deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

desktop desktopa;;installer deviceguard devicehealthmonitoring deviceinstallation

Browse Source
This commit is contained in:
Liz Long 2022-12-29 12:01:25 -05:00
parent 2447a37757
commit 03f55e0b8e
5 changed files with 1603 additions and 1389 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

130
windows/client-management/mdm/policy-csp-desktop.md
View File

@ -1,92 +1,98 @@
--- ---
title: Policy CSP - Desktop title: Desktop Policy CSP
description: Learn how to use the Policy CSP - Desktop setting to prevent users from changing the path to their profile folders. description: Learn more about the Desktop Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/29/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- Desktop-Begin -->
# Policy CSP - Desktop # Policy CSP - Desktop
> [!TIP] > [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md). > Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> >
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy). > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> >
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<hr/> <!-- Desktop-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Desktop-Editable-End -->
<!--Policies--> <!-- PreventUserRedirectionOfProfileFolders-Begin -->
## Desktop policies ## PreventUserRedirectionOfProfileFolders
<dl> <!-- PreventUserRedirectionOfProfileFolders-Applicability-Begin -->
<dd> | Scope | Editions | Applicable OS |
<a href="#desktop-preventuserredirectionofprofilefolders">Desktop/PreventUserRedirectionOfProfileFolders</a> |:--|:--|:--|
</dd> | :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1703 [10.0.15063] and later |
</dl> <!-- PreventUserRedirectionOfProfileFolders-Applicability-End -->
<!-- PreventUserRedirectionOfProfileFolders-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/Desktop/PreventUserRedirectionOfProfileFolders
```
<!-- PreventUserRedirectionOfProfileFolders-OmaUri-End -->
<hr/> <!-- PreventUserRedirectionOfProfileFolders-Description-Begin -->
<!-- Description-Source-ADMX -->
<!--Policy--> Prevents users from changing the path to their profile folders.
<a href="" id="desktop-preventuserredirectionofprofilefolders"></a>**Desktop/PreventUserRedirectionOfProfileFolders**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting prevents users from changing the path to their profile folders.
By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box. By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties dialog box.
If you enable this setting, users are unable to type a new location in the Target box. If you enable this setting, users are unable to type a new location in the Target box.
<!-- PreventUserRedirectionOfProfileFolders-Description-End -->
<!--/Description--> <!-- PreventUserRedirectionOfProfileFolders-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- PreventUserRedirectionOfProfileFolders-Editable-End -->
<!-- PreventUserRedirectionOfProfileFolders-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked--> | Property name | Property value |
ADMX Info: |:--|:--|
- GP Friendly name: *Prohibit User from manually redirecting Profile Folders* | Format | chr (string) |
- GP name: *DisablePersonalDirChange* | Access Type | Add, Delete, Get, Replace |
- GP path: *Desktop* <!-- PreventUserRedirectionOfProfileFolders-DFProperties-End -->
- GP ADMX file name: *desktop.admx*
<!--/ADMXBacked--> <!-- PreventUserRedirectionOfProfileFolders-AdmxBacked-Begin -->
<!--/Policy--> > [!TIP]
<hr/> > This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | DisablePersonalDirChange |
| Friendly Name | Prohibit User from manually redirecting Profile Folders |
| Location | User Configuration |
| Path | Desktop |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Registry Value Name | DisablePersonalDirChange |
| ADMX File Name | Desktop.admx |
<!-- PreventUserRedirectionOfProfileFolders-AdmxBacked-End -->
<!--/Policies--> <!-- PreventUserRedirectionOfProfileFolders-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- PreventUserRedirectionOfProfileFolders-Examples-End -->
## Related topics <!-- PreventUserRedirectionOfProfileFolders-End -->
[Policy configuration service provider](policy-configuration-service-provider.md) <!-- Desktop-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- Desktop-CspMoreInfo-End -->
<!-- Desktop-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)

1097
windows/client-management/mdm/policy-csp-desktopappinstaller.md
View File

File diff suppressed because it is too large Load Diff

496
