and v2 UPL. If a phone is configured for both SUPL and V2 UPL and these values differ, the SUPL setting will always be used. + + + + + + + + + + + text/plain + + + + + NIDefaultTimeout + + + + + + 30 + Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + + + + + + + + + + + text/plain + + + + + ServerAccessInterval + + + + + + 60 + Optional. 
Integer. Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + + + + + + + + + + + text/plain + + + + + RootCertificate + + + + + Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate2 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate3 + + + + + Specifies the root certificate for the H-SLP server. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + + + + V2UPL1 + + + + + Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time. + + + + + + + + + + + + + + + MPC + + + + + + Optional. The address of the mobile positioning center (MPC), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter is mandatory and the PDE parameter must be empty. + + + + + + + + + + + text/plain + + + + + PDE + + + + + + Optional. 
The address of the Position Determination Entity (PDE), in the format ipAddress: portNumber. For non-trusted mode of operation, this parameter must be empty. + + + + + + + + + + + text/plain + + + + + PositioningMethod_MR + + + + + + 0 + Optional. Specifies the positioning method that the SUPL client will use for mobile originated position requests. The default is 0. The default method in Windows Phones provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. + + + + + + + + + + + text/plain + + + + + LocMasterSwitchDependencyNII + + + + + + 1 + Optional. Boolean. Specifies whether the location toggle on the location screen in Settings is also used to manage network-initiated requests for location. If the value is set to 0, the NI behavior is independent from the current location toggle setting. If the value is set to 1, the NI behavior follows the current location toggle setting. For CDMA phones, this value must be set to 1. The default value is 1. + + + + + + + + + + + text/plain + + + + + ApplicationTypeIndicator_MR + + + + + Required. This value must always be set to 00000011. + + + + + + + + + + + + + + + + NIDefaultTimeout + + + + + + 30 + Optional. Time in seconds that the network-initiated location request is displayed to the user, while awaiting a response and before doing the default action. The default is 30 seconds. A value between 20 and 60 seconds is recommended. + + + + + + + + + + + text/plain + + + + + ServerAccessInterval + + + + + + 60 + Optional. Integer. 
Defines the minimum interval of time in seconds between mobile originated requests sent to the server to prevent overloading the mobile operator's network. The default value is 60. + + + + + + + + + + + text/plain + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md new file mode 100644 index 0000000000..f751e53b34 --- /dev/null +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -0,0 +1,523 @@ +--- +title: SurfaceHub CSP +description: The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. +ms.assetid: 36FBBC32-AD6A-41F1-86BF-B384891AA693 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# SurfaceHub CSP + +The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. + +The following diagram shows the SurfaceHub CSP management objects in tree format. + +![surface hub diagram](images/provisioning-csp-surfacehub.png) + +**./Vendor/MSFT/SurfaceHub** +

The root node for the Surface Hub configuration service provider. + +**DeviceAccount** +

Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. + +

To use a device account from Azure Active Directory + +1. Set the UserPrincipalName (for Azure AD). +2. Set a valid Password. +3. Execute ValidateAndCommit to validate the specified username and password combination against Azure AD. +4. Get the ErrorContext in case something goes wrong during validation. + +> [!NOTE] +> If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress. + +  +

Here's a SyncML example. + +``` syntax + + + + 1 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/UserPrincipalName + + + chr + + user@contoso.com + + + + 2 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/Password + + + chr + + password + + + + 3 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/ValidateAndCommit + + + + + 4 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/ErrorContext + + + + + + +``` + +

To use a device account from Active Directory + +1. Set the DomainName. +2. Set the UserName. +3. Set a valid Password. +4. Execute the ValidateAndCommit node. + +**DeviceAccount/DomainName** +

Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +

The data type is char. Supported operation is Get and Replace. + +**DeviceAccount/UserName** +

Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. + +

The data type is char. Supported operation is Get and Replace. + +**DeviceAccount/UserPrincipalName** +

User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. + +

The data type is char. Supported operation is Get and Replace. + +**DeviceAccount/SipAddress** +

Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. + +

The data type is char. Supported operation is Get and Replace. + +**DeviceAccount/Password** +

Password for the device account. + +

The data type is char. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. + +**DeviceAccount/ValidateAndCommit** +

This method validates the data provided and then commits the changes. + +

The data type is char. Supported operation is Execute. + +**DeviceAccount/Email** +

Email address of the device account. + +

The data type is char. + +**DeviceAccount/PasswordRotationPeriod** +

Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). + +

Valid values: + +- 0 - password rotation enabled +- 1 - disabled + +

The data type is int. Supported operation is Get and Replace. + +**DeviceAccount/ExchangeServer** +

Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. + +

The data type is char. Supported operation is Get and Replace. + +**DeviceAccount/CalendarSyncEnabled** +

Specifies whether calendar sync and other Exchange server services is enabled. + +

The data type is bool. Supported operation is Get and Replace. + +**DeviceAccount/ErrorContext** +

If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values: + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ErrorContext valueStage where error occuredDescription and suggestions

1

Unknown

2

Populating account

Unable to retrieve account details using the username and password you provided.

+
    +
  • For Azure AD accounts, ensure that UserPrincipalName and Password are valid.
  • +
  • For AD accounts, ensure that DomainName, UserName, and Password are valid.
  • +
  • Ensure that the specified account has an Exchange server mailbox.
  • +

3

Populating Exchange server address

Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field.

4

Validating Exchange server address

Unable to validate the Exchange server address. Ensure that the ExchangeServer field is valid.

5

Saving account information

Unable to save account details to the system.

6

Validating EAS policies

The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide.

+  +

The data type is int. Supported operation is Get. + +**MaintenanceHoursSimple/Hours** +

Node for maintenance schedule. + +**MaintenanceHoursSimple/Hours/StartTime** +

Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. + +

The data type is int. Supported operation is Get and Replace. + +**MaintenanceHoursSimple/Hours/Duration** +

Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. + +

The data type is int. Supported operation is Get and Replace. + +**InBoxApps** +

Node for the in-box app settings. + +**InBoxApps/SkypeForBusiness** +

Added in Windows 10, version 1703. Node for the Skype for Business settings. + +**InBoxApps/SkypeForBusiness/DomainName** +

Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see [Set up Skype for Business Online](https://support.office.com/en-us/article/Set-up-Skype-for-Business-Online-40296968-e779-4259-980b-c2de1c044c6e?ui=en-US&rs=en-US&ad=US#bkmk_users). + +

The data type is char. Supported operation is Get and Replace. + +**InBoxApps/Welcome** +

Node for the welcome screen. + +**InBoxApps/Welcome/AutoWakeScreen** +

Automatically turn on the screen using motion sensors. + +

The data type is bool. Supported operation is Get and Replace. + +**InBoxApps/Welcome/CurrentBackgroundPath** +

Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). + +

The data type is string. Supported operation is Get and Replace. + +**InBoxApps/Welcome/MeetingInfoOption** +

Meeting information displayed on the welcome screen. + +

Valid values: + +- 0 - Organizer and time only +- 1 - Organizer, time, and subject. Subject is hidden in private meetings. + +

The data type is int. Supported operation is Get and Replace. + +**InBoxApps/WirelessProjection** +

Node for the wireless projector app settings. + +**InBoxApps/WirelessProjection/PINRequired** +

Users must enter a PIN to wirelessly project to the device. + +

The data type is bool. Supported operation is Get and Replace. + +**InBoxApps/WirelessProjection/Enabled** +

Enables wireless projection to the device. + +

The data type is bool. Supported operation is Get and Replace. + +**InBoxApps/WirelessProjection/Channel** +

Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. + + ++++ + + + + + + + + + + + + + + +

Works with all Miracast senders in all regions

1, 3, 4, 5, 6, 7, 8, 9, 10, 11

Works with all 5ghz band Miracast senders in all regions

36, 40, 44, 48

Works with all 5ghz band Miracast senders in all regions except Japan

149, 153, 157, 161, 165

+ +  +

The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). + +

The data type is int. Supported operation is Get and Replace. + +**InBoxApps/Connect** +

Added in Windows 10, version 1703. Node for the Connect app. + +**InBoxApps/Connect/AutoLaunch** +

Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated. + +

If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. + +

The data type is bool. Supported operation is Get and Replace. + +**Properties** +

Node for the device properties. + +**Properties/FriendlyName** +

Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device. + +

The data type is string. Supported operation is Get and Replace. + +**Properties/DefaultVolume** +

Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45. + +

The data type is int. Supported operation is Get and Replace. + +**Properties/ScreenTimeout** +

Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. + +

The following table shows the permitted values. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription
0Never timeout
11 minute
22 minutes
33 minutes
55 minutes (default)
1010 minutes
1515 minutes
3030 minutes
601 hour
1202 hours
2404 hours
+ +

The data type is int. Supported operation is Get and Replace. + +**Properties/SessionTimeout** +

Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. + +

The following table shows the permitted values. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription
0Never timeout
11 minute (default)
22 minutes
33 minutes
55 minutes
1010 minutes
1515 minutes
3030 minutes
601 hour
1202 hours
2404 hours
+ +

The data type is int. Supported operation is Get and Replace. + +**Properties/SleepTimeout** +

Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. + +

The following table shows the permitted values. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ValueDescription
0Never timeout
11 minute
22 minutes
33 minutes
55 minutes (default)
1010 minutes
1515 minutes
3030 minutes
601 hour
1202 hours
2404 hours
+ +

The data type is int. Supported operation is Get and Replace. + +**Properties/AllowSessionResume** +

Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. + +

If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. + +

The data type is bool. Supported operation is Get and Replace. + +**Properties/AllowAutoProxyAuth** +

Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication. + +

If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. + +

The data type is bool. Supported operation is Get and Replace. + +**Properties/DisableSigninSuggestions** +

Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. + +

If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. + +

The data type is bool. Supported operation is Get and Replace. + +**Properties/DoNotShowMyMeetingsAndFiles** +

Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. + +

If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown. + +

The data type is bool. Supported operation is Get and Replace. + +**MOMAgent** +

Node for the Microsoft Operations Management Suite. + +**MOMAgent/WorkspaceID** +

GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. + +

The data type is string. Supported operation is Get and Replace. + +**MOMAgent/WorkspaceKey** +

Primary key for authenticating with the workspace. + +

The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. + +  + +  + + + + + + diff --git a/windows/client-management/mdm/surfacehub-ddf-file.md b/windows/client-management/mdm/surfacehub-ddf-file.md new file mode 100644 index 0000000000..590539f3bb --- /dev/null +++ b/windows/client-management/mdm/surfacehub-ddf-file.md 
@@ -0,0 +1,1017 @@ +--- +title: SurfaceHub DDF file +description: This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. +ms.assetid: D34DA1C2-09A2-4BA3-BE99-AC483C278436 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# SurfaceHub DDF file + +This topic shows the OMA DM device description framework (DDF) for the SurfaceHub configuration service provider. This CSP was added in Windows 10, version 1511. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + SurfaceHub + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/SurfaceHub + + + + DeviceAccount + + + + + + + + + + + + + + + + + + + + + + DomainName + + + + + + + + + + + + + + + + text/plain + + + + + UserName + + + + + + + + + + + + + + + + text/plain + + + + + UserPrincipalName + + + + + + + + + + + + + + + + text/plain + + + + + Password + + + + + + Get is allowed here, but will always return a blank. + + + + + + + + + + + text/plain + + + + + ValidateAndCommit + + + + + + + + + + + + + + + text/plain + + + + + ExchangeServer + + + + + + + + + + + + + + + + text/plain + + + + + SipAddress + + + + + + + + + + + + + + + + text/plain + + + + + Email + + + + + + + + + + + + + + + + text/plain + + + + + CalendarSyncEnabled + + + + + + + + + + + + + + + + text/plain + + + + + ErrorContext + + + + + If there is an error calling ValidateAndCommit, there will be additional context for that error in this node. 
+ + + + + + + + + + + text/plain + + + + + PasswordRotationPeriod + + + + + + + + + + + + + + + + text/plain + + + + + + MaintenanceHoursSimple + + + + + + + + + + + + + + + + + + + + Hours + + + + + + + + + + + + + + + + + + + StartTime + + + + + + Start time for maintenance hours in minutes from midnight + + + + + + + + + + + text/plain + + + + + Duration + + + + + + Duration of maintenance window + + + + + + + + + + + text/plain + + + + + + + InBoxApps + + + + + + + + + + + + + + + + + + + SkypeForBusiness + + + + + + + + + + + + + + + + + + + DomainName + + + + + + + + + + + + + + + + text/plain + + + + + + Welcome + + + + + + + + + + + + + + + + + + + AutoWakeScreen + + + + + + Setting for the screen to wake up and stay on with sensor activity. + + + + + + + + + + + text/plain + + + + + CurrentBackgroundPath + + + + + + + + + + + + + + + + + + text/plain + + + + + MeetingInfoOption + + + + + + + + + + + + + + + + text/plain + + + + + + WirelessProjection + + + + + + + + + + + + + + + + + + + PINRequired + + + + + + + + + + + + + + + + text/plain + + + + + Enabled + + + + + + + + + + + + + + + + text/plain + + + + + Channel + + + + + + + + + + + + + + + + text/plain + + + + + + Connect + + + + + + + + + + + + + + + + + + + AutoLaunch + + + + + + + + + + + + + + + + text/plain + + + + + + + Properties + + + + + + + + + + + + + + + + + + + FriendlyName + + + + + + + + + + + + + + + + text/plain + + + + + DefaultVolume + + + + + + 65 + + + + + + + + + + + text/plain + + + + + ScreenTimeout + + + + + + 5 + + + + + + + + + + + text/plain + + + + + SessionTimeout + + + + + + 1 + + + + + + + + + + + text/plain + + + + + SleepTimeout + + + + + + 5 + + + + + + + + + + + text/plain + + + + + AllowSessionResume + + + + + + true + + + + + + + + + + + text/plain + + + + + AllowAutoProxyAuth + + + + + + true + + + + + + + + + + + text/plain + + + + + DisableSigninSuggestions + + + + + + false + + + + + + + + + + + text/plain + + + + + DoNotShowMyMeetingsAndFiles + + + + + + 
false + + + + + + + + + + + text/plain + + + + + + Management + + + + + + + + + + + + + + + + + + + GroupName + + + + + + The name of the domain admin group to add to the administrators group on the device. + + + + + + + + + + + text/plain + + + + + GroupSid + + + + + + The sid of the domain admin group to add to the administrators group on the device. + + + + + + + + + + + text/plain + + + + + + MOMAgent + + + + + + + + + + + + + + + + + + + WorkspaceID + + + + + + GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. + + + + + + + + + + + text/plain + + + + + WorkspaceKey + + + + + + Primary key for authenticating with workspace. Will always return an empty string. + + + + + + + + + + + text/plain + + + + + + +``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md new file mode 100644 index 0000000000..a308149484 --- /dev/null +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md 
@@ -0,0 +1,579 @@
+---
+title: Understanding ADMX-backed policies
+description: Starting in Windows 10, version 1703, you can use ADMX-backed policies for Windows 10 mobile device management (MDM) across Windows 10 devices.
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# Understanding ADMX-backed policies
+
+Due to increased simplicity and the ease with which devices can be targeted, enterprise businesses are finding it increasingly advantageous to move their PC management to a cloud-based device management solution. Unfortunately, current Windows PC device-management solutions lack the critical policy and app settings configuration capabilities that are supported in a traditional PC management solution.
+
+Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support will be expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises do not need to compromise security of their devices in the cloud.
+
+## In this section
+
+- [Background](#background)
+- [ADMX files and the Group Policy Editor](#admx-files-and-the-group-policy-editor)
+- [ADMX-backed policy examples](#admx-backed-policy-examples)
+ - [Enabling a policy](#enabling-a-policy)
+ - [Disabling a policy](#disabling-a-policy)
+ - [Setting a policy to not configured](#setting-a-policy-to-not-configured)
+- [Sample SyncML for various ADMX elements](#sample-syncml-for-various-admx-elements)
+ - [Text Element](#text-element)
+ - [MultiText Element](#multitext-element)
+ - [List Element (and its variations)](#list-element)
+ - [No Elements](#no-elements)
+ - [Enum](#enum)
+ - [Decimal Element](#decimal-element)
+ - [Boolean Element](#boolean-element)
+
+## Background
+
+In addition to standard policies, the Policy CSP can now also handle ADMX-backed policies.
In an ADMX-backed policy, an administrative template contains the metadata of a Window Group Policy and can be edited in the Local Group Policy Editor on a PC. Each administrative template specifies the registry keys (and their values) that are associated with a Group Policy and defines the policy settings that can be managed. Administrative templates organize Group Policies in a hierarchy in which each segment in the hierarchical path is defined as a category. Each setting in a Group Policy administrative template corresponds to a specific registry value. These Group Policy settings are defined in a standards-based, XML file format known as an ADMX file. For more information, see [Group Policy ADMX Syntax Reference Guide](https://technet.microsoft.com/en-us/library/cc753471(v=ws.10).aspx).
+
+ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC.
+Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor:
+- OS settings: Computer Configuration/Administrative Templates
+- Application settings: User Configuration/Administrative Templates
+
+In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are leveraged to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), is not required.
+
+An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP does not rely upon any aspect of the Group Policy client stack, including the PC’s Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
+
+Windows maps the name and category path of a Group Policy to a MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX-backed policies supported by MDM, see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed).
+
+## ADMX files and the Group Policy Editor
+
+To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX-backed Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named “Publishing Server 2 Settings.” When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**.
+
+The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the “Publishing Server 2 Settings” is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category.
+
+Group Policy option button setting:
+- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur:
+ - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
+ - The MDM client stack receives this data, which causes the Policy CSP to update the device’s registry per the ADMX-backed policy definition.
+
+- If **Disabled** is selected and you click **Apply**, the following events occur:
+ - The MDM ISV server sets up a Replace SyncML command with a payload set to ``.
+ - The MDM client stack receives this command, which causes the Policy CSP to either delete the device’s registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition.
+
+- If **Not Configured** is selected and you click **Apply**, the following events occur:
+ - MDM ISV server sets up a Delete SyncML command.
+ - The MDM client stack receives this command, which causes the Policy CSP to delete the device’s registry settings per the ADMX-backed policy definition.
+
+The following diagram shows the main display for the Group Policy Editor.
+
+![Group Policy editor](images/group-policy-editor.png)
+
+The following diagram shows the settings for the "Publishing Server 2 Settings" Group Policy in the Group Policy Editor.
+
+![Group Policy publisher server 2 settings](images/group-policy-publisher-server-2-settings.png)
+
+Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ``. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server’s IT administrator console must also do. For every `` element and id attribute in the ADMX policy definition, there must be a corresponding `` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol.
+
+> [!IMPORTANT]
+> Any data entry field that is displayed in the Group Policy page of the Group Policy Editor must be supplied in the encoded XML of the SyncML payload. The SyncML data payload is equivalent to the user-supplied Group Policy data through GPEdit.msc.
+
+For more information about the Group Policy description format, see [Administrative Template File (ADMX) format](https://msdn.microsoft.com/en-us/library/aa373476(v=vs.85).aspx).
Elements can be Text, MultiText, Boolean, Enum, Decimal, or List (for more information, see [policy elements](https://msdn.microsoft.com/en-us/library/dn606004(v=vs.85).aspx)).
+
+For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you will find the following occurrences:
+
+Enabling a policy example:
+```XML
+``
+```
+
+Appv.admx file:
+```XML
+
+
+```
+
+
+## ADMX-backed policy examples
+
+The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use the [Coder’s Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+ + +### Enabling a policy + +**Payload** +```XML + + + + + + + + + + + +``` +**Request SyncML** +```XML + + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 + + ]]> + + + + + +``` + +**Response SyncML** +```XML + + 2 + 1 + 2 + Replace + 200 + +``` + +### Disabling a policy + +**Payload** +```XML + +``` + +**Request SyncML** +```XML + + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 + + <disabled/> + + + + + +'''' + +**Response SyncML** +```XML + + 2 + 1 + 2 + Replace + 200 + +``` + +### Setting a policy to not configured + +**Payload** + +(None) + +**Request SyncML** +``` + + + + + 1 + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2 + + + + + + +``` + +**Response SyncML** +``` + + 2 + 1 + 1 + Delete + 200 + +``` + +## Sample SyncML for various ADMX elements + +This section describes sample SyncML for the various ADMX elements like Text, Multi-Text, Decimal, Boolean, and List. + +### How a Group Policy policy category path and name are mapped to a MDM area and policy name + +Below is the internal OS mapping of a Group Policy to a MDM area and name. This is part of a set of Windows manifests (extension **wm.xml**) that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store.  ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User. 
+ +`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]//` + +The **wm.xml** for each mapped area can be found in its own directory under: + +`\\SDXROOT\onecoreuap\admin\enterprisemgmt\policymanager\policydefinition\` + +Note that the data payload of the SyncML needs to be encoded so that it does not conflict with the boilerplate SyncML XML tags. Use this online tool for encoding and encoding the policy data [Coder's Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) + +**Snippet of wm.xml for AppVirtualization area:** + +```XML + + + + +. +. +. + + + + +. +. +. +``` + +The **LocURI** for the above GP policy is: + +`.\Device\Vendor\MSFT\Policy\Config\AppVirtualization\PublishingAllowServer2` + +To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown. + +### Text Element + +The `text` element simply corresponds to a string and correspondingly to an edit box in a policy panel display by gpedit.msc. The string is stored in the registry of type REG_SZ. + +**ADMX file: inetres.admx** + +```XML + + + + + + + +``` + +#### Corresponding SyncML: + +```XML + + + + + $CmdId$ + + + chr + text/plain + + + ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange + + ]]> + + + + + +``` + +### MultiText Element + +The `multiText` element simply corresponds to a REG_MULTISZ registry string and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc.  
Note that it is expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``) + +```XML + + + + + + + +``` + +#### Corresponding SyncML: + +```XML + + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/VirtualComponentsAllowList + + <enabled/><data id="Virtualization_JITVAllowList_Prompt" value="C:\QuickPatch\TEST\snot.exeC:\QuickPatch\TEST\foo.exeC:\QuickPatch\TEST\bar.exe"/> + + + + + +``` + +### List Element (and its variations) + +The `list` element simply corresponds to a hive of REG_SZ registry strings and correspondingly to a grid to enter multiple strings in a policy panel display by gpedit.msc. How this is represented in SyncML is as a string containing pairs of strings. Each pair is a REG_SZ name/value key. It is best to apply the policy through gpedit.msc (run as Administrator) and go to the registry hive location and see how the list values are stored. This will give you an idea of the way the name/value pairs are stored to express it through SyncML. + +> [!NOTE] +> It is expected that each string in the SyncML is to be separated by the Unicode character 0xF000 (encoded version: ``). + +Variations of the `list` element are dictated by attributes. These attributes are ignored by the Policy Manager runtime. It is expected that the MDM server manages the name/value pairs. See below for a simple writeup of Group Policy List. 
+ +**ADMX file: inetres.admx** + +```XML + + + + + + + +``` + +#### Corresponding SyncML: + +```XML + + + + 2 + + + chr + text/plain + + + ./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableSecondaryHomePageChange + + <Enabled/><Data id="SecondaryHomePagesList" value="http://name1http://name1http://name2http://name2"/> + + + + + +``` + +### No Elements + +```XML + + + + +``` + +#### Corresponding SyncML: + +```XML + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/InternetExplorer/DisableUpdateCheck + + <Enabled/> + + + + + +``` + +### Enum + +```XML + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +#### Corresponding SyncML: + +```XML + + + + 2 + + + ./Device/Vendor/MSFT/Policy/Config/BitLocker/EncryptionMethodByDriveType + + + <enabled/> + <data id="EncryptionMethodWithXtsOsDropDown_Name" value="4"/> + + + + + + +``` + +### Decimal Element + +```XML + + + + + + + +``` + +#### Corresponding SyncML: + +```XML + + + + 2 + + + ./Device/Vendor/MSFT/Policy/Config/AppVirtualization/StreamingAllowReestablishmentInterval + + + <enabled/> + <data id="Streaming_Reestablishment_Interval_Prompt" value="4"/> + + + + + + +``` + +### Boolean Element + +```XML + + + + + + + + + + + + + + + + + + + + + +``` + +#### Corresponding SyncML: + +```XML + + + + + 2 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + + + <enabled/><data id="DeviceInstall_Classes_Deny_Retroactive" value="true"/> + <Data id="DeviceInstall_Classes_Deny_List" value="1deviceId12deviceId2"/> + + + + + + +``` diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md new file mode 100644 index 0000000000..8ef347d5c5 --- /dev/null +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md 
@@ -0,0 +1,248 @@
+---
+title: UnifiedWriteFilter CSP
+description: The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
+ms.assetid: F4716AC6-0AA5-4A67-AECE-E0F200BA95EB
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# UnifiedWriteFilter CSP
+
+
+The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type.
+
+> **Note**  The UnifiedWriteFilter CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
+
+ 
+
+The following diagram shows the UWF configuration service provider in tree format.
+
+![universalwritefilter csp](images/provisioning-csp-uwf.png)
+
+**CurrentSession**
+Required. Represents the current UWF configuration in the current session (power cycle).
+
+**CurrentSession/FilterEnabled**
+Required. Indicates if UWF is enabled for the current session.
+
+The only supported operation is Get.
+
+**CurrentSession/OverlayConsumption**
+Required. The current size, in megabytes, of the UWF overlay.
+
+The only supported operation is Get.
+
+**CurrentSession/AvailableOverlaySpace**
+Required. The amount of free space, in megabytes, available for the UWF overlay.
+
+The only supported operation is Get.
+
+**CurrentSession/CriticalOverlayThreshold**
+Required. The critical threshold size, in megabytes. UWF sends a critical threshold notification event when the UWF overlay size reaches or exceeds this value.
+
+Supported operations are Get and Replace.
+
+**CurrentSession/WarningOverlayThreshold**
+Required. The warning threshold size, in megabytes. UWF sends a warning threshold notification event when the UWF overlay size reaches or exceeds this value.
+
+Supported operations are Get and Replace.
+
+**CurrentSession/OverlayType**
+Required. Indicates the type of overlay in the current session.
+
+The only supported operation is Get.
+
+**CurrentSession/MaximumOverlaySize**
+Required. Indicates the maximum cache size, in megabytes, of the overlay in the current session.
+
+The only supported operation is Get.
+
+**CurrentSession/PersisitDomainSecretKey**
+Required. Indicates if the domain secret registry key is in the registry exclusion list. If the registry key is not in the exclusion list, changes do not persist after a restart.
+
+The only supported operation is Get.
+
+**CurrentSession/PersistTSCAL**
+Required. Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key is not in the exclusion list, changes do not persist after a restart.
+
+The only supported operation is Get.
+
+**CurrentSession/RegistryExclusions**
+Required. The root node that contains all registry exclusions.
+
+**CurrentSession/RegistryExclusions/****_ExcludedRegistry_**
+Optional. A registry key in the registry exclusion list for UWF in the current session.
+
+The only supported operation is Get.
+
+**CurrentSession/ServicingEnabled**
+Required. Indicates when servicing is enabled in the current session.
+
+The only supported operation is Get.
+
+**CurrentSession/Volume**
+Required. The root node to contain all volumes protected by UWF in the current session.
+
+**CurrentSession/Volume/****_Volume_**
+Optional. Represents a specific volume in the current session.
+
+**CurrentSession/Volume/*Volume*/Protected**
+Required. Indicates if the volume is currently protected by UWF in the current session.
+
+The only supported operation is Get.
+
+**CurrentSession/Volume/*Volume*/BindByDriveLetter**
+Required. Indicates the type of binding that the volume uses in the current session.
+
+The only supported operation is Get.
+
+**CurrentSession/Volume/*Volume*/DriveLetter**
+Required. The drive letter of the volume.
If the volume does not have a drive letter, this value is NULL.
+
+The only supported operation is Get.
+
+**CurrentSession/Volume/*Volume*/Exclusions**
+Required. The root node that contains all file exclusions for the volume.
+
+**CurrentSession/Volume/*Volume*/Exclusions/****_ExclusionPath_**
+Optional. A string that contains the full path of the file or folder relative to the volume.
+
+The only supported operation is Get.
+
+**CurrentSession/Volume/*Volume*/CommitFile**
+Required. This method commits changes from the overlay to the physical volume for a specified file on a volume protected by Unified Write Filter (UWF).
+
+Supported operations are Get and Execute.
+
+**CurrentSession/Volume/*Volume*/CommitFileDeletion**
+Required. This method deletes the specified file and commits the deletion to the physical volume.
+
+Supported operations are Get and Execute.
+
+**CurrentSession/ShutdownPending**
+Required. This value is True if the system is pending on shutdown. Otherwise, it is False.
+
+The only supported operation is Get.
+
+**CurrentSession/CommitRegistry**
+Required. This method commits changes to the specified registry key and value.
+
+Supported operations are Get and Execute.
+
+**CurrentSession/CommitRegistryDeletion**
+Required. This method deletes the specified registry key or registry value and commits the deletion.
+
+Supported operations are Get and Execute.
+
+**NextSession**
+Required.
+
+The root node that contains settings for the next UWF session (after a reboot).
+
+**NextSession/FilterEnabled**
+Required. Boolean value that indicates if UWF is enabled for the next session.
+
+Supported operations are Get and Replace.
+
+**NextSession/HORMEnabled**
+Added in Windows 10, version 1607. Required. Boolean value that indicates if Hibernate Once/Resume Many (HORM) is enabled for the next session.
+
+Supported operations are Get and Replace.
+
+**NextSession/OverlayType**
+Required. Indicates the type of overlay for the next session.
+
+Supported operations are Get and Replace.
+
+**NextSession/MaximumOverlaySize**
+Required. Indicates the maximum cache size, in megabytes, of the overlay for the next session.
+
+Supported operations are Get and Replace.
+
+**NextSession/PersisitDomainSecretKey**
+Required. Indicates if the domain secret registry key is in the registry exclusion list. If the registry key is not in the exclusion list, changes do not persist after a restart.
+
+Supported operations are Get and Replace.
+
+**NextSession/PersistTSCAL**
+Required. Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key is not in the exclusion list, changes do not persist after a restart.
+
+Supported operations are Get and Replace.
+
+**NextSession/RegistryExclusions**
+Required. The root node that contains all registry exclusions for the next session.
+
+Supported operations are Add, Delete, and Replace.
+
+**NextSession/RegistryExclusions/****_ExcludedRegistry_**
+Optional. A registry key in the registry exclusion list for UWF.
+
+Supported operations are Add, Delete, Get, and Replace.
+
+**NextSession/ServicingEnabled**
+Required. Indicates when to enable servicing.
+
+Supported operations are Get and Replace.
+
+**NextSession/Volume**
+Required. The root node that contains all volumes protected by UWF for the next session.
+
+**NextSession/Volume/****_Volume_**
+Optional. Represents a specific volume in the next session.
+
+Supported operations are Add, Delete, and Replace.
+
+**NextSession/Volume/*Volume*/Protected**
+Required. Indicates if the volume is currently protected by UWF in the next session.
+
+Supported operations are Get and Replace.
+
+**NextSession/Volume/*Volume*/BindByDriveLetter**
+Required. Indicates the type of binding that the volume uses in the next session.
+
+Supported operations are Get and Replace.
+
+**NextSession/Volume/*Volume*/DriveLetter**
+The drive letter of the volume.
If the volume does not have a drive letter, this value is NULL.
+
+The only supported operation is Get.
+
+**NextSession/Volume/*Volume*/Exclusions**
+Required. The root node that contains all file exclusions for this volume in the next session.
+
+**NextSession/Volume/*Volume*/Exclusions/****_ExclusionPath_**
+Optional. A string that contains the full path of the file or folder relative to the volume.
+
+Supported operations are Add, Delete, Get, and Replace.
+
+**ResetSettings**
+Required. Restores UWF settings to the original state that was captured at installation time.
+
+Supported operations are Get and Execute.
+
+**ShutdownSystem**
+Required. Safely shuts down a system protected by UWF, even if the overlay is full.
+
+Supported operations are Get and Execute.
+
+**RestartSystem**
+Required. Safely restarts a system protected by UWF, even if the overlay is full.
+
+Supported operations are Get and Execute.
+
+## Related topics
+
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/client-management/mdm/unifiedwritefilter-ddf.md b/windows/client-management/mdm/unifiedwritefilter-ddf.md
new file mode 100644
index 0000000000..ae3e8f02e5
--- /dev/null
+++ b/windows/client-management/mdm/unifiedwritefilter-ddf.md
@@ -0,0 +1,1055 @@ +--- +title: UnifiedWriteFilter DDF File +description: UnifiedWriteFilter DDF File +ms.assetid: 23A7316E-A298-43F7-9407-A65155C8CEA6 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# UnifiedWriteFilter DDF File + + +This topic shows the OMA DM device description framework (DDF) for the **UnifiedWriteFilter** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +``` syntax + +]> + + 1.2 + + UnifiedWriteFilter + ./Vendor/MSFT + + + + + Root node of UWF(Unified Write Filter) CSP + + + + + + + + + + + com.microsoft/1.0/MDM/UWF + + + + CurrentSession + + + + + Represent the UWF configuration in the current session (power cycle). + + + + + + + + + + + + + + + FilterEnabled + + + + + 0 + Indicates if UWF is enabled for the current session. + + + + + + + + + + + text/plain + + + + + OverlayConsumption + + + + + The current size, in megabytes, of the UWF overlay. + + + + + + + + + + + text/plain + + + + + AvailableOverlaySpace + + + + + The amount of free space, in megabytes, available to the UWF overlay. + + + + + + + + + + + text/plain + + + + + CriticalOverlayThreshold + + + + + + 1024 + The critical threshold size, in megabytes. UWF sends a critical threshold notification event when the UWF overlay size reaches or exceeds this value. + + + + + + + + + + + text/plain + + + + + WarningOverlayThreshold + + + + + + 512 + The warning threshold size, in megabytes. UWF sends a warning threshold notification event when the UWF overlay size reaches or exceeds this value. + + + + + + + + + + + text/plain + + + + + OverlayType + + + + + 0 + Indicates the type of overlay in the current session. + + + + + + + + + + + text/plain + + + + + MaximumOverlaySize + + + + + 1024 + Indicates the maximum cache size, in megabytes, of the overlay in the current session. 
+ + + + + + + + + + + text/plain + + + + + PersistDomainSecretKey + + + + + 1 + Indicates if the domain secret registry key is in the registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart. + + + + + + + + + + + text/plain + + + + + PersistTSCAL + + + + + 1 + Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart. + + + + + + + + + + + text/plain + + + + + RegistryExclusions + + + + + The root node to contain all the registry exclusions. + + + + + + + + + + + + + + + + + + + + A registry key in the registry exclusion list for UWF in the current session. + + + + + + + + + + ExcludedRegistry + + text/plain + + + + + + ServicingEnabled + + + + + 0 + Indicates when servicing is enabled in the current session. + + + + + + + + + + + text/plain + + + + + Volume + + + + + The root node to contain all the volumes protected by UWF in the current session. + + + + + + + + + + + + + + + + + + + + Represents a volume in the current session. + + + + + + + + + + Volume + + + + + + Protected + + + + + Indicates whether the volume is protected by UWF in the current session. + + + + + + + + + + + text/plain + + + + + BindByDriveLetter + + + + + Indicates the type of binding that the volume uses in the current session. + + + + + + + + + + + text/plain + + + + + DriveLetter + + + + + The drive letter of the volume. If the volume does not have a drive letter, this value is NULL. + + + + + + + + + + + text/plain + + + + + Exclusions + + + + + The root node to contain all the file exclusions for the volume. + + + + + + + + + + + + + + + + + + + + A string that contains the full path of the file or folder relative to the volume. 
+ + + + + + + + + + ExclusionPath + + text/plain + + + + + + CommitFile + + + + + + This method commits changes from the overlay to the physical volume for a specified file on a volume protected by UWF. + + + + + + + + + + + text/plain + + + + + CommitFileDeletion + + + + + + This method deletes the specified file and commits the deletion to the physical volume. + + + + + + + + + + + text/plain + + + + + + + ShutdownPending + + + + + This value is true if the system is pending on shutdown, else false. + + + + + + + + + + + text/plain + + + + + CommitRegistry + + + + + + This method commits changes to the specified registry key and value. + + + + + + + + + + + text/plain + + + + + CommitRegistryDeletion + + + + + + This method deletes the specified registry key or registry value and commits the deletion. + + + + + + + + + + + text/plain + + + + + + NextSession + + + + + Contains settings for next UWF session(post reboot). + + + + + + + + + + + + + + + FilterEnabled + + + + + + 0 + Indicates if UWF is enabled for the current session. + + + + + + + + + + + text/plain + + + + + HORMEnabled + + + + + + 0 + Indicates if HORM is enabled for the current session. + + + + + + + + + + + text/plain + + + + + OverlayType + + + + + + 0 + Indicates the type of overlay for the next session. + + + + + + + + + + + text/plain + + + + + MaximumOverlaySize + + + + + + 1024 + Indicates the maximum cache size, in megabytes, of the overlay for the next session. + + + + + + + + + + + text/plain + + + + + PersistDomainSecretKey + + + + + + 1 + Indicates if the domain secret registry key is in the registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart. + + + + + + + + + + + text/plain + + + + + PersistTSCAL + + + + + + 1 + Indicates if the Terminal Server Client Access License (TSCAL) registry key is in the UWF registry exclusion list. If the registry key is not in the exclusion list, changes are not persisted after a restart. 
+ + + + + + + + + + + text/plain + + + + + RegistryExclusions + + + + + The root node to contains all the registry exclusions for the next session. + + + + + + + + + + + + + + + + + + + + + + + A registry key in the registry exclusion list for UWF. + + + + + + + + + + ExcludedRegistry + + text/plain + + + + + + ServicingEnabled + + + + + + 0 + Indicates when to enable servicing. + + + + + + + + + + + text/plain + + + + + Volume + + + + + The root node to contain all the volumes protected by UWF for the next session. + + + + + + + + + + + + + + + + + + + + + + + Represents a volume in the next session. + + + + + + + + + + Volume + + + + + + Protected + + + + + + Indicates whether the volume is protected by UWF in the next session. + + + + + + + + + + + text/plain + + + + + BindByDriveLetter + + + + + + Indicates the type of binding that the volume uses in the next session. + + + + + + + + + + + text/plain + + + + + DriveLetter + + + + + The drive letter of the volume. If the volume does not have a drive letter, this value is NULL. + + + + + + + + + + + text/plain + + + + + Exclusions + + + + + The root node to contain all the file exclusions for the volume in the next session. + + + + + + + + + + + + + + + + + + + + + + + A string that contains the full path of the file or folder relative to the volume. + + + + + + + + + + ExclusionPath + + text/plain + + + + + + + + + ResetSettings + + + + + + Restores UWF settings to the original state that was captured at install time. + + + + + + + + + + + text/plain + + + + + ShutdownSystem + + + + + + Safely shuts down a system protected by UWF, even if the overlay is full. + + + + + + + + + + + text/plain + + + + + RestartSystem + + + + + + Safely restarts a system protected by UWF, even if the overlay is full. + + + + + + + + + + + text/plain + + + + + +``` + +## Related topics + + +[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md) + +  + +  + + + + + + 
diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md new file mode 100644 index 0000000000..61923798e2 --- /dev/null +++ b/windows/client-management/mdm/update-csp.md @@ -0,0 +1,163 @@ +--- +title: Update CSP +description: Update CSP +ms.assetid: F1627B57-0749-47F6-A066-677FDD3D7359 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Update CSP + +The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. + +The following diagram shows the Update configuration service provider in tree format. + +![update csp diagram](images/provisioning-csp-update.png) + +**Update** +

The root node. + +

Supported operation is Get. + +**ApprovedUpdates** +

Node for update approvals and EULA acceptance on behalf of the end-user. + +> [!NOTE] +> When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. + +

The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. + +

The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. + +> [!NOTE] +> For the Windows 10 build, the client may need to reboot after additional updates are added. + +

Supported operations are Get and Add. + +**ApprovedUpdates/****_Approved Update Guid_** +

Specifies the update GUID. + +

To auto-approve a class of updates, you can specify the [Update Classifications](http://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. + +

Supported operations are Get and Add. + +

Sample syncml: +

+./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d + + +**ApprovedUpdates/*Approved Update Guid*/ApprovedTime** +

Specifies the time the update gets approved. + +

Supported operations are Get and Add. + +**FailedUpdates** +

Specifies the approved updates that failed to install on a device. + +

Supported operation is Get. + +**FailedUpdates/****_Failed Update Guid_** +

Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install. + +

Supported operation is Get. + +**FailedUpdates/*Failed Update Guid*/HResult** +

The update failure error code. + +

Supported operation is Get. + +**FailedUpdates/*Failed Update Guid*/Status** +

Specifies the failed update status (for example, download, install). + +

Supported operation is Get. + +**FailedUpdates/*Failed Update Guid*/RevisionNumber** +

Added in the next major update of Windows 10. The revision number for the update that must be passed in server to server sync to get the metadata for the update. + +

Supported operation is Get. + +**InstalledUpdates** +

The updates that are installed on the device. + +

Supported operation is Get. + +**InstalledUpdates/****_Installed Update Guid_** +

UpdateIDs that represent the updates installed on a device. + +

Supported operation is Get. + +**InstalledUpdates/*Installed Update Guid*/RevisionNumber** +

Added in the next major update of Windows 10. The revision number for the update that must be passed in server to server sync to get the metadata for the update. + +

Supported operation is Get. + +**InstallableUpdates** +

The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved. + +

Supported operation is Get. + +**InstallableUpdates/****_Installable Update Guid_** +

Update identifiers that represent the updates applicable and not installed on a device. + +

Supported operation is Get. + +**InstallableUpdates/*Installable Update Guid*/Type** +

The UpdateClassification value of the update. Valid values are: + +- 0 - None +- 1 - Security +- 2 = Critical + +

Supported operation is Get. + +**InstallableUpdates/*Installable Update Guid*/RevisionNumber** +

The revision number for the update that must be passed in server to server sync to get the metadata for the update. + +

Supported operation is Get. + +**PendingRebootUpdates** +

The updates that require a reboot to complete the update session. + +

Supported operation is Get. + +**PendingRebootUpdates/****_Pending Reboot Update Guid_** +

Update identifiers for the pending reboot state. + +

Supported operation is Get. + +**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** +

The time the update is installed. + +

Supported operation is Get. + +**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** +

Added in the next major update of Windows 10. The revision number for the update that must be passed in server to server sync to get the metadata for the update. + +

Supported operation is Get. + +**LastSuccessfulScanTime** +

The last successful scan time. + +

Supported operation is Get. + +**DeferUpgrade** +

Upgrades deferred until the next period. + +

Supported operation is Get. + +## Related topics + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/update-ddf-file.md b/windows/client-management/mdm/update-ddf-file.md new file mode 100644 index 0000000000..a7617b44d2 --- /dev/null +++ b/windows/client-management/mdm/update-ddf-file.md 
@@ -0,0 +1,553 @@ +--- +title: Update DDF file +description: Update DDF file +ms.assetid: E236E468-88F3-402A-BA7A-834ED38DD388 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Update DDF file + +This topic shows the OMA DM device description framework (DDF) for the **Update** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + Update + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + ApprovedUpdates + + + + + + + Approve of specific updates to be installed on a device and accept the EULA associated with the update on behalf of the end-user + + + + + + + + + + Approved Updates + + + + + + + + + + + UpdateID field of the UpdateIdentity is used to display relevant update metadata to IT and approved updates to be installed on the device + + + + + + + + + + Approved Update Guid + + + + + + ApprovedTime + + + + + 0 + The time updates get approved + + + + + + + + + The time update get approved + + text/plain + + + + + + + FailedUpdates + + + + + Approved updates that failed to install on a device + + + + + + + + + + Failed Updates + + + + + + + + + + + UpdateID field of the UpdateIdentity GUID that represent an update that failed to install + + + + + + + + + + + + + Failed Update Guid + + + + + + HResult + + + + + 0 + Update failure error code + + + + + + + + + + HResult + + text/plain + + + + + Status + + + + + Update failure status + + + + + + + + + + + + + Failed update status + + text/plain + + + 
+ + RevisionNumber + + + + + The revision number of the update + + + + + + + + + + Update's revision number + + text/plain + + + + + + + InstalledUpdates + + + + + Updates that are installed on the device + + + + + + + + + + Installed Updates + + + + + + + + + + + UpdateIDs that represent the updates installed on a device + + + + + + + + + + Installed Update Guid + + + + + + RevisionNumber + + + + + The revision number of the update + + + + + + + + + + Update's revision number + + text/plain + + + + + + + InstallableUpdates + + + + + Updates that are applicable and not yet installed on the device + + + + + + + + + + Installable Updates + + + + + + + + + + + UpdateIDs that represent the updates applicable and not installed on a device + + + + + + + + + + Installable Update Guid + + + + + + Type + + + + + + The UpdateClassification value of the update + Values: + 0 = None + 1 = Security + 2 = Critical + + + + + + + + + + + Type of update + + text/plain + + + + + RevisionNumber + + + + + The revision number of the update + + + + + + + + + + Update's revision number + + text/plain + + + + + + + PendingRebootUpdates + + + + + + + + + + + + + + + + + + + + + + + + Devices in the pending reboot state + + + + + + + + + + + + + Pending Reboot Update Guid + + + + + + InstalledTime + + + + + The time the update installed. + + + + + + + + + InstalledTime + + text/plain + + + + + RevisionNumber + + + + + The revision number of the update + + + + + + + + + + Update's revision number + + text/plain + + + + + + + LastSuccessfulScanTime + + + + + 0 + Last success scan time. + + + + + + + + + + + + LastSuccessfulScanTime + + text/plain + + + + + DeferUpgrade + + + + + 0 + Defer upgrades till the next upgrade period (at least a few months). + + + + + + + + + + + + + + text/plain + + + + + +``` + +## Related topics + + +[Update CSP](update-csp.md) + +  + +  + + + + + + 
diff --git a/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md new file mode 100644 index 0000000000..8eda2844e1 --- /dev/null +++ b/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider.md 
@@ -0,0 +1,227 @@ +--- +title: Using PowerShell scripting with the WMI Bridge Provider +description: This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the WMI Bridge Provider. +ms.assetid: 238D45AD-3FD8-46F9-B7FB-6AEE42BE4C08 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Using PowerShell scripting with the WMI Bridge Provider + +This topic covers using PowerShell Cmdlet scripts to configure per-user and per-device policy settings, as well as how to invoke methods through the [WMI Bridge Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx). + + +## Configuring per-device policy settings + +This section provides a PowerShell Cmdlet sample script to configure per-device settings through the [WMI Bridge Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx). If a class supports device settings, there must be a class level qualifier defined for InPartition("local-system"). + +For all device settings, the WMI Bridge client must be executed under local system user. To do that, download the psexec tool from and run `psexec.exe -i -s cmd.exe` from an elevated admin command prompt. + +The script example in this section uses the class [MDM\_Policy\_Config01\_WiFi02](https://msdn.microsoft.com/library/windows/desktop/dn905246.aspx): + +```ManagedCPlusPlus +[dynamic, provider("DMWmiBridgeProv"), InPartition("local-system")] +class MDM_Policy_Config01_WiFi02 +{ + string InstanceID; + string ParentID; + sint32 AllowInternetSharing; + sint32 AllowAutoConnectToWiFiSenseHotspots; + sint32 WLANScanMode; +}; +``` + +The following script describes how to create, enumerate, query, modify, and delete instances. 
+ +```PowerShell +$namespaceName = "root\cimv2\mdm\dmmap" +$className = "MDM_Policy_Config01_WiFi02" + +# Create a new instance for MDM_Policy_Config01_WiFi02 +New-CimInstance -Namespace $namespaceName -ClassName $className -Property @{ParentID="./Vendor/MSFT/Policy/Config";InstanceID="WiFi";AllowInternetSharing=1;AllowAutoConnectToWiFiSenseHotspots=0;WLANScanMode=100} + +# Enumerate all instances available for MDM_Policy_Config01_WiFi02 +Get-CimInstance -Namespace $namespaceName -ClassName $className + +# Query instances with matching properties +Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT/Policy/Config' and InstanceID='WiFi'" + +# Modify existing instance +$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT/Policy/Config' and InstanceID='WiFi'" +$obj.WLANScanMode=500 +Set-CimInstance -CimInstance $obj + +# Delete existing instance +try +{ + $obj = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT/Policy/Config' and InstanceID='WiFi'" + Remove-CimInstance -CimInstance $obj +} +catch [Exception] +{ + write-host $_ | out-string +} +``` + +## Configuring per-user settings + +This section provides a PowerShell Cmdlet sample script to configure per-user settings through the WMI Bridge. If a class supports user settings, there must be a class level qualifier defined for InPartition("local-user"). 
+ +The script example in this section uses the class [MDM\_Policy\_User\_Config01\_Authentication02](https://msdn.microsoft.com/library/windows/desktop/mt146854.aspx): + +```ManagedCPlusPlus +[dynamic, provider("DMWmiBridgeProv"), InPartition("local-user")] +class MDM_Policy_User_Config01_Authentication02 +{ + string InstanceID; + string ParentID; + sint32 AllowEAPCertSSO; +}; +``` + +> **Note**  If the currently logged on user is trying to access or modify user settings for themselves, it is much easier to use the per-device settings script from the previous section. All PowerShell cmdlets must be executed under an elevated admin command prompt. + +  + +If accessing or modifying settings for a different user, then the PowerShell script is more complicated because the WMI Bridge expects the user SID to be set in MI Custom Context, which is not supported in native PowerShell cmdlets. + +> **Note**   All commands must executed under local system. + +  + +A user SID can be obtained by Windows command `wmic useraccount get name, sid`. The following script example assumes the user SID is S-1-5-21-4017247134-4237859428-3008104844-1001. 
+ +```PowerShell +$namespaceName = "root\cimv2\mdm\dmmap" +$className = "MDM_Policy_User_Config01_Authentication02" + +# Configure CIM operation options with target user info +$options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions +$options.SetCustomOption("PolicyPlatformContext_PrincipalContext_Type", "PolicyPlatform_UserContext", $false) +$options.SetCustomOption("PolicyPlatformContext_PrincipalContext_Id", "S-1-5-21-4017247134-4237859428-3008104844-1001", $false) + +# Construct session used for all operations +$session = New-CimSession + +########################################################################## +# Create a new instance for MDM_Policy_User_Config01_Authentication02 +########################################################################## +$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName +$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", './Vendor/MSFT/Policy/Config', "string", "Key") +$newInstance.CimInstanceProperties.Add($property) +$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", 'Authentication', "String", "Key") +$newInstance.CimInstanceProperties.Add($property) +$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("AllowEAPCertSSO", 1, "Sint32", "Property") +$newInstance.CimInstanceProperties.Add($property) +try +{ + $session.CreateInstance($namespaceName, $newInstance, $options) +} +catch [Exception] +{ + write-host $_ | out-string +} + +########################################################################## +# Enumerate all instances for MDM_Policy_User_Config01_Authentication02 +########################################################################## +$session.EnumerateInstances($namespaceName, $className, $options) + +########################################################################## +# Query instance for MDM_Policy_User_Config01_Authentication02 +# with 
matching properties +########################################################################## +$getInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName +$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", './Vendor/MSFT/Policy/Config', "string", "Key") +$getInstance.CimInstanceProperties.Add($property) +$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", 'Authentication', "String", "Key") +$getInstance.CimInstanceProperties.Add($property) +try +{ + $session.GetInstance($namespaceName, $getInstance, $options) +} +catch [Exception] +{ + write-host $_ | out-string +} + +########################################################################## +# Modify existing instance for MDM_Policy_User_Config01_Authentication02 +########################################################################## +$getInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName +$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", './Vendor/MSFT/Policy/Config', "string", "Key") +$getInstance.CimInstanceProperties.Add($property) +$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", 'Authentication', "String", "Key") +$getInstance.CimInstanceProperties.Add($property) +try +{ + $updateInstance = $session.GetInstance($namespaceName, $getInstance, $options)[0] + $updateInstance.AllowEAPCertSSO = 0 + $session.ModifyInstance($namespaceName, $updateInstance, $options) +} +catch [Exception] +{ + write-host $_ | out-string +} + +########################################################################## +# Delete existing instance for MDM_Policy_User_Config01_Authentication02 +########################################################################## +$getInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespaceName +$property = 
[Microsoft.Management.Infrastructure.CimProperty]::Create("ParentID", './Vendor/MSFT/Policy/Config', "string", "Key") +$getInstance.CimInstanceProperties.Add($property) +$property = [Microsoft.Management.Infrastructure.CimProperty]::Create("InstanceID", 'Authentication', "String", "Key") +$getInstance.CimInstanceProperties.Add($property) +try +{ + $deleteInstance = $session.GetInstance($namespaceName, $getInstance, $options)[0] + $session.DeleteInstance($namespaceName, $deleteInstance, $options) +} +catch [Exception] +{ + write-host $_ | out-string +} +``` + +## Invoking methods + +This section provides a PowerShell Cmdlet sample script to invoke a WMI Bridge object method. The following script must be executed under local system user. To do that, download the psexec tool from and run `psexec.exe -i -s cmd.exe` from an elevated admin command prompt. + +The script example in this section uses the [UpgradeEditionWithProductKeyMethod](https://msdn.microsoft.com/library/windows/desktop/mt599805.aspx) method of the [MDM\_WindowsLicensing](https://msdn.microsoft.com/library/windows/desktop/dn948453.aspx) class. 
+ +```PowerShell +$namespaceName = "root\cimv2\mdm\dmmap" +$className = "MDM_WindowsLicensing" +$methodName = "UpgradeEditionWithProductKeyMethod" +$fakeProductKey = "7f1a3659-3fa7-4c70-93ce-0d354e8e158e" + +$session = New-CimSession + +$params = New-Object Microsoft.Management.Infrastructure.CimMethodParametersCollection +$param = [Microsoft.Management.Infrastructure.CimMethodParameter]::Create("param", $fakeProductKey, "String", "In") +$params.Add($param) + +try +{ + $instance = Get-CimInstance -Namespace $namespaceName -ClassName $className -Filter "ParentID='./Vendor/MSFT' and InstanceID='WindowsLicensing'" + $session.InvokeMethod($namespaceName, $instance, $methodName, $params) +} +catch [Exception] +{ + write-host $_ | out-string +} +``` + +## Related topics + +[WMI Bridge Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) + +  + + + + + diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md new file mode 100644 index 0000000000..7310156f21 --- /dev/null +++ b/windows/client-management/mdm/vpn-csp.md 
@@ -0,0 +1,299 @@ +--- +title: VPN CSP +description: VPN CSP +ms.assetid: 05ca946a-1c0b-4e11-8d7e-854e14740707 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# VPN CSP + + +The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see [Configure IKEv2-based Remote Access](http://technet.microsoft.com/library/ff687731%28v=ws.10%29.aspx). + +> **Note**   The VPN CSP is deprecated in Windows 10 and it only supported in Windows 10 Mobile for backward compatibility. Use [VPNv2 CSP](vpnv2-csp.md) instead. + +  + +Important considerations: + +- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is particularly critical for forced tunnel VPN. + +- VPN configuration commands must be wrapped with an Atomic command as shown in the example below. + +- Only one VPN profile provisioning per one OMA request is supported. Multiple VPN profiles per one OMA message request are not supported. + +- For the VPN CSP, you cannot use the Replace command unless the node already exists. + +The following diagram shows the VPN configuration service provider in tree format. + +![provisioning\-csp\-vpn](images/provisioning-csp-vpn.png) + +***ProfileName*** +Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/). + +Value type is chr. Supported operations include Get, Add, Replace, and Delete. + +**Server** +Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm. + +Supported operations are Get, Add, and Replace. + +Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com. 
+ +**TunnelType** +Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. + +Value type is chr. Supported operations are Get and Add. + +**ThirdParty** +Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. + +Supported operations are Get and Add. + +**ThirdParty/Name** +Required when ThirdParty is defined for SSL-VPN profile provisioning. + +Value type is chr. Supported operations are Get and Add. + +Valid values: + +- JunOS Pulse + +- SonicWall Mobile Connect + +- F5 Big-IP Edge Client + +- Checkpoint Mobile VPN + +**ThirdParty/AppID** +Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. + +Value type is chr. Supported operations are Get, Add, Replace, and Delete. + +**ThirdParty/CustomStoreURL** +Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app. + +Value type is chr. Supported operations are Get, Add, Replace, and Delete. + +**ThirdParty/CustomConfiguration** +Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins. + +Value type is char. Supported operations are Get, Add, Replace, and Delete. + +**RoleOrGroup** +Not Implemented. Optional. + +Value type is char. Supported operations are Get, Add, Delete, and Replace. + +**Authentication** +Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a collection of configuration objects to ensure that the correct authentication policy is used on the device based on the chosen TunnelType. 
+ +Supported operations are Get and Add. + +**Authentication/Method** +Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. + +Supported operations are Get and Add. + +Value type is chr. + +> **Note**  For EAP, use Authentication/EAP instead. + +  + +**Authentication/Certificate** +Optional node. A collection of nodes that enables simpler authentication experiences for end users when using VPN. This and its subnodes should not be used for IKEv2 profiles. + +Supported operations are Get and Add. + +**Authentication/Certificate/Issuer** +Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering. + +Value type is chr. Supported operations are Get, Add, Delete, and Replace. + +> **Note**  Do not use this element for IKev2 profiles. + +  + +**Authentication/Certificate/EKU** +Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering. + +Value type is chr. Supported operations are Get, Add, Delete, and Replace. + +> **Note**  Do not use this element for IKev2 profiles. + +  + +**Authentication/Certificate/CacheLifeTimeForProtectedCert** +Not Implemented. Optional. + +Value type is int. Supported operations are Get, Add, Replace, and Delete. + +**Authentication/EAP** +Required when IKEv2 is selected. Defines the EAP blob to be used for IKEv2 authentication. You can use EAP-MSCHAPv2 or EAP-TLS. EAP blob is HTML encoded XML as defined in EAP Host Config schemas. You can find the schemas in [Microsoft EAP MsChapV2 Schema](http://go.microsoft.com/fwlink/p/?LinkId=523885) and [Microsoft EAP TLS Schema](http://go.microsoft.com/fwlink/p/?LinkId=523884). 
+ +Supported operations are Get, Add, and Replace. + +Value type is chr. + +**Proxy** +Optional node. A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile will be applied when this profile is active and connected. + +Supported operations are Add, Delete, and Replace. + +**Proxy/Manual/Server** +Optional. Set this element together with PORT. The value is the proxy server address as a fully qualified hostname or an IP address, for example, proxy.constoso.com. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is chr. + +**Proxy/Manual/Port** +Optional. Set this element together with Server. The value is the proxy server port number in the range of 1-65535, for example, 8080. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is int. + +**Proxy/BypassForLocal** +Optional. When this setting is enabled, any web requests to resources in the intranet zone will not be sent to the proxy. When this is false, the setting should be disabled and all requests should go to the proxy. When this is true, the setting is enabled and intranet requests will not go to the proxy. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is bool. + +Default is False. + +**SecuredResources** +Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported.. + +**SecuredResources/AppAllowedList/AppAllowedList** +Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. 
When the profile is auto-triggered, VPN is triggered automatically by these apps. + +Supported operations are Get, Add, Replace and Delete. + +Value type is chr. + +Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u. + +**SecuredResources/NetworkAllowedList/NetworkAllowedList** +Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is chr. + +An example is 172.31.0.0/16. + +**SecuredResources/NameSpaceAllowedList/NameSpaceAllowedList** +Optional. Specifies one or more namespaces that you want secured over VPN. All requests to the specified namespaces are secured over VPN. Applications connecting to namespaces are secured over VPN. Otherwise, they’ll continue to connect directly. Namespaces are defined in the format \*.corp.contoso.com. Restrictions such as \* or \*.\* or \*.com.\* are not allowed. NetworkAllowedList is required for IKEv2 profiles for routing the traffic correctly over split tunnel. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is chr. + +An example is \*.corp.contoso.com. + +**SecuredResources/ExcluddedAppList/ExcludedAppList** +Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is chr. + +Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u. 
+ +**SecuredResources/ExcludedNetworkList/ExcludedNetworkList** +Optional. Specifies one or more IP addresses that will never use VPN. Any app connecting to the configured excluded IP list will use the internet directly and bypass VPN. Values are defined in the format 10.0.0.0/8. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is chr. + +An example is 172.31.0.0/16. + +**SecuredResources/ExcludedNameSpaceList/ExcludedNameSpaceList** +Optional. Specifies one or more namespaces of hosts that will never use VPN. Any app connecting to the configured excluded host list will use the internet and bypass VPN. Restrictions such as \* or \*.\* or \*.com.\* are not allowed. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is chr. + +An example is \*.corp.contoso.com. + +**SecuredResources/DNSSuffixSearchList/DNSSuffixSearchList** +Optional. Specifies one or many DNS suffixes that will be appended to shortname URLs for DNS resolution and connectivity. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is chr. + +An example is .corp.contoso.com. + +**Policies** +Optional node. A collection of configuration objects you can use to enforce profile-specific restrictions. + +**Policies/SplitTunnel** +Optional. When this is False, all traffic goes to the VPN gateway in force tunnel mode. When this is True, only the specific traffic to defined secured resources goes to the VPN gateway. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is bool. + +Default value is True. + +**Policies/ByPassForLocal** +Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. 
The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is bool. + +Default value is False. + +**Policies/TrustedNetworkDetection** +Optional. When this setting is set to True, the VPN cannot connect when the user is on their corporate wireless network where protected resources are directly accessible to the device. When this is False, the VPN connects over corporate wireless network. This node has a dependency on the DNSSuffix node setting to detect the corporate wireless network. + +Supported operations are Get, Add, Replace, and Delete. + +Value type is bool. + +Default value is False. + +**Policies/ConnectionType** +Optional. Valid values are: + +- Triggering: A VPN automatically connects as applications require connectivity to protected resources. The life cycle of the VPN is based on applications using the VPN. Recommended setting for optimizing usage of power resources. + +- Manual: User must manually connect / disconnect VPN. + +Supported operations are Get, Add, and Replace. + +Value type is chr. + +Default value is Triggering. + +**DNSSuffix** +Optional, but it is required to set the specific DNS suffix of the primary connection. Supported operations are Get, Add, Delete, and Replace. + +Value type is chr. + +An example is corp.contoso.com. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + diff --git a/windows/client-management/mdm/vpn-ddf-file.md b/windows/client-management/mdm/vpn-ddf-file.md new file mode 100644 index 0000000000..d5e1303442 --- /dev/null +++ b/windows/client-management/mdm/vpn-ddf-file.md 
@@ -0,0 +1,1396 @@ +--- +title: VPN DDF file +description: VPN DDF file +ms.assetid: 728FCD9C-0B8E-413B-B54A-CD72C9F2B9EE +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# VPN DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **VPN** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +``` syntax + + +]> + + 1.2 + + MSFT + ./Vendor + + + + + + + + + + + + + + + + + + + VPN + + + + + + + + + + + + + + + + + Root + + + + + + + + + + + + + + + + + + + + + + + + + + Profile Name + + + + + + Server + + + + + + + + + + + + + + + + + + + VPN Gateway Server + + text/plain + + + + + TunnelType + + + + + + + + + + + + + + + + + + + + TunnelType + + text/plain + + + + + ThirdParty + + + + + + + + + + + + + + + + + Third Party + + + + + + Name + + + + + + + + + + + + + + + + + + + Third Party Name + + text/plain + + + + + AppID + + + + + + + + + + + + + + + + APPID + + text/plain + + + + + CustomStoreURL + + + + + + + + + + + + + + + + + + + + Custom Store URL + + text/plain + + + + + CustomConfiguration + + + + + + + + + + + + + + + + + + + + Custom Configuration + + text/plain + + + + + + RoleOrGroup + + + + + + + + + + + + + + + + + + + + RoleOrGroup + + text/plain + + + + + Authentication + + + + + + + + + + + + + + + + + + + Authentication + + + + + + Method + + + + + + + + + + + + + + + + + + + Method + + text/plain + + + + + Certificate + + + + + + + + + + + + + + + + + + + + Certificate + + + + + + Issuer + + + + + + + + + + + + + + + + + + + + Issuer + + text/plain + + + + + EKU + + + + + + + + + + + + + + + + + + + + EKU + + text/plain + + + + + ChacheLifeTimeForProtectedCert + + + + + + + + + + + + + + + + + + + + ChacheLifeTimeForProtectedCert + + text/plain + + + + + + MultiAuth + + + + + + + + + + + + + + + + + + + + MultiAuth + + + + + + StartURL + + + + + + + + + + + + + + + + + + + StartURL + + text/plain + + + + + EndURL + + + + + + 
+ + + + + + + + + + + + + EndURL + + text/plain + + + + + + EAP + + + + + + + + + + + + + + + + + + + + EAP + + text/plain + + + + + + Proxy + + + + + + + + + + + + + + + + + + + Proxy + + + + + + Automatic + + + + + + + + + + + + + + + + + + + + Automatic + + text/plain + + + + + Manual + + + + + + + + + + + + + + + + + + + + Manual + + + + + + Server + + + + + + + + + + + + + + + + + + + Server + + text/plain + + + + + Port + + + + + + + + + + + + + + + + + + + Port + + text/plain + + + + + + BypassProxyForLocal + + + + + + + + false + + + + + + + + + + + + + BypassProxyForLocal + + text/plain + + + + + + SecuredResources + + + + + + + + + + + + + + + + + + + + SecuredResources + + + + + + AppPublisherNameList + + + + + + + + + + + + + + + + + + + + AppPublisherNameList + + + + + + + + + + + + + + + + + + + + + + + + + + AppPublisherName* + + text/plain + + + + + + AppAllowedList + + + + + + + + + + + + + + + + + + + + AppAllowedList + + + + + + + + + + + + + + + + + + + + + + + + + Apps* + + text/plain + + + + + + NetworkAllowedList + + + + + + + + + + + + + + + + + + + + NetworkAllowedList + + + + + + + + + + + + + + + + + + + + + + + + + + Networks* + + text/plain + + + + + + NameSpaceAllowedList + + + + + + + + + + + + + + + + + + + + NameSpaceAllowedList + + + + + + + + + + + + + + + + + + + + + + + NameSpace* + + text/plain + + + + + + ExcludedAppList + + + + + + + + + + + + + + + + + + + + ExcludedAppList + + + + + + + + + + + + + + + + + + + + + + + + + + ExcludedAppList* + + text/plain + + + + + + ExcludedNetworkList + + + + + + + + + + + + + + + + + + + + ExcludedNetworkList + + + + + + + + + + + + + + + + + + + + + + + + + + ExcludedNetworkList* + + text/plain + + + + + + ExcludedNameSpaceList + + + + + + + + + + + + + + + + + + + + ExcludedNameSpaceList + + + + + + + + + + + + + + + + + + + + + + + + + + ExcludedNamespaceList* + + text/plain + + + + + + DNSSuffixSearchList + + + + + + + + + + + + + + + + + + + + DNSSuffixSearchList + + + + + + + + + + 
+ + + + + + + + + + + + + + + + DNSSuffixSearchList* + + text/plain + + + + + + + Policies + + + + + + + + + + + + + + + + + + + + Policies + + + + + + RememberCredentials + + + + + + + + true + + + + + + + + + + + + + RememberCredentials + + text/plain + + + + + SplitTunnel + + + + + + + + true + + + + + + + + + + + + + SplitTunnel + + text/plain + + + + + BypassForLocal + + + + + + + + true + + + + + + + + + + + + + BypassForLocal + + text/plain + + + + + TrustedNetworkDetection + + + + + + + + true + + + + + + + + + + + + + TrustedNetworkDetection + + text/plain + + + + + ConnectionType + + + + + + + + Triggering + + + + + + + + + + + + + ConnectionType + + text/plain + + + + + + DNSSuffix + + + + + + + + + + + + + + + + + + + + DNSSuffix + + + + + + + + + +``` + +## Related topics + + +[VPN configurtion service provider](vpn-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md new file mode 100644 index 0000000000..5b48d34a09 --- /dev/null +++ b/windows/client-management/mdm/vpnv2-csp.md 
@@ -0,0 +1,1275 @@
+---
+title: VPNv2 CSP
+description: VPNv2 CSP
+ms.assetid: 51ADA62E-1EE5-4F15-B2AD-52867F5B2AD2
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# VPNv2 CSP
+
+
+The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device.
+
+Here are the requirements for this CSP:
+
+- VPN configuration commands must be wrapped in an Atomic block in SyncML.
+- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies.
+- Instead of changing individual properties, follow these steps to make any changes:
+
+ - Send a Delete command for the ProfileName to delete the entire profile.
+ - Send the entire profile again with new values wrapped in an Atomic block.
+
+ In certain conditions you can change some properties directly, but we do not recommend it.
+
+The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
+
+- C:\\Windows\\schemas\\EAPHost
+- C:\\Windows\\schemas\\EAPMethods
+
+The following diagram shows the VPNv2 configuration service provider in tree format.
+
+![vpnv2 csp diagram](images/provisioning-csp-vpnv2-rs1.png)
+
+**Device or User profile**
+For user profile, use **./User/Vendor/MSFT** path and for device profile, use **./Device/Vendor/MSFT** path.
+
+**VPNv2/***ProfileName*
+Unique alpha numeric identifier for the profile. The profile name must not include a forward slash (/).
+
+Supported operations include Get, Add, and Delete.
+
+> **Note**  If the profile name has a space or other non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
+
+ 
+
+**VPNv2/***ProfileName***/AppTriggerList**
+Optional node. 
List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect.
+
+**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId*
+A sequential integer identifier which allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers.
+
+Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId***/App**
+App Node under the Row Id.
+
+**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId***/App/Id**
+App identity, which is either an app’s package family name or file path. The type is inferred by the Id, and therefore cannot be specified in the get only App/Type field
+
+**VPNv2/***ProfileName***/AppTriggerList/***appTriggerRowId***/App/Type**
+Returns the type of **App/Id**. This value can be either of the following:
+
+- PackageFamilyName - When this is returned, the App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of the Windows Store application.
+- FilePath - When this is returned, the App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
+
+Value type is chr. Supported operation is Get.
+
+**VPNv2/***ProfileName***/RouteList/**
+Optional node. List of routes to be added to the routing table for the VPN interface. This is required for split tunneling case where the VPN server site has more subnets that the default subnet based on the IP assigned to the interface.
+
+Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length. 
+
+Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and do not need this information in the VPN Profile. Please check with your VPN server administrator to determine whether you need this information in the VPN profile.
+
+**VPNv2/***ProfileName***/RouteList/***routeRowId*
+A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0.
+
+Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/RouteList/***routeRowId***/Address**
+Subnet address in IPv4/v6 address format which, along with the prefix will be used to determine the destination prefix to send via the VPN Interface. This is the IP address part of the destination prefix.
+
+Supported operations include Get, Add, Replace, and Delete. Value type is chr. Example, `192.168.0.0`
+
+**VPNv2/***ProfileName***/RouteList/***routeRowId***/PrefixSize**
+The subnet prefix size part of the destination prefix for the route entry. This, along with the address will be used to determine the destination prefix to route through the VPN Interface.
+
+Value type is int. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/RouteList/***routeRowId***/ExclusionRoute**
+Added in Windows 10, version 1607. A boolean value that specifies if the route being added should point to the VPN Interface or the Physical Interface as the Gateway. Valid values:
+
+- False (default) - This route will direct traffic over the VPN
+- True - This route will direct traffic over the physical interface.
+
+Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/DomainNameInformationList**
+Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. 
+
+The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface.
+
+**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId*
+A sequential integer identifier for the Domain Name information. Sequencing must start at 0.
+
+Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/DomainName**
+Used to indicate the namespace to which the policy applies. When a Name query is issued, the DNS client compares the name in the query to all of the namespaces under DomainNameInformationList to find a match. This parameter can be one of the following types:
+
+- FQDN - Fully qualified domain name
+- Suffix - A domain suffix that will be appended to the shortname query for DNS resolution. To specify a suffix, prepend a **.** to the DNS suffix.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/DomainNameType**
+Returns the namespace type. This value can be one of the following:
+
+- FQDN - If the DomainName was not prepended with a **.** and applies only to the fully qualified domain name (FQDN) of a specified host.
+- Suffix - If the DomainName was prepended with a **.** and applies to the specified namespace, all records in that namespace, and all subdomains.
+
+Value type is chr. 
Supported operation is Get.
+
+**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/DnsServers**
+List of comma separated DNS Server IP addresses to use for the namespace.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/WebProxyServers**
+Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet.
+
+> **Note**  Currently only one web proxy server is supported.
+
+ 
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/AutoTrigger**
+Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN.
+
+If set to False, this DomainName rule will not trigger the VPN.
+
+If set to True, this DomainName rule will trigger the VPN
+
+By default, this value is false.
+
+Value type is bool. Persistent
+
+**VPNv2/***ProfileName***/DomainNameInformationList/***dniRowId***/Persistent**
+Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN is not connected. Value values:
+
+- False (default) - This DomainName rule will only be applied when VPN is connected.
+- True - This DomainName rule will always be present and applied.
+
+Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/TrafficFilterList**
+An optional node that specifies a list of rules. Only traffic that matches these rules can be sent via the VPN Interface.
+
+> **Note**  Once a TrafficFilterList is added, all traffic are blocked other than the ones matching the rules.
+
+ 
+
+When adding multiple rules, each rule operates based on an OR with the other rules. Within each rule, each property operates based on an AND with each other. 
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId*
+A sequential integer identifier for the Traffic Filter rules. Sequencing must start at 0.
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/App**
+Per app VPN rule. This will allow only the apps specified to be allowed over the VPN interface. Value type is chr.
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/App/Id**
+App identity for the app-based traffic filter.
+
+The value for this node can be one of the following:
+
+- PackageFamilyName - This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Windows Store application.
+- FilePath - This App/Id value represents the full file path of the app. For example, `C:\Windows\System\Notepad.exe`.
+- SYSTEM – This value enables Kernel Drivers to send traffic through VPN (for example, PING or SMB).
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/App/Type**
+Returns the type of ID of the **App/Id**.
+
+Value type is chr. Supported operation is Get.
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/Claims**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/Protocol**
+Numeric value from 0-255 representing the IP protocol to allow. For example, TCP = 6 and UDP = 17.
+
+Value type is int. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/LocalPortRanges**
+A list of comma separated values specifying local port ranges to allow. For example, `100-120, 200, 300-320`.
+
+> **Note**  Ports are only valid when the protocol is set to TCP=6 or UDP=17.
+
+ 
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete. 
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/RemotePortRanges**
+A list of comma separated values specifying remote port ranges to allow. For example, `100-120, 200, 300-320`.
+
+> **Note**  Ports are only valid when the protocol is set to TCP=6 or UDP=17.
+
+ 
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/LocalAddressRanges**
+A list of comma separated values specifying local IP address ranges to allow.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/RemoteAddressRanges**
+A list of comma separated values specifying remote IP address ranges to allow.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/TrafficFilterList/***trafficFilterId***/RoutingPolicyType**
+Specifies the routing policy if an App or Claims type is used in the traffic filter. The scope of this property is for this traffic filter rule alone. The value can be one of the following:
+
+- SplitTunnel - For this traffic filter rule, only the traffic meant for the VPN interface (as determined by the networking stack) goes over the interface. Internet traffic can continue to go over the other interfaces.
+- ForceTunnel - For this traffic rule all IP traffic must go through the VPN Interface only.
+
+This is only applicable for App ID based Traffic Filter rules.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/EdpModeId**
+Enterprise ID, which is required for connecting this VPN profile with an WIP policy. When this is set, the networking stack looks for this Enterprise ID in the app token to determine if the traffic is allowed to go over the VPN. If the profile is active, it also automatically triggers the VPN to connect. 
We recommend having only one such profile per device.
+
+Additionally when connecting with Windows Information Protection (WIP)(formerly known as Enterprise Data Protection), the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced config is needed) because the WIP policies and App lists automatically takes effect.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/RememberCredentials**
+Boolean value (true or false) for caching credentials. Default is false, which means do not cache credentials. If set to true, credentials are cached whenever possible.
+
+Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/AlwaysOn**
+An optional flag to enable Always On mode. This will automatically connect the VPN at sign-in and will stay connected until the user manually disconnects.
+
+> **Note**  Always On only works for the active profile. The first profile provisioned that can be auto triggered will automatically be set as active.
+
+ 
+
+Valid values:
+
+- False (default) - Always On is turned off.
+- True - Always On is turned on.
+
+Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/LockDown**
+Lockdown profile.
+
+Valid values:
+
+- False (default) - this is not a LockDown profile.
+- True - this is a LockDown profile.
+
+When the LockDown profile is turned on, it does the following things:
+
+- First, it automatically becomes an "always on" profile.
+- Second, it can never be disconnected.
+- Third, if the profile is not connected, then the user has no network.
+- Fourth, no other profiles may be connected or modified.
+
+A Lockdown profile must be deleted before you can add, remove, or connect other profiles.
+
+Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/DnsSuffix**
+Optional. 
Specifies one or more comma separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/ByPassForLocal**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/TrustedNetworkDetection**
+Optional. Comma separated string to identify the trusted network. VPN will not connect automatically when the user is on their corporate wireless network where protected resources are directly accessible to the device.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/ProfileXML**
+Added in Windows 10, version 1607. The XML schema for provisioning all the fields of a VPN. For the XSD, see [ProfileXML XSD](vpnv2-profile-xsd.md).
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/Proxy**
+A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile is applied when this profile is active and connected.
+
+**VPNv2/***ProfileName***/Proxy/Manual**
+Optional node containing the manual server settings.
+
+**VPNv2/***ProfileName***/Proxy/Manual/Server**
+Optional. Proxy server address as a fully qualified hostname or an IP address. You should set this element together with Port. Example, proxy.contoso.com.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/Proxy/AutoConfigUrl**
+Optional. URL to automatically retrieve the proxy settings.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/APNBinding**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/APNBinding/ProviderId**
+Reserved for future use. Optional node. 
+
+**VPNv2/***ProfileName***/APNBinding/AccessPointName**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/APNBinding/UserName**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/APNBinding/Password**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/APNBinding/IsCompressionEnabled**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/APNBinding/AuthenticationType**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/DeviceCompliance**
+Added in Windows 10, version 1607. Nodes under DeviceCompliance can be used to enable AAD-based Conditional Access for VPN.
+
+**VPNv2/***ProfileName***/DeviceCompliance/Enabled**
+Added in Windows 10, version 1607. Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory.
+
+Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/DeviceCompliance/Sso**
+Added in Windows 10, version 1607. Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance.
+
+**VPNv2/***ProfileName***/DeviceCompliance/Sso/Enabled**
+Added in Windows 10, version 1607. If this field is set to True, the VPN Client will look for a separate certificate for Kerberos Authentication.
+
+Value type is bool. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/DeviceCompliance/Sso/IssuerHash**
+Added in Windows 10, version 1607. Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/DeviceCompliance/Sso/Eku**
+Added in Windows 10, version 1607. 
Comma Separated list of EKUs for the VPN Client to look for the correct certificate for Kerberos Authentication.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/PluginProfile**
+Nodes under the PluginProfile are required when using a Windows Store based VPN plugin.
+
+**VPNv2/***ProfileName***/PluginProfile/ServerUrlList**
+Required for plug-in profiles. Comma separated list of servers in URL, hostname, or IP format.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/PluginProfile/CustomConfiguration**
+Optional. This is an HTML encoded XML blob for SSL-VPN plug-in specific configuration including authentication information that is deployed to the device to make it available for SSL-VPN plug-ins. Contact the plugin provider for format and other details. Most plugins can also configure values based on the server negotiations as well as defaults.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/PluginProfile/PluginPackageFamilyName**
+Required for plug-in profiles. Package family name for the SSL-VPN plug-in.
+
+Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/PluginProfile/CustomStoreUrl**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/NativeProfile**
+Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP).
+
+**VPNv2/***ProfileName***/NativeProfile/Servers**
+Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/RoutingPolicyType**
+Optional for native profiles. Type of routing policy. 
This value can be one of the following:
+
+- SplitTunnel - Traffic can go over any interface as determined by the networking stack.
+- ForceTunnel - All IP traffic must go over the VPN interface.
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/NativeProtocolType**
+Required for native profiles. Type of tunneling protocol used. This value can be one of the following:
+
+- PPTP
+- L2TP
+- IKEv2
+- Automatic
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/Authentication**
+Required node for native profile. It contains authentication information for the native VPN profile.
+
+**VPNv2/***ProfileName***/NativeProfile/Authentication/UserMethod**
+This value can be one of the following:
+
+- EAP
+- MSChapv2 (This is not supported for IKEv2)
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/Authentication/MachineMethod**
+This is only supported in IKEv2.
+
+This value can be one of the following:
+
+- Certificate
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/Authentication/Eap**
+Required when the native profile specifies EAP authentication. EAP configuration XML.
+
+Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/Authentication/Eap/Configuration**
+HTML encoded XML of the EAP configuration. For more information about EAP configuration XML, see [EAP configuration](eap-configuration.md).
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/Authentication/Eap/Type**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/NativeProfile/Authentication/Certificate**
+Reserved for future use. 
+
+**VPNv2/***ProfileName***/NativeProfile/Authentication/Certificate/Issuer**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/NativeProfile/Authentication/Certificate/Eku**
+Reserved for future use.
+
+**VPNv2/***ProfileName***/NativeProfile/CryptographySuite**
+Added in Windows 10, version 1607. Properties of IPSec tunnels.
+
+**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/AuthenticationTransformConstants**
+Added in Windows 10, version 1607.
+
+The following list contains the valid values:
+
+- MD596
+- SHA196
+- SHA256128
+- GCMAES128
+- GCMAES192
+- GCMAES256
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/CipherTransformConstants**
+Added in Windows 10, version 1607.
+
+The following list contains the valid values:
+
+- DES
+- DES3
+- AES128
+- AES192
+- AES256
+- GCMAES128
+- GCMAES192
+- GCMAES256
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/EncryptionMethod**
+Added in Windows 10, version 1607.
+
+The following list contains the valid values:
+
+- DES
+- DES3
+- AES128
+- AES192
+- AES256
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/IntegrityCheckMethod**
+Added in Windows 10, version 1607.
+
+The following list contains the valid values:
+
+- MD5
+- SHA196
+- SHA256
+- SHA384
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete.
+
+**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/DHGroup**
+Added in Windows 10, version 1607.
+
+The following list contains the valid values:
+
+- Group1
+- Group2
+- Group14
+- ECP256
+- ECP384
+- Group24
+
+Value type is chr. Supported operations include Get, Add, Replace, and Delete. 
+ +**VPNv2/***ProfileName***/NativeProfile/CryptographySuite/PfsGroup** +Added in Windows 10, version 1607. + +The following list contains the valid values: + +- PFS1 +- PFS2 +- PFS2048 +- ECP256 +- ECP384 +- PFSMM +- PFS24 + +Value type is chr. Supported operations include Get, Add, Replace, and Delete. + +**VPNv2/***ProfileName***/NativeProfile/L2tpPsk** +Added in Windows 10, version 1607. The preshared key used for an L2TP connection. + +Value type is chr. Supported operations include Get, Add, Replace, and Delete. + +## Examples + + +Profile example + +``` syntax + + + + 10000 + + + + 10001 + + + ./Vendor/MSFT/VPNv2/VPN_Demo/ProfileXML + + <VPNProfile> + <ProfileName>VPN_Demo</ProfileName> + <NativeProfile> + <Servers>VPNServer.contoso.com</Servers> + <NativeProtocolType>Automatic</NativeProtocolType> + <Authentication> + <UserMethod>Eap</UserMethod> + <Eap> + <Configuration> +<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <EapMethod> <Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type> <VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId> <VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType> <AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId> </EapMethod> <Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>25</Type> <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <FastReconnect>true</FastReconnect> <InnerEapOptional>false</InnerEapOptional> <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"> <Type>13</Type> <EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"> <CredentialsSource> 
<CertificateStore> <SimpleCertSelection>false</SimpleCertSelection> </CertificateStore> </CredentialsSource> <ServerValidation> <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation> <ServerNames></ServerNames> </ServerValidation> <DifferentUsername>false</DifferentUsername> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2">false</AcceptServerName> <TLSExtensions xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2"> <FilteringInfo xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV3"> <EKUMapping> <EKUMap> <EKUName>Unknown Key Usage</EKUName> <EKUOID>1.3.6.1.4.1.311.87</EKUOID> </EKUMap> </EKUMapping> <ClientAuthEKUList Enabled="true"> <EKUMapInList> <EKUName>Unknown Key Usage</EKUName> </EKUMapInList> </ClientAuthEKUList> </FilteringInfo> </TLSExtensions> </EapType> </Eap> <EnableQuarantineChecks>false</EnableQuarantineChecks> <RequireCryptoBinding>false</RequireCryptoBinding> <PeapExtensions> <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation> <AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName> </PeapExtensions> </EapType> </Eap> </Config> </EapHostConfig> + </Configuration> + </Eap> + </Authentication> + <RoutingPolicyType>SplitTunnel</RoutingPolicyType> + </NativeProfile> + <DomainNameInformation> + <DomainName>.contoso.com</DomainName> + <DNSServers>10.5.5.5</DNSServers> + </DomainNameInformation> + <TrafficFilter> + <App>%ProgramFiles%\Internet Explorer\iexplore.exe</App> + </TrafficFilter> + <TrafficFilter> + <App>Microsoft.MicrosoftEdge_8wekyb3d8bbwe</App> + </TrafficFilter> + <Route> + <Address>10.0.0.0</Address> + <PrefixSize>8</PrefixSize> + </Route> + <Route> + 
<Address>25.0.0.0</Address> + <PrefixSize>8</PrefixSize> + </Route> + <RememberCredentials>true</RememberCredentials> + </VPNProfile> + + + + + + + +``` + +AppTriggerList + +``` syntax + + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id + + %PROGRAMFILES%\Internet Explorer\iexplore.exe + + + + 10014 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id + + %PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe + + + + + 10015 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + +``` + +RouteList and ExclusionRoute + +``` syntax + + + 10008 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address + + 192.168.0.0 + + + + 10009 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize + + + int + + 24 + + + + 10010 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute + + + bool + + true + + + +``` + +DomainNameInformationList + +``` syntax + + + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName + + .contoso.com + + + + 10014 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers + + 192.168.0.11,192.168.0.12 + + + + + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName + + .contoso.com + + + + + 10015 + + +./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers + + 192.168.0.100:8888 + + + + + + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName + + finance.contoso.com + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers + + 192.168.0.11,192.168.0.12 + + + + + + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName + + finance.contoso.com + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers + + 192.168.0.11:8080 + + + + + + 10016 + + + 
./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName + + . + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers + + 192.168.0.11,192.168.0.12 + + + + + + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName + + . + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers + + 192.168.0.11 + + +``` + +AutoTrigger + +``` syntax + + 10010 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger + + + bool + + true + + +``` + +Persistent + +``` syntax + + 10010 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent + + + bool + + true + + +``` + +TrafficFilterLIst App + +``` syntax + Desktop App + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/App/Id + + %ProgramFiles%\Internet Explorer\iexplore.exe + + + Store App + + 10014 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/1/App/Id + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + + SYSTEM + + 10015 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/App/Id + + SYSTEM + + +``` + +Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection + +``` syntax +Protocol + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/Protocol + + + int + + 6 + + + LocalPortRanges + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalPortRanges + + 10,20-50,100-200 + + + + RemotePortRanges + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemotePortRanges + + 20-50,100-200,300 + + + + LocalAddressRanges + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/LocalAddressRanges/LocURI> + + 3.3.3.3/32,1.1.1.1-2.2.2.2 + + + + RemoteAddressRanges + + $CmdID$ + + + 
./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/3/RemoteAddressRanges + + 30.30.0.0/16,10.10.10.10-20.20.20.20 + + + + RoutingPolicyType + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/TrafficFilterList/0/RoutingPolicyType + + ForceTunnel + + + + EDPModeId + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/EDPModeID + + corp.contoso.com + + + + RememberCredentials + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RememberCredentials + + + bool + + true + + + + AlwaysOn + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AlwaysOn + + + bool + + true + + + + Lockdown + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/Lockdown + + + bool + + true + + + + DnsSuffix + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DnsSuffix + + Adatum.com + + + + TrustedNetworkDetection + + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/TrustedNetworkDetection + + Adatum.com + + +``` + +Proxy - Manual or AutoConfigUrl + +``` syntax +Manual + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/Manual/Server + + 192.168.0.100:8888 + + + + AutoConfigUrl + + $CmdID$ + + + ./Vendor/MSFT/VPNv2/VPNProfileName/Proxy/AutoConfigUrl + + HelloWorld.com + + +``` + +Device Compliance - Sso + +``` syntax + Enabled + + 10011 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/Enabled + + + bool + + true + + + + IssuerHash + + 10011 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/IssuerHash + + ffffffffffffffffffffffffffffffffffffffff;ffffffffffffffffffffffffffffffffffffffee + + + + Eku + + 10011 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DeviceCompliance/SSO/EKU + + 1.3.6.1.5.5.7.3.2 + + +``` + +PluginProfile + +``` syntax +PluginPackageFamilyName + + + 10001 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/ServerUrlList + + selfhost.corp.contoso.com + + + + + + 10002 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/PluginPackageFamilyName + + TestVpnPluginApp-SL_8wekyb3d8bbwe + + + + + + 10003 + + + 
./Vendor/MSFT/VPNv2/VPNProfileName/PluginProfile/CustomConfiguration + + <pluginschema><ipAddress>auto</ipAddress><port>443</port><networksettings><routes><includev4><route><address>172.10.10.0</address><prefix>24</prefix></route></includev4></routes><namespaces><namespace><space>.vpnbackend.com</space><dnsservers><server>172.10.10.11</server></dnsservers></namespace></namespaces></networksettings></pluginschema> + + +``` + +NativeProfile + +``` syntax +Servers + + 10001 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Servers + + Selfhost.corp.contoso.com + + + + RoutingPolicyType + + 10007 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/RoutingPolicyType + + ForceTunnel + + + + NativeProtocolType + + + 10002 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/NativeProtocolType + + Automatic + + + + Authentication + UserMethod + + + 10003 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/UserMethod + + Eap + + + + MachineMethod + + + 10004 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/MachineMethod + + Eap + + + + CryptographySuite + + 10004 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/AuthenticationTransformConstants + + SHA196 + + + + 10004 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/CipherTransformConstants + + AES192 + + + + 10004 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/EncryptionMethod + + PFS2048 + + + + 10004 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/IntegrityCheckMethod + + Eap + + + + Group14 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/DHGroup + + SHA256 + + + + 10004 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/Authentication/CryptographySuite/PfsGroup + + AES128 + + + + DisableClassBasedDefaultRoute + 10011 + + + 
./Vendor/MSFT/VPNv2/VPNProfileName/NativeProfile/DisableClassBasedDefaultRoute + + + bool + + true + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/vpnv2-ddf-file.md b/windows/client-management/mdm/vpnv2-ddf-file.md new file mode 100644 index 0000000000..b91f59555f --- /dev/null +++ b/windows/client-management/mdm/vpnv2-ddf-file.md 
@@ -0,0 +1,4267 @@ +--- +title: VPNv2 DDF file +description: This topic shows the OMA DM device description framework (DDF) for the VPNv2 configuration service provider. +ms.assetid: 4E2F36B7-D2EE-4F48-AD1A-6BDE7E72CC94 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# VPNv2 DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **VPNv2** configuration service provider. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + + +]> + + 1.2 + + VPNv2 + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.2/MDM/VPNv2 + + + + + + + + + + + + + + + + + + + + + ProfileName + + + + + + AppTriggerList + + + + + List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + appTriggerRowId + + + + + + App + + + + + + + + + + + + + + + + + + + Id + + + + + + + + App Identity. Specified, based on the Type Field.. + + + + + + + + + + + text/plain + + + + + Type + + + + + + PackageFamilyName + FQBN + FilePath + + + + + + + + + + + + text/plain + + + + + + + + RouteList + + + + + List of routes to be added to the Routing table for the VPN Interface. 
Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + routeRowId + + + + + + Address + + + + + + + + Subnet address + + + + + + + + + + + text/plain + + + + + PrefixSize + + + + + + + + Subnet Prefix + + + + + + + + + + + text/plain + + + + + Metric + + + + + + + + The route's metric. + + + + + + + + + + + text/plain + + + + + ExclusionRoute + + + + + + + + + False = This Route will direct traffic over the VPN + True = This Route will direct traffic over the physical interface + By default, this value is false. + + + + + + + + + + + + text/plain + + + + + + + DomainNameInformationList + + + + + NRPT (Name Resolution Policy Table) Rules for the VPN Profile + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + dniRowId + + + + + + DomainName + + + + + + + + Value based on the DomainNameType field + + + + + + + + + + + text/plain + + + + + DomainNameType + + + + + + a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain. + + b. Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains. + + c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here. + + d. Any: Use this if the policy applies to all. + + + + + + + + + + + + text/plain + + + + + DnsServers + + + + + + + + Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. 
+ + + + + + + + + + + text/plain + + + + + WebProxyServers + + + + + + + + [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular) + + + + + + + + + + + text/plain + + + + + AutoTrigger + + + + + + + + + False = This DomainName Rule will not trigger the VPN + True = This DomainName Rule will trigger the VPN + By default, this value is false. + + + + + + + + + + + + text/plain + + + + + Persistent + + + + + + + + + False = This DomainName Rule will only be plumbed when the VPN is connected + True = This DomainName Rule will always be plumbed. + By default, this value is false. + + + + + + + + + + + + text/plain + + + + + + + TrafficFilterList + + + + + + A list of rules allowing traffic over the VPN Interface. + + Each Rule ID is ORed. + Within each rule ID each Filter type is AND'ed + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + trafficFilterId + + + + + + App + + + + + Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface + + + + + + + + + + + + + + + Id + + + + + + + + App Identity. Specified, based on the Type Field.. + + + + + + + + + + + text/plain + + + + + Type + + + + + + PackageFamilyName + FQBN + FilePath + + + + + + + + + + + + text/plain + + + + + + Claims + + + + + + + + Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token + + + + + + + + + + + text/plain + + + + + Protocol + + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17) + + + + + + + + + + + + text/plain + + + + + LocalPortRanges + + + + + + + + + Comma Separated list of ranges for eg. + 100-120,200,300-320 + + + + + + + + + + + LocalPortRanges + + text/plain + + + + + RemotePortRanges + + + + + + + + + Comma Separated list of ranges for eg. 
+ 100-120,200,300-320 + + + + + + + + + + + + text/plain + + + + + LocalAddressRanges + + + + + + + + Comma Separated list of IP ranges + + + + + + + + + + + text/plain + + + + + RemoteAddressRanges + + + + + + + + Comma Separated list of IP ranges + + + + + + + + + + + text/plain + + + + + RoutingPolicyType + + + + + + + + + SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface. + ForceTunnel - All Traffic matching this rule must go over only the VPN Interface. + + Only Applicable for App and Claims type. + + + + + + + + + + + + text/plain + + + + + + + EdpModeId + + + + + + + + + Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with. + + + + + + + + + + + + text/plain + + + + + RememberCredentials + + + + + + + + + False = Remember credentials is turned off + True = Remember credentials is turned on + If True, Credentials will be cached wherever applicable. + + + + + + + + + + + + text/plain + + + + + AlwaysOn + + + + + + + + + False = Always on in not turned On + True = Always is on is turned on + + Note: Always On will work only for the active profile. + + + + + + + + + + + + text/plain + + + + + LockDown + + + + + + + + + False = This is not a LockDown profile. + True = This is a LockDown profile. + + If turned on a lockdown profile does four things. + First, it automatically becomes an always on profile. + Second, it can never be disconnected. + Third, if the profile is not connected, then the user + has no network connectivity. + Fourth, no other profiles may be connected or modified. + + A lockdown profile must be deleted before any other + profiles can be added, removed, or connected. + + + + + + + + + + + + text/plain + + + + + DnsSuffix + + + + + + + + Connection Specific DNS Suffix. for eg. 
corp.contoso.com + + + + + + + + + + + text/plain + + + + + ByPassForLocal + + + + + + + + + False : Do not Bypass for Local traffic + True : ByPass VPN Interface for Local Traffic + + Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + + + + + + + + + + + + text/plain + + + + + TrustedNetworkDetection + + + + + + + + + String + Optional.String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device. + + + + + + + + + + + + text/plain + + + + + ProfileXML + + + + + + + + + Xml schema for provisioning all the fields of a VPN + + + + + + + + + + + + text/plain + + + + + Proxy + + + + + + + + + + + + + + + + + + + Manual + + + + + + + + + + + + + + + + + + + Server + + + + + + + + Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80 + + + + + + + + + + + text/plain + + + + + + AutoConfigUrl + + + + + + + + Optional. Set a URL to automatically retrieve the proxy settings. 
+ + + + + + + + + + + text/plain + + + + + + APNBinding + + + + + Reserved for Future Use + + + + + + + + + + + + + + + ProviderId + + + + + + + + + + + + + + + + + + text/plain + + + + + AccessPointName + + + + + + + + + + + + + + + + + + text/plain + + + + + UserName + + + + + + + + + + + + + + + + + + text/plain + + + + + Password + + + + + + + + + + + + + + + + + + text/plain + + + + + IsCompressionEnabled + + + + + + + + + + + + + + + + + + text/plain + + + + + AuthenticationType + + + + + + + + + + + + + + + + + + text/plain + + + + + + DeviceCompliance + + + + + + Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN + + + + + + + + + + + + + + + Enabled + + + + + + + + Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory + + + + + + + + + + + text/plain + + + + + Sso + + + + + + Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance + + + + + + + + + + + text/plain + + + + Enabled + + + + + + + + If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication + + + + + + + + + + + text/plain + + + + + IssuerHash + + + + + + + + Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication + + + + + + + + + + + text/plain + + + + + Eku + + + + + + + + Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication + + + + + + + + + + + text/plain + + + + + + + PluginProfile + + + + + + + + + + + + + + + + + + + + ServerUrlList + + + + + + + + Required. 
URL for VPN Server + + + + + + + + + + + text/plain + + + + + CustomConfiguration + + + + + + + + Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins + + + + + + + + + + + text/plain + + + + + PluginPackageFamilyName + + + + + + + + Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app + + + + + + + + + + + text/plain + + + + + CustomStoreUrl + + + + + + + + TO be Deleted + + + + + + + + + + + text/plain + + + + + + NativeProfile + + + + + + Inbox VPN Profile + + + + + + + + + + + + + + + Servers + + + + + + + + + Server + + + Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm + Some examples are 208.23.45.130 or vpn.contoso.com. + + + + + + + + + + + + text/plain + + + + + RoutingPolicyType + + + + + + + + + SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack. + + ForceTunnel - All IP Traffic must go over only the VPN Interface. + + + + + + + + + + + + text/plain + + + + + NativeProtocolType + + + + + + + + + Supported Values : + + Pptp + L2tp + Ikev2 + Automatic + + + + + + + + + + + + text/plain + + + + + Authentication + + + + + + + + + + + + + + + + + + + UserMethod + + + + + + + + + Supported Values + + Mschapv2 + Eap + + + + + + + + + + + + text/plain + + + + + MachineMethod + + + + + + + + + Supported Values + + Eap + Certificate + PresharedKey + + + + + + + + + + + + text/plain + + + + + Eap + + + + + + + + + + + + + + + + + + + Configuration + + + + + + + + XML Configuration for EAP Method + + + + + + + + + + + text/plain + + + + + Type + + + + + + + + + Required node for EAP profiles. 
This specifies the EAP Type ID + 13 = EAP-TLS + 26 = Ms-Chapv2 + 27 = Peap + + + + + + + + + + + + text/plain + + + + + + Certificate + + + + + Reserved for future Use + + + + + + + + + + + + + + + Issuer + + + + + + + + Reserved for future Use + + + + + + + + + + + text/plain + + + + + Eku + + + + + + + + Reserved for future Use + + + + + + + + + + + text/plain + + + + + + + CryptographySuite + + + + + Properties of IPSec tunnels. + + + + + + + + + + + + + + + AuthenticationTransformConstants + + + + + + + + + Choices are: + -- MD596 + -- SHA196 + -- SHA256128 + -- GCMAES128 + -- GCMAES192 + -- GCMAES256 + + + + + + + + + + + + text/plain + + + + + CipherTransformConstants + + + + + + + + + Choices Are: + -- DES + -- DES3 + -- AES128 + -- AES192 + -- AES256 + -- GCMAES128 + -- GCMAES192 + -- GCMAES256 + + + + + + + + + + + + text/plain + + + + + EncryptionMethod + + + + + + + + + Choices are: + -- DES + -- DES3 + -- AES128 + -- AES192 + -- AES256 + + + + + + + + + + + + text/plain + + + + + IntegrityCheckMethod + + + + + + + + + Choices are: + -- MD5 + -- SHA196 + -- SHA256 + -- SHA384 + + + + + + + + + + + + text/plain + + + + + DHGroup + + + + + + + + + Choices are: + -- Group1 + -- Group2 + -- Group14 + -- ECP256 + -- ECP384 + -- Group24 + + + + + + + + + + + + text/plain + + + + + PfsGroup + + + + + + + + + Choices are: + -- PFS1 + -- PFS2 + -- PFS2048 + -- ECP256 + -- ECP384 + -- PFSMM + -- PFS24 + + + + + + + + + + + + text/plain + + + + + + L2tpPsk + + + + + + + + The preshared key used for an L2TP connection + + + + + + + + + + + text/plain + + + + + DisableClassBasedDefaultRoute + + + + + + + + + When false this VPN connection will plumb class based default routes. + i.e. 
+ If the interface IP begins with 10, it assumes a class a IP + and pushes the route 10.0.0.0/8 + + + + + + + + + + + + text/plain + + + + + + + + VPNv2 + ./User/Vendor/MSFT + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + ProfileName + + + + + + AppTriggerList + + + + + List of applications set to trigger the VPN. If any of these apps are launched and the VPN Profile is currently the active Profile, this VPN Profile will be triggered to connect + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + appTriggerRowId + + + + + + App + + + + + + + + + + + + + + + + + + + Id + + + + + + + + App Identity. Specified, based on the Type Field.. + + + + + + + + + + + text/plain + + + + + Type + + + + + + PackageFamilyName + FQBN + FilePath + + + + + + + + + + + + text/plain + + + + + + + + RouteList + + + + + List of routes to be added to the Routing table for the VPN Interface. Required in the Split Tunneling case where the VPN Server site has more subnets than the default subnet based on the IP assigned to Interface + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + routeRowId + + + + + + Address + + + + + + + + Subnet address + + + + + + + + + + + text/plain + + + + + PrefixSize + + + + + + + + Subnet Prefix + + + + + + + + + + + text/plain + + + + + Metric + + + + + + + + The route's metric. + + + + + + + + + + + text/plain + + + + + ExclusionRoute + + + + + + + + Is this a route to never go over the VPN + + + + + + + + + + + text/plain + + + + + + + DomainNameInformationList + + + + + NRPT (Name Resolution Policy Table) Rules for the VPN Profile + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + dniRowId + + + + + + DomainName + + + + + + + + Value based on the DomainNameType field + + + + + + + + + + + text/plain + + + + + DomainNameType + + + + + + a. FQDN: Select this if the policy applies only to the fully qualified domain name (FQDN) of a specified host. Do not use the FQDN of a domain. + + b. 
Suffix: Select this if the policy applies to the specified namespace, all records in that namespace, and all subdomains. + + c. Prefix: Select this if the policy applies only to a hostname. This policy will be triggered only if the hostname portion of the query matches the name configured here. A flat name (dotless name) must be configured here. + + d. Any: Use this if the policy applies to all. + + + + + + + + + + + + text/plain + + + + + DnsServers + + + + + + + + Comma Seperated list of IP addresses for the DNS Servers to use for the domain name. + + + + + + + + + + + text/plain + + + + + WebProxyServers + + + + + + + + [Optional] If you are redirecting traffic through your intranet Web proxy servers, add the webproxyserver (Singular) + + + + + + + + + + + text/plain + + + + + AutoTrigger + + + + + + + + + False = This DomainName Rule will not trigger the VPN + True = This DomainName Rule will trigger the VPN + By default, this value is false. + + + + + + + + + + + + text/plain + + + + + Persistent + + + + + + + + + False = This DomainName Rule will only be plumbed when the VPN is connected + True = This DomainName Rule will always be plumbed. + By default, this value is false. + + + + + + + + + + + + text/plain + + + + + + + TrafficFilterList + + + + + + A list of rules allowing traffic over the VPN Interface. + + Each Rule ID is ORed. + Within each rule ID each Filter type is AND'ed + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + trafficFilterId + + + + + + App + + + + + Per App VPN Rule. This will Allow only the Apps specified to be allowed over VPN Interface + + + + + + + + + + + + + + + Id + + + + + + + + App Identity. Specified, based on the Type Field.. 
+ + + + + + + + + + + text/plain + + + + + Type + + + + + + PackageFamilyName + FQBN + FilePath + + + + + + + + + + + + text/plain + + + + + + Claims + + + + + + + + Specifies a rule in Security Descriptor Definition Language (SDDL) format to check against local user token + + + + + + + + + + + text/plain + + + + + Protocol + + + + + + + + + 0-255 number representing the ip protocol (TCP = 6, UDP = 17) + + + + + + + + + + + + text/plain + + + + + LocalPortRanges + + + + + + + + + Comma Separated list of ranges for eg. + 100-120,200,300-320 + + + + + + + + + + + LocalPortRanges + + text/plain + + + + + RemotePortRanges + + + + + + + + + Comma Separated list of ranges for eg. + 100-120,200,300-320 + + + + + + + + + + + + text/plain + + + + + LocalAddressRanges + + + + + + + + Comma Separated list of IP ranges + + + + + + + + + + + text/plain + + + + + RemoteAddressRanges + + + + + + + + Comma Separated list of IP ranges + + + + + + + + + + + text/plain + + + + + RoutingPolicyType + + + + + + + + + SplitTunnel - For this Rule, you are allowed to go over the VPN as well as the Internet. Other traffic may not go over the VPN Interface. + ForceTunnel - All Traffic matching this rule must go over only the VPN Interface. + + Only Applicable for App and Claims type. + + + + + + + + + + + + text/plain + + + + + + + EdpModeId + + + + + + + + + Enterprise ID for the EDP Policy that this VPN Profile is supposed to interace with. + + + + + + + + + + + + text/plain + + + + + RememberCredentials + + + + + + + + + False = Remember credentials is turned off + True = Remember credentials is turned on + If True, Credentials will be cached wherever applicable. + + + + + + + + + + + + text/plain + + + + + AlwaysOn + + + + + + + + + False = Always on in not turned On + True = Always is on is turned on + + Note: Always On will work only for the active profile. + + + + + + + + + + + + text/plain + + + + + DnsSuffix + + + + + + + + Connection Specific DNS Suffix. for eg. 
corp.contoso.com + + + + + + + + + + + text/plain + + + + + ByPassForLocal + + + + + + + + + False : Do not Bypass for Local traffic + True : ByPass VPN Interface for Local Traffic + + Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed. + + + + + + + + + + + + text/plain + + + + + TrustedNetworkDetection + + + + + + + + + String + Optional.String to identify the trusted network. VPN will not connect when the user is on their corporate wireless network where protected resources are directly accessible to the device. + + + + + + + + + + + + text/plain + + + + + ProfileXML + + + + + + + + + Xml schema for provisioning all the fields of a VPN + + + + + + + + + + + + text/plain + + + + + Proxy + + + + + + + + + + + + + + + + + + + Manual + + + + + + + + + + + + + + + + + + + Server + + + + + + + + Optional. The value is the proxy server address as a fully qualified hostname or an IP address, with port appended after a colon for example, proxy.constoso.com:80 + + + + + + + + + + + text/plain + + + + + + AutoConfigUrl + + + + + + + + Optional. Set a URL to automatically retrieve the proxy settings. 
+ + + + + + + + + + + text/plain + + + + + + APNBinding + + + + + Reserved for Future Use + + + + + + + + + + + + + + + ProviderId + + + + + + + + + + + + + + + + + + text/plain + + + + + AccessPointName + + + + + + + + + + + + + + + + + + text/plain + + + + + UserName + + + + + + + + + + + + + + + + + + text/plain + + + + + Password + + + + + + + + + + + + + + + + + + text/plain + + + + + IsCompressionEnabled + + + + + + + + + + + + + + + + + + text/plain + + + + + AuthenticationType + + + + + + + + + + + + + + + + + + text/plain + + + + + + DeviceCompliance + + + + + + Nodes under DeviceCompliance can be used to enable AAD based Conditional Access for VPN + + + + + + + + + + + + + + + Enabled + + + + + + + + Enables the Device Compliance flow from the client. If marked as True, the VPN Client will attempt to communicate with AAD to get a certificate to use for authentication. The VPN should be set up to use Certificate Auth and the VPN Server must trust the Server returned by Azure Active Directory + + + + + + + + + + + text/plain + + + + + Sso + + + + + + Nodes under SSO can be used to choose a certificate different from the VPN Authentication cert for the Kerberos Authentication in the case of Device Compliance + + + + + + + + + + + text/plain + + + + Enabled + + + + + + + + If this field is set to True the VPN Client will look for a separate certificate for Kerberos Authentication + + + + + + + + + + + text/plain + + + + + IssuerHash + + + + + + + + Comma Separated list of Issuer Hashes for the VPN Client to look for the correct certificate for Kerberos Authentication + + + + + + + + + + + text/plain + + + + + Eku + + + + + + + + Comma Separated list of EKU's for the VPN Client to look for the correct certificate for Kerberos Authentication + + + + + + + + + + + text/plain + + + + + + + PluginProfile + + + + + + + + + + + + + + + + + + + + ServerUrlList + + + + + + + + Required. 
URL for VPN Server + + + + + + + + + + + text/plain + + + + + CustomConfiguration + + + + + + + + Optional. This is an XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins + + + + + + + + + + + text/plain + + + + + PluginPackageFamilyName + + + + + + + + Required for Plugin Profiles. This node specifies the Package Family Name of the SSL-VPN plugin app + + + + + + + + + + + text/plain + + + + + CustomStoreUrl + + + + + + + + TO be Deleted + + + + + + + + + + + text/plain + + + + + + NativeProfile + + + + + + Inbox VPN Profile + + + + + + + + + + + + + + + Servers + + + + + + + + + Server + + + Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm + Some examples are 208.23.45.130 or vpn.contoso.com. + + + + + + + + + + + + text/plain + + + + + RoutingPolicyType + + + + + + + + + SplitTunnel - For this Connection, Traffic can go over any interface as determined by the networking stack. + + ForceTunnel - All IP Traffic must go over only the VPN Interface. + + + + + + + + + + + + text/plain + + + + + NativeProtocolType + + + + + + + + + Supported Values : + + Pptp + L2tp + Ikev2 + Automatic + + + + + + + + + + + + text/plain + + + + + Authentication + + + + + + + + + + + + + + + + + + + UserMethod + + + + + + + + + Supported Values + + Mschapv2 + Eap + + + + + + + + + + + + text/plain + + + + + MachineMethod + + + + + + + + + Supported Values + + Eap + Certificate + PresharedKey + + + + + + + + + + + + text/plain + + + + + Eap + + + + + + + + + + + + + + + + + + + Configuration + + + + + + + + XML Configuration for EAP Method + + + + + + + + + + + text/plain + + + + + Type + + + + + + + + + Required node for EAP profiles. 
This specifies the EAP Type ID + 13 = EAP-TLS + 26 = Ms-Chapv2 + 27 = Peap + + + + + + + + + + + + text/plain + + + + + + Certificate + + + + + Reserved for future Use + + + + + + + + + + + + + + + Issuer + + + + + + + + Reserved for future Use + + + + + + + + + + + text/plain + + + + + Eku + + + + + + + + Reserved for future Use + + + + + + + + + + + text/plain + + + + + + + CryptographySuite + + + + + Properties of IPSec tunnels. + + + + + + + + + + + + + + + AuthenticationTransformConstants + + + + + + + + + Choices are: + -- MD596 + -- SHA196 + -- SHA256128 + -- GCMAES128 + -- GCMAES192 + -- GCMAES256 + + + + + + + + + + + + text/plain + + + + + CipherTransformConstants + + + + + + + + + Choices Are: + -- DES + -- DES3 + -- AES128 + -- AES192 + -- AES256 + -- GCMAES128 + -- GCMAES192 + -- GCMAES256 + + + + + + + + + + + + text/plain + + + + + EncryptionMethod + + + + + + + + + Choices are: + -- DES + -- DES3 + -- AES128 + -- AES192 + -- AES256 + + + + + + + + + + + + text/plain + + + + + IntegrityCheckMethod + + + + + + + + + Choices are: + -- MD5 + -- SHA196 + -- SHA256 + -- SHA384 + + + + + + + + + + + + text/plain + + + + + DHGroup + + + + + + + + + Choices are: + -- Group1 + -- Group2 + -- Group14 + -- ECP256 + -- ECP384 + -- Group24 + + + + + + + + + + + + text/plain + + + + + PfsGroup + + + + + + + + + Choices are: + -- PFS1 + -- PFS2 + -- PFS2048 + -- ECP256 + -- ECP384 + -- PFSMM + -- PFS24 + + + + + + + + + + + + text/plain + + + + + + L2tpPsk + + + + + + + + The preshared key used for an L2TP connection + + + + + + + + + + + text/plain + + + + + DisableClassBasedDefaultRoute + + + + + + + + + When false this VPN connection will plumb class based default routes. + i.e. + If the interface IP begins with 10, it assumes a class a IP + and pushes the route 10.0.0.0/8 + + + + + + + + + + + + text/plain + + + + + + + +``` + +  + +  + + + + + + 
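Review bot: The two DDF download links near the top of this file are plain `http://download.microsoft.com/...` URLs, so the zip that defines the CSP schema is fetched with no transport integrity; both should be `https://`, or a hash of each archive should be published beside the link. The CryptographySuite descriptions list `DES`, `DES3`, `MD5`, `MD596`, `Group1`, `Group2`, `PFS1` and `PFS2` as ordinary choices and NativeProtocolType lists `Pptp`, with nothing marking them as legacy, so they are likely to be copied into new profiles verbatim; a one-line caveat in each affected Description such as `Legacy values are retained for interoperability only; prefer AES/GCMAES, SHA256 or stronger, and Group14/ECP256 or stronger for new profiles.` would prevent that. The `L2tpPsk` description (`The preshared key used for an L2TP connection`) could also state that the value is a shared secret carried in the profile and is stored on every device that receives it, which is the caveat an admin needs before choosing `PresharedKey` as MachineMethod. The `ExclusionRoute` description under the `./User/Vendor/MSFT` tree (`Is this a route to never go over the VPN`) also differs from the device-tree one, which spells out the True/False meaning and the default; the two should match.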
diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md new file mode 100644 index 0000000000..8099da7143 --- /dev/null +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -0,0 +1,409 @@ +--- +title: ProfileXML XSD +description: Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. +ms.assetid: 2F32E14B-F9B9-4760-AE94-E57F1D4DFDB3 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# ProfileXML XSD + + +Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some profile examples. + +## XSD for the VPN profile + + +``` syntax + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Native profile example + + +``` + + + testServer.VPN.com + IKEv2 + + Eap + Eap + + + + + 25 + 0 + 0 + 0 + + + + 25 + + + true + + d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 + d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 + + true + false + + 13 + + + + true + + + + true + + d2 d3 8e ba 60 ca a1 c1 20 55 a2 e1 c8 3b 15 ad 45 01 10 c2 + d1 76 97 cc 20 6e d2 6e 1a 51 f5 bb 96 e9 35 6d 6d 61 0b 74 + + false + true + false + + + + + AAD Conditional Access + 1.3.6.1.4.1.311.87 + + + + + AAD Conditional Access + + + + + + + false + true + + true + false + + + + + + + + + SplitTunnel + true + + + +

192.168.0.0
+ 24 + + +
10.10.0.0
+ 16 +
+ + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + + + + C:\windows\system32\ping.exe + + + + + + + %ProgramFiles%\Internet Explorer\iexplore.exe + + 6 + 10,20-50,100-200 + 20-50,100-200,300 + 30.30.0.0/16,10.10.10.10-20.20.20.20 + ForceTunnel + + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + 3.3.3.3/32,1.1.1.1-2.2.2.2 + + + + + hrsite.corporate.contoso.com + 1.2.3.4,5.6.7.8 + 5.5.5.5 + true + + + .corp.contoso.com + 10.10.10.10,20.20.20.20 + 100.100.100.100 + + + corp.contoso.com + true + false + corp.contoso.com + contoso.com + + + HelloServer + + Helloworld.Com + + + + true + + true + This is my Eku + This is my issuer hash + + + +``` + +## Plug-in profile example + + +``` syntax + + + testserver1.contoso.com;testserver2.contoso..com + JuniperNetworks.JunosPulseVpn_cw5n1h2txyewy + <pulse-schema><isSingleSignOnCredential>true</isSingleSignOnCredential></pulse-schema> + + +
192.168.0.0
+ 24 +
+ +
10.10.0.0
+ 16 +
+ + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + + + + %ProgramFiles%\Internet Explorer\iexplore.exe + + + + + %ProgramFiles%\Internet Explorer\iexplore.exe + + 6 + 10,20-50,100-200 + 20-50,100-200,300 + 30.30.0.0/16,10.10.10.10-20.20.20.20 + + + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + 3.3.3.3/32,1.1.1.1-2.2.2.2 + + + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + O:SYG:SYD:(A;;CC;;;AU) + + + + corp.contoso.com + 1.2.3.4,5.6.7.8 + 5.5.5.5 + false + + + corp.contoso.com + 10.10.10.10,20.20.20.20 + 100.100.100.100 + + + true + false + corp.contoso.com + contoso.com,test.corp.contoso.com + + + HelloServer + + Helloworld.Com + +
+``` + +  + +  + + + + + + diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md new file mode 100644 index 0000000000..1559b6350d --- /dev/null +++ b/windows/client-management/mdm/w4-application-csp.md 
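Review bot: The address examples in both profile samples are real routable space — `30.30.0.0/16`, `1.1.1.1-2.2.2.2`, `3.3.3.3/32`, `1.2.3.4,5.6.7.8`, `100.100.100.100`, and `10.10.10.10-20.20.20.20` (a range that runs out of RFC 1918 space into public addresses) — and these are exactly the values that get pasted into production TrafficFilter, RouteList and NRPT rules; use RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) or RFC 1918 space throughout. In the native example the `DeviceCompliance/Sso` values `This is my Eku` and `This is my issuer hash` are free text, whereas the same nodes elsewhere on this page take an OID (`1.3.6.1.5.5.7.3.2`) and a 40-hex-character SHA-1 thumbprint list; showing realistic values there avoids teaching readers that arbitrary strings are acceptable selectors for the Kerberos certificate. The plug-in example's server list `testserver1.contoso.com;testserver2.contoso..com` has a doubled dot in the second host, which would fail resolution if copied. The XSD code block itself appears empty in this rendering, which may be an extraction artifact rather than a defect in the commit, but is worth confirming in the published page.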
@@ -0,0 +1,89 @@
+---
+title: w4 APPLICATION CSP
+description: w4 APPLICATION CSP
+ms.assetid: ef42b82a-1f04-49e4-8a48-bd4e439fc43a
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+---
+
+# w4 APPLICATION CSP
+
+
+Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS).
+
+The default security roles are defined in the root characteristic, and map to each subnode unless specific permission is granted to the subnode. The default security roles are Manager, Operator, and Operator – TPS.
+
+> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application.
+
+ 
+
+The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning.
+
+![w4 application csp (cp)](images/provisioning-csp-w4-application-cp.png)
+
+**APPID**
+Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".
+
+**NAME**
+Optional. Specifies a user–readable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters.
+
+This parameter takes a string value. The possible values to configure the NAME parameter are:
+
+- Character string containing the name.
+
+- no value specified
+
+> **Note**  MDM servers should resend APPLICATION/NAME to DMAcc after an upgrade because this value is displayed in the UI but not saved in Windows Phone 8.1 and cannot be migrated to Windows 10.
+
+ 
+
+If no value is specified, the registry location will default to <unnamed>.
+
+If `Name` is greater than 40 characters, it will be truncated to 40 characters.
+
+**TO-PROXY**
+Required. Specifies one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. 
Only one proxy can be listed.
+
+The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy.
+
+**TO-NAPID**
+Required. Specifies the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](napdef-csp.md).
+
+**ADDR**
+Required. Specifies the address of the MMS application server, as a string. The possible values to configure the ADDR parameter are:
+
+- A Uniform Resource Identifier (URI)
+
+- An IPv4 address represented in decimal format with dots as delimiters
+
+- A fully qualified Internet domain name
+
+**MS**
+Optional. The maximum authorized size, in KB, for multimedia content. This parameter takes a numeric value in string format. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized.
+
+## Remarks
+
+
+Windows Phone MMS does not support user–selectable profiles. While multiple MMS profiles can be provisioned and saved simultaneously, only the last received profile is active.
+
+If provisioning XML is received for a profile with an existing name, the values in that profile will be overwritten with the new values.
+
+For more information about the parameters used by the w4 APPLICATION configuration service provider and how they are used, see the OMA MMS Conformance Document (OMA-TS-MMS-CONF-V1\_3-20051027-C) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
+
+## Related topics
+
+
+[Configuration service provider reference](configuration-service-provider-reference.md)
+
+ 
+
+ 
+
+
+
+
+
+
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
new file mode 100644
index 0000000000..cc931c7f9a
--- /dev/null
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -0,0 +1,178 @@ +--- +title: w7 APPLICATION CSP +description: w7 APPLICATION CSP +ms.assetid: 10f8aa16-5c89-455d-adcd-d7fb45d4e768 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# w7 APPLICATION CSP + + +The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it is managed over OMA Client Provisioning. + +> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. + +  + +The following image shows the configuration service provider in tree format as used by OMA Client Provisioning. + +![w7 application csp (dm)](images/provisioning-csp-w7-application-dm.png) + +> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. +Both APPSRV and CLIENT credentials must be provided in provisioning XML. + +  + +**APPADDR** +This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address. + +**APPADDR/ADDR** +Optional. The ADDR parameter is used in the APPADDR characteristic to get or set the address of the OMA DM server. This parameter takes a string value. + +**APPADDR/ADDRTYPE** +Optional. The ADDRTYPE parameter is used in the APPADDR characteristic to get or set the format of the ADDR parameter. This parameter takes a string value. + +In OMA DM XML, if there are multiple instances of this parameter, the first valid parameter value is used. + +**APPADDR/PORT** +This characteristic is used in the APPADDR characteristic to specify port information. + +**APPADDR/PORT/PORTNBR** +Required. The PORTNBR parameter is used in the PORT characteristic to get or set the number of the port to connect to. This parameter takes a numeric value in string format. 
+ +**APPAUTH** +This characteristic is used in the w7 APPLICATION characteristic to specify authentication information. + +**APPAUTH/AAUTHDATA** +Optional. The AAUTHDATA parameter is used in the APPAUTH characteristic to get or set additional data used in authentication. This parameter is used to convey the nonce for digest authentication type. This parameter takes a string value. The value of this parameter is a base64-encoded in the form of a series of bytes. Note that if the AAUTHTYPE is DIGEST, this is used as a nonce value in the MD5 hash calculation, and the octal form of the binary data should be used when calculating the hash at the server side and device side. + +**APPAUTH/AAUTHLEVEL** +Required. The AAUTHLEVEL parameter is used in the APPAUTH characteristic to indicate whether credentials are for server authentication or client authentication. This parameter takes a string value. You can set this value. + +Valid values: + +- APPSRV - specifies that the client authenticates itself to the OMA DM Server at the DM protocol level. + +- CLIENT - specifies that the server authenticates itself to the OMA DM Client at the DM protocol level. + +**APPAUTH/AAUTHNAME** +Optional. The AAUTHNAME parameter is used in the APPAUTH characteristic to differentiate OMA DM client names. This parameter takes a string value. You can set this value. + +**APPAUTH/AAUTHSECRET** +Required. The AAUTHSECRET parameter is used in the APPAUTH characteristic to get or set the authentication secret used to authenticate the user. This parameter takes a string value. + +**APPAUTH/AAUTHTYPE** +Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to get or set the method of authentication. This parameter takes a string value. + +Valid values: + +- BASIC - specifies that the SyncML DM 'syncml:auth-basic' authentication type. + +- DIGEST - specifies that the SyncML DM 'syncml:auth-md5' authentication type. + +- When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. 
When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST. + +**APPID** +Required. The APPID parameter is used in the APPLICATION characteristic to differentiate the types of available application services and protocols. This parameter takes a string value. You can get or set this value. The only valid value to configure the OMA Client Provisioning bootstrap APPID is w7. + +**BACKCOMPATRETRYDISABLED** +Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time). + +> **Note**   This parameter does not contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. + +  + +**CONNRETRYFREQ** +Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter. + +**DEFAULTENCODING** +Optional. The DEFAULTENCODING parameter is used in the APPLICATION characteristic to specify whether the DM client should use WBXML or XML for the DM package when communicating with the server. You can get or set this parameter. + +The valid values are: + +- application/vnd.syncml.dm+xml (Default) + +- application/vnd.syncml.dm+wbxml + +**INIT** +Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval. If the current w7 APPLICATION document will be put in ROM, the INIT parameter must not be present. + +> **Note**   This node is only for mobile operators and MDM servers that try to use this will fail. 
This node is not supported in the enterprise MDM enrollment scenario. +This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio is not yet ready. + +  + +**INITIALBACKOFFTIME** +Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter. + +**MAXBACKOFFTIME** +Optional. The MAXBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the maximum number of milliseconds to sleep after package-sending failure. This parameter takes numeric value in string format. The default value is “86400000”. You can set this parameter. + +**NAME** +Optional. The NAME parameter is used in the APPLICATION characteristic to specify a user readable application identity. This parameter is used to define part of the registry path for the APPLICATION parameters. You can set this parameter. + +The NAME parameter can be a string or null (no value). If no value is specified, the registry location will default to <unnamed>. + +**PROTOVER** +Optional. The PROTOVER parameter is used in the APPLICATION characteristic to specify the OMA DM Protocol version the server supports. No default value is assumed. The protocol version set by this node will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this node is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. In Windows Phone this is 1.2. This is a Microsoft custom parameter. You can set this parameter. + +Possible values: + +- 1.1 + +- 1.2 + +**PROVIDER-ID** +Optional. 
The PROVIDER-ID parameter is used in the APPLICATION characteristic to differentiate OMA DM servers. It specifies the server identifier for a management server used in the current management session. This parameter takes a string value. You can set this parameter. + +**ROLE** +Optional. The ROLE parameter is used in the APPLICATION characteristic to specify the security application chamber that the DM session should run with when communicating with the DM server. The only supported roles are 8 (mobile operator) and 32 (enterprise). If this parameter is not present, the mobile operator role is assumed. The enterprise role can only be set by the enterprise enrollment client. The enterprise client cannot set the mobile operator role. This is a Microsoft custom parameter. This parameter takes a numeric value in string format. You can get or set this parameter. + +**TO-NAPID** +Optional. The TO-NAPID parameter is used in the APPLICATION characteristic to specify the Network Access Point the client will use to connect to the OMA DM server. If multiple TO-NAPID parameters are specified, only the first TO-NAPID value will be stored. This parameter takes a string value. You can set this parameter. + +**USEHWDEVID** +Optional. The USEHWDEVID parameter is used in the APPLICATION characteristic to specify use of device hardware identification. It does not have a value. + +- If the parameter is not present, the default behavior is to use an application-specific GUID used rather than the hardware device ID. + +- If the parameter is present, the hardware device ID will be provided at the **./DevInfo/DevID** node and in the Source LocURI for the DM package sent to the server. International Mobile Subscriber Identity (IMEI) is returned for a GSM device. + +**SSLCLIENTCERTSEARCHCRITERIA** +Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used in the APPLICATION characteristic to specify the client certificate search criteria. 
This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, it is ignored. + +The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC. + +The supported names are Subject and Stores; wildcard certificate search is not supported. + +Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive. + +> **Note**   %EF%80%80 is the UTF8-encoded character U+F000. + +  + +Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following: + +``` syntax + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md new file mode 100644 index 0000000000..d1ed9593eb --- /dev/null +++ b/windows/client-management/mdm/wifi-csp.md 
@@ -0,0 +1,222 @@ +--- +title: WiFi CSP +description: WiFi CSP +ms.assetid: f927cb5f-9555-4029-838b-03fb68937f06 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# WiFi CSP + + +The WiFi configuration service provider provides the functionality to add or delete Wi-Fi networks on a Windows device. The configuration service provider accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the device to connect to the Wi-Fi network when it is in range. + +Programming considerations: + +- If the authentication method needs a certificate, for example, EAP-TLS requires client certificates, you must configure it through the CertificateStore configuration service provider. The WiFi configuration service provider does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate to be used for choosing the right certificate for that network. The server must successfully enroll the certificate first before deploying the Wi-Fi network configuration. For example, for an EAP-TLS profile, the server must successfully configure and enroll the required client certificate before deploying the Wi-Fi profile. Self-signed certificate works for EAP-TLS/PEAP-MSCHAPv2, but it is not supported in EAP-TLS. +- Because the Windows 10 Mobile emulator does not support Wi-Fi, you cannot test the Wi-Fi configuration with an emulator. You can still provision a Wi-Fi network using the WiFi CSP, then check it in the Wi-Fi settings page, but you cannot test the network connectivity in the emulator. +- For WEP, WPA, and WPA2-based networks, include the passkey in the network configuration in plaintext. The passkey is encrypted automatically when it is stored on the device. +- The SSID of the Wi-Fi network part of the LocURI node must be a valid URI based on RFC 2396. This requires that all non-ASCII characters must be escaped using a %-character. 
Unicode characters without the necessary escaping are not supported. +- The <name>*name\_goes\_here*</name><SSIDConfig> must match <SSID><name> *name\_goes\_here*</name></SSID>. +- For the WiFi CSP, you cannot use the Replace command unless the node already exists. +- Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure. + +The following image shows the WiFi configuration service provider in tree format. + +![wi-fi csp diagram](images/provisioning-csp-wifi.png) + +The following list shows the characteristics and parameters. + +**Profile** +Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. + +Supported operation is Get. + +***<SSID>*** +Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted. + +SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, <LocURI>./Vendor/MSFT/WiFi/Profile/<*MUST BE NAME OF PROFILE AS PER WIFI XML*>/WlanXml</LocURI>. + +The supported operations are Add, Get, Delete, and Replace. + +**WlanXML** +The XML that describes the network configuration and follows the [WLAN\_profile Schema](http://go.microsoft.com/fwlink/p/?LinkId=325608) on MSDN. 
+ +Supported operations are Get, Add, Delete, and Replace. + +Value type is chr. + +The profile XML must be escaped, as shown in the examples below. + +If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](http://go.microsoft.com/fwlink/p/?LinkId=523870). + +> **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=618963). + +  + +The supported operations are Add, Get, Delete, and Replace. + +**Proxy** +Optional. Specifies the configuration of the network proxy. A proxy server host and port can be specified per connection for Windows 10 Mobile. This proxy configuration is only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions will result in failure. + +The format is *host:port*, where host can be one of the following: + +- A registered host name, such as server name, FQDN, or Single Label Name, such as myweb instead of myweb.contoso.com. +- IPV4 address +- IPv6/IPvFuture address. + +If it is an IPvFuture address, then it must be specified as an IP literal as "\[" (IP v6 address / IPvFuture ) "\]", such as "\[2441:4880:28:3:204:76ff:f43f:6eb\]:8080". + +Supported operations are Get, Add, Delete, and Replace. + +**DisableInternetConnectivityChecks** +Added in Windows 10, version 1511.Optional. Disable the internet connectivity check for the profile. + +Value type is chr. + +- True - internet connectivity check is disabled. +- False - internet connectivity check is enabled. + +Supported operations are Get, Add, Delete, and Replace. + +**ProxyPacUrl** +Added in Windows 10, version 1607. Optional. 
Specifies the value of the URL to the Proxy auto-config (PAC) file location. This proxy configuration is only supported in Windows 10 Mobile. + +Value type is chr, e.g. http://www.contoso.com/wpad.dat. + +**ProxyWPAD** +Added in Windows 10, version 1607. Optional. When set to true it enables Web Proxy Auto-Discovery Protocol (WPAD) for proxy lookup.This proxy configuration is only supported in Windows 10 Mobile. + +Value type is bool. + +## Examples + + +These XML examples show how to perform various tasks using OMA DM. + +### Add a network + +The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork,' a proxy URL 'testproxy,' and port 80. + +``` syntax + + + + 301 + + 302 + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml + + + chr + + <?xml version="1.0"?><WLANProfile xmlns="http://contoso.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><hex>412D4D534654574C414E</hex><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://contoso.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://contoso.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://contoso.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://contoso.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://contoso.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://contoso.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://contoso.com/provisioning/EapHostConfig"><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType 
xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://contoso.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://contoso.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</PerformServerValidation><AcceptServerName xmlns="http://contoso.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> + + + + $CmdID$ + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/Proxy + + + chr + + testproxy:80 + + + + + + +``` + +### Query network profiles + +The following example shows how to query Wi-Fi profiles installed on an MDM server. + +``` syntax + + 301 + + + ./Vendor/MSFT/WiFi/Profile + + + +``` + +The following example shows the response. + +``` syntax + + 3 + 1 + 301 + + ./Vendor/MSFT/WiFi/Profile + node + TestWLAN1/TestWLAN2 + + +``` + +### Remove a network + +The following example shows how to remove a network with SSID ‘MyNetwork’ and no proxy. Removing all network authentication types is done in this same manner. + +``` syntax + + 300 + + 301 + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml + + + + +``` + +### Add a network and certification authority for a server certificate + +The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetwork’ and root CA validation for server certificate. 
+ +``` syntax + + 300 + + 301 + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml + + + chr + + <?xml version="1.0"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>MyNetwork</name><SSIDConfig><SSID><name>MyNetwork</name></SSID><nonBroadcast>false</nonBroadcast></SSIDConfig><connectionType>ESS</connectionType><connectionMode>manual</connectionMode><MSM><security><authEncryption><authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX></authEncryption><OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><authMode>user</authMode><EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type><VendorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorId><VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType><AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId></EapMethod><Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1"><ServerValidation><DisableUserPromptForServerValidation>true</DisableUserPromptForServerValidation><ServerNames></ServerNames><TrustedRootCA> InsertCertThumbPrintHere </TrustedRootCA></ServerValidation><FastReconnect>true</FastReconnect><InnerEapOptional>false</InnerEapOptional><Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type><EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1"><UseWinLogonCredentials>false</UseWinLogonCredentials></EapType></Eap><EnableQuarantineChecks>false</EnableQuarantineChecks><RequireCryptoBinding>false</RequireCryptoBinding><PeapExtensions><PerformServerValidation 
xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation><AcceptServerName xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">false</AcceptServerName></PeapExtensions></EapType></Eap></Config></EapHostConfig></EAPConfig></OneX></security></MSM></WLANProfile> + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md new file mode 100644 index 0000000000..4443fab25f --- /dev/null +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -0,0 +1,32 @@ +--- +title: WiFi DDF file +description: WiFi DDF file +ms.assetid: 00DE1DA7-23DE-4871-B3F0-28EB29A62D61 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# WiFi DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +Content under development and will be published soon. + +## Related topics + + +[WiFi configuration service provider](wifi-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md new file mode 100644 index 0000000000..17d48bf9fe --- /dev/null +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md 
@@ -0,0 +1,479 @@ +--- +title: Win32 and Desktop Bridge app policy configuration +description: Starting in Windows 10, version 1703, you can import ADMX files and set those ADMX-backed policies for Win32 and Desktop Bridge apps. +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Win32 and Desktop Bridge app policy configuration + +## In this section + +- [Overview](#overview) +- [Ingesting an app ADMX file](#ingesting-an-app-admx-file) +- [URI format for configuring an app policy](#uri-format-for-configuring-an-app-policy) +- [ADMX-backed app policy examples](#admx-backed-app-policy-examples) + - [Enabling an app policy](#enabling-an-app-policy) + - [Disabling an app policy](#disabling-an-app-policy) + - [Setting an app policy to not configured](#setting-an-app-policy-to-not-configured) + +## Overview + +Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. + +When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys. + + +## Ingesting an app ADMX file + +The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. 
The ADMX file defines eight policies. + +**Payload** +```XML + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +**Request Syncml** + +The ADMX file is escaped and sent in SyncML format through the Policy CSP URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}`. +When the ADMX file is imported, the policy states for each new policy are the same as those in a regular MDM policy: Enabled, Disabled, or Not Configured. + +The following example shows an ADMX file in SyncML format: + +```XML + + + + 102 + + + chr + text/plain + + + ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01 + + <policyDefinitions revision="1.0" schemaVersion="1.0"> + <categories> + <category name="ParentCategoryArea"/> + <category name="Category1"> + <parentCategory ref="ParentCategoryArea" /> + </category> + <category name="Category2"> + <parentCategory ref="ParentCategoryArea" /> + </category> + <category name="Category3"> + <parentCategory ref="Category2" /> + </category> + </categories> + <policies> + <policy name="L_PolicyConfigurationMode" class="Machine" displayName="$(string.L_PolicyConfigurationMode)" explainText="$(string.L_ExplainText_ConfigurationMode)" presentation="$(presentation.L_PolicyConfigurationMode)" key="software\policies\contoso\companyApp" valueName="configurationmode"> + <parentCategory ref="Category1" /> + <supportedOn ref="windows:SUPPORTED_Windows7" /> + <enabledValue> + <decimal value="1" /> + </enabledValue> + <disabledValue> + <decimal value="0" /> + </disabledValue> + <elements> + <text id="L_ServerAddressInternal_VALUE" key="software\policies\contoso\companyApp" valueName="serveraddressinternal" required="true" /> + <text id="L_ServerAddressExternal_VALUE" 
key="software\policies\contoso\companyApp" valueName="serveraddressexternal" required="true" /> + </elements> + </policy> + <policy name="L_PolicyEnableSIPHighSecurityMode" class="Machine" displayName="$(string.L_PolicyEnableSIPHighSecurityMode)" explainText="$(string.L_ExplainText_EnableSIPHighSecurityMode)" presentation="$(presentation.L_PolicyEnableSIPHighSecurityMode)" key="software\policies\contoso\companyApp" valueName="enablesiphighsecuritymode"> + <parentCategory ref="Category1" /> + <supportedOn ref="windows:SUPPORTED_Windows7" /> + <enabledValue> + <decimal value="1" /> + </enabledValue> + <disabledValue> + <decimal value="0" /> + </disabledValue> + </policy> + <policy name="L_PolicySipCompression" class="Machine" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression)" key="software\policies\contoso\companyApp"> + <parentCategory ref="Category1" /> + <supportedOn ref="windows:SUPPORTED_Windows7" /> + <elements> + <enum id="L_PolicySipCompression" valueName="sipcompression"> + <item displayName="$(string.L_SipCompressionVal0)"> + <value> + <decimal value="0" /> + </value> + </item> + <item displayName="$(string.L_SipCompressionVal1)"> + <value> + <decimal value="1" /> + </value> + </item> + <item displayName="$(string.L_SipCompressionVal2)"> + <value> + <decimal value="2" /> + </value> + </item> + <item displayName="$(string.L_SipCompressionVal3)"> + <value> + <decimal value="3" /> + </value> + </item> + </enum> + </elements> + </policy> + <policy name="L_PolicyPreventRun" class="Machine" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun)" key="software\policies\contoso\companyApp" valueName="preventrun"> + <parentCategory ref="Category1" /> + <supportedOn ref="windows:SUPPORTED_Windows7" /> + <enabledValue> + <decimal value="1" /> + </enabledValue> + <disabledValue> + 
<decimal value="0" /> + </disabledValue> + </policy> + <policy name="L_PolicyConfiguredServerCheckValues" class="Machine" displayName="$(string.L_PolicyConfiguredServerCheckValues)" explainText="$(string.L_ExplainText_ConfiguredServerCheckValues)" presentation="$(presentation.L_PolicyConfiguredServerCheckValues)" key="software\policies\contoso\companyApp"> + <parentCategory ref="Category2" /> + <supportedOn ref="windows:SUPPORTED_Windows7" /> + <elements> + <text id="L_ConfiguredServerCheckValues_VALUE" valueName="configuredservercheckvalues" required="true" /> + </elements> + </policy> + <policy name="L_PolicySipCompression_1" class="User" displayName="$(string.L_PolicySipCompression)" explainText="$(string.L_ExplainText_SipCompression)" presentation="$(presentation.L_PolicySipCompression_1)" key="software\policies\contoso\companyApp"> + <parentCategory ref="Category2" /> + <supportedOn ref="windows:SUPPORTED_Windows7" /> + <elements> + <enum id="L_PolicySipCompression" valueName="sipcompression"> + <item displayName="$(string.L_SipCompressionVal0)"> + <value> + <decimal value="0" /> + </value> + </item> + <item displayName="$(string.L_SipCompressionVal1)"> + <value> + <decimal value="1" /> + </value> + </item> + <item displayName="$(string.L_SipCompressionVal2)"> + <value> + <decimal value="2" /> + </value> + </item> + <item displayName="$(string.L_SipCompressionVal3)"> + <value> + <decimal value="3" /> + </value> + </item> + </enum> + </elements> + </policy> + <policy name="L_PolicyPreventRun_1" class="User" displayName="$(string.L_PolicyPreventRun)" explainText="$(string.L_ExplainText_PreventRun)" presentation="$(presentation.L_PolicyPreventRun_1)" key="software\policies\contoso\companyApp" valueName="preventrun"> + <parentCategory ref="Category3" /> + <supportedOn ref="windows:SUPPORTED_Windows7" /> + <enabledValue> + <decimal value="1" /> + </enabledValue> + <disabledValue> + <decimal value="0" /> + </disabledValue> + </policy> + <policy 
name="L_PolicyGalDownloadInitialDelay_1" class="User" displayName="$(string.L_PolicyGalDownloadInitialDelay)" explainText="$(string.L_ExplainText_GalDownloadInitialDelay)" presentation="$(presentation.L_PolicyGalDownloadInitialDelay_1)" key="software\policies\contoso\companyApp"> + <parentCategory ref="Category3" /> + <supportedOn ref="windows:SUPPORTED_Windows7" /> + <elements> + <decimal id="L_GalDownloadInitialDelay_VALUE" valueName="galdownloadinitialdelay" minValue="0" required="true" /> + </elements> + </policy> + </policies> + </policyDefinitions> + + + + + +``` + +**Response Syncml** +```XML +21102Add200 +``` + +### URI format for configuring an app policy + +The following example shows how to derive a Win32 or Desktop Bridge app policy name and policy area name: + +```XML + + + + + + + + + + + + + + + + + + + + + + +``` + +As documented in [Policy CSP](policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is: +'./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}'. + +**User or device policy** + +In the policy class, the attribute is defined as "User" and the URI is prefixed with `./user`. +If the attribute value is "Machine", the URI is prefixed with `./device`. +If the attribute value is "Both", the policy can be configured either as a user or a device policy. + +The policy {AreaName} format is {AppName}~{SettingType}~{CategoryPathFromAdmx}. +{AppName} and {SettingType} are derived from the URI that is used to import the ADMX file. In this example, the URI is: `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/ContosoCompanyApp/Policy/AppAdmxFile01`. + +{CategoryPathFromAdmx} is derived by traversing the parentCategory parameter. In this example, {CategoryPathFromAdmx} is ParentCategoryArea~Category2~Category3. Therefore, {AreaName} is ContosoCompanyApp~ Policy~ ParentCategoryArea~Category2~Category3. 
+ +Therefore, from the example: + - Class: User + - Policy name: L_PolicyPreventRun_1 + - Policy area name: ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3 + - URI: `./user/Vendor/MSFT/Policy/Config/ContosoCompanyApp~Policy~ParentCategoryArea~Category2~Category3/L_PolicyPreventRun_1` + +## ADMX-backed app policy examples + +The following examples describe how to set an ADMX-ingested app policy. + +### Enabling an app policy + +**Payload** +```XML + + + +``` + +**Request Syncml** +```XML + + + + 103 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode + + <enabled/><data id="L_ServerAddressInternal_VALUE" value="TextValue1"/><data id="L_ServerAddressExternal_VALUE" value="TextValue2"/> + + + + + +``` + +**Response SyncML** +```XML +21103Replace200 +``` + +### Disabling an app policy + +**Payload** +```XML + +``` + +**Request SyncML** +```XML + + + + 104 + + + chr + text/plain + + + ./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode + + <disabled/> + + + + + +``` + +**Response SyncML** +```XML +21104Replace200 +``` + +### Setting an app policy to not configured + +**Payload** + +(None) + +**Request SyncML** +```XML + + + + 105 + + + ./Device/Vendor/MSFT/Policy/Config/ContosoCompanyApp~ Policy~ParentCategoryArea~Category1/L_PolicyConfigurationMode + + + + + + +``` + +**Response SyncML** +```XML +21105Delete200 +``` diff --git a/windows/client-management/mdm/win32appinventory-csp.md b/windows/client-management/mdm/win32appinventory-csp.md new file mode 100644 index 0000000000..935df946c0 --- /dev/null +++ b/windows/client-management/mdm/win32appinventory-csp.md 
@@ -0,0 +1,91 @@ +--- +title: Win32AppInventory CSP +description: Win32AppInventory CSP +ms.assetid: C0DEDD51-4EAD-4F8E-AEE2-CBE9658BCA22 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Win32AppInventory CSP + + +The Win32AppInventory configuration service provider is used to provide an inventory of installed applications on a device. + +The following diagram shows the Win32AppInventory configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM. + +![win32appinventory csp diagram](images/provisioning-csp-win32appinventory.png) + +**./Vendor/MSFT/Win32AppInventory** +The root node for the Win32AppInventory configuration service provider. + +The supported operation is Get. + +**Win32InstalledProgram** +This represents an inventory of installed Win32 applications on the device. + +The supported operation is Get. + +**Win32InstalledProgram/***InstalledProgram* +A node that contains information for a specific application. + +**Win32InstalledProgram/***InstalledProgram***/Name** +A string that specifies the name of the application. + +The supported operation is Get. + +**Win32InstalledProgram/***InstalledProgram***/Publisher** +A string that specifies the publisher of the application. + +The supported operation is Get. + +**Win32InstalledProgram/***InstalledProgram***/Version** +A string that specifies the version of the application. + +The supported operation is Get. + +**Win32InstalledProgram/***InstalledProgram***/Language** +A string that specifies the language of the application. + +The supported operation is Get. + +**Win32InstalledProgram/***InstalledProgram***/RegKey** +A string that specifies product code or registry subkey. + +For MSI-based applications this is the product code. + +For applications found in Add/Remove Programs, this is the registry subkey. + +The supported operation is Get. 
+ +**Win32InstalledProgram/***InstalledProgram***/Source** +A string that specifies where the application was discovered, such as MSI or Add/Remove Programs. + +The supported operation is Get. + +**Win32InstalledProgram/***InstalledProgram***/MsiProductCode** +A GUID that uniquely identifies a particular MSI product. + +The supported operation is Get. + +**Win32InstalledProgram/***InstalledProgram***/MsiPackageCode** +A GUID that identifies an MSI package. Multiple products can make up a single package. + +The supported operation is Get. + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/win32appinventory-ddf-file.md b/windows/client-management/mdm/win32appinventory-ddf-file.md new file mode 100644 index 0000000000..97eafeb66c --- /dev/null +++ b/windows/client-management/mdm/win32appinventory-ddf-file.md 
@@ -0,0 +1,288 @@ +--- +title: Win32AppInventory DDF file +description: Win32AppInventory DDF file +ms.assetid: F6BCC10B-BFE4-40AB-AEEE-34679A4E15B0 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Win32AppInventory DDF file + + +This topic shows the OMA DM device description framework (DDF) for the **Win32AppInventory** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + Win32AppInventory + ./Vendor/MSFT + + + + + + + + + + + + + + + + + + + Win32InstalledProgram + + + + + The Win32InstalledProgram class represents installed applications. + + + + + + + + + + Win32InstalledProgram + + + + + + + + + + + The InstalledProgram class represents an installed application. + + + + + + + + + + InstalledProgram + + + + + + Name + + + + + Application name + + + + + + + + + + Name + + text/plain + + + + + Publisher + + + + + Application publisher + + + + + + + + + + Publisher + + text/plain + + + + + Version + + + + + Application version + + + + + + + + + + Version + + text/plain + + + + + Language + + + + + Application language + + + + + + + + + + Language + + text/plain + + + + + RegKey + + + + + For MSI this is the product code. For ARP this is the registry subkey. + + + + + + + + + + RegKey + + text/plain + + + + + Source + + + + + The source of the installation info + + + + + + + + + + Source + + text/plain + + + + + MsiProductCode + + + + + GUID that uniquely identifies a particular product. 
+ + + + + + + + + + MsiProductCode + + text/plain + + + + + MsiPackageCode + + + + + GUID that identifies a Windows Installer package. + + + + + + + + + + MsiPackageCode + + text/plain + + + + + + + +``` + +## Related topics + + +[Win32AppInventory configuration service provider](win32appinventory-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md new file mode 100644 index 0000000000..51943be64f --- /dev/null +++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md 
@@ -0,0 +1,49 @@ +--- +title: Enterprise settings, policies, and app management +description: The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. +MS-HAID: +- 'p\_phdevicemgmt.enterprise\_settings\_\_policies\_\_and\_app\_management' +- 'p\_phDeviceMgmt.windows\_mdm\_enterprise\_settings' +ms.assetid: 92711D65-3022-4789-924B-602BE3187E23 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# Enterprise settings, policies, and app management + +The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526). + +Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](configuration-service-provider-reference.md). + +The DM client is configured during the enrollment process to be invoked by the task scheduler to periodically poll the MDM server. + +The following diagram shows the work flow between server and client. + +![windows client and server mdm diagram](images/enterprise-workflow.png) + + +## Management workflow + +This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. 
This logical view of configurable device settings simplifies the way the server addresses the device settings by isolating the implementation details from the conceptual tree structure. + +To facilitate security-enhanced communication with the remote server for enterprise management, Windows supports certificate-based mutual authentication over an encrypted SSL HTTP channel between the DM client and management service. The server and client certificates are provisioned during the enrollment process. + +The DM client configuration, company policy enforcement, business application management, and device inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows term for managed objects. The DM client communicates with the server and sends configuration request to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the device. + +Here is a summary of the DM tasks supported for enterprise management: + +- Company policy management: Company policies are supported via the Policy CSP allows the enterprise to manage various settings. It enables the management service to configure device lock related policies, disable/enable the storage card, and query the device encryption status. The RemoteWipe CSP allows IT pros to remotely fully wipe the internal user data storage. +- Enterprise application management: This is addressed via the Enterprise ModernApp Management CSP and several ApplicationManagement-related policies. It is used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service. +- Certificate management: CertificateStore CSP, RootCACertificate CSP, and ClientCertificateInstall CSP are used to install certificates. 
+- Basic device inventory and asset management: Some basic device information can be retrieved via the DevInfo CSP, DevDetail CSPs and the DeviceStatus CSP. These provide basic device information such as OEM name, device model, hardware version, OS version, processor types, etc. This is for asset management and device targeting. The NodeCache CSP enables the device to only send out delta inventory settings to the server to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service. + +  + + + + + + diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md new file mode 100644 index 0000000000..bced249094 --- /dev/null +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -0,0 +1,198 @@ +--- +title: WindowsAdvancedThreatProtection CSP +description: WindowsAdvancedThreatProtection CSP +ms.assetid: 6C3054CA-9890-4C08-9DB6-FBEEB74699A8 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# WindowsAdvancedThreatProtection CSP + +The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. + +The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). + +![windowsadvancedthreatprotection csp diagram](images/provisioning-csp-watp.png) + +The following list describes the characteristics and parameters. + +**./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** +

The root node for the Windows Defender Advanced Threat Protection configuration service provider. + +

Supported operation is Get. + +**Onboarding** +

Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. + +

The data type is a string. + +

Supported operations are Get and Replace. + +**HealthState** +

Node that represents the Windows Defender Advanced Threat Protection health state. + +**HealthState/LastConnected** +

Contains the timestamp of the last successful connection. + +

Supported operation is Get. + +**HealthState/SenseIsRunning** +

Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. + +

The default value is false. + +

Supported operation is Get. + +**HealthState/OnboardingState** +

Represents the onboarding state. + +

Supported operation is Get. + +

The following list shows the supported values: + +- 0 (default) – Not onboarded. +- 1 – Onboarded + +**HealthState/OrgId** +

String that represents the OrgID. + +

Supported operation is Get. + +**Configuration** +

Represents Windows Defender Advanced Threat Protection configuration. + +**Configuration/SampleSharing** +

Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. + +

The following list shows the supported values: + +- 0 – None +- 1 (default)– All + +

Supported operations are Get and Replace. + +**Configuration/TelemetryReportingFrequency** +

Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection telemetry reporting frequency. + +

The following list shows the supported values: + +- 1 (default) – Normal +- 2 - Expedite + +

Supported operations are Get and Replace. + +**Offboarding** +

Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. + +

The data type is a string. + +

Supported operations are Get and Replace. + +## Examples + + +``` syntax + + + + 11 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding + + + + + + 1 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/LastConnected + + + + + + 2 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState + + + + + + 3 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning + + + + + + 4 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId + + + + + + 5 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing + + + + + + 6 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency + + + + + + 99 + + + + ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding + + + + + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md new file mode 100644 index 0000000000..135648a616 --- /dev/null +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-ddf.md 
@@ -0,0 +1,287 @@ +--- +title: WindowsAdvancedThreatProtection DDF file +description: WindowsAdvancedThreatProtection DDF file +ms.assetid: 0C62A790-4351-48AF-89FD-7D46C42D13E0 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# WindowsAdvancedThreatProtection DDF file + +This topic shows the OMA DM device description framework (DDF) for the **WindowsAdvancedThreatProtection** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + WindowsAdvancedThreatProtection + ./Device/Vendor/MSFT + + + + + Windows Defender Advanced Threat Protection + + + + + + + + + + + com.microsoft/1.1/MDM/WindowsAdvancedThreatProtection + + + + Onboarding + + + + + + Set Windows Defender Advanced Threat Protection Onboarding blob and initiate onboarding to Windows Defender Advanced Threat Protection + + + + + + + + + + + text/plain + + + + + HealthState + + + + + Represents Windows Defender Advanced Threat Protection Health State + + + + + + + + + + + + + + + LastConnected + + + + + The last successful connection. + + + + + + + + + + text/plain + + + + + SenseIsRunning + + + + + false + Return Windows Defender Advanced Threat Protection service running state + + + + + + + + + + + text/plain + + + + + OnboardingState + + + + + 0 + Return Windows Defender Advanced Threat Protection onboarding state: 0 – not onboarded; 1 - onboarded + + + + + + + + + + + text/plain + + + + + OrgId + + + + + Onboarded Org ID. 
+ + + + + + + + + + + text/plain + + + + + + Configuration + + + + + Represents Windows Defender Advanced Threat Protection Configuration + + + + + + + + + + + + + + + SampleSharing + + + + + + 1 + Return or set Windows Defender Advanced Threat Protection Sample Sharing configuration parameter: 0 - none, 1 - All + + + + + + + + + + + text/plain + + + + + TelemetryReportingFrequency + + + + + + 1 + Return or set Windows Defender Advanced Threat Protection telemetry reporting frequency. Allowed values are: 1 - Normal, 2 - Expedite + + + + + + + + + + Telemetry reporting frequency + + text/plain + + + + + + Offboarding + + + + + + Set Windows Defender Advanced Threat Protection Offboarding blob and initiate offboarding + + + + + + + + + + + text/plain + + + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md new file mode 100644 index 0000000000..bdc1b02533 --- /dev/null +++ b/windows/client-management/mdm/windowslicensing-csp.md 
@@ -0,0 +1,305 @@ +--- +title: WindowsLicensing CSP +description: WindowsLicensing CSP +ms.assetid: E6BC6B0D-1F16-48A5-9AC4-76D69A7EDDA6 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# WindowsLicensing CSP + +The WindowsLicensing configuration service provider is designed for licensing related management scenarios. Currently the scope is limited to edition upgrades of Windows 10 desktop and mobile devices, such as Windows 10 Pro to Windows 10 Enterprise. In addition, this CSP provides the capability to activate or change the product key of Windows 10 desktop devices. + +The following diagram shows the WindowsLicensing configuration service provider in tree format. + +![windowslicensing csp diagram](images/provisioning-csp-windowslicensing.png) + +**./Device/Vendor/MSFT/WindowsLicensing** +This is the root node for the WindowsLicensing configuration service provider. + +The supported operation is Get. + +**UpgradeEditionWithProductKey** +Enters a product key for an edition upgrade of Windows 10 desktop devices. + +> [!NOTE]   +> This upgrade process requires a system restart. + +  + +The date type is a chr. + +The supported operation is Exec. + +When a product key is pushed from an MDM server to a user's device, **changepk.exe** runs using the product key. After it completes, a notification is shown to the user that a new edition of Windows 10 is available. The user can then restart their system manually or, after two hours, the device will restart automatically to complete the upgrade. The user will receive a reminder notification 10 minutes before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. + +> [!IMPORTANT]   +> If another policy requires a system reboot that occurs when **changepk.exe** is running, the edition upgrade will fail. 
+ +  + +If a product key is entered in a provisioning package and the user begins installation of the package, a notification is shown to the user that their system will restart to complete the package installation. Upon explicit consent from the user to proceed, the package continues installation and **changepk.exe** runs using the product key. The user will receive a reminder notification 30 seconds before the automatic restart. + +After the device restarts, the edition upgrade process completes. The user will receive a notification of the successful upgrade. + +This node can also be used to activate or change a product key on a particular edition of Windows 10 desktop device by entering a product key. Activation or changing a product key does not require a reboot and is a silent process for the user. + +> [!IMPORTANT]   +> The product key entered must be 29 characters (that is, it should include dashes), otherwise the activation, edition upgrade, or product key change on Windows 10 desktop devices will fail. The product key is acquired from Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. + +  + +The following are valid edition upgrade paths when using this node through an MDM: + +- Windows 10 Enterprise to Windows 10 Education +- Windows 10 Home to Windows 10 Education +- Windows 10 Pro to Windows 10 Education +- Windows 10 Pro to Windows 10 Enterprise + +Activation or changing a product key can be carried out on the following editions: + +- Windows 10 Education +- Windows 10 Enterprise +- Windows 10 Home +- Windows 10 Pro + +**Edition** +Returns a value that maps to the Windows 10 edition running on desktop or mobile devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. + +The data type is an Int. + +The supported operation is Get. 
+ +**Status** +Returns the status of an edition upgrade on Windows 10 desktop or mobile devices. The status corresponds to one of the following values: + +- 0 = Failed +- 1 = Pending +- 2 = In progress +- 3 = Completed +- 4 = Unknown + +The data type is an Int. + +The supported operation is Get. + +**UpgradeEditionWithLicense** +Provides a license for an edition upgrade of Windows 10 mobile devices. + +> [!NOTE]   +> This upgrade process does not require a system restart. + +  + +The date type is XML. + +The supported operation is Execute. + +> [!IMPORTANT]   +> The XML license file contents must be properly escaped (that is, it should not simply be a copied XML), otherwise the edition upgrade on Windows 10 mobile devices will fail. For more information on proper escaping of the XML license file, see Section 2.4 of the [W3C XML spec](http://www.w3.org/TR/xml/) . The XML license file is acquired from the Microsoft Volume Licensing Service Center. Your organization must have a Volume Licensing contract with Microsoft to access the portal. + +  + +The following are valid edition upgrade paths when using this node through an MDM or provisioning package: + +- Windows 10 Mobile to Windows 10 Mobile Enterprise + +**LicenseKeyType** +Returns the parameter type used by Windows 10 devices for an edition upgrade, activation, or product key change. + +- Windows 10 for desktop devices require a product key. +- Windows 10 Mobile devices require a XML license file for an edition upgrade. + +The data type is a chr. + +The supported operation is Get. + +**CheckApplicability** +Returns TRUE if the entered product key can be used for an edition upgrade, activation or changing a product key of Windows 10 for desktop devices. + +The data type is a chr. + +The supported operation is Exec. + +**ChangeProductKey** +Added in Windows 10, version 1703. Installs a product key for Windows 10 desktop devices. Does not reboot. + +The data type is a chr. + +The supported operation is Execute. 
+ +**Subscriptions** +Added in Windows 10, version 1607. Node for subscriptions. + +**Subscriptions/SubscriptionId** +Added in Windows 10, version 1607. Node for subscription IDs. + +**Subscriptions/SubscriptionId/Status** +Added in Windows 10, version 1607. Returns the status of the subscription. + +The data type is an Int. + +The supported operation is Get. + +**Subscriptions/SubscriptionId/Name** +Added in Windows 10, version 1607. Returns the name of the subscription. + +The data type is a chr. + +The supported operation is Get. + + + + +## SyncML examples + + +**CheckApplicability** + +``` syntax + + + + 3 + + + ./Device/Vendor/MSFT/WindowsLicensing/CheckApplicability + + + chr + + XXXXX-XXXXX-XXXXX-XXXXX-XXXXX + + + + + +``` + +> [!NOTE]   +> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. + +  + +**Edition** + +``` syntax + + + + 17 + + + ./Device/Vendor/MSFT/WindowsLicensing/Edition + + + + + + +``` + +**LicenseKeyType** + +``` syntax + + + + 17 + + + ./Device/Vendor/MSFT/WindowsLicensing/LicenseKeyType + + + + + + +``` + +**Status** + +``` syntax + + + + 17 + + + ./Device/Vendor/MSFT/WindowsLicensing/Status + + + + + + +``` + +**UpgradeEditionWithProductKey** + +``` syntax + + + + 3 + + + ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithProductKey + + + chr + + XXXXX-XXXXX-XXXXX-XXXXX-XXXXX + + + + + +``` + +> [!NOTE]   +> `XXXXX-XXXXX-XXXXX-XXXXX-XXXXX` in the **Data** tag should be replaced with your product key. + +  + +**UpgradeEditionWithLicense** + +``` syntax + + + + 2 + + + ./Device/Vendor/MSFT/WindowsLicensing/UpgradeEditionWithLicense + + + chr + + + + + + + +``` + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md new file mode 100644 index 0000000000..5ac78fc98d --- /dev/null 
+++ b/windows/client-management/mdm/windowslicensing-ddf-file.md 
@@ -0,0 +1,316 @@ +--- +title: WindowsLicensing DDF file +description: WindowsLicensing DDF file +ms.assetid: 2A24C922-A167-4CEE-8F74-08E7453800D2 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# WindowsLicensing DDF file + +This topic shows the OMA DM device description framework (DDF) for the **WindowsLicensing** configuration service provider. DDF files are used only with OMA DM provisioning XML. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + WindowsLicensing + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.2/MDM/WindowsLicensing + + + + UpgradeEditionWithProductKey + + + + + Enter a product key for an edition upgrade of Windows 10 desktop devices. Requires reboot. + + + + + + + + + + + + + + text/plain + + + + + ChangeProductKey + + + + + Installs a product key for Windows 10 desktop devices. Does not reboot. + + + + + + + + + + + + + + text/plain + + + + + Edition + + + + + Returns a value that maps to the Windows 10 edition running on desktop or mobile devices. Take the value, convert it into its hexadecimal equivalent and search the GetProductInfo function page on MSDN for edition information. + + + + + + + + + + + + + + text/plain + + + + + Status + + + + + Returns the status of an edition upgrade on Windows 10 desktop and mobile devices. 
Status: 0 = Failed, 1 = Pending, 2 = In progress, 3 = Completed, 4 = Unknown + + + + + + + + + + + + + + text/plain + + + + + UpgradeEditionWithLicense + + + + + Provide a license for an edition upgrade of Windows 10 mobile devices. Does not require reboot. + + + + + + + + + + + + + + text/plain + + + + + LicenseKeyType + + + + + Returns the parameter type used by Windows 10 devices for an edition upgrade. Windows 10 desktop devices require a product key for an edition upgrade. Windows 10 mobile devices require a license for an edition upgrade. + + + + + + + + + + + + + + text/plain + + + + + CheckApplicability + + + + + Returns TRUE if the entered product key can be used for an edition upgrade of Windows 10 desktop devices. + + + + + + + + + + + + + + text/plain + + + + + Subscriptions + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + SubscriptionId + + + + + + Status + + + + + + + + + + + + + + + text/plain + + + + + Name + + + + + + + + + + + + + + + text/plain + + + + + + + +``` + +## Related topics + + +[WindowsLicensing configuration service provider](windowslicensing-csp.md) + +  + +  + + + + + + diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md new file mode 100644 index 0000000000..686a058d93 --- /dev/null +++ b/windows/client-management/mdm/windowssecurityauditing-csp.md 
@@ -0,0 +1,72 @@ +--- +title: WindowsSecurityAuditing CSP +description: The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511. +ms.assetid: 611DF7FF-21CE-476C-AAB5-3D09C1CDF08A +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# WindowsSecurityAuditing CSP + + +The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511. + +The following diagram shows the WindowsSecurityAuditing configuration service provider in tree format. + +![windowssecurityauditing csp diagram](images/provisioning-csp-windowssecurityauditing.png) + +**WindowsSecurityAuditing** +Root node. + +**ConfigurationSettings** +Interior node for handling all the audit configuration settings. Do not use the Get operation in this node. It is only used of grouping configuration settings. + +**ConfigurationSettings/EnableSecurityAuditing** +Specifies whether to enable or disable auditing for the device. + +Value type is boolean. If true, a default set of audit events will be captured to a log file for upload; if false, auditing is disabled and events are not logged. Default value is false. + +Supported operations are Get and Replace. + +## Examples + + +Enable logging of audit events. + +``` syntax + + + + 1 + + + + ./Vendor/MSFT/WindowsSecurityAuditing/ConfigurationSettings/EnableSecurityAuditing + + + + bool + text/plain + + true + + + + + +``` + +For more information about Windows security auditing, see [What's new in security auditing](https://technet.microsoft.com/itpro/windows/whats-new/security-auditing). + +  + +  + + + + + + diff --git a/windows/client-management/mdm/windowssecurityauditing-ddf-file.md b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md new file mode 100644 index 0000000000..cd9ef72d61 --- /dev/null 
+++ b/windows/client-management/mdm/windowssecurityauditing-ddf-file.md @@ -0,0 +1,109 @@ +--- +title: WindowsSecurityAuditing DDF file +description: This topic shows the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider. This CSP was added in Windows 10, version 1511. +ms.assetid: B1F9A5FA-185B-48C6-A7F4-0F0F23B971F0 +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# WindowsSecurityAuditing DDF file + + +This topic shows the OMA DM device description framework (DDF) for the WindowsSecurityAuditing configuration service provider. This CSP was added in Windows 10, version 1511. + +You can download the DDF files from the links below: + +- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip) +- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip) + +The XML below is the current version for this CSP. + +``` syntax + +]> + + 1.2 + + WindowsSecurityAuditing + ./Vendor/MSFT + + + + + + + + + + + + + + + com.microsoft/1.0/MDM/WindowsSecurityAuditing + + + + ConfigurationSettings + + + + + This branch handles all the audit configuration settings for the device. This node should not be used for a get/set but is simply a grouping interior node for all configuration functionality. + + + + + + + + + + Configuration Settings + + + + + + EnableSecurityAuditing + + + + + + false + Specifies whether to enable or disable auditing for the device. If the value is true, a default set of audit events will be captured to a log file for upload. If the value is false, auditing will be disabled and events will no longer be logged. + + + + + + + + + + Enable Security Auditing + + text/plain + + + + + + +``` + +  + +  + + + + + + 
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
new file mode 100644
index 0000000000..ade8ecd858
--- /dev/null
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -0,0 +1,313 @@ +--- +title: WMI providers supported in Windows 10 +description: WMI providers supported in Windows 10 +MS-HAID: +- 'p\_phdevicemgmt.wmi\_providers\_supported\_in\_windows\_10\_technical\_preview' +- 'p\_phDeviceMgmt.wmi\_providers\_supported\_in\_windows' +ms.assetid: 7D533044-AAD7-4B8F-B71B-9D52C15A168A +ms.author: maricia +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nickbrower +--- + +# WMI providers supported in Windows 10 + +Windows Management Infrastructure (WMI) providers (and the classes they support) are used to manage settings and applications on devices that subscribe to the Mobile Device Management (MDM) service. The following subsections show the list WMI MDM classes that are supported in Windows 10. + +> **Note**  Applications installed using WMI classes are not removed when the MDM account is removed from device. + +  + +The child node names of the result from a WMI query are separated by a forward slash (/) and not URI escaped. Here is an example query. + +Get the list of network adapters from the device. + +``` syntax + + + ./cimV2/Win32_NetworkAdapter + + +``` + +Result + +``` syntax + + + ./cimV2/Win32_NetworkAdapter + + + node + + Win32_NetworkAdapter.DeviceID="0"/Win32_NetworkAdapter.DeviceID="1"/Win32_NetworkAdapter.DeviceID="2" + +``` + +## MDM Bridge WMI classes + + +For links to these classes, see [**MDM Bridge WMI Provider**](https://msdn.microsoft.com/library/windows/hardware/dn905224). + +## MDM WMI classes + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ClassTest completed in Windows 10 for desktop
[MDM_AppInstallJob](https://msdn.microsoft.com/library/windows/hardware/dn610368)

Currently testing.

[MDM_Application](https://msdn.microsoft.com/library/windows/hardware/dn610369)

Currently testing.

[MDM_ApplicationFramework](https://msdn.microsoft.com/library/windows/hardware/dn610370)

Currently testing.

[MDM_ApplicationSetting](https://msdn.microsoft.com/library/windows/hardware/dn610382)

Currently testing.

[MDM_BrowserSecurityZones](https://msdn.microsoft.com/library/windows/hardware/dn610383)cross mark
[MDM_BrowserSettings](https://msdn.microsoft.com/library/windows/hardware/dn610384)cross mark
[MDM_Certificate](https://msdn.microsoft.com/library/windows/hardware/dn610385)cross mark
[MDM_CertificateEnrollment](https://msdn.microsoft.com/library/windows/hardware/dn610386)cross mark
[MDM_Client](https://msdn.microsoft.com/library/windows/hardware/dn610387)

Currently testing.

[MDM_ConfigSetting](https://msdn.microsoft.com/library/windows/hardware/dn610388)cross mark
[MDM_DeviceRegistrationInfo](https://msdn.microsoft.com/library/windows/hardware/dn610389)
[MDM_EASPolicy](https://msdn.microsoft.com/library/windows/hardware/dn610390)cross mark
[MDM_MgMtAuthority](https://msdn.microsoft.com/library/windows/hardware/dn610391)cross mark
MDM_MsiApplication
MDM_MsiInstallJob
[MDM_RemoteApplication](https://msdn.microsoft.com/library/windows/hardware/dn610371)

Test not started.

[MDM_RemoteAppUseCookie](https://msdn.microsoft.com/library/windows/hardware/dn610372)

Test not started.

[MDM_Restrictions](https://msdn.microsoft.com/library/windows/hardware/dn610392)cross mark
[MDM_RestrictionsUser](https://msdn.microsoft.com/library/windows/hardware/dn610393)

Test not started.

[MDM_SecurityStatus](https://msdn.microsoft.com/library/windows/hardware/dn610394)cross mark
[MDM_SideLoader](https://msdn.microsoft.com/library/windows/hardware/dn610395)
[MDM_SecurityStatusUser](https://msdn.microsoft.com/library/windows/hardware/dn920104)

Currently testing.

[MDM_Updates](https://msdn.microsoft.com/library/windows/hardware/dn920105)cross mark
[MDM_VpnApplicationTrigger](https://msdn.microsoft.com/library/windows/hardware/dn610396)cross mark
MDM_VpnConnection
[MDM_WebApplication](https://msdn.microsoft.com/library/windows/hardware/dn610373)

Currently testing.

[MDM_WirelessProfile](https://msdn.microsoft.com/library/windows/hardware/dn610397)cross mark
[MDM_WirelesssProfileXML](https://msdn.microsoft.com/library/windows/hardware/dn610398)cross mark
[MDM_WNSChannel](https://msdn.microsoft.com/library/windows/hardware/dn610399)cross mark
[MDM_WNSConfiguration](https://msdn.microsoft.com/library/windows/hardware/dn610400)cross mark
[MSFT_NetFirewallProfile](https://msdn.microsoft.com/library/windows/hardware/jj676842)cross mark
[MSFT_VpnConnection](https://msdn.microsoft.com/library/windows/hardware/jj206647)cross mark
[SoftwareLicensingProduct](https://msdn.microsoft.com/library/windows/hardware/cc534596)
[SoftwareLicensingService](https://msdn.microsoft.com/library/windows/hardware/cc534597)
+ +  + +### Parental control WMI classes + +| Class | Test completed in Windows 10 for desktop | +|--------------------------------------------------------------------------|------------------------------------------| +| [**wpcappoverride**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | +| [**wpcgameoverride**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | +| [**wpcgamessettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | +| [**wpcrating**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | +| [**wpcRatingsDescriptor**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | | +| [**wpcratingssystem**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | +| [**wpcsystemsettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | +| [**wpcurloverride**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | +| [**wpcusersettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | +| [**wpcwebsettings**](https://msdn.microsoft.com/library/windows/hardware/ms711334) | ![cross mark](images/checkmark.png) | + +  + +### Win32 WMI classes + +| Class | Test completed in Windows 10 for desktop | +|--------------------------------------------------------------------------|------------------------------------------| +[**Win32\_1394Controller**](https://msdn.microsoft.com/library/windows/hardware/aa394059) | +[**Win32\_BaseBoard**](https://msdn.microsoft.com/library/windows/hardware/aa394072) | +[**Win32\_Battery**](https://msdn.microsoft.com/library/windows/hardware/aa394074) | ![cross mark](images/checkmark.png) 
+[**Win32\_BIOS**](https://msdn.microsoft.com/library/windows/hardware/aa394077) | ![cross mark](images/checkmark.png) +[**Win32\_CDROMDrive**](https://msdn.microsoft.com/library/windows/hardware/aa394081) | +[**Win32\_ComputerSystem**](https://msdn.microsoft.com/library/windows/hardware/aa394102) | ![cross mark](images/checkmark.png) +[**Win32\_ComputerSystemProduct**](https://msdn.microsoft.com/library/windows/hardware//aa394105) | ![cross mark](images/checkmark.png) +[**Win32\_CurrentTime**](https://msdn.microsoft.com/library/windows/hardware/aa394114) | ![cross mark](images/checkmark.png) +[**Win32\_Desktop**](https://msdn.microsoft.com/library/windows/hardware/aa394121) | +[**Win32\_DesktopMonitor**](https://msdn.microsoft.com/library/windows/hardware/aa394122) |![cross mark](images/checkmark.png) +[**Win32\_DiskDrive**](https://msdn.microsoft.com/library/windows/hardware/aa394132) | ![cross mark](images/checkmark.png) +[**Win32\_DiskPartition**](https://msdn.microsoft.com/library/windows/hardware/aa394135) | +[**Win32\_DisplayConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394137) | ![cross mark](images/checkmark.png) +[**Win32\_DMAChannel**](https://msdn.microsoft.com/library/windows/hardware/aa394139) | +[**Win32\_DriverVXD**](https://msdn.microsoft.com/library/windows/hardware/aa394141) | +[**Win32\_EncryptableVolume**](https://msdn.microsoft.com/library/windows/hardware/aa376483) | +[**Win32\_Environment**](https://msdn.microsoft.com/library/windows/hardware/aa394143) | +[**Win32\_IDEController**](https://msdn.microsoft.com/library/windows/hardware/aa394155) | +[**Win32\_InfraredDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394158) | +[**Win32\_IRQResource**](https://msdn.microsoft.com/library/windows/hardware/aa394164) | +[**Win32\_Keyboard**](https://msdn.microsoft.com/library/windows/hardware/aa394166) | +[**Win32\_LoadOrderGroup**](https://msdn.microsoft.com/library/windows/hardware/aa394168) | 
+[**Win32\_LocalTime**](https://msdn.microsoft.com/library/windows/hardware/aa394171) | ![cross mark](images/checkmark.png) +[**Win32\_LoggedOnUser**](https://msdn.microsoft.com/library/windows/hardware/aa394172) | +[**Win32\_LogicalDisk**](https://msdn.microsoft.com/library/windows/hardware/aa394173) | ![cross mark](images/checkmark.png) +[**Win32\_MotherboardDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394204) | +[**Win32\_NetworkAdapter**](https://msdn.microsoft.com/library/windows/hardware/aa394216) | ![cross mark](images/checkmark.png) +[**Win32\_NetworkAdapterConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394217) | +[**Win32\_NetworkClient**](https://msdn.microsoft.com/library/windows/hardware/aa394219) | +[**Win32\_NetworkLoginProfile**](https://msdn.microsoft.com/library/windows/hardware/aa394221) | +[**Win32\_NetworkProtocol**](https://msdn.microsoft.com/library/windows/hardware/aa394223) | +[**Win32\_NTEventlogFile**](https://msdn.microsoft.com/library/windows/hardware/aa394225) | +[**Win32\_OperatingSystem**](https://msdn.microsoft.com/library/windows/hardware/aa394239) | ![cross mark](images/checkmark.png) +[**Win32\_OSRecoveryConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394242) | +[**Win32\_PageFileSetting**](https://msdn.microsoft.com/library/windows/hardware/aa394245) | +[**Win32\_ParallelPort**](https://msdn.microsoft.com/library/windows/hardware/aa394247) | +[**Win32\_PCMCIAController**](https://msdn.microsoft.com/library/windows/hardware/aa394251) | +[**Win32\_PhysicalMedia**](https://msdn.microsoft.com/en-us/library/windows/hardware/aa394346) | +[**Win32\_PhysicalMemory**](https://msdn.microsoft.com/library/windows/hardware/aa394347) | ![cross mark](images/checkmark.png) +[**Win32\_PnPDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394352) | +[**Win32\_PnPEntity**](https://msdn.microsoft.com/library/windows/hardware/aa394353) | 
+[**Win32\_PointingDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394356) | +[**Win32\_PortableBattery**](https://msdn.microsoft.com/library/windows/hardware/aa394357) | +[**Win32\_PortResource**](https://msdn.microsoft.com/library/windows/hardware/aa394359) | +[**Win32\_POTSModem**](https://msdn.microsoft.com/library/windows/hardware/aa394360) | +[**Win32\_Printer**](https://msdn.microsoft.com/library/windows/hardware/aa394363) | +[**Win32\_PrinterConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394364) | +[**Win32\_Processor**](https://msdn.microsoft.com/library/windows/hardware/aa394373) | ![cross mark](images/checkmark.png) +[**Win32\_QuickFixEngineering**](https://msdn.microsoft.com/library/windows/hardware/aa394391) | ![cross mark](images/checkmark.png) +[**Win32\_Registry**](https://msdn.microsoft.com/library/windows/hardware/aa394394) | +[**Win32\_SCSIController**](https://msdn.microsoft.com/library/windows/hardware/aa394400) | +[**Win32\_SerialPort**](https://msdn.microsoft.com/library/windows/hardware/aa394413) | +[**Win32\_SerialPortConfiguration**](https://msdn.microsoft.com/library/windows/hardware/aa394414) | +[**Win32\_ServerFeature**](https://msdn.microsoft.com/library/windows/hardware/cc280268) | +[**Win32\_Service**](https://msdn.microsoft.com/library/windows/hardware/aa394418) | ![cross mark](images/checkmark.png) +[**Win32\_Share**](https://msdn.microsoft.com/library/windows/hardware/aa394435) | ![cross mark](images/checkmark.png) +[**Win32\_SoundDevice**](https://msdn.microsoft.com/library/windows/hardware/aa394463) | +[**Win32\_SystemAccount**](https://msdn.microsoft.com/library/windows/hardware/aa394466) | +[**Win32\_SystemBIOS**](https://msdn.microsoft.com/library/windows/hardware/aa394467) | ![cross mark](images/checkmark.png) +[**Win32\_SystemDriver**](https://msdn.microsoft.com/library/windows/hardware/aa394472) | 
+[**Win32\_SystemEnclosure**](https://msdn.microsoft.com/library/windows/hardware/aa394474) | ![cross mark](images/checkmark.png) +[**Win32\_TapeDrive**](https://msdn.microsoft.com/library/windows/hardware/aa394491) | +[**Win32\_TimeZone**](https://msdn.microsoft.com/library/windows/hardware/aa394498) | ![cross mark](images/checkmark.png) +[**Win32\_UninterruptiblePowerSupply**](https://msdn.microsoft.com/library/windows/hardware/aa394503) | +[**Win32\_USBController**](https://msdn.microsoft.com/library/windows/hardware/aa394504) | +[**Win32\_UTCTime**](https://msdn.microsoft.com/library/windows/hardware/aa394510) | ![cross mark](images/checkmark.png) +[**Win32\_VideoController**](https://msdn.microsoft.com/library/windows/hardware/aa394505) | +**Win32\_WindowsUpdateAgentVersion** | +  + +## Related topics + + +[Configuration service provider reference](configuration-service-provider-reference.md) + +  + +  + +10/10/2016 + + + + diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 2d0e3ccf37..29b5b23d90 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -6,7 +6,7 @@ keywords: ["MDM", "Group Policy"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md index 7a18801dd0..ea6eb5cda2 100644 --- a/windows/client-management/reset-a-windows-10-mobile-device.md +++ b/windows/client-management/reset-a-windows-10-mobile-device.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile -author: jdeckerMS +author: jdeckerms localizationpriority: high --- 
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 4236b5e7da..10733f5cf7 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
-author: jdeckerMS
+author: jdeckerms
 ---
 # Change history for Configure Windows 10
diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md
index f45dbd39c6..0cdcbc76fc 100644
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@@ -6,7 +6,7 @@ keywords: ["group policy", "start menu", "start screen"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
diff --git a/windows/configuration/configure-devices-without-mdm.md b/windows/configuration/configure-devices-without-mdm.md
index 1c9093477b..93a12aba20 100644
--- a/windows/configuration/configure-devices-without-mdm.md
+++ b/windows/configuration/configure-devices-without-mdm.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: mobile, devices
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 9ba2624f45..7b332830bc 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -5,7 +5,7 @@ keywords: ["taskbar layout","pin apps"]
 ms.prod: W10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
 # Configure Windows 10 taskbar
diff --git a/windows/configuration/configure-windows-telemetry-in-your-organization.md b/windows/configuration/configure-windows-telemetry-in-your-organization.md
index 3cc807c64a..10b155e2d8 100644
--- a/windows/configuration/configure-windows-telemetry-in-your-organization.md
+++ b/windows/configuration/configure-windows-telemetry-in-your-organization.md
@@ -98,7 +98,7 @@ Windows telemetry also helps Microsoft better understand how customers use (or d
 ### Insights into your own organization
-Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
+Sharing information with Microsoft helps make Windows and other products better, but it can also help make your internal processes and user experiences better, as well. Microsoft is in the process of developing a set of analytics customized for your internal use. The first of these, called [Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness).
 #### Upgrade Readiness
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index a7c154e348..adf99d68fe 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -6,7 +6,7 @@ keywords: ["start screen"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 170d81d10d..816c2dfba0 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -6,7 +6,7 @@ keywords: ["Start layout", "start menu", "layout", "group policy"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
index 5255a639ff..3a731ffc48 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md
@@ -6,7 +6,7 @@ keywords: ["start screen", "start menu"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 842bde95de..2046f28cd5 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -6,7 +6,7 @@ keywords: ["Start layout", "start menu"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: medium
 ---
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 07ca5a5dc2..9e4397cd87 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -32,7 +32,8 @@
 "externalReference": [],
 "globalMetadata": {
 "uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
 },
 "fileMetadata": {},
 "template": [],
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index 0c36993eea..fc598eebe1 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -5,7 +5,7 @@ keywords: ["kiosk", "lockdown", "assigned access"]
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: jdeckerMS
+author: jdeckerms
 localizationpriority: high
 ---
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index 28bf0e8e33..1432e34058 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
-author: jdeckerMS
+author: jdeckerms
 ---
 # Configure Windows 10
diff --git a/windows/configuration/kiosk-shared-pc.md b/windows/configuration/kiosk-shared-pc.md
index d5d72c26b4..97daba286f 100644
--- a/windows/configuration/kiosk-shared-pc.md
+++ b/windows/configuration/kiosk-shared-pc.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: medium
-author: jdeckerMS
+author: jdeckerms
 ---
 # Configure kiosk and shared devices running Windows desktop editions
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 4430902cec..fd04412683 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: edu, security -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/lock-down-windows-10.md b/windows/configuration/lock-down-windows-10.md index d4ab1e35cb..3d2b718c3d 100644 --- a/windows/configuration/lock-down-windows-10.md +++ b/windows/configuration/lock-down-windows-10.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/lockdown-features-windows-10.md b/windows/configuration/lockdown-features-windows-10.md index 7c72bb6e2b..c7ee249a2d 100644 --- a/windows/configuration/lockdown-features-windows-10.md +++ b/windows/configuration/lockdown-features-windows-10.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: jdeckerMS +author: jdeckerms localizationpriority: high --- @@ -36,12 +36,12 @@ Many of the lockdown features available in Windows Embedded 8.1 Industry have be

[Hibernate Once/Resume Many (HORM)](https://go.microsoft.com/fwlink/p/?LinkId=626758): Quick boot to device

N/A -

HORM is supported in Windows 10, version 1607.

+

HORM is supported in Windows 10, version 1607 and later.

[Unified Write Filter](https://go.microsoft.com/fwlink/p/?LinkId=626757): protect a device's physical storage media

[Unified Write Filter](https://msdn.microsoft.com/en-us/library/windows/hardware/mt572001.aspx) -

The Unified Write Filter is continued in Windows 10, with the exception of HORM which has been deprecated.

+

The Unified Write Filter is continued in Windows 10.

[Keyboard Filter]( https://go.microsoft.com/fwlink/p/?LinkId=626761): block hotkeys and other key combinations

diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e95ca70d41..18fc7be5b4 100644 --- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -25,7 +25,7 @@ If you want to minimize connections from Windows to Microsoft services, or confi You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. -To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article. +To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). 
This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. You should not extract this package to the windows\\system32 folder because it will not apply correctly. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article. We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. @@ -549,9 +549,11 @@ The following Microsoft Edge MDM policies are available in the [Policy CSP](http |------------------------------------------------------|-----------------------------------------------------------------------------------------------------| | Browser/AllowAutoFill | Choose whether employees can use autofill on websites.
Default: Allowed | | Browser/AllowDoNotTrack | Choose whether employees can send Do Not Track headers.
Default: Not allowed | +| Browser/AllowMicrosoftCompatbilityList | Specify the Microsoft compatibility list in Microsoft Edge.
Default: Enabled | | Browser/AllowPasswordManager | Choose whether employees can save passwords locally on their devices.
Default: Allowed | | Browser/AllowSearchSuggestionsinAddressBar | Choose whether the address bar shows search suggestions..
Default: Allowed | | Browser/AllowSmartScreen | Choose whether SmartScreen is turned on or off.
Default: Allowed | +| Browser/FirstRunURL | Choose the home page for Microsoft Edge on Windows Mobile 10.
Default: blank | For a complete list of the Microsoft Edge policies, see [Available policies for Microsoft Edge](http://technet.microsoft.com/library/mt270204.aspx). diff --git a/windows/configuration/manage-tips-and-suggestions.md b/windows/configuration/manage-tips-and-suggestions.md index 4b28a45ad9..de1c017907 100644 --- a/windows/configuration/manage-tips-and-suggestions.md +++ b/windows/configuration/manage-tips-and-suggestions.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: devices -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/mobile-devices/configure-mobile.md b/windows/configuration/mobile-devices/configure-mobile.md index db4bb93e0f..ecb327e4a5 100644 --- a/windows/configuration/mobile-devices/configure-mobile.md +++ b/windows/configuration/mobile-devices/configure-mobile.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: jdeckerMS +author: jdeckerms --- # Configure Windows 10 Mobile devices diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md index a6904b3499..054f2423b3 100644 --- a/windows/configuration/mobile-devices/lockdown-xml.md +++ b/windows/configuration/mobile-devices/lockdown-xml.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security, mobile -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md index 4ae14d1eaa..33a512ae37 100644 --- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md +++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md 
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: medium -author: jdeckerMS +author: jdeckerms --- # Use the Lockdown Designer app to create a Lockdown XML file diff --git a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md index f2a3295ba9..a3076896bb 100644 --- a/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md +++ b/windows/configuration/mobile-devices/product-ids-in-windows-10-mobile.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md index 40dbf0878d..07adaea24d 100644 --- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md +++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: jdeckerMS +author: jdeckerms --- # Use Windows Configuration Designer to configure Windows 10 Mobile devices diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md index 96659b0229..e9da325a36 100644 --- a/windows/configuration/mobile-devices/provisioning-nfc.md +++ b/windows/configuration/mobile-devices/provisioning-nfc.md @@ -4,7 +4,7 @@ description: ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/mobile-devices/provisioning-package-splitter.md b/windows/configuration/mobile-devices/provisioning-package-splitter.md index a6842ac37c..3204fd85b1 100644 
--- a/windows/configuration/mobile-devices/provisioning-package-splitter.md +++ b/windows/configuration/mobile-devices/provisioning-package-splitter.md @@ -4,7 +4,7 @@ description: ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md index 6eb9545022..32ff70af9b 100644 --- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md +++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md index 6e0e342400..5f5c0e2193 100644 --- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md +++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: mobile -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md index 8096be33e4..fb967c625a 100644 --- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md +++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md @@ -5,7 +5,7 @@ keywords: ["start screen"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- 
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md index 80b0bc6cb7..655266907f 100644 --- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md +++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md @@ -5,7 +5,7 @@ ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6 ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: medium --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md index eba24fd12d..8c55fb568e 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md +++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md @@ -6,7 +6,7 @@ keywords: ["runtime provisioning", "provisioning package"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md index 65013e78c7..de91fcd4cb 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md @@ -5,7 +5,7 @@ keywords: ["runtime provisioning", "provisioning package"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- 
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md index 90927d2a53..835fa8a371 100644 --- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md +++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md @@ -5,7 +5,7 @@ keywords: ["runtime provisioning", "provisioning package"] ms.prod: W10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md index bc88e92479..5ff8a5efe4 100644 --- a/windows/configuration/provisioning-packages/provisioning-apply-package.md +++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md @@ -4,7 +4,7 @@ description: Provisioning packages can be applied to a device during the first-r ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index a2e16343b0..79a293c1b6 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -4,7 +4,7 @@ description: ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md index 3beb70be19..6607c821d3 100644 --- a/windows/configuration/provisioning-packages/provisioning-create-package.md +++ b/windows/configuration/provisioning-packages/provisioning-create-package.md 
@@ -4,7 +4,7 @@ description: With Windows 10, you can create provisioning packages that let you ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md index 4b9527c0a8..e5acff9568 100644 --- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md +++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md @@ -4,7 +4,7 @@ description: A provisioning package (.ppkg) is a container for a collection of c ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md index f403af024d..ba730bf0b5 100644 --- a/windows/configuration/provisioning-packages/provisioning-install-icd.md +++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md @@ -4,7 +4,7 @@ description: Learn how to install and run Windows Configuration Designer. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md index 77755fdf5a..9a54b72f77 100644 --- a/windows/configuration/provisioning-packages/provisioning-multivariant.md +++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md @@ -4,7 +4,7 @@ description: Create a provisioning package with multivariant settings to customi ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md index 41222e1796..3b50ac1ed9 100644 --- a/windows/configuration/provisioning-packages/provisioning-packages.md +++ b/windows/configuration/provisioning-packages/provisioning-packages.md @@ -5,7 +5,7 @@ ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md index 508bada17f..28621fa4b0 100644 --- a/windows/configuration/provisioning-packages/provisioning-powershell.md +++ b/windows/configuration/provisioning-packages/provisioning-powershell.md @@ -4,7 +4,7 @@ description: ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md index d4b208b83a..e53ee20836 100644 --- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md +++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md @@ -4,7 +4,7 @@ description: With Windows 10, you can create provisioning packages that let you ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md index e4ee9c442e..fcfca68990 100644 --- a/windows/configuration/provisioning-packages/provisioning-uninstall-package.md 
+++ b/windows/configuration/provisioning-packages/provisioning-uninstall-package.md @@ -4,7 +4,7 @@ description: This topic lists the settings that are reverted when you uninstall ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/set-up-a-device-for-anyone-to-use.md b/windows/configuration/set-up-a-device-for-anyone-to-use.md index cecb14db32..cce5f6428b 100644 --- a/windows/configuration/set-up-a-device-for-anyone-to-use.md +++ b/windows/configuration/set-up-a-device-for-anyone-to-use.md @@ -6,7 +6,7 @@ keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index e45dd65373..e7a7a025ab 100644 --- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -6,7 +6,7 @@ keywords: ["assigned access", "kiosk", "lockdown"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index d89c6c3063..7a88e367cf 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md @@ -5,7 +5,7 @@ keywords: ["shared pc mode"] ms.prod: W10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 5e6da82bec..c103eb3576 100644 --- a/windows/configuration/start-layout-xml-desktop.md 
+++ b/windows/configuration/start-layout-xml-desktop.md @@ -5,7 +5,7 @@ keywords: ["start screen"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md index 83495bc80c..7480c4532f 100644 --- a/windows/configuration/start-secondary-tiles.md +++ b/windows/configuration/start-secondary-tiles.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: jdeckerMS +author: jdeckerms --- # Add image for secondary Microsoft Edge tiles diff --git a/windows/configuration/start-taskbar-lockscreen.md b/windows/configuration/start-taskbar-lockscreen.md index 13d4aba28d..cad0f022bc 100644 --- a/windows/configuration/start-taskbar-lockscreen.md +++ b/windows/configuration/start-taskbar-lockscreen.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: jdeckerMS +author: jdeckerms --- # Configure Start layout, taskbar, and lock screen for Windows 10 PCs diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index b43919e728..5fc6d0a993 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md +++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -6,7 +6,7 @@ keywords: ["start screen", "start menu"] ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- 
@@ -64,7 +64,7 @@ There are three categories of apps that might be pinned to a taskbar: * Apps pinned by the enterprise, such as in an unattended Windows setup >[!NOTE] - >The earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file is deprecated in Windows 10, version 1607. + >We recommend using [the layoutmodification.xml method](configure-windows-10-taskbar.md) to configure taskbar options, rather than the earlier method of using [TaskbarLinks](https://go.microsoft.com/fwlink/p/?LinkId=761230) in an unattended Windows setup file. The following example shows how apps will be pinned - Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using XML to the right (green square). @@ -97,7 +97,7 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a * If the user didn't pin the app and the app is in the updated layout file, the app will be pinned to the right. * New apps specified in updated layout file are pinned to right of user's pinned apps. -[Learn how to onfigure Windows 10 taskbar](configure-windows-10-taskbar.md). +[Learn how to configure Windows 10 taskbar](configure-windows-10-taskbar.md). ## Related topics diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md index 42bb79449f..c68dd7afa0 100644 --- a/windows/configuration/windows-spotlight.md +++ b/windows/configuration/windows-spotlight.md @@ -6,7 +6,7 @@ keywords: ["lockscreen"] ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json index 652028bf85..3c58607382 100644 --- a/windows/deployment/docfx.json +++ b/windows/deployment/docfx.json 
@@ -32,7 +32,8 @@
 "externalReference": [],
 "globalMetadata": {
 "uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
 },
 "fileMetadata": {},
 "template": [],
diff --git a/windows/deployment/images/security-update.png b/windows/deployment/images/security-update.png
new file mode 100644
index 0000000000..f7ca20f34e
Binary files /dev/null and b/windows/deployment/images/security-update.png differ
diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
index 2e289b8a5b..fa59c94780 100644
--- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
+++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md
@@ -68,7 +68,7 @@ To run the Upgrade Readiness deployment script:
 5. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system.
-The deployment script displays the following exit codes to let ddfyou know if it was successful, or if an error was encountered.
+The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
@@ -259,5 +259,26 @@ The deployment script displays the following exit codes to let ddfyou know if it + + + + + + + + + + + + + + + + + + + + +
43 - Function **EndImpersonatingLoggedOnUser** failed with an unexpected exception. Check the logs for the exception message and HResult.
44 - Diagtrack.dll version is old, so Auth Proxy will not work.Update the PC using Windows Update/Windows Server Update Services.
45 - Diagrack.dll was not found.Update the PC using Windows Update/Windows Server Update Services.
46 - **DisableEnterpriseAuthProxy** property should be set to **1** for **ClientProxy=Telemetry** to work.Set the **DisableEnterpriseAuthProxy** registry property to **1** at key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**.
47 - **TelemetryProxyServer** is not present in key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**.**ClientProxy** selected is **Telemetry**, but you need to add **TelemetryProxyServer** in key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**.
48 - **CommercialID** mentioned in RunConfig.bat should be a GUID.**CommercialID** is mentioned in RunConfig.bat, but it is not a GUID. Copy the commercialID from your workspace. To find the commercialID, in the OMS portal click **Upgrade Readiness > Settings**.
diff --git a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md index 1e852d5221..b4ee02d408 100644 --- a/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-by-proxy-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Activate by Proxy an Active Directory Forest diff --git a/windows/deployment/volume-activation/activate-forest-vamt.md b/windows/deployment/volume-activation/activate-forest-vamt.md index 082bac639c..3e03e5a68b 100644 --- a/windows/deployment/volume-activation/activate-forest-vamt.md +++ b/windows/deployment/volume-activation/activate-forest-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Activate an Active Directory Forest Online diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md index 14ca79684a..9b9225de42 100644 --- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md +++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md index e26a0f7fc6..acf1786ec8 100644 --- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md +++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md 
@@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/deployment/volume-activation/add-manage-products-vamt.md b/windows/deployment/volume-activation/add-manage-products-vamt.md index 88d5145472..70623ebb01 100644 --- a/windows/deployment/volume-activation/add-manage-products-vamt.md +++ b/windows/deployment/volume-activation/add-manage-products-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Add and Manage Products diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md index 2ad22c3d7f..5efb1a8409 100644 --- a/windows/deployment/volume-activation/add-remove-computers-vamt.md +++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md @@ -5,7 +5,7 @@ ms.assetid: cb6f3a78-ece0-4dc7-b086-cb003d82cd52 ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -author: jdeckerMS +author: jdeckerms ms.pagetype: activation --- diff --git a/windows/deployment/volume-activation/add-remove-product-key-vamt.md b/windows/deployment/volume-activation/add-remove-product-key-vamt.md index d659ae2507..61f1cd59da 100644 --- a/windows/deployment/volume-activation/add-remove-product-key-vamt.md +++ b/windows/deployment/volume-activation/add-remove-product-key-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Add and Remove a Product Key diff --git a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md index c8b4b71449..1ea07efda6 100644 
--- a/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md +++ b/windows/deployment/volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: medium --- # Appendix: Information sent to Microsoft during activation diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md index c5334ea193..6168096a40 100644 --- a/windows/deployment/volume-activation/configure-client-computers-vamt.md +++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Configure Client Computers diff --git a/windows/deployment/volume-activation/import-export-vamt-data.md b/windows/deployment/volume-activation/import-export-vamt-data.md index d33f27e139..91604fe914 100644 --- a/windows/deployment/volume-activation/import-export-vamt-data.md +++ b/windows/deployment/volume-activation/import-export-vamt-data.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Import and Export VAMT Data diff --git a/windows/deployment/volume-activation/install-configure-vamt.md b/windows/deployment/volume-activation/install-configure-vamt.md index eb904768ad..3c4cd55263 100644 --- a/windows/deployment/volume-activation/install-configure-vamt.md +++ b/windows/deployment/volume-activation/install-configure-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: high --- 
diff --git a/windows/deployment/volume-activation/install-kms-client-key-vamt.md b/windows/deployment/volume-activation/install-kms-client-key-vamt.md index f1774ca7c8..5a296869a0 100644 --- a/windows/deployment/volume-activation/install-kms-client-key-vamt.md +++ b/windows/deployment/volume-activation/install-kms-client-key-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/deployment/volume-activation/install-product-key-vamt.md b/windows/deployment/volume-activation/install-product-key-vamt.md index eed5461a87..0418bd6a7c 100644 --- a/windows/deployment/volume-activation/install-product-key-vamt.md +++ b/windows/deployment/volume-activation/install-product-key-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md index e88d197a83..767086f01e 100644 --- a/windows/deployment/volume-activation/install-vamt.md +++ b/windows/deployment/volume-activation/install-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md index 133b8e6966..06e3d0da40 100644 --- a/windows/deployment/volume-activation/introduction-vamt.md +++ b/windows/deployment/volume-activation/introduction-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Introduction to VAMT 
diff --git a/windows/deployment/volume-activation/kms-activation-vamt.md b/windows/deployment/volume-activation/kms-activation-vamt.md index beed3fb86f..ed9eb06fee 100644 --- a/windows/deployment/volume-activation/kms-activation-vamt.md +++ b/windows/deployment/volume-activation/kms-activation-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Perform KMS Activation diff --git a/windows/deployment/volume-activation/local-reactivation-vamt.md b/windows/deployment/volume-activation/local-reactivation-vamt.md index 72b132e799..00e5d02250 100644 --- a/windows/deployment/volume-activation/local-reactivation-vamt.md +++ b/windows/deployment/volume-activation/local-reactivation-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Perform Local Reactivation diff --git a/windows/deployment/volume-activation/manage-activations-vamt.md b/windows/deployment/volume-activation/manage-activations-vamt.md index effac81fd1..ff91afb865 100644 --- a/windows/deployment/volume-activation/manage-activations-vamt.md +++ b/windows/deployment/volume-activation/manage-activations-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Manage Activations diff --git a/windows/deployment/volume-activation/manage-product-keys-vamt.md b/windows/deployment/volume-activation/manage-product-keys-vamt.md index a495718fe7..dd978d039a 100644 --- a/windows/deployment/volume-activation/manage-product-keys-vamt.md +++ b/windows/deployment/volume-activation/manage-product-keys-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Manage Product Keys 
diff --git a/windows/deployment/volume-activation/manage-vamt-data.md b/windows/deployment/volume-activation/manage-vamt-data.md index 00bbd3982f..5062e4e819 100644 --- a/windows/deployment/volume-activation/manage-vamt-data.md +++ b/windows/deployment/volume-activation/manage-vamt-data.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Manage VAMT Data diff --git a/windows/deployment/volume-activation/online-activation-vamt.md b/windows/deployment/volume-activation/online-activation-vamt.md index 65311aa3e8..adfdc41abf 100644 --- a/windows/deployment/volume-activation/online-activation-vamt.md +++ b/windows/deployment/volume-activation/online-activation-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Perform Online Activation diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md index a4038a2e4d..93bf083b08 100644 --- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md +++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: medium --- diff --git a/windows/deployment/volume-activation/proxy-activation-vamt.md b/windows/deployment/volume-activation/proxy-activation-vamt.md index ab273007b8..62def8d290 100644 --- a/windows/deployment/volume-activation/proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/proxy-activation-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Perform Proxy Activation 
diff --git a/windows/deployment/volume-activation/remove-products-vamt.md b/windows/deployment/volume-activation/remove-products-vamt.md index da875ea27e..5d72e09b0c 100644 --- a/windows/deployment/volume-activation/remove-products-vamt.md +++ b/windows/deployment/volume-activation/remove-products-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Remove Products diff --git a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md index 385af084f9..6643bb09c6 100644 --- a/windows/deployment/volume-activation/scenario-kms-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-kms-activation-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Scenario 3: KMS Client Activation diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md index a5c448c186..2d818a946e 100644 --- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Scenario 1: Online Activation diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index 8059e34cae..4298e90b11 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md 
@@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Scenario 2: Proxy Activation diff --git a/windows/deployment/volume-activation/update-product-status-vamt.md b/windows/deployment/volume-activation/update-product-status-vamt.md index 0e7af45fec..caf624b267 100644 --- a/windows/deployment/volume-activation/update-product-status-vamt.md +++ b/windows/deployment/volume-activation/update-product-status-vamt.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Update Product Status diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md index cc99819630..0322aa4208 100644 --- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md +++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 3d285f1e56..b461b29aa7 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Use VAMT in Windows PowerShell diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index 2e9ac12d08..b2eaf3b2bc 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md 
+++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # VAMT Known Issues diff --git a/windows/deployment/volume-activation/vamt-requirements.md b/windows/deployment/volume-activation/vamt-requirements.md index 99379424ef..6e4a94c8e3 100644 --- a/windows/deployment/volume-activation/vamt-requirements.md +++ b/windows/deployment/volume-activation/vamt-requirements.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # VAMT Requirements diff --git a/windows/deployment/volume-activation/vamt-step-by-step.md b/windows/deployment/volume-activation/vamt-step-by-step.md index 5582bd3417..7d6fd78f4d 100644 --- a/windows/deployment/volume-activation/vamt-step-by-step.md +++ b/windows/deployment/volume-activation/vamt-step-by-step.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # VAMT Step-by-Step Scenarios diff --git a/windows/deployment/volume-activation/volume-activation-management-tool.md b/windows/deployment/volume-activation/volume-activation-management-tool.md index 887c116352..e315f32f6f 100644 --- a/windows/deployment/volume-activation/volume-activation-management-tool.md +++ b/windows/deployment/volume-activation/volume-activation-management-tool.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms --- # Volume Activation Management Tool (VAMT) Technical Reference diff --git a/windows/deployment/volume-activation/volume-activation-windows-10.md b/windows/deployment/volume-activation/volume-activation-windows-10.md index 2ed015e7ba..a9746eeb19 100644 --- a/windows/deployment/volume-activation/volume-activation-windows-10.md 
+++ b/windows/deployment/volume-activation/volume-activation-windows-10.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -author: jdeckerMS +author: jdeckerms localizationpriority: high --- diff --git a/windows/device-security/auditing/audit-other-object-access-events.md b/windows/device-security/auditing/audit-other-object-access-events.md index 4501674589..ed9fe36ec9 100644 --- a/windows/device-security/auditing/audit-other-object-access-events.md +++ b/windows/device-security/auditing/audit-other-object-access-events.md @@ -22,9 +22,9 @@ Audit Other Object Access Events allows you to monitor operations with scheduled | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | |-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | -| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | -| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack. | +| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICMP DoS attack. | +| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICMP DoS attack. | +| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICMP DoS attack. | **Events List:** diff --git a/windows/device-security/auditing/event-5148.md b/windows/device-security/auditing/event-5148.md index 7751cd9686..305afcbee8 100644 --- a/windows/device-security/auditing/event-5148.md +++ b/windows/device-security/auditing/event-5148.md @@ -15,7 +15,7 @@ author: Mir0sh - Windows Server 2016 -In most circumstances, this event occurs very rarely. It is designed to be generated when an ICPM DoS attack starts or was detected. +In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected. There is no example of this event in this document. diff --git a/windows/device-security/auditing/event-5149.md b/windows/device-security/auditing/event-5149.md index 24b3f6ab89..82a1d84b8e 100644 --- a/windows/device-security/auditing/event-5149.md +++ b/windows/device-security/auditing/event-5149.md @@ -15,7 +15,7 @@ author: Mir0sh - Windows Server 2016 -In most circumstances, this event occurs very rarely. It is designed to be generated when an ICPM DoS attack ended. +In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended. There is no example of this event in this document. diff --git a/windows/device-security/change-history-for-device-security.md b/windows/device-security/change-history-for-device-security.md index 20d4edb47f..f5c4e6001a 100644 --- a/windows/device-security/change-history-for-device-security.md +++ b/windows/device-security/change-history-for-device-security.md 
@@ -15,6 +15,7 @@ This topic lists new and updated topics in the [Device security](index.md) docum |New or changed topic |Description | |---------------------|------------| | [BitLocker Group Policy settings](bitlocker/bitlocker-group-policy-settings.md) | Changed startup PIN minimun length from 4 to 6. | +| [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) | New security policy setting. | ## March 2017 |New or changed topic |Description | diff --git a/windows/device-security/docfx.json b/windows/device-security/docfx.json index b0f818ea94..c0e36621af 100644 --- a/windows/device-security/docfx.json +++ b/windows/device-security/docfx.json @@ -32,7 +32,8 @@ "externalReference": [], "globalMetadata": { "uhfHeaderId": "MSDocsHeader-WindowsIT", - "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json" + "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json", + "ms.technology": "windows" }, "fileMetadata": {}, "template": [], diff --git a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md index f28eab1191..6c96f4605e 100644 --- a/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md +++ b/windows/device-security/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md @@ -1,4 +1,4 @@ ---- +--- title: Network access - Restrict clients allowed to make remote calls to SAM description: Security policy setting that controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. ms.prod: w10 
@@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security localizationpriority: high -author: brianlic-msft +author: justinha --- # Network access: Restrict clients allowed to make remote calls to SAM 
@@ -23,64 +23,77 @@ author: brianlic-msft - Windows Server 2008 R2 with [KB 4012218](https://support.microsoft.com/en-us/help/4012218/march-2017-preview-of-monthly-quality-rollup-for-windows-7-sp1-and-windows-server-2008-r2-sp1) installed -The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database. The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the the KB articles listed in **Applies to** section of this topic. +The **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting controls which users can enumerate users and groups in the local Security Accounts Manager (SAM) database and Active Directory. +The setting was first supported by Windows 10 version 1607 and Windows Server 2016 (RTM) and can be configured on earlier Windows client and server operating systems by installing updates from the the KB articles listed in **Applies to** section of this topic. -This topic describes the default values for this security policy setting in different versions of Windows, related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups in the SAM so that your environment remains secure without adversely impacting application compatibility. +This topic describes the default values for this security policy setting in different versions of Windows. +By default, computers beginning with Windows 10 version 1607 and Windows Server 2016 are more restrictive than earlier versions of Windows. 
+This means that if you have a mix of computers, such as member servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed. + +This topic also covers related events, and how to enable audit mode before constraining the security principals that are allowed to remotely enumerate users and groups so that your environment remains secure without impacting application compatibility. ## Reference -The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment. +The SAMRPC protocol makes it possible for a low privileged user to query a machine on a network for data. +For example, a user can use SAMRPC to enumerate users, including privileged accounts such as local or domain administrators, or to enumerate groups and group memberships from the local SAM and Active Directory. +This information can provide important context and serve as a starting point for an attacker to compromise a domain or networking environment. -To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define. 
+To mitigate this risk, you can configure the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting to force the security accounts manager (SAM) to do an access check against remote calls. +The access check allows or denies remote RPC connections to SAM and Active Directory for users and groups that you define. -By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is not defined. If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. If the policy setting is left blank after the policy is defined, the policy is not enforced. +By default, the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is not defined. +If you define it, you can edit the default Security Descriptor Definition Language (SDDL) string to explicitly allow or deny users and groups to make remote calls to the SAM. +If the policy setting is left blank after the policy is defined, the policy is not enforced. -The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators. +The default security descriptor on computers beginning with Windows 10 version 1607 and Windows Server 2016 allows only the local (built-in) Administrators group remote access to SAM on non-domain controllers, and allows Everyone access on domain controllers. +You can edit the default security descriptor to allow or deny other users and groups, including the built-in Administrators. 
-The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. This less restrictive default allows for testing the impact of enabling restrictions on existing applications. +The default security descriptor on computers that run earlier versions of Windows does not restrict any remote calls to SAM, but an administrator can edit the security descriptor to enforce restrictions. +This less restrictive default allows for testing the impact of enabling restrictions on existing applications. -This means that if you have a mix of computers, such as servers that run both Windows Server 2016 and Windows Server 2012 R2, the servers that run Windows Server 2016 may fail to enumerate accounts by default where the servers that run Windows Server 2012 R2 succeed. +## Policy and Registry Names -## Possible values -- Not defined -- Defined, along with the security descriptor for users and groups who are allowed or denied remote access to local SAM and Active directory using SAMRPC. +| | | +|----|---| +| Policy Name | Network access: Restrict clients allowed to make remote calls to SAM | +| Location | Computer Configuration\|Windows Settings\|Security Settings\|Local Policies\|Security Options | +| Possible values |
- Not defined
- Defined, along with the security descriptor for users and groups who are allowed or denied to use SAMRPC to remotely access either the local SAM or Active Directory. | +| Registry location | `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam` | +| Registry type | REG_SZ | +| Registry value | A string that will contain the SDDL of the security descriptor to be deployed. | -## Location +The Group Policy setting is only available on computers that run Windows Server 2016 or Windows 10, version 1607 and later. +This is the only option to configure this setting by using a user interface (UI). -Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - -This policy setting controls a string that will contain the SDDL of the security descriptor to be deployed to the following registry setting: - -HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSam +On computers that run earlier versions of Windows, you need to edit the registry setting directly or use Group Policy Preferences. +To avoid setting it manually in this case, you can configure the GPO itself on a computer that runs Windows Server 2016 or Windows 10, version 1607 or later and have it apply to all computers within the scope of the GPO because the same registry key exists on every computer after the corresponding KB is installed. > [!NOTE] -This policy is implemented similarly to other Network access policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. 
+> This policy is implemented similarly to other "Network access" policies in that there is a single policy element at the registry path listed. There is no notion of a local policy versus an enterprise policy; there is just one policy setting and whichever writes last wins. + +> For example, suppose a local administrator configures this setting as part of a local policy using the Local Security Policy snap-in (Secpol.msc), which edits that same registry path. If an enterprise administrator configures this setting as part of an enterprise GPO, that enterprise GPO will overwrite the same registry path. ## Default values -Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. The different default values help strike a balance where recent Windows versions are more secure by default and older versions don’t undergo any disruptive behavior changes. Computers that run earlier versions of Windows do not perform any access check by default. That includes domain controllers and non-domain controllers. This allows administrators to test whether applying the same restriction (that is, granting READ_CONTROL access only to members of the local Administrators group) will cause compatibility problems for existing applications before implementing this security policy setting in a production environment. +Beginning with Windows 10, version 1607 and Windows Server 2016, computers have hard-coded and more restrictive default values than earlier versions of Windows. +The different default values help strike a balance where recent Windows versions are more secure by default and older versions don’t undergo any disruptive behavior changes. +Administrators can test whether applying the same restriction earlier versions of Windows will cause compatibility problems for existing applications before implementing this security policy setting in a production environment. 
In other words, the hotfix in each KB article provides the necessary code and functionality, but you need to configure the restriction after you install the hotfix—no restrictions are enabled by default after the hotfix is installed on earlier versions of Windows. -### Default values beginning with Windows 10 version 1607 and Windows Server 2016 -The following default values apply to computers beginning with Windows Server 2016 and Windows 10, version 1607. The default security descriptor for non-domain controllers grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. - - | |Default SDDL |Translated SDDL| Comments |---|---|---|---| -|Domain controller (reading Active Directory|“”|-|Everyone has read permissions to preserve compatibility. -|Non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]------------------------- AceType:0x00
(ACCESS_ALLOWED_ACE_TYPE)
AceSize:0x0018
InheritFlags:0x00
Access Mask:0x00020000
AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

SACL: Not present |Only members of the local (built-in) Administrators group get access.| - -### Default values for earlier versions of Windows - -The following sections explain how to enable audit only mode to test the restriction while using applications you plan to run. +|Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.| +|Earlier domain controller |-|-|No access check is performed by default.| +|Windows 10, version 1607 non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18)
DACL:
• Revision: 0x02
• Size: 0x0020
• Ace Count: 0x001
• Ace[00]-------------------------
  AceType:0x00
  (ACCESS\_ALLOWED_ACE_TYPE)
  AceSize:0x0018
  InheritFlags:0x00
  Access Mask:0x00020000
  AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544)

  SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. | +|Earlier non-domain controller |-|-|No access check is performed by default.| ## Policy management -This section explains how to configure audit-only mode, how to analyze related events that are logged when the Network access: Restrict clients allowed to make remote calls to SAM security policy setting is enabled, and how to configure event throttling to prevent flooding the event log. +This section explains how to configure audit-only mode, how to analyze related events that are logged when the **Network access: Restrict clients allowed to make remote calls to SAM** security policy setting is enabled, and how to configure event throttling to prevent flooding the event log. ### Audit only mode -Audit only mode configures the SAM interface to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but the SAM interface will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting. +Audit only mode configures the SAMRPC protocol to do the access check against the currently configured security descriptor but will not fail the call if the access check fails. Instead, the call will be allowed, but SAMRPC will log an event describing what would have happened if the feature had been enabled. This provides administrators a way to test their applications before enabling the policy in production. Audit only mode is not configured by default. To configure it, add the following registry setting. |Registry|Details| |---|---| 
@@ -95,9 +108,7 @@ Audit only mode configures the SAM interface to do the access check against the
 There are corresponding events that indicate when remote calls to the SAM are restricted, what accounts attempted to read from the SAM database, and more. The following workflow is recommended to identify applications that may be affected by restricting remote calls to SAM:
 1. Dump event logs to a common share.
 2. Parse them with the [Events 16962 - 16969 Reader](https://gallery.technet.microsoft.com/Events-16962-16969-Reader-2eae5f1d) script.
-3. Look for the following events:
-• For domain controllers, events are logged in the Directory Services log in Event Viewer with event source Directory-Service-SAM (from Event ID 16962 to 16969, as listed in the following table).
-• For non-domain controllers, the same event IDs are logged in the System log with event source Directory-Service-SAM.
+3. Review Event IDs 16962 to 16969, as listed in the following table, in the System log with event source Directory-Service-SAM.
 4. Identify which security contexts are enumerating users or groups in the SAM database.
 5. Prioritize the callers, determine if they should be allowed or not, then include the allowed callers in the SDDL string.
diff --git a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
index 27fa6ec7db..8203714148 100644
--- a/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/device-security/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -21,29 +21,14 @@ The TPM Services Group Policy settings are located at:
 **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-| Setting | Windows 10, version 1607 and Windows Server 2016 | Windows 10, version 1511 and Windows 10, version 1507 |
-|-----------------|--------------------------------------------------|-------------------------------------------------------|
-| [Turn on TPM backup to Active Directory Domain Services](#turn-on-tpm-backup-to-active-directory-domain-services) | | X |
-| [Configure the list of blocked TPM commands](#configure-the-list-of-blocked-tpm-commands) | X | X |
-| [Ignore the default list of blocked TPM commands](#ignore-the-default-list-of-blocked-tpm-commands) | X | X |
-| [Ignore the local list of blocked TPM commands](#ignore-the-local-list-of-blocked-tpm-commands) | X | X |
-| [Configure the level of TPM owner authorization information available to the operating system](#configure-the-level-of-tpm-owner-authorization-information-available-to-the-operating-system) | X | X |
-| [Standard User Lockout Duration](#standard-user-lockout-duration) | X | X |
-| [Standard User Individual Lockout Threshold](#standard-user-individual-lockout-threshold) | X | X |
-| [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold) | X | X |
+### Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0
-### Turn on TPM backup to Active Directory Domain Services
+Introduced in Windows 10, version 1703, this policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if: a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607, and b) the System has a TPM 2.0.
-This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of TPM owner information.
+Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to:
+a) disable it from group policy and b) clear the TPM on the system.
-TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can be run only by the TPM owner. This hash authorizes the TPM to run these commands.
-
-> [!IMPORTANT]
-> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
-
-If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.
-
-If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
+**The following Group Policy settings were introduced in Window 10:**
 ### Configure the list of blocked TPM commands
@@ -164,6 +149,13 @@ An administrator with the TPM owner password can fully reset the TPM's hardware
 If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure.
+> [!IMPORTANT]
+> The **Turn on TPM backup to Active Directory Domain Services** is not available in the Windows 10, version 1607 and Windows Server 2016 and later versions of the ADMX files.
+
+If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. When this policy setting is enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds.
+
+If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS.
+
 ## Related topics
 - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
diff --git a/windows/hub/breadcrumb/toc.yml b/windows/hub/breadcrumb/toc.yml
index c435a3c156..f876a162da 100644
--- a/windows/hub/breadcrumb/toc.yml
+++ b/windows/hub/breadcrumb/toc.yml
@@ -21,6 +21,10 @@
 - name: Client management
 tocHref: /windows/client-management/
 topicHref: /windows/client-management/index
+ items:
+ - name: Mobile Device Management
+ tocHref: /windows/client-management/mdm
+ topicHref: /windows/client-management/mdm/index
 - name: Access protection
 tocHref: /windows/access-protection/
 topicHref: /windows/access-protection/index
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index 863fc12d71..e134b0e320 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -34,7 +34,8 @@
 "externalReference": [],
 "globalMetadata": {
 "uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
 },
 "fileMetadata": {},
 "template": [],
diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md
index bd6bc5f1e7..c0eb96f69d 100644
--- a/windows/threat-protection/TOC.md
+++ b/windows/threat-protection/TOC.md
@@ -25,7 +25,7 @@
 #### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
 #### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
 #### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
-#### [View and organize the Machines view](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
+#### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
 #### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
 ##### [Search for specific alerts](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-alerts)
 ##### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
@@ -72,8 +72,10 @@
 #### [Turn on advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
 #### [Turn on preview experience](windows-defender-atp\preview-settings-windows-defender-advanced-threat-protection.md)
 #### [Configure email notifications](windows-defender-atp\configure-email-notifications-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Enable Threat intel API](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender ATP settings](windows-defender-atp\settings-windows-defender-advanced-threat-protection.md)
-### [Windows Defender ATP service status](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
+### [Windows Defender ATP service health](windows-defender-atp\service-status-windows-defender-advanced-threat-protection.md)
 ### [Troubleshoot Windows Defender ATP](windows-defender-atp\troubleshoot-windows-defender-advanced-threat-protection.md)
 ### [Review events and errors on endpoints with Event Viewer](windows-defender-atp\event-error-codes-windows-defender-advanced-threat-protection.md)
 ### [Windows Defender Antivirus compatibility](windows-defender-atp\defender-compatibility-windows-defender-advanced-threat-protection.md)
@@ -156,4 +158,4 @@
 ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-## [Change history for Threat Protection](change-history-for-threat-protection.md)
\ No newline at end of file
+## [Change history for Threat Protection](change-history-for-threat-protection.md)
diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md
index e9175ab33a..07f61a5d85 100644
--- a/windows/threat-protection/change-history-for-threat-protection.md
+++ b/windows/threat-protection/change-history-for-threat-protection.md
@@ -14,11 +14,8 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc
 ## March 2017
 |New or changed topic |Description |
 |---------------------|------------|
-|[Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune.md)|Updated based on Windows 10, version 1703.|
 |[How to collect Windows Information Protection (WIP) audit event logs](windows-information-protection\collect-wip-audit-event-logs.md) |New |
 |[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](windows-information-protection\mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. |
-|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) |Updated based on Windows 10, version 1703. |
-|[Deploy your Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune.md) |Updated based on Windows 10, version 1703.
 |[Limitations while using Windows Information Protection (WIP)](windows-information-protection\limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703.|
 |[Windows Defender SmartScreen overview](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)|New |
 |[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)|New |
diff --git a/windows/threat-protection/docfx.json b/windows/threat-protection/docfx.json
index 5614b0a94c..1078120934 100644
--- a/windows/threat-protection/docfx.json
+++ b/windows/threat-protection/docfx.json
@@ -32,7 +32,8 @@
 "externalReference": [],
 "globalMetadata": {
 "uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
 },
 "fileMetadata": {},
 "template": [],
diff --git a/windows/threat-protection/images/security-update.png b/windows/threat-protection/images/security-update.png
new file mode 100644
index 0000000000..f7ca20f34e
Binary files /dev/null and b/windows/threat-protection/images/security-update.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png
new file mode 100644
index 0000000000..42864aafbb
Binary files /dev/null and b/windows/threat-protection/windows-defender-antivirus/images/defender/wdav-wdsc-defs.png differ
diff --git a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
index e65cadaeee..751a8801d2 100644
--- a/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Manage how and where Windows Defender AV receives updates
-description: Manage how Windows Defender Antivirus receives protection updates.
+description: Manage the fallback order for how Windows Defender Antivirus receives protection updates.
 keywords: updates, security baselines, protection, fallback order, ADL, MMPC, UNC, file path, share, wsus
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -12,14 +12,14 @@ localizationpriority: medium
 author: iaanw
 ---
-# Manage Windows Defender Antivirus protection and definition updates
+# Manage the sources for Windows Defender Antivirus protection updates
 **Applies to**
 - Windows 10
 **Audience**
-- Network administrators
+- Enterprise security administrators
 **Manageability available with**
@@ -31,40 +31,60 @@ author: iaanw -Windows Defender AV uses both [cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) (also called the Microsoft Advanced Protection Service or MAPS) and periodically downloaded protection updates to provide protection. These protection updates are also known as "definitions" or "signature updates". - -The cloud-delivered protection is “always-on” and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). - There are two components to managing protection updates - where the updates are downloaded from, and when updates are downloaded and applied. -This topic describes the locations +This topic describes where you can specify the updates should be downloaded from, also known as the fallback order. + +See the [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) topic for an overview on how updates work, and how to configure other aspects of updates (such as scheduling updates). -## Manage the fallback order for downloading protection updates -There are five locations where you can specify where an endpoint should obtain updates. Typically, you would configure each endpoint to individually download the updates from a primary source and specify fallback sources in case the primary source is unavailable. +There are five locations where you can specify where an endpoint should obtain updates. Typically, you would configure endpoints to individually download the updates from a primary source, followed by the other sources in order of priority based on your network configuration. + +Updates will be obtained from the sources in the order you specify. If a source is not available, the next source in the list will be used. 
+ +You can use the following sources: + + +- Microsoft Update - [Windows Server Update Service (WSUS)](https://technet.microsoft.com/windowsserver/bb332157.aspx) -- Microsoft Update. -- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx) +- System Center Configuration Manager - A network file share -- Configuration manager +- The [Microsoft Malware Protection Center definitions page (MMPC)](http://www.microsoft.com/security/portal/definitions/adl.aspx) -Each location has typical scenarios (in addition to acting as fallback locations) for when you would use that source, as described in the following table: + +When updates are published, some logic will be applied to minimize the size of the update. In most cases, only the "delta" (or the differences between the latest update and the update that is currently installed on the endpoint) will be downloaded and applied. However, the size of the delta depends on: + +- How old the current update on the endpoint is +- Which source you use + + +The older the updates on an endpoint, the larger the download. However, you must also consider frequency versus size - a more frequent update schedule may result in more ad hoc network usage, while a less-frequent schedule may result in larger file sizes. + +Microsoft Update allows for rapid releases, which means it will download small deltas on a frequent basis. This ensures the best protection, but may increase network bandwidth. + +The WSUS, Configuration Manager and MMPC sources will deliver less frequent updates. The size of the updates may be slightly larger than the frequent release from Microsoft Update (as the delta, or differences between the latest version and what is on the endpoint will be larger). This ensures consistent protection without increasing ad hoc network usage (although the amount of data may be the same or increased as the updates will be fewer, but may be slightly larger). 
+ +Each source has typical scenarios that depend on how your network is configured, in addition to how often they publish updates, as described in the following table: Location | Sample scenario ---|--- -WSUS | You are using WSUS to manage updates for your network -Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network. -MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). -File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments. +WSUS | You are using WSUS to manage updates for your network. +Microsoft Update | You want your endpoints to connect directly to Microsoft Update. This can be useful for endpoints that irregularly connect to your enterprise network, or if you do not use WSUS to manage your updates. +File share | You have non-Internet-connected devices (such as VMs). You can use your Internet-connected VM host to download the updates to a network share, from which the VMs can obtain the updates. See the [VDI deployment guide](deployment-vdi-windows-defender-antivirus.md) for how file shares can be used in virtual desktop infrastructure (VDI) environments. Configuration Manager | You are using System Center Configuration Manager to update your endpoints. - +MMPC | You need to download the latest protection updates because of a recent infection or to help provision a strong, base image for [VDI deployment](deployment-vdi-windows-defender-antivirus.md). 
This option should generally be used only as a final fallback source, and not the primary source. + + You can manage the order in which update sources are used with Group Policy, System Center Configuration Manager, PowerShell cmdlets, and WMI. > [!IMPORTANT] > If you set WSUS as a download location, you must approve the updates - regardless of what management tool you use to specify the location. You can set up an automatic approval rule with WSUS, which may be useful as updates arrive at least once a day. See [To synchronize endpoint protection updates in standalone WSUS](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-definitions-wsus#to-synchronize-endpoint-protection-definition-updates-in-standalone-wsus) for more details. +The procedures in this article first describe how to set the order, and then how to set up the **File share** option if you have enabled it. + + **Use Group Policy to manage the update location:** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. @@ -77,7 +97,7 @@ You can manage the order in which update sources are used with Group Policy, Sys 1. Double-click the **Define the order of sources for downloading definition updates** setting and set the option to **Enabled**. - 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, shown in the following screenshot. + 2. Enter the order of sources, separated by a single pipe, for example: `InternalDefinitionUpdateServer|MicrosoftUpdateServer|MMPC`, as shown in the following screenshot. ![Screenshot of group policy setting listing the order of sources](images/defender/wdav-order-update-sources.png) 
@@ -131,11 +151,11 @@ See the following for more information: ## Related topics -- [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md) -- [Manage Windows Defender Antivirus updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) +- [Deploy, manage updates, and report on Windows Defender AV](deploy-manage-report-windows-defender-antivirus.md) +- [Manage Windows Defender AV updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md) - [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) - [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md) - [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md) -- [Manage updates for mobile devices and virtual machines (VMs)](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) +- [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md) +- [Windows Defender AV in Windows 10](windows-defender-antivirus-in-windows-10.md) diff --git a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index ebc8b9c83d..0a4d40cb54 100644 --- a/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md 
@@ -89,13 +89,15 @@ This section describes how to perform some of the most common tasks when reviewi 4. Click **Advanced scan** to specify different types of scans, such as a full scan. - -**Download protection updates in the Windows Defender Security Center app** + +**Review the definition update version and download the latest updates in the Windows Defender Security Center app** 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). -3. Click **Protection updates**. +3. Click **Protection updates**. The currently installed version is displayed along with some information about when it was downloaded. You can check this against the latest version available for manual download, or review the change log for that version. + +![Definition version number information](images/defender/wdav-wdsc-defs.png) 4. Click **Check for updates** to download new protection updates (if there are any). 
@@ -129,15 +131,16 @@ This section describes how to perform some of the most common tasks when reviewi 5. Click the plus icon to choose the type and set the options for each exclusion. -**Review threat detection history in the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. - -2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). - -3. Click **Scan history**. - -4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). - +**Review threat detection history in the Windows Defender Security Center app** +1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. + +2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). + +3. Click **Scan history**. + +4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**). + + diff --git a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index 1bcbb15c46..e32f2b9d8d 100644 --- a/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md 
@@ -20,6 +20,21 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) +Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with. + +Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: + +## Block file +This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled. + +If your organization satisfies this condition, the feature is enabled by default. This feature enables you to block potentially malicious files in your network. This operation will prevent it from being read, written, or executed on machines in your organization. + +## Office 365 Security Center integration +This feature is only available if you have an active Office 365 E5 or the Threat Intelligence add-on. For more information, see the Office 365 Enterprise E5 product page. + +When you enable this feature, you'll be able to incorporate data from Office 365 Advanced Threat Protection into the Windows Defender ATP portal to conduct a holistic security investigation across Office 365 mailboxes and Windows machines. + + 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select the advanced feature you want to configure and toggle the setting between **On** and **Off**. 3. Click **Save preferences**. diff --git a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md index b720246c1e..5ae7bf350c 100644 --- a/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md @@ -35,19 +35,23 @@ To see a list of alerts, click any of the queues under the **Alerts queue** opti > [!NOTE] > By default, alerts in the queues are sorted from newest to oldest. -## Sort and filter the alerts +![Image of alerts queue](images/atp-alertsq2.png) + +## Sort, filter, and group the alerts list You can sort and filter the alerts using the available filters or clicking on a column's header that will sort the view in ascending or descending order. -![Alerts queue with numbers](images/alerts-queue-numbered.png) +**Time period**
+- 1 day +- 3 days +- 7 days +- 30 days +- 6 months -Highlighted area|Area name|Description -:---|:---|:--- -1 | Alert filters | Filter the list of alerts by severity, detection source, time period, or change the view from flat to grouped. -2 | Alert selected | Select an alert to bring up the **Alert management** pane to manage and see details about the alert. -3 | Alert management pane | View and manage alerts without leaving the alerts queue view. - -### Sort, filter, and group the alerts list -You can use the following filters to limit the list of alerts displayed during an investigation: +**OS Platform**
+ - Windows 10 + - Windows Server 2012 R2 + - Windows Server 2016 + - Other **Severity**
@@ -67,22 +71,17 @@ Reviewing the various alerts and their severity can help you decide on the appro >[!NOTE] >The Windows Defender Antivirus filter will only appear if your endpoints are using Windows Defender as the default real-time protection antimalware product. -**Time period**
-- 1 day -- 3 days -- 7 days -- 30 days -- 6 months - **View**
- **Flat view** - Lists alerts individually with alerts having the latest activity displayed at the top. - **Grouped view** - Groups alerts by alert ID, file hash, malware family, or other attribute to enable more efficient alert triage and management. Alert grouping reduces the number of rows in the queue by aggregating similar alerts together. -The grouped view allows efficient alert triage and management. +The grouped view allows for efficient alert triage and management. ### Use the Alert management pane Selecting an alert brings up the **Alert management** pane where you can manage and see details about the alert. +![Image of an alert selected](images/atp-alerts-selected.png) + You can take immediate action on an alert and see details about an alert in the **Alert management** pane: - Change the status of an alert from new, to in progress, or resolved. @@ -101,6 +100,11 @@ You can take immediate action on an alert and see details about an alert in the >[!NOTE] >You can also access the **Alert management** pane from the machine details view by selecting an alert in the **Alerts related to this machine** section. +### Use the User details pane +Selecting a user brings up the **User details** pane where you can see information such as machine details, related alerts, last IP address, when the machine was first and last seen reporting to the service, and information on the logged on users. + +![Alerts queue with numbers](images/atp-alerts-queue-user.png) + ### Bulk edit alerts Select multiple alerts (Ctrl or Shift select) and manage or edit alerts together, which allows resolving multiple similar alerts in one action. diff --git a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md index 22861fbaa2..eba6caa7cc 100644 
--- a/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md @@ -24,16 +24,25 @@ localizationpriority: high The sensor health tile provides information on the individual endpoint’s ability to provide sensor data and communicate with the Windows Defender ATP service. It reports how many machines require attention and helps you identify problematic machines and take action to correct known issues. -![Windows Defender ATP sensor health tile](images/atp-sensor-health-filter.png) +![Windows Defender ATP sensor health tile](images/atp-portal-sensor.png) There are two status indicators on the tile that provide information on the number of machines that are not reporting properly to the service: - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. - **Misconfigured** - These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. -Clicking any of the groups directs you to Machines view, filtered according to your choice. +Clicking any of the groups directs you to Machines list, filtered according to your choice. ![Windows Defender ATP sensor filter](images/atp-sensor-filter.png) + + +You can also download the entire list in CSV format using the **Export to CSV** feature. For more information on filters, see [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md). + You can filter the health state list by the following status: - **Active** - Machines that are actively reporting to the Windows Defender ATP service. - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service. 
@@ -45,7 +54,7 @@ You can view the machine details when you click on a misconfigured or inactive m ![Windows Defender ATP sensor filter](images/atp-machine-health-details.png) -In the **Machines view**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page. +In the **Machines list**, you can download a full list of all the machines in your organization in a CSV format. To download, click the **Manage Alert** menu icon on the top corner of the page. >[!NOTE] >Export the list in CSV format to display the unfiltered data. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself and can take a significant amount of time to download, depending on how large your organization is. diff --git a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md index 8084bd32aa..494eb84889 100644 --- a/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md 
@@ -35,7 +35,7 @@ The email notification includes basic information about the alert and a link to ## Set up email notifications for alerts The email notifications feature is turned off by default. Turn it on to start receiving email notifications. -1. On the navigation pane, select **Preferences Setup** > **Email Notifications**. +1. On the navigation pane, select **Preferences setup** > **Email Notifications**. 2. Toggle the setting between **On** and **Off**. 3. Select the alert severity level that you’d like your recipients to receive: - **High** – Select this level to send notifications for high-severity alerts. diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md index c6e02becaf..703871c3fd 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md @@ -28,7 +28,7 @@ localizationpriority: high ## Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Select **Group Policy**, click **Download package** and save the .zip file. 
@@ -74,6 +74,31 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa >[!NOTE] > If you don't set a value, the default value is to enable sample collection. +### Configure reporting frequency settings +Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. + +In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency. + +> [!NOTE] +> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. + +For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. + +The configuration is set through the following registry key entry: + +``` +Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” +Name: "latency" +Value: Normal or Expedite +``` +Where:
+Key type is a string.
+Possible values are: +- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance +- Expedite - sets reporting frequency from the endpoint to Expedite mode + +The default value in case the registry key doesn’t exist is Normal. + ### Offboard endpoints For security reasons, the package used to offboard endpoints will expire 30 days after the date it was downloaded. Expired offboarding packages sent to an endpoint will be rejected. When downloading an offboarding package you will be notified of the packages expiry date and it will also be included in the package name. @@ -82,7 +107,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. 
@@ -104,16 +129,20 @@ For security reasons, the package used to offboard endpoints will expire 30 days 9. Click **OK** and close any open GPMC windows. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. + + ## Monitor endpoint configuration With Group Policy there isn’t an option to monitor deployment of policies on the endpoints. Monitoring can be done directly on the portal, or by using the different deployment tools. ## Monitor endpoints using the portal 1. Go to the [Windows Defender ATP portal](https://securitycenter.windows.com/). -2. Click **Machines view**. +2. Click **Machines list**. 3. Verify that endpoints are appearing. > [!NOTE] -> It can take several days for endpoints to start showing on the **Machines view**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. +> It can take several days for endpoints to start showing on the **Machines list**. This includes the time it takes for the policies to be distributed to the endpoint, the time it takes before the user logs on, and the time it takes for the endpoint to start reporting. ## Related topics diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index d714ae09df..a17a666708 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md 
@@ -33,7 +33,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Select **Endpoint Management** on the **Navigation pane**. + a. Select **Endpoint management** on the **Navigation pane**. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. @@ -80,7 +80,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre ![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png) -When the policy is deployed and is propagated, endpoints will be shown in the **Machines view**. +When the policy is deployed and is propagated, endpoints will be shown in the **Machines list**. You can use the following onboarding policies to deploy configuration settings on endpoints. These policies can be sub-categorized to: - Onboarding 
@@ -99,12 +99,13 @@ Configuration for onboarded machines: telemetry reporting frequency | ./Device/V > [!NOTE] > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. > - Configuration of telemetry reporting frequency is only available for machines on Windows 10, version 1703. +> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. ### Using the Azure Intune Portal to deploy Windows Defender Advanced Threat Protection policies on Windows 10 1607 and higher 1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Select **Endpoint Management** on the **Navigation pane**. + a. Select **Endpoint management** on the **Navigation pane**. b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. @@ -156,7 +157,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. 
@@ -180,6 +181,8 @@ Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/W > [!NOTE] > The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. ## Related topics - [Configure endpoints using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 89f4c7887d..cb875edc71 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -26,6 +26,9 @@ localizationpriority: high ## Configure endpoints using System Center Configuration Manager (current branch) version 1606 System Center Configuration Manager (current branch) version 1606, has UI integrated support for configuring and managing Windows Defender ATP on endpoints. For more information, see [Support for Windows Defender Advanced Threat Protection service](https://go.microsoft.com/fwlink/p/?linkid=823682). +>[!NOTE] +> If you’re using SCCM client version 1606 with server version 1610 or above, you must upgrade the client version to match the server version. + ## Configure endpoints using System Center Configuration Manager earlier versions You can use System Center Configuration Manager’s existing functionality to create a policy to configure your endpoints. This is supported in the following System Center Configuration Manager versions: 
@@ -39,7 +42,7 @@ You can use System Center Configuration Manager’s existing functionality to cr 1. Open the SCCM configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Select **System Center Configuration Manager 2012/2012 R2/1511/1602**, click **Download package**, and save the .zip file. @@ -61,7 +64,7 @@ This rule should be a *remediating* compliance rule configuration item that sets The configuration is set through the following registry key entry: -```text +``` Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 
@@ -76,6 +79,31 @@ The default value in case the registry key doesn’t exist is 1. For more information about System Center Configuration Manager Compliance see [Compliance Settings in Configuration Manager](https://technet.microsoft.com/library/gg681958.aspx). +### Configure reporting frequency settings +Windows Defender ATP reporting frequency was tested over a large number of machines and is optimized to provide a recommended balance between speed and performance. + +In cases where high-value assets or machines are at high risk, you can configure the reporting frequency to expedite mode, allowing the machine to report at a higher frequency. + +> [!NOTE] +> Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. + +For each endpoint, you can configure a registry key value that determines how frequent a machine reports sensor data to the portal. + +The configuration is set through the following registry key entry: + +``` +Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” +Name: "latency" +Value: Normal or Expedite +``` +Where:
+Key type is a string.
+Possible values are: +- Normal - sets reporting frequency from the endpoint to Normal mode for the optimal speed and performance balance +- Expedite - sets reporting frequency from the endpoint to Expedite mode + +The default value in case the registry key doesn’t exist is Normal. + ### Offboard endpoints @@ -86,7 +114,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -94,12 +122,14 @@ For security reasons, the package used to offboard endpoints will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATPOffboardingScript_valid_until_YYYY-MM-DD.cmd*. -3. Import the configuration package by following the steps in the [How to Create Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682112.aspx#BKMK_Import) topic. - -4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. +3. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. + + ### Monitor endpoint configuration Monitoring with SCCM consists of two parts: 
diff --git a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md index 31b9b673c4..1bde6ab2f6 100644 --- a/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md @@ -23,10 +23,13 @@ localizationpriority: high You can also manually onboard individual endpoints to Windows Defender ATP. You might want to do this first when testing the service before you commit to onboarding all endpoints in your network. +> [!NOTE] +> The script has been optimized to be used on a limited number of machines (1-10 machines). To deploy to scale, use other deployment options. For more information on using other deployment options, see [Configure Windows Defender ATP endpoints](configure-endpoints-windows-defender-advanced-threat-protection.md). + ## Onboard endpoints 1. Open the GP configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Select **Local Script**, click **Download package** and save the .zip file. @@ -54,7 +57,7 @@ You can manually configure the sample sharing setting on the endpoint by using * The configuration is set through the following registry key entry: -```text +``` Path: “HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection” Name: "AllowSampleCollection" Value: 0 or 1 
@@ -76,7 +79,7 @@ For security reasons, the package used to offboard endpoints will expire 30 days 1. Get the offboarding package from the [Windows Defender ATP portal](https://securitycenter.windows.com/): - a. Click **Endpoint Management** on the **Navigation pane**. + a. Click **Endpoint management** on the **Navigation pane**. b. Click the **Endpoint offboarding** section. @@ -96,6 +99,10 @@ For security reasons, the package used to offboard endpoints will expire 30 days 5. Press the **Enter** key or click **OK**. +> [!IMPORTANT] +> Offboarding causes the machine to stop sending sensor data to the portal but data from the machine, including reference to any alerts it has had will be retained for up to 6 months. + + ## Monitor endpoint configuration You can follow the different verification steps in the [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) to verify that the script completed successfully and the agent is running. @@ -104,7 +111,7 @@ Monitoring can also be done directly on the portal, or by using the different de ### Monitor endpoints using the portal 1. Go to the Windows Defender ATP portal. -2. Click **Machines view**. +2. Click **Machines list**. 3. Verify that endpoints are appearing. diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 914544f7c1..6c9b1b4da5 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -86,10 +86,6 @@ Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```eu.vorte If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs. - If you selected US as your region, you should permit anonymous traffic for URLs listed in both Central US and East US (2). - - If you selected EU as your region, you should permit anonymous traffic for URLs listed in both West Europe and North Europe. - ## Verify client connectivity to Windows Defender ATP service URLs diff --git a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md index e8de1cb1b4..07eb913511 100644 --- a/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/dashboard-windows-defender-advanced-threat-protection.md @@ -24,10 +24,12 @@ localizationpriority: high The **Dashboard** displays a snapshot of: - The latest active alerts on your network -- Machines reporting -- Top machines with active alerts -- The overall status of Windows Defender ATP for the past 30 days -- Machines with active malware detections +- Daily machines reporting +- Machines at risk +- Users at risk +- Machines with active malware alerts +- Sensor health +- Service health You can explore and investigate alerts and machines to quickly determine if, where, and when suspicious activities occurred in your network to help you understand the context they appeared in. 
@@ -38,7 +40,7 @@ It also has clickable tiles that give visual cues on the overall health state of ## ATP alerts You can view the overall number of active ATP alerts from the last 30 days in your network from the **ATP alerts** tile. Alerts are grouped into **New** and **In progress**. -![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp.png) +![Click on each slice or severity to see a list of alerts from the past 30 days](images/atp-alerts-tile.png) Each group is further sub-categorized into their corresponding alert severity levels. Click the number of alerts inside each alert ring to see a sorted view of that category's queue (**New** or **In progress**). 
@@ -51,9 +53,9 @@ This tile shows you a list of machines with the highest number of active alerts. ![The Machines at risk tile shows a list of machines with the highest number of alerts, and a breakdown of the severity of the alerts](images/atp-machines-at-risk.png) -Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). +Click the name of the machine to see details about that machine. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). -You can also click **Machines list** at the top of the tile to go directly to the **Machines view**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines view](investigate-machines-windows-defender-advanced-threat-protection.md). +You can also click **Machines list** at the top of the tile to go directly to the **Machines list**, sorted by the number of active alerts. For more information see, [Investigate machines in the Windows Defender Advanced Threat Protection Machines list](investigate-machines-windows-defender-advanced-threat-protection.md). ## Users at risk The tile shows you a list of user accounts with the most active alerts. The total number of alerts for each user is shown in a circle next to the user account, and then further categorized by severity levels at the far end of the tile (hover over each severity bar to see its label). 
@@ -69,19 +71,20 @@ Active malware is defined as threats that were actively executing at the time of Hover over each bar to see the number of active malware detections (as **Malware detections**) and the number of endpoints with at least one active detection (as **Machines**) over the past 30 days. -![The Machines with active malware detections tile shows the number of threats and machines for each threat category](images/machines-active-threats-tile.png) +![The Machines with active malware detections tile shows the number of threats and machines for each threat category](images/atp-machines-active-threats-tile.png) The chart is sorted into five categories: -- **Password stealer** - threats that attempt to steal credentials. - **Ransomware** - threats that prevent user access to a machine or its files and demand payment to restore access. +- **Credential theft** - threats that attempt to steal credentials. - **Exploit** - threats that use software vulnerabilities to infect machines. -- **Threat** - all other threats that don't fit into the **Password stealer**, **Ransomware**, or **Exploit** categories. This includes trojans, worms, backdoors, and viruses. -- **Low severity** - threats with low severity, including adware and potentially unwanted software such as browser modifiers. +- **Backdoor** - threats that gives a malicious hacker access to and control of machines. +- **General** - threats that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. +- **PUA** - applications that install and perform undesirable activity without adequate user consent. Threats are considered "active" if there is a very high probability that the malware was executing on your network, as opposed to statically located on-disk. -Clicking on any of these categories will navigate to the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. 
This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. +Clicking on any of these categories will navigate to the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md), filtered by the appropriate category. This lets you see a detailed breakdown of which machines have active malware detections, and how many threats were detected per machine. > [!NOTE] > The **Machines with active malware detections** tile will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. 
@@ -93,21 +96,21 @@ The **Sensor health** tile provides information on the individual endpoint’s a There are two status indicators that provide information on the number of machines that are not reporting properly to the service: - **Inactive** - Machines that have stopped reporting to the Windows Defender ATP service for more than seven days in the past month. -- **Misconfigured** – These machines might partially be reporting telemetry to the Windows Defender ATP service and might have configuration errors that need to be corrected. +- **Misconfigured** – These machines might partially be reporting sensor data to the Windows Defender ATP service and might have configuration errors that need to be corrected. -When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor health state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). +When you click any of the groups, you’ll be directed to machines list, filtered according to your choice. For more information, see [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) and [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md). ## Service health The **Service health** tile informs you if the service is active or if there are issues. ![The Service health tile shows an overall indicator of the service](images/status-tile.png) -For more information on the service status, see [Check the Windows Defender ATP service status](service-status-windows-defender-advanced-threat-protection.md). +For more information on the service health, see [Check the Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md). 
## Daily machines reporting The **Daily machines reporting** tile shows a bar graph that represents the number of machines reporting alerts daily in the last 30 days. Hover over individual bars on the graph to see the exact number of machines reporting in each day. -![The Machines reporting tile shows the number of machines reporting each day for the past 30 days](images/machines-reporting-tile.png) +![Image of daily machines reporting tile](images/atp-daily-machines-reporting.png) ## Related topics - [View and organize the Windows Defender Advanced Threat Protection Alerts queue ](alerts-queue-windows-defender-advanced-threat-protection.md) 
@@ -115,8 +118,8 @@ The **Daily machines reporting** tile shows a bar graph that represents the numb - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP ](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md index da53066333..588dc98570 100644 --- a/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md 
@@ -31,8 +31,8 @@ Before you can create custom threat intelligence (TI) using REST API, you'll nee 3. Copy the individual values or select **Save details to file** to download a file that contains all the values. - WARNING:
- The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
+ >[!WARNING] + >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). 4. Select **Generate tokens** to get an access and refresh token. diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index e995968888..53cc303fdd 100644 --- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -29,14 +29,14 @@ Enable security information and event management (SIEM) integration so you can p 2. Select **Enable SIEM integration**. This activates the **SIEM connector access details** section with pre-populated values and an application is created under you Azure Active Directory (AAD) tenant. - WARNING:
- The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
+ > [!WARNING] + >The client secret is only displayed once. Make sure you keep a copy of it in a safe place.
For more information about getting a new secret see, [Learn how to get a new secret](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md#learn-how-to-get-a-new-client-secret). 3. Choose the SIEM type you use in your organization. - NOTE:
- If you select HP ArcSight, you'll need to save these two configuration files:
+ > [!NOTE] + > If you select HP ArcSight, you'll need to save these two configuration files:
- WDATP-connector.jsonparser.properties - WDATP-connector.properties
diff --git a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md index a301137ca4..8b5493c587 100644 --- a/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md @@ -36,7 +36,7 @@ A reinstalled or renamed machine will generate a new machine entity in Windows D **Machine was offboarded**
If the machine was offboarded it will still appear in machines list. After 7 days, the machine health state should change to inactive. -Do you expect a machine to be in ‘Active’ status? [Open a CSS ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). +Do you expect a machine to be in ‘Active’ status? [Open a support ticket ticket](https://support.microsoft.com/en-us/getsupport?wf=0&tenant=ClassicCommercial&oaspworkflow=start_1.0.0.0&locale=en-us&supportregion=en-us&pesid=16055&ccsid=636206786382823561). ## Misconfigured machines Misconfigured machines can further be classified to: diff --git a/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png b/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png index 9aad1b64aa..22be821960 100644 Binary files a/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png and b/windows/threat-protection/windows-defender-atp/images/alerts-q-bulk.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png new file mode 100644 index 0000000000..61ff260c38 Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue-user.png differ diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue.png new file mode 100644 index 0000000000..5bf942065e Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-queue.png differ 
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png
new file mode 100644
index 0000000000..8cf482904e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-selected.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png b/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png
new file mode 100644
index 0000000000..ed3cf79941
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alerts-tile.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alertsq1.png b/windows/threat-protection/windows-defender-atp/images/atp-alertsq1.png
new file mode 100644
index 0000000000..22a72d1306
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alertsq1.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png b/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png
new file mode 100644
index 0000000000..2b0253847e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-alertsq2.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png b/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png
index dd7fe7dc4d..f62d84df10 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png and b/windows/threat-protection/windows-defender-atp/images/atp-azure-ui-user-access.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png b/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png
new file mode 100644
index 0000000000..e46f058e86
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-daily-machines-reporting.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png
new file mode 100644
index 0000000000..a1e3309e81
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-export.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png
new file mode 100644
index 0000000000..51e693533e
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machine-timeline-filter.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png
new file mode 100644
index 0000000000..fd0625088a
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-active-threats-tile.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png
index 219e958d7d..cfa3cbda3e 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png and b/windows/threat-protection/windows-defender-atp/images/atp-machines-at-risk.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png
new file mode 100644
index 0000000000..3de8f88a28
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-misconfigured.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png
new file mode 100644
index 0000000000..746d043732
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-list-view.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png b/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png
new file mode 100644
index 0000000000..b58b0f29b0
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-machines-timeline.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png
index 2aa75b7dca..3336f8a1ac 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png and b/windows/threat-protection/windows-defender-atp/images/atp-main-portal.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-portal-sensor.png b/windows/threat-protection/windows-defender-atp/images/atp-portal-sensor.png
new file mode 100644
index 0000000000..4a41dff7b6
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-portal-sensor.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-portal.png b/windows/threat-protection/windows-defender-atp/images/atp-portal.png
new file mode 100644
index 0000000000..5f39939886
Binary files /dev/null and b/windows/threat-protection/windows-defender-atp/images/atp-portal.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png
index b82d66a85a..e59480d960 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png and b/windows/threat-protection/windows-defender-atp/images/atp-sensor-health-filter.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png b/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png
index cd43cdf607..c2b81ca99a 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png and b/windows/threat-protection/windows-defender-atp/images/atp-users-at-risk.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/components.png b/windows/threat-protection/windows-defender-atp/images/components.png
index 840f1cb0df..04ab864727 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/components.png and b/windows/threat-protection/windows-defender-atp/images/components.png differ
diff --git a/windows/threat-protection/windows-defender-atp/images/rules-legend.png b/windows/threat-protection/windows-defender-atp/images/rules-legend.png
index a48783c6e3..7739ccfda2 100644
Binary files a/windows/threat-protection/windows-defender-atp/images/rules-legend.png and b/windows/threat-protection/windows-defender-atp/images/rules-legend.png differ
diff --git a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md index 58805fa39c..e456a18096 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md @@ -79,8 +79,8 @@ Selecting an alert detail brings up the **Details pane** where you'll be able to - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md index d0e04eabe5..b107b3b042 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md @@ -49,8 +49,8 @@ The **Communication with URL in organization** section provides a chronological - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md) - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index e45a3d17d3..ebf5a67b89 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -57,8 +57,8 @@ This allows for greater accuracy in defining entities to display such as if and
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
 - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index 1b792ae89e..b531ee93f6 100644
--- a/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -57,8 +57,8 @@ Clicking any of the machine names will take you to that machine's view, where yo
 - [Investigate Windows Defender Advanced Threat Protection alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
 - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 5073e541f6..1fc73cb046 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- -title: Investigate machines in the Windows Defender ATP Machines view -description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines view. +title: Investigate machines in the Windows Defender ATP Machines list +description: Investigate affected machines in your network by reviewing alerts, network connection information, and service health on the Machines list. keywords: machines, endpoints, machine, endpoint, alerts queue, alerts, machine name, domain, last seen, internal IP, active alerts, threat category, filter, sort, review alerts, network, connection, type, password stealer, ransomware, exploit, threat, low severity search.product: eADQiWindows 10XVcnh ms.prod: w10 @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Investigate machines in the Windows Defender ATP Machines view +# Investigate machines in the Windows Defender ATP Machines list **Applies to:** 
@@ -26,7 +26,7 @@ Investigate the details of an alert raised on a specific machine to identify oth You can click on affected machines whenever you see them in the portal to open a detailed report about that machine. Affected machines are identified in the following areas: -- The [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- The [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - The [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md) - The [Dashboard](dashboard-windows-defender-advanced-threat-protection.md) - Any individual alert 
@@ -34,53 +34,83 @@ You can click on affected machines whenever you see them in the portal to open a - Any IP address or domain details view When you investigate a specific machine, you'll see: -- Machine details, Logged on user, and Machine Reporting +- Machine details, Logged on users, and Machine Reporting - Alerts related to this machine - Machine timeline ![Image of machine details page](images/atp-machine-details-view.png) -The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health state, actions you can take on the machine. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md). +The machine details, total logged on users and machine reporting sections display various attributes about the machine. You’ll see details such as machine name, health state, actions you can take on the machine, and others. For more information on how to take action on a machine, see [Take response action on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md). -You'll also see other information such as domain, operating system (OS), total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service. +You'll also see other information such as domain, operating system (OS) and build, total logged on users and who frequently and less frequently logged on, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service. 
-Clicking on the number of total logged on users in the Logged on user tile opens the Users Details pane that displays the following information for logged on users in the past 30 days: +Clicking on the number of total logged on users in the Logged on users tile opens the Users Details pane that displays the following information for logged on users in the past 30 days: - Interactive and remote interactive logins - Network, batch, and system logins ![Image of user details pane](images/atp-user-details-pane.png) -You'll also see details such as logon types for each user account, the user group, and when the account was logged in. +You'll also see details such as logon types for each user account, the user group, and when the account logon occurred. For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). -The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the last activity was detected, a short description of the alert, the user associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. +The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a filtered version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date when the alert's last activity was detected, a short description of the alert, the user account associated with the alert, the alert's severity, the alert's status in the queue, and who is addressing the alert. 
-You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and other events that occurred on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights alerts and related events and helps distinguish from other alerts and events appearing in the timeline. Highlighted events are displayed in all filtering modes whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**. +You can also choose to highlight an alert from the **Alerts related to this machine** or from the **Machine timeline** section to see the correlation between the alert and its related events on the machine by right-clicking on the alert and selecting **Select and mark events**. This highlights the alert and its related events and helps distinguish them from other alerts and events appearing in the timeline. Highlighted events are displayed in all information levels whether you choose to view the timeline by **Detections**, **Behaviors**, or **Verbose**. The **Machine timeline** section provides a chronological view of the events and associated alerts that have been observed on the machine. -This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a specified time period. +This feature also enables you to selectively drill down into events that occurred within a given time period. You can view the temporal sequence of events that occurred on a machine over a selected time period. -![Image of machine timeline with events](images/atp-machine-timeline.png) +![Image of machine timeline with events](images/atp-machines-timeline.png) -Windows Defender ATP monitors and captures questionable behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. 
This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine. +Windows Defender ATP monitors and captures suspicious or anomalous behavior on Windows 10 machines and displays the process tree flow in the **Machine timeline**. This gives you better context of the behavior which can contribute to understanding the correlation between events, files, and IP addresses in relation to the machine. -### Search for specific alerts -Use the search bar to look for specific alerts or files associated with the machine: -- **Value** – Type in any search keyword to filter the timeline with the attribute you’re searching for. +### Search for specific events +Use the search bar to look for specific timeline events. Harness the power of using the following defined search queries based on type:value pairs and event filter types to sift through the search results: + +- **Value** - Type in any search keyword to filter the timeline with the attribute you’re searching for. This search supports defined search queries based on type:value pairs.
+ You can use any of the following values:
+ - Hash: Sha1 or MD5 + - File name + - File extension + - Path + - Command line + - User + - IP + - URL - **Informational level** – Click the drop-down button to filter by the following levels: - - **Detections mode**: displays Windows ATP Alerts and detections - - **Behaviors mode**: displays "detections" and selected events of interest - - **Verbose mode**: displays "behaviors" (including "detections"), and all reported events -- **User** – Click the drop-down button to filter the machine timeline by the following user associated events: + - Detections mode: displays Windows ATP Alerts and detections + - Behaviors mode: displays "detections" and selected events of interest + - Verbose mode: displays all raw events without aggregation or filtering + +- **Event type** - Click the drop-down button to filter by the following levels: + - Windows Defender ATP alerts + - Windows Defender AV alerts + - Response actions + - AppGuard related events + - Windows Defender Device Guard events + - Process events + - Network events + - File events + - Registry events + - Load DLL events + - Other events

+ Filtering by event type allows you to define precise queries so that you see events with a specific focus. For example, you can search for a file name, then filter the results to only see Process events matching the search criteria or to only view file events, or even better: to view only network events over a period of time to make sure no suspicious outbound communications go unnoticed. + +- **User account** – Click the drop-down button to filter the machine timeline by the following user associated events: - Logon users - System - Network - Local service +The following example illustrates the use of type:value pair. The events were filtered by searching for the user jonathan.wolcott and network events as the event type: + +![Image of events filtered by user and event type](images/atp-machine-timeline-filter.png) + +The results in the timeline only show network communication events run in the defined user context. ### Filter events from a specific date Use the time-based slider to filter events from a specific date. By default, the machine timeline is set to display the events of the current day. 
@@ -92,12 +122,12 @@ The slider is helpful when you're investigating a particular alert on a machine. ### Export machine timeline events You can also export detailed event data from the machine timeline to conduct offline analysis. You can choose to export the machine timeline for the current date or specify a date range. You can export up to seven days of data and specify the specific time between the two dates. -![Image of export machine timeline events](images/atp-export-machine-timeline-events.png) +![Image of export machine timeline events](images/atp-machine-timeline-export.png) ### Navigate between pages Use the events per page drop-down to choose the number of alerts you’d like to see on the page. You can choose to display 20, 50, or 100 events per page. You can also move between pages by clicking **Older** or **Newer**. -From the **Machines view**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line. +From the **Machines list**, you can also navigate to the file, IP, or URL view and the timeline associated with an alert is retained, helping you view the investigation from different angles and retain the context of the event time line. From the list of events that are displayed in the timeline, you can examine the behaviors or events in to help identify indicators of interests such as files and IP addresses to help determine the scope of a breach. You can then use the information to respond to events and keep your system secure. 
@@ -106,9 +136,9 @@ From the list of events that are displayed in the timeline, you can examine the You can also use the [Alerts spotlight](investigate-alerts-windows-defender-advanced-threat-protection.md#alert-timeline) feature to see the correlation between alerts and events on a specific machine. -Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigating further into the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address. +Expand an event to view associated processes related to the event. Click on the circle next to any process or IP address in the process tree to investigate additional details of the identified processes. This action brings up the **Details pane** which includes execution context of processes, network communications and a summary of metadata on the file or IP address. -This enhances the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context. +The details pane enriches the ‘in-context’ information across investigation and exploration activities, reducing the need to switch between contexts. It lets you focus on the task of tracing associations between attributes without leaving the current context. ## Related topics - [View the Windows Defender Advanced Threat Protection Dashboard](dashboard-windows-defender-advanced-threat-protection.md) 
@@ -117,7 +147,7 @@ This enhances the ‘in-context’ information across investigation and explorat - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md) +- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) diff --git a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md index e0b1346b9e..9f45aa0817 100644 --- a/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md 
@@ -69,7 +69,7 @@ You can filter the results by the following time periods:
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
 - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index 44a32cf414..ddcf2f5185 100644
--- a/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -23,21 +23,21 @@ localizationpriority: high The **Machines list** shows a list of the machines in your network, the domain of each machine, when it last reported and the local IP Address it reported on, its **Health state**, the number of active alerts on each machine categorized by alert severity level, and the number of active malware detections. This view allows viewing machines ranked by risk or sensor health state, and keeping track of all machines that are reporting sensor data in your network. -Use the Machines view in these main scenarios: +Use the Machines list in these main scenarios: - **During onboarding**
During the onboarding process, the **Machines list** is gradually populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they come online. Sort and filter by time of last report, **Active malware category**, or **Sensor health state**, or download the complete endpoint list as a CSV file for offline analysis. - **Day-to-day work** The **Machines list** enables easy identification of machines most at risk in a glance. High-risk machines have the greatest number and highest-severity alerts; **Sensor health state** provides another dimension to rank machines. Sorting machines by **Active alerts**, and then by **Sensor health state** helps identify the most vulnerable machines and take action on them. -## Sort, filter, and download the list of machines from the Machines view +## Sort, filter, and download the list of machines from the Machines list You can sort the **Machines list** by clicking on any column header to sort the view in ascending or descending order. -Filter the **Machines list** by time period, **Active malware categories**, or **Sensor health state** to focus on certain sets of machines, according to the desired criteria. +Filter the **Machines list** by time period, **OS Platform**, **Health**, or **Malware category alerts** to focus on certain sets of machines, according to the desired criteria. You can also download the entire list in CSV format using the **Export to CSV** feature. -![Image of machines list with list of machines](images/atp-machines-view-list.png) +![Image of machines list with list of machines](images/atp-machines-list-view.png) You can use the following filters to limit the list of machines displayed during an investigation: @@ -48,35 +48,50 @@ You can use the following filters to limit the list of machines displayed during - 30 days - 6 months +**OS Platform**
+- Windows 10 +- Windows Server 2012 R2 +- Windows Server 2016 +- Other + +**Sensor health state**
+Filter the list to view specific machines grouped together by the following machine health states: + +- **Active** – Machines that are actively reporting sensor data to the service. +- **Misconfigured** – Machines that have impaired communication with service or are unable to send sensor data. Misconfigured machines can further be classified to: + - Impaired communication + - No sensor data + + For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). +- **Inactive** – Machines that have completely stopped sending signals for more than 7 days. + + **Malware category**
Filter the list to view specific machines grouped together by the following malware categories: - **Ransomware** – Ransomware use common methods to encrypt files using keys that are known only to attackers. As a result, victims are unable to access the contents of the encrypted files. Most ransomware display or drop a ransom note—an image or an HTML file that contains information about how to obtain the attacker-supplied decryption tool for a fee. - **Credential theft** – Spying tools, whether commercially available or solely used for unauthorized purposes, include general purpose spyware, monitoring software, hacking programs, and password stealers. These tools collect credentials and other information from browser records, key presses, email and instant messages, voice and video conversations, and screenshots. They are used in cyberattacks to establish control and steal information. - **Exploit** – Exploits take advantage of unsecure code in operating system components and applications. Exploits allow attackers to run arbitrary code, elevate privileges, and perform other actions that increase their ability to compromise a targeted machine. Exploits are found in both commodity malware and malware used in targeted attacks. + - **Backdoor** - Backdoors are malicious remote access tools that allow attackers to access and control infected machines. Backdoors can also be used to exfiltrate data. - **General malware** – Malware are malicious programs that perform unwanted actions, including actions that can disrupt, cause direct damage, and facilitate intrusion and data theft. Some malware can replicate and spread from one machine to another. Others are able to receive commands from remote attackers and perform activities associated with cyberattacks. - - **Unwanted software** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. 
These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software. + - **PUA** – Unwanted software is a category of applications that install and perform undesirable activity without adequate user consent. These applications are not necessarily malicious, but their behaviors often negatively impact the computing experience, even appearing to invade user privacy. Many of these applications display advertising, modify browser settings, and install bundled software. -**Sensor health state**
-Filter the list to view specific machines grouped together by the following machine health states: - -- **Active** – Machines that are actively reporting sensor data to the service. -- **Misconfigured** – Machines that have impaired communication with service or are unable to send sensor data. For more information on how to address issues on misconfigured machines see, [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md). -- **Inactive** – Machines that have completely stopped sending signals for more than 7 days. ## Export machine list to CSV -You can download a full list of all the machines in your organization, in CSV format. Click the **Manage** menu icon ![The menu icon looks like three periods stacked on top of each other](images/menu-icon.png) to download the entire list as a CSV file. +You can download a full list of all the machines in your organization, in CSV format. Click the **Export to CSV** button to download the entire list as a CSV file. **Note**: Exporting the list depends on the number of machines in your organization. It might take a significant amount of time to download, depending on how large your organization is. Exporting the list in CSV format displays the data in an unfiltered manner. The CSV file will include all machines in the organization, regardless of any filtering applied in the view itself. 
-## Sort the Machines view +## Sort the Machines list You can sort the **Machines list** by the following columns: - **Machine name** - Name or GUID of the machine +- **Domain** - Domain where the machine is joined in +- **OS Platform** - Indicates the OS of the machine +- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data - **Last seen** - Date and time when the machine last reported sensor data - **Internal IP** - Local internal Internet Protocol (IP) address of the machine -- **Health State** – Indicates if the machine is misconfigured or is not sending sensor data - **Active Alerts** - Number of alerts reported by the machine by severity - **Active malware detections** - Number of active malware detections reported by the machine @@ -91,7 +106,7 @@ You can sort the **Machines list** by the following columns: - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md) - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md) - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md) -- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) +- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md) - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md) - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md) 
diff --git a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 4f1523a324..9dd0f7d8b2 100644
--- a/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -105,7 +105,7 @@ Each rule shows:
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Take response actions in Windows Defender ATP](response-actions-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 6eb46cb27f..82efa42cc1 100644
--- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -41,9 +41,9 @@ For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us ### Network and data storage and configuration requirements When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter. -> **Notes**   -- You cannot change your data storage location after the first-time setup. -- Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. +> [!NOTE] +> - You cannot change your data storage location after the first-time setup. +> - Review the [Windows Defender ATP data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md) for more information on where and how Microsoft stores your data. ### Endpoint hardware and software requirements 
@@ -68,7 +68,7 @@ The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to com For more information on additional proxy configuration settings see, [Configure Windows Defender ATP endpoint proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md) . -Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10, but if it has been disabled you can turn it on by following the instructions in the [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md) section. +Before you configure endpoints, the telemetry and diagnostics service must be enabled. The service is enabled by default in Windows 10. ### Telemetry and diagnostics settings You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization. diff --git a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md index 3e1b3c8a80..6104ea6ffb 100644 --- a/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md 
@@ -31,11 +31,11 @@ You can use the [Windows Defender ATP portal](https://securitycenter.windows.com ## Windows Defender ATP portal When you open the portal, you’ll see the main areas of the application: - ![Windows Defender Advanced Threat Protection portal](images/atp-main-portal.png) + ![Windows Defender Advanced Threat Protection portal](images/atp-portal.png) -- (1) Search, Feedback, Settings, Help and support -- (2) Navigation pane -- (3) Main portal +- (1) Navigation pane +- (2) Main portal Search +- (3) Feedback, Settings, Help and support > [!NOTE] > Malware related detections will only appear if your endpoints are using [Windows Defender Antivirus](https://technet.microsoft.com/library/mt622091(v=vs.85).aspx) as the default real-time protection antimalware product. @@ -45,14 +45,14 @@ You can navigate through the portal using the menu options available in all sect Area | Description :---|:--- (1) Search bar, Feedback, Settings, Help and support | **Search** - Provides access to the search bar where you can search for file, IP, machine, URL, and user. Displays the Search box: the drop-down list allows you to select the entity type and then enter the search query text.
**Feedback** -Access the feedback button to provide comments about the portal.
**Settings** - Gives you access to the configuration settings where you can set time zones, alert suppression rules, and license information.
**Help and support** - Gives you access to the Windows Defender ATP guide, Microsoft support, and Premier support. -(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines view**, **Service health**, **Preferences setup**, and **Enpoint Management**. +(2) Navigation pane | Use the navigation pane to move between the **Dashboard**, **Alerts queue**, **Machines list**, **Service health**, **Preferences setup**, and **Endpoint management**. **Dashboard** | Provides clickable tiles that open detailed information on various alerts that have been detected in your organization. **Alerts queue** | Enables you to view separate queues of new, in progress, and resolved alerts. -**Machines view** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. -**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. +**Machines list** | Displays the list of machines that are onboarded to Windows Defender ATP, some information about them, and the corresponding number of alerts. +**Service health** | Provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. **Preferences setup** | Shows the settings you selected during onboarding and lets you update your industry preferences and retention policy period. You can also set email notifications, activate the preview experience, and enable or turn off advanced features. -**Endpoint Management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. -(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines view. 
+**Endpoint management** | Allows you to download the onboarding configuration package. It provides access to endpoint offboarding. +(3) Main portal| Main area where you will see the different views such as the Dashboard, Alerts queue, and Machines list. ## Windows Defender ATP icons The following table provides information on the icons used all throughout the portal: diff --git a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md index dab6725222..e2904380b5 100644 --- a/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md 
@@ -30,3 +30,5 @@ Topic | Description [Enable advanced features](advanced-features-windows-defender-advanced-threat-protection.md)| Enable features such as **Block file** and other features that require integration with other products. [Enable the preview experience](preview-settings-windows-defender-advanced-threat-protection.md) | Allows you to turn on preview features so you can try upcoming features. [Configure email notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) | Enables you to configure and identify a group of individuals who will immediately be informed of new alerts through email notifications. +[Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md) | Enable security information and event management (SIEM) integration to pull alerts from the Windows Defender ATP portal using your SIEM solution. +[Enable Threat intel API](enable-custom-ti-windows-defender-advanced-threat-protection.md) | Before you can create custom threat intelligence (TI) using REST API, you'll need to set up the custom threat intelligence application. diff --git a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index 311ebea501..8fb19c7e1a 100644 --- a/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -32,3 +32,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea 1. In the navigation pane, select **Preferences setup** > **Preview experience**. 2. Toggle the setting between **On** and **Off** and select **Save preferences**. + +## Preview features +There are currently no preview only features. 
diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
index a22e882c62..597cefb9a1 100644
--- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md
@@ -40,7 +40,7 @@ Topic | Description
 - [Investigate a file associated with a Windows Defender ATP alert](investigate-files-windows-defender-advanced-threat-protection.md)
 - [Investigate an IP address associated with a Windows Defender ATP alert](investigate-ip-windows-defender-advanced-threat-protection.md)
 - [Investigate a domain associated with a Windows Defender ATP alert](investigate-domain-windows-defender-advanced-threat-protection.md)
-- [View and organize the Windows Defender ATP Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)
-- [Investigate machines in the Windows Defender ATP Machines view](investigate-machines-windows-defender-advanced-threat-protection.md)
+- [View and organize the Windows Defender ATP Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+- [Investigate machines in the Windows Defender ATP Machines list](investigate-machines-windows-defender-advanced-threat-protection.md)
 - [Investigate a user account in Windows Defender ATP](investigate-user-windows-defender-advanced-threat-protection.md)
 - [Manage Windows Defender Advanced Threat Protection alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
diff --git a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md index 6c8623a564..088b4ed61a 100644 --- a/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- -title: Check the Windows Defender ATP service status -description: Check Windows Defender ATP service status, see if the service is experiencing issues and review previous issues that have been resolved. -keywords: dashboard, service, issues, service status, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time +title: Check the Windows Defender ATP service health +description: Check Windows Defender ATP service health, see if the service is experiencing issues and review previous issues that have been resolved. +keywords: dashboard, service, issues, service health, current issues, status history, summary of impact, preliminary root cause, resolution, resolution time, expected resolution time search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -11,7 +11,7 @@ author: mjcaparas localizationpriority: high --- -# Check the Windows Defender Advanced Threat Protection service status +# Check the Windows Defender Advanced Threat Protection service health **Applies to:** 
@@ -21,11 +21,11 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service status is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. +The **Service health** provides information on the current status of the Window Defender ATP service. You'll be able to verify that the service health is healthy or if there are current issues. If there are issues, you'll see details related to the issue such as when the issue was detected, what the preliminary root cause is, and the expected resolution time. You'll also see information on historical issues that have been resolved and details such as the date and time when the issue was resolved. When there are no issues on the service, you'll see a healthy status. -You can view details on the service status by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane. +You can view details on the service health by clicking the tile from the **Dashboard** or selecting the **Service health** menu from the navigation pane. The **Service health** details page has the following tabs: 
@@ -33,7 +33,7 @@ The **Service health** details page has the following tabs: - **Status History** ## Current issues -The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service status is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: +The **Current issues** tab shows the current state of the Windows Defender ATP service. When the service is running smoothly a healthy service health is shown. If there are issues seen, the following service details are shown to help you gain better insight about the issue: - Date and time for when the issue was detected - A short description of the issue diff --git a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 85ad29fad8..a43f5f374c 100644 --- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md 
@@ -24,12 +24,12 @@ localizationpriority: high You might need to troubleshoot the Windows Defender ATP onboarding process if you encounter issues. This page provides detailed steps to troubleshoot onboarding issues that might occur when deploying with one of the deployment tools and common errors that might occur on the endpoints. -If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem. +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, it might indicate an endpoint onboarding or connectivity problem. ## Troubleshoot onboarding when deploying with Group Policy Deployment with Group Policy is done by running the onboarding script on the endpoints. The Group Policy console does not indicate if the deployment has succeeded or not. -If you have completed the endpoint onboarding process and don't see endpoints in the [Machines view](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). +If you have completed the endpoint onboarding process and don't see endpoints in the [Machines list](investigate-machines-windows-defender-advanced-threat-protection.md) after an hour, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). 
If the script completes successfully, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. @@ -43,7 +43,7 @@ When onboarding endpoints using the following versions of System Center Configur Deployment with the above-mentioned versions of System Center Configuration Manager is done by running the onboarding script on the endpoints. You can track the deployment in the Configuration Manager Console. -If the deployment fails, you can check the output of the script on the endpoints. For more information, see [Troubleshoot onboarding when deploying with a script on the endpoint](#troubleshoot-onboarding-when-deploying-with-a-script-on-the-endpoint). +If the deployment fails, you can check the output of the script on the endpoints. If the onboarding completed successfully but the endpoints are not showing up in the **Machines list** after an hour, see [Troubleshoot onboarding issues on the endpoint](#troubleshoot-onboarding-issues-on-the-endpoint) for additional errors that might occur. @@ -64,7 +64,7 @@ Event ID | Error Type | Resolution steps :---|:---|:--- 5 | Offboarding data was found but couldn't be deleted | Check the permissions on the registry, specifically ```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```. 10 | Onboarding data couldn't be written to registry | Check the permissions on the registry, specifically
```HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat```.
Verify that the script was ran as an administrator. -15 | Failed to start SENSE service |Check the service status (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights). +15 | Failed to start SENSE service |Check the service health (```sc query sense``` command). Make sure it's not in an intermediate state (*'Pending_Stopped'*, *'Pending_Running'*) and try to run the script again (with administrator rights).

If the endpoint is running Windows 10, version 1607 and running the command `sc query sense` returns `START_PENDING`, reboot the machine. If rebooting the machine doesn't address the issue, upgrade to KB4015217 and try onboarding again. 15 | Failed to start SENSE service | If the message of the error is: System error 577 has occurred. You need to enable the Windows Defender ELAM driver, see [Ensure that Windows Defender is not disabled by a policy](#ensure-that-windows-defender-is-not-disabled-by-a-policy) for instructions. 30 | The script failed to wait for the service to start running | The service could have taken more time to start or has encountered errors while trying to start. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). 35 | The script failed to find needed onboarding status registry value | When the SENSE service starts for the first time, it writes onboarding status to the registry location
```HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status```.
The script failed to find it after several seconds. You can manually test it and check if it's there. For more information on events and errors related to SENSE, see [Review events and errors on endpoints with Event viewer](event-error-codes-windows-defender-advanced-threat-protection.md). @@ -82,13 +82,13 @@ Use the following tables to understand the possible causes of issues while onboa - Known issues with non-compliance table - Mobile Device Management (MDM) event logs table -If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint Management** section of the portal, and run it in an elevated command prompt. +If none of the event logs and troubleshooting steps work, download the Local script from the **Endpoint management** section of the portal, and run it in an elevated command prompt. **Microsoft Intune error codes and OMA-URIs**: Error Code Hex | Error Code Dec | Error Description | OMA-URI | Possible cause and troubleshooting steps :---|:---|:---|:---|:--- -0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). +0x87D1FDE8 | -2016281112 | Remediation failed | Onboarding
Offboarding | **Possible cause:** Onboarding or offboarding failed on a wrong blob: wrong signature or missing PreviousOrgIds fields.

**Troubleshooting steps:**
Check the event IDs in the [View agent onboarding errors in the endpoint event log](#view-agent-onboarding-errors-in-the-endpoint-event-log) section.

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). | | | Onboarding
Offboarding
SampleSharing | **Possible cause:** Windows Defender ATP Policy registry key does not exist or the OMA DM client doesn't have permissions to write to it.

**Troubleshooting steps:** Ensure that the following registry key exists: ```HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection```.

If it doesn't exist, open an elevated command and add the key. | | | SenseIsRunning
OnboardingState
OrgId | **Possible cause:** An attempt to remediate by read-only property. Onboarding has failed.

**Troubleshooting steps:** Check the troubleshooting steps in [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](#troubleshoot-windows-defender-advanced-threat-protection-onboarding-issues).

Check the MDM event logs in the following table or follow the instructions in [Diagnose MDM failures in Windows 10](https://msdn.microsoft.com/library/windows/hardware/mt632120%28v=vs.85%29.aspx). | | | All | **Possible cause:** Attempt to deploy Windows Defender ATP on non-supported SKU/Platform, particularly Holographic SKU.

Currently is supported platforms: Enterprise, Education, and Professional.
Server is not supported. diff --git a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md index e614c969ca..6b8436e6ef 100644 --- a/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/use-windows-defender-advanced-threat-protection.md 
@@ -44,7 +44,7 @@ Topic | Description
 [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md) | Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.
 [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md) | Examine possible communication between your machines and external Internet protocol (IP) addresses.
 [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md) | Investigate a domain to see if machines and servers in your enterprise network have been communicating with a known malicious domain.
-[View and organize the Machines view](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
+[View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)| You can sort, filter, and exporting the machine list.
 [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md) | The **Machines list** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, as well as the number of threats.
 [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)| Investigate user accounts with the most active alerts.
 [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md) | The **Manage Alert** menu on every alert lets you change an alert's status, resolve it, suppress it, or contribute comments about the alert.
diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index 183bf2bd6b..8f73a17944 100644
--- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -86,12 +86,18 @@ detect sophisticated cyber-attacks, providing:
 Topic | Description
 :---|:---
 [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md) | This overview topic for IT professionals provides information on the minimum requirements to use Windows Defender ATP such as network and data storage configuration, and endpoint hardware and software requirements, and deployment channels.
+[Preview features](preview-windows-defender-advanced-threat-protection.md) | Learn about new features in the Windows Defender ATP preview release and enable the preview experience.
 [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)| Learn about how Windows Defender ATP collects and handles information and where data is stored.
 [Assign user access to the Windows Defender ATP portal](assign-portal-access-windows-defender-advanced-threat-protection.md)| Before users can access the portal, they'll need to be granted specific roles in Azure Active Directory.
 [Onboard endpoints and set up access](onboard-configure-windows-defender-advanced-threat-protection.md) | You'll need to onboard and configure the Windows Defender ATP service and the endpoints in your network before you can use the service. Learn about how you can assign users to the Windows Defender ATP service in Azure Active Directory (AAD) and using a configuration package to configure endpoints.
 [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) | Understand the main features of the service and how it leverages Microsoft technology to protect enterprise endpoints from sophisticated cyber attacks.
 [Use the Windows Defender Advanced Threat Protection portal](use-windows-defender-advanced-threat-protection.md) | Learn about the capabilities of Windows Defender ATP to help you investigate alerts that might be indicators of possible breaches in your enterprise.
-[Windows Defender Advanced Threat Protection settings](settings-windows-defender-advanced-threat-protection.md) | Learn about setting the time zone and configuring the suppression rules to configure the service to your requirements.
+[Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md) | Learn about pulling alerts from the Windows Defender ATP portal using supported security information and events management (SIEM) tools.
+[Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md) | Understand threat intelligence concepts, then enable the custom threat intelligence application so that you can proceed to create custom threat intelligence alerts that are specific to your organization.
+[Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md) | Check the sensor health state on endpoints to verify that they are providing sensor data and communicating with the Windows Defender ATP service.
+[Configure Windows Defender ATP preferences settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Use the Preferences setup menu to modify general settings, advanced features, enable the preview experience, email notifications, and the custom threat intelligence feature.
+[Windows Defender ATP settings](settings-windows-defender-advanced-threat-protection.md) | Configure time zone settings, suppression rules, and view license information.
+[Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md) | Verify that the service health is running properly or if there are current issues.
 [Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP.
 [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required.
 [Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP.
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
index 0e76ae6cdd..64602d97ae 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@@ -1,6 +1,6 @@
 ---
-title: Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune (Windows 10)
-description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
+title: Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune (Windows 10)
+description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
 ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
 keywords: WIP, Enterprise Data Protection
 ms.prod: w10
@@ -11,63 +11,110 @@ author: eross-msft
 localizationpriority: high
 ---
-# Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune
+# Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
 **Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+- Windows 10, version 1607
+- Windows 10 Mobile
-After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
-
-## Associate your WIP policy to your VPN policy by using Microsoft Intune
-Follow these steps to associate your WIP policy with your organization's existing VPN policy.
+After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
-**To associate your policies**
+## Create your VPN policy using Microsoft Intune
+Follow these steps to create the VPN policy you want to use with WIP.
-1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
+**To create your VPN policy**
-2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
+1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
- ![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png) +2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. -3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**. + ![Microsoft Intune, Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png) - ![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png) +3. Type *Contoso_VPN_Win10* into the **Name** box, along with an optional description for your policy into the **Description** box. -4. In the **Custom OMA-URI Settings** blade, click **Add**. + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png) -5. In the **Add Row** blade, type: +4. In the **VPN Settings** area, type the following info: - - **Name.** Type a name for your setting, such as *EDPModeID*. - - - **Description.** Type an optional description for your setting. - - - **OMA-URI.** Type _./Vendor/MSFT/VPNv2/<VPNProfileName>/EDPModeId_ into the box. + - **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable. - - **Data type.** Select **String** from the dropdown box - - - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_. + - **Connection type.** Pick the connection type that matches your infrastructure. 
The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**. - ![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png) + - **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable. -6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy. + - **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN). -7. Click **Create** to create the policy, including your OMA_URI info. + ![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png) + +5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.

+It's your choice whether you check the box to **Remember the user credentials at each logon**. + + ![Microsoft Intune, Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png) + +6. You can leave the rest of the default or blank settings, and then click **Save Policy**. ## Deploy your VPN policy using Microsoft Intune After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy. -**To deploy your Custom VPN policy** +**To deploy your VPN policy** -1. On the **App policy** blade, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**. +1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** blade. +2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

+The added people move to the **Selected Groups** list on the right-hand pane. -2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy. + ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png) - The policy is deployed to the selected users' devices. +3. After you've picked all of the employees and groups that should get the policy, click **OK**.

+The policy is deployed to the selected users' devices. + +## Link your WIP and VPN policies and deploy the custom configuration policy +The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EDPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies + +**To link your VPN policy** + +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**. + +2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. + + ![Microsoft Intune, Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png) + +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + + ![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-wipmodeid.png) + +4. In the **OMA-URI Settings** area, click **Add** to add your **EDPModeID** info. + +5. In the **OMA-URI Settings** area, type the following info: + + - **Setting name.** Type **EDPModeID** as the name. + + - **Data type.** Pick the **String** data type. + + - **OMA-URI.** Type `./Vendor/MSFT/VPNv2//EDPModeId`, replacing <*VPNProfileName*> with the name you gave to your VPN policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EDPModeId`. + + - **Value.** Your fully-qualified domain that should be used by the OMA-URI setting. + + ![Microsoft Intune: Fill in the OMA-URI Settings for the EMPModeID setting](images/intune-vpn-omaurisettings.png) + +6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.** + + + **To deploy your linked policy** + +1. 
On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
+
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane.
+
+ ![Microsoft Intune, Manage Deployment box used to deploy your linked VPN policy](images/intune-groupselection_vpnlink.png)
+
+3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices.
- ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
 >[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
+
+
+
+
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index 3b756a14c7..2b277e056a 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -1,5 +1,5 @@
 ---
-title: Create a Windows Information Protection (WIP) with enrollment policy using Microsoft Intune (Windows 10)
+title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
 description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
 ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
 ms.prod: w10
@@ -10,125 +10,88 @@ author: eross-msft
 localizationpriority: high
 ---
-# Create a Windows Information Protection (WIP) with enrollment policy using Microsoft Intune
+# Create a Windows Information Protection (WIP) policy using Microsoft Intune
 **Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+- Windows 10, version 1703
+- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop)
 Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
->[!Important]
->This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) topic.
-
 ## Add a WIP policy
 After you’ve set up Intune for your organization, you must create a WIP-specific policy.
 **To add a WIP policy**
-1. Open the Microsoft Intune mobile application management console, click **All settings**, and then click **App policy**.
+1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
- ![Microsoft Intune management console: App policy link](images/wip-azure-portal-start.png)
+2. 
Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. -2. In the **App policy** screen, click **Add a policy**, and then fill out the fields: - - **Name.** Type a name (required) for your new policy. + ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) - - **Description.** Type an optional description. +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - - **Platform.** Choose **Windows 10** as the supported platform for your policy. + ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) - - **Enrollment state.** Choose **With enrollment** as the enrollment state for your policy. - - ![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-portal-add-policy.png) - - >[!Important] - >Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM, you must use these instructions, [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune), instead. - -3. Click **Create**. - - The policy is created and appears in the table on the **App Policy** screen. - - >[!NOTE] - >Optionally, you can also add your apps and set your settings from the **Add a policy** blade, but for the purposes of this documentation, we recommend instead that you create the policy first, and then use the subsequent menus that become available. - -### Add apps to your Allowed apps list +### Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. 
Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. -The steps to add your apps are based on the type of template being applied. You can add a recommended app, a store app (also known as a Universal Windows Platform (UWP) app), or a signed Windows desktop app. +The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. >[!Important] ->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **Allowed apps** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. -#### Add a Recommended app to your Allowed apps list -For this example, we’re going to add Microsoft Edge, a recommended app, to the **Allowed apps** list. +#### Add a store app rule to your policy +For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. -**To add a recommended app** -1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. - - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. +**To add a store app** +1. From the **App Rules** area, click **Add**. - ![Microsoft Intune management console: Viewing the recommended apps that you can add to your policy](images/wip-azure-allowed-apps-pane.png) + The **Add App Rule** box appears. -2. From the **Allowed apps** blade, click **Add apps**. - - The **Add apps** blade appears, showing you all **Recommended apps**. + ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) - ![Microsoft Intune management console: Adding recommended apps to your policy](images/wip-azure-add-recommended-apps.png) +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. -3. Select each app you want to access your enterprise data, and then click **OK**. - - The **Allowed apps** blade updates to show you your selected apps. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. 
- ![Microsoft Intune management console: Allowed apps blade with recommended apps](images/wip-azure-allowed-apps-with-apps.png) + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. -#### Add a Store app to your Allowed apps list -For this example, we’re going to add Microsoft Power BI, a store app, to the **Allowed apps** list. +4. Pick **Store App** from the **Rule template** drop-down list. -**To add a Store app** -1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. - - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + The box changes to show the store app rule options. -2. From the **Allowed apps** blade, click **Add apps**. - -3. On the **Add apps** blade, click **Store apps** from the dropdown list. - - The blade changes to show boxes for you to add a publisher and app name. - -4. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the Product **name** is `Microsoft.MicrosoftPowerBIForWindows`. - -5. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list. - - >[!NOTE] - >To add multiple Store apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**. - - ![Microsoft Intune management console: Adding Store app info](images/wip-azure-add-store-apps.png) +5. Type the name of the app and the name of its publisher, and then click **OK**. 
For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps. -**To find the publisher and product name values for Store apps without installing them** -1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*. +**To find the Publisher and Product Name values for Store apps without installing them** +1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. -2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. +2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. + +3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. -3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. - The API runs and opens a text editor with the app details. 
+ ```json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` + +4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. + + >[!Important] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
```json { - "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", } ``` -4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune. - - >[!Important] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- {
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
- -**To find the publisher and product name values for apps installed on Windows 10 mobile phones** +**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. >**Note**
Your PC and phone must be on the same wireless network. @@ -148,362 +111,309 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. >[!Important] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- {
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
+ >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ ```json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` -#### Add a Desktop app to your Allowed apps list -For this example, we’re going to add WordPad, a desktop app, to the **Allowed apps** list. +#### Add a desktop app rule to your policy +For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. -**To add a Desktop app** -1. From the **App policy** blade, click the name of your policy, and then click **Allowed apps** from the menu that appears. +**To add a desktop app** +1. From the **App Rules** area, click **Add**. - The **Allowed apps** blade appears, showing you any apps that are already included in the list for this policy. + The **Add App Rule** box appears. + + ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) -2. From the **Allowed apps** blade, click **Add apps**. +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. -3. On the **Add apps** blade, click **Desktop apps** from the dropdown list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - The blade changes to show boxes for you to add the following, based on what results you want returned: + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + +4. Pick **Desktop App** from the **Rule template** drop-down list. + + The box changes to show the store app rule options. + +5. Pick the options you want to include for the app rule (see table), and then click **OK**. - + - + - - + + - - + + - - + + - - + + - - + + - - + +
FieldOption Manages
All fields marked as “*”All fields left as “*” All files signed by any publisher. (Not recommended)
Publisher onlyIf you only fill out this field, you’ll get all files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Name onlyIf you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Name, and File onlyIf you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Name, File, and Min version onlyIf you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Name, File, and Max version onlyIf you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
All fields completedIf you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
-4. After you’ve entered the info into the fields, click **OK** to add the app to your **Allowed apps** list. +If you’re unsure about what to include for the publisher, you can run this PowerShell command: - >[!Note] - >To add multiple Desktop apps at the same time, you can click the menu **(…)** at the end of the app row, and then continue to add more apps. When you’re done, click **OK**. +```ps1 + Get-AppLockerFileInformation -Path "" +``` +Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. - ![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png) +In this example, you'd get the following info: - **To find the Publisher values for Desktop apps** - If you’re unsure about what to include for the publisher, you can run this PowerShell command: +``` json + Path Publisher + ---- --------- + %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +``` +Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. - ```ps1 - Get-AppLockerFileInformation -Path "" - ``` - Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Windows NT\Accessories\wordpad.exe"`. +#### Add an AppLocker policy file +For this example, we’re going to add an AppLocker XML file to the **App Rules** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. 
- In this example, you'd get the following info: - - ``` json - Path Publisher - ---- --------- - %PROGRAMFILES%\WINDOWS NT\ACCESSORIES\WORDPAD.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US - ``` - Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter into the **Publisher** box and `WORDPAD.EXE` is the text to enter into the **File** box. - -#### Import a list of apps to your Allowed apps list -For this example, we’re going to add an AppLocker XML file to the **Allowed apps** list. You’ll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content. - -**To create a list of Allowed apps using the AppLocker tool** +**To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). -2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png) + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) -3. Right-click in the right-hand blade, and then click **Create New Rule**. +3. Right-click in the right-hand pane, and then click **Create New Rule**. The **Create Packaged app Rules** wizard appears. 4. On the **Before You Begin** page, click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-1.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) 5. 
On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/wip-applocker-secpol-wizard-2.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - ![Create Packaged app Rules wizard, showing the Publisher](images/wip-applocker-secpol-wizard-3.png) + ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. - ![Create Packaged app Rules wizard, showing the Select applications page](images/wip-applocker-secpol-wizard-4.png) + ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. - ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-secpol-wizard-5.png) - -9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy. - - ![Create Packaged app Rules wizard, showing the Microsoft Dynamics 365 on the Publisher page](images/wip-applocker-default-rule-warning.png) + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. 
- ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png) + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) -10. In the left blade, right-click on **AppLocker**, and then click **Export policy**. +10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png) + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. The policy is saved and you’ll see a message that says 1 rule was exported from the policy. **Example XML file**
- This is the XML file that AppLocker creates for Microsoft Dynamics 365. + This is the XML file that AppLocker creates for Microsoft Photos. ```xml - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + ``` - 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. -**To import your list of Allowed apps using Microsoft Intune** - -1. From the **Allowed apps** area, click **Import apps**. +**To import your Applocker policy file app rule using Microsoft Intune** +1. From the **App Rules** area, click **Add**. - The blade changes to let you add your import file. + The **Add App Rule** box appears. - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png) + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) -2. Browse to your exported AppLocker policy file, and then click **Open**. +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. - The file imports and the apps are added to your **Allowed app** list. +3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -#### Add exempt apps to your policy + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + +4. Pick **AppLocker policy file** from the **Rule template** drop-down list. + + The box changes to let you import your AppLocker XML policy file. + +5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. + + The file is imported and the apps are added to your **App Rules** list. 
+ +#### Exempt apps from WIP restrictions If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. -**To exempt a Store app, a Desktop app, or an AppLocker policy file from the Allowed apps list** - -1. From the **App policy** blade, click the name of your policy, and then click **Exempt apps** from the menu that appears. +**To exempt a store app, a desktop app, or an AppLocker policy file app rule** +1. From the **App Rules** area, click **Add**. - The **Exempt apps** blade appears, showing you any apps that are already included in the list for this policy. + The **Add App Rule** box appears. -2. From the **Exempt apps** blade, click **Add apps**. +2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-apps-to_your-allowed-apps-list) section of this topic. - -3. Fill out the rest of the app info, based on the type of app you’re adding: +3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. - - **Recommended app.** Follow the instructions in the [Add a Recommended app to your Allowed apps list](#add-a-recommended-app-to_your-allowed-apps-list) section of this topic. + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. 
- - **Store app.** Follow the instructions in the [Add a Store app to your Allowed apps list](#add-a-store-app-to_your-allowed-apps-list) section of this topic. +4. Fill out the rest of the app rule info, based on the type of rule you’re adding: - - **Desktop app.** Follow the instructions in the [Add a Desktop app to your Allowed apps list](#add-a-desktop-app-to_your-allowed-apps-list) section of this topic. + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. - - **AppLocker policy file.** Follow the instructions to create your app list in the [Import a list of apps to your Allowed apps list](#import-a-list-of-apps-to_your-allowed-apps-list) section of this topic, using a list of exempted apps. + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. -4. Click **OK**. + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + +5. Click **OK**. ### Manage the WIP protection mode for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. -We recommend that you start with **Silent** or **Allow Overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Hide Overrides**. +We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**. 
->[!NOTE] ->For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). +|Mode |Description | +|-----|------------| +|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| +|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| -**To add your protection mode** - -1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. - - The **Required settings** blade appears. - - ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png) - - |Mode |Description | - |-----|------------| - |Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| - |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| - |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| - |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| - -2. Click **Save**. +![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png) ### Define your enterprise-managed corporate identity Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. -Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field. You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. +You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. -**To change your corporate identity** +**To add your corporate identity** +- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. -1. From the **App policy** blade, click the name of your policy, and then click **Required settings** from the menu that appears. 
- - The **Required settings** blade appears. - -2. If the identity isn’t correct, or if you need to add additional domains, type info into the **Corporate identity** field. For example, `contoso.com|newcontoso.com`. - - ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png) + ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) ### Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). ->[!Important] ->Every WIP policy should include policy that defines your enterprise network locations.
Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. +>[!IMPORTANT] +>Every WIP policy should include policy that defines your enterprise network locations.
+>Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations. -**To define where your allowed apps can find and send enterprise data on you network** +**To define where your protected apps can find and send enterprise data on you network** -1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. - - The **Advanced settings** blade appears. +1. Add additional network locations your apps can access by clicking **Add**. -2. Click **Add network boundary** from the Network perimeter area. + The **Add or edit corporate network definition** box appears. - The **Add network boundary** blade appears. - - ![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png) - -3. Select the type of network boundary to add from the **Boundary type** box. - -4. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the following options, and then click **OK**. +2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. + ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) +

- - + + - - - + + + - + - + - + - + - + - + - + - + - + - + - + - +
Boundary typeValue formatNetwork location typeFormat Description
Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com
Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Network domain namesEnterprise Network Domain Names (Required) corp.contoso.com,region.contoso.comStarting with Windows 10, version 1703, this field is optional.

Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

If you have multiple resources, you must separate them using the "," delimiter.
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Proxy serversEnterprise Proxy Servers proxy.contoso.com:80;proxy2.contoso.com:443Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Internal proxy serversEnterprise Internal Proxy Servers contoso.internalproxy1.com;contoso.internalproxy2.comSpecify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.

If you have multiple resources, you must separate them using the ";" delimiter.
Specify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

IPv4 rangesEnterprise IPv4 Range (Required, if not using IPv6) **Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254
Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.
Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

IPv6 rangesEnterprise IPv6 Range (Required, if not using IPv4) **Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.
Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral resourcesNeutral Resources sts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.
Specify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

-5. Repeat steps 1-4 to add any additional network boundaries. +3. Add as many locations as you need, and then click **OK**. -6. Decide if you want to Windows to look for additional network settings: + The **Add corporate network definition** box closes. - ![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png) +4. Decide if you want to Windows to look for additional network settings: + + ![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. -### Upload your Data Recovery Agent (DRA) certificate -After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. +5. 
In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. ->[!Important] ->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://tnstage.redmond.corp.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic. + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) -**To upload your DRA certificate** -1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - The **Advanced settings** blade appears. - -2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. 
- - ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png) - -### Choose your optional WIP-related settings -After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. - -**To set your optional settings** - -1. Choose to set any or all optional settings: - - ![Microsoft Intune, Choose if you want to include any of the optional settings](images/wip-azure-advanced-settings-optional.png) - - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile.** Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - - **On (recommended).** Turns on the feature and provides the additional protection. - - - **Off, or not configured.** Doesn't enable this feature. - - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example if you’re migrating between Mobile Device Management (MDM) solutions. - - - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - - **On.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. 
Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with Managed text on the app name in the **Start** menu. - - - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. - - - **Use Azure RMS for WIP.** Determines whether to use Azure Rights Management encryption with Windows Information Protection. - - - **On.** Starts using Azure Rights Management encryption with WIP. By turning this option on, you can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. For more info about setting up Azure Rights management and using a template ID with WIP, see the [Choose to set up Azure Rights Management with WIP](#choose-to-set-up-azure-rights-management-with-wip) section of this topic. - - - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. 
+WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. 
@@ -512,22 +422,56 @@ Optionally, if you don’t want everyone in your organization to be able to shar >[!NOTE] >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +### Choose your optional WIP-related settings +After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. + +![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png) + +**To set your optional settings** +1. Choose to set any or all of the optional settings: + + - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + + - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. + + - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. + + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. 
Apps won't be able to read corporate data when the device is locked. The options are: + + - **Yes (recommended).** Turns on the feature and provides the additional protection. + + - **No, or not configured.** Doesn't enable this feature. + + - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + + - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + + - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: + + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + + - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + + - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. + + - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. + +2. Click **Save Policy**. 
+ ## Related topics -- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) - - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) -- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) +- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) -- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) - -- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) - -- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/) - - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) +- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) + >[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file 
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index 56341f5155..c7dcdf364b 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -14,23 +14,24 @@ localizationpriority: high
 # Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
 **Applies to:**
-- Windows 10, version 1607 and later
-- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
+- Windows 10, version 1607
+- Windows 10 Mobile
 After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
 **To deploy your WIP policy**
-1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
+1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
- A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane.
+ ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png)
-2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.

+The added people move to the **Selected Groups** list on the right-hand pane.
- The policy is deployed to the selected users' devices.
- - ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
+ ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png)
+3. After you've picked all of the employees and groups that should get the policy, click **OK**.

+The policy is deployed to the selected users' devices.
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
@@ -38,6 +39,6 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll
 ## Related topics
 - [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
-- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
-- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
\ No newline at end of file
diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
index dfd5630dc2..d8d0fb1910 100644
--- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera
 |Task|Description|
 |----|-----------|
 |Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.|
-|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
+|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Override**, **Silent**, or **Block**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
 |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
 |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 19071542aa..fe8a354526 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -76,13 +76,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. - - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Hide overrides**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using allowed apps.** Managed apps (apps that you've included on the **Allowed apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. 
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list. - - **Deciding your level of data access.** WIP lets you hide overrides, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). + - **Deciding your level of data access.** WIP lets you block overrides, allow overrides, or audit employees' data sharing actions. Blocking overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list. 
For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
@@ -131,8 +131,8 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
 |Mode|Description|
 |----|-----------|
-|Hide overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Allow overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
+|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.|
 |Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
 |Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.

**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index f2cd5d5e8b..3c9739ce2e 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -32,7 +32,8 @@
 "externalReference": [],
 "globalMetadata": {
 "uhfHeaderId": "MSDocsHeader-WindowsIT",
- "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
+ "breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
+ "ms.technology": "windows"
 },
 "fileMetadata": {},
 "template": [],