windows/client-management/mdm/policy-csp-deviceguard.md
View File

@ -1,259 +1,351 @@
--- ---
title: Policy CSP - DeviceGuard title: DeviceGuard Policy CSP
description: Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard. description: Learn more about the DeviceGuard Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/29/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- DeviceGuard-Begin -->
# Policy CSP - DeviceGuard # Policy CSP - DeviceGuard
<!-- DeviceGuard-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DeviceGuard-Editable-End -->
<hr/> <!-- ConfigureSystemGuardLaunch-Begin -->
## ConfigureSystemGuardLaunch
<!--Policies--> <!-- ConfigureSystemGuardLaunch-Applicability-Begin -->
## DeviceGuard policies | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1809 [10.0.17763] and later |
<!-- ConfigureSystemGuardLaunch-Applicability-End -->
<dl> <!-- ConfigureSystemGuardLaunch-OmaUri-Begin -->
<dd> ```Device
<a href="#deviceguard-configuresystemguardlaunch">DeviceGuard/ConfigureSystemGuardLaunch</a> ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch
</dd> ```
<dd> <!-- ConfigureSystemGuardLaunch-OmaUri-End -->
<a href="#deviceguard-enablevirtualizationbasedsecurity">DeviceGuard/EnableVirtualizationBasedSecurity</a>
</dd>
<dd>
<a href="#deviceguard-lsacfgflags">DeviceGuard/LsaCfgFlags</a>
</dd>
<dd>
<a href="#deviceguard-requireplatformsecurityfeatures">DeviceGuard/RequirePlatformSecurityFeatures</a>
</dd>
</dl>
<!-- ConfigureSystemGuardLaunch-Description-Begin -->
<!-- Description-Source-DDF -->
Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch.
<!-- ConfigureSystemGuardLaunch-Description-End -->
<hr/> <!-- ConfigureSystemGuardLaunch-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!--Policy-->
<a href="" id="deviceguard-configuresystemguardlaunch"></a>**DeviceGuard/ConfigureSystemGuardLaunch**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy allows the IT admin to configure the launch of System Guard.
Secure Launch configuration:
- 0 - Unmanaged, configurable by Administrative user
- 1 - Enables Secure Launch if supported by hardware
- 2 - Disables Secure Launch.
For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows). For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows).
<!-- ConfigureSystemGuardLaunch-Editable-End -->
<!--/Description--> <!-- ConfigureSystemGuardLaunch-DFProperties-Begin -->
<!--ADMXMapped--> **Description framework properties**:
ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP element: *SystemGuardDrop*
- GP path: *System/Device Guard*
- GP ADMX file name: *DeviceGuard.admx*
<!--/ADMXMapped--> | Property name | Property value |
<!--SupportedValues--> |:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- ConfigureSystemGuardLaunch-DFProperties-End -->
<!--/SupportedValues--> <!-- ConfigureSystemGuardLaunch-AllowedValues-Begin -->
<!--Example--> **Allowed values**:
<!--/Example--> | Value | Description |
<!--Validation--> |:--|:--|
| 0 (Default) | Unmanaged Configurable by Administrative user |
| 1 | Unmanaged Enables Secure Launch if supported by hardware |
| 2 | Unmanaged Disables Secure Launch |
<!-- ConfigureSystemGuardLaunch-AllowedValues-End -->
<!--/Validation--> <!-- ConfigureSystemGuardLaunch-GpMapping-Begin -->
<!--/Policy--> **Group policy mapping**:
<hr/> | Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Secure Launch Configuration |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- ConfigureSystemGuardLaunch-GpMapping-End -->
<!--Policy--> <!-- ConfigureSystemGuardLaunch-Examples-Begin -->
<a href="" id="deviceguard-enablevirtualizationbasedsecurity"></a>**DeviceGuard/EnableVirtualizationBasedSecurity** <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigureSystemGuardLaunch-Examples-End -->
<!--SupportedSKUs--> <!-- ConfigureSystemGuardLaunch-End -->
|Edition|Windows 10|Windows 11| <!-- EnableVirtualizationBasedSecurity-Begin -->
|--- |--- |--- | ## EnableVirtualizationBasedSecurity
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- EnableVirtualizationBasedSecurity-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- EnableVirtualizationBasedSecurity-Applicability-End -->
<!--/SupportedSKUs--> <!-- EnableVirtualizationBasedSecurity-OmaUri-Begin -->
<hr/> ```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity
```
<!-- EnableVirtualizationBasedSecurity-OmaUri-End -->
<!--Scope--> <!-- EnableVirtualizationBasedSecurity-Description-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): <!-- Description-Source-ADMX -->
Specifies whether Virtualization Based Security is enabled.
> [!div class = "checklist"] Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot, and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices.
> * Device
<hr/> Virtualization Based Protection of Code Integrity
<!--/Scope--> This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature.
<!--Description-->
Turns on virtualization based security(VBS) at the next reboot. Virtualization based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
<!--/Description--> The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned on with the "Enabled without lock" option.
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP path: *System/Device Guard*
- GP ADMX file name: *DeviceGuard.admx*
<!--/ADMXMapped--> The "Enabled with UEFI lock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) - disable virtualization based security. The "Enabled without lock" option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.
- 1 - enable virtualization based security.
<!--/SupportedValues--> The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
<!--/Policy-->
<hr/> The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protection of Code Integrity on devices with UEFI firmware support for the Memory Attributes Table. Devices without the UEFI Memory Attributes Table may have firmware that is incompatible with Virtualization Based Protection of Code Integrity which in some cases can lead to crashes or data loss or incompatibility with certain plug-in cards. If not setting this option the targeted devices should be tested to ensure compatibility.
<!--Policy--> Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.
<a href="" id="deviceguard-lsacfgflags"></a>**DeviceGuard/LsaCfgFlags**
<!--SupportedSKUs--> Credential Guard
|Edition|Windows 10|Windows 11| This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials.
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
For Windows 11 21H2 and earlier, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option. For later versions, the "Disabled" option turns off Credential Guard remotely if it was previously turned on with the "Enabled without lock" option or was "Not Configured".
<!--/SupportedSKUs--> The "Enabled with UEFI lock" option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
<hr/>
<!--Scope--> The "Enabled without lock" option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] For Windows 11 21H2 and earlier, the "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified. For later versions, if there is no current setting in the registry, the "Not Configured" option will enable Credential Guard without UEFI lock.
> * Device
<hr/> Secure Launch
<!--/Scope--> This setting sets the configuration of Secure Launch to secure the boot chain.
<!--Description-->
The "Not Configured" setting is the default, and allows configuration of the feature by Administrative users.
The "Enabled" option turns on Secure Launch on supported hardware.
The "Disabled" option turns off Secure Launch, regardless of hardware support.
Kernel-mode Hardware-enforced Stack Protection
This setting enables Hardware-enforced Stack Protection for kernel-mode code. When this security feature is enabled, kernel-mode data stacks are hardened with hardware-based shadow stacks, which store intended return address targets to ensure that program control flow is not tampered.
This security feature has the following prerequisites:
1) The CPU hardware supports hardware-based shadow stacks.
2) Virtualization Based Protection of Code Integrity is enabled.
If either prerequisite is not met, this feature will not be enabled, even if an "Enabled" option is selected for this feature.
**Note** that selecting an "Enabled" option for this feature will not automatically enable Virtualization Based Protection of Code Integrity, that needs to be done separately.
Devices that enable this security feature must be running at least Windows 11 (Version 22H2).
The "Disabled" option turns off kernel-mode Hardware-enforced Stack Protection.
The "Enabled in audit mode" option enables kernel-mode Hardware-enforced Stack Protection in audit mode, where shadow stack violations are not fatal and will be logged to the system event log.
The "Enabled in enforcement mode" option enables kernel-mode Hardware-enforced Stack Protection in enforcement mode, where shadow stack violations are fatal.
The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the registry, and so it has no impact on computers or users. If there is a current setting in the registry it will not be modified.
Warning: All drivers on the system must be compatible with this security feature or the system may crash in enforcement mode. Audit mode can be used to discover incompatible drivers. For more information, refer to <https://go.microsoft.com/fwlink/?LinkId=2162953>.
<!-- EnableVirtualizationBasedSecurity-Description-End -->
<!-- EnableVirtualizationBasedSecurity-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- EnableVirtualizationBasedSecurity-Editable-End -->
<!-- EnableVirtualizationBasedSecurity-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- EnableVirtualizationBasedSecurity-DFProperties-End -->
<!-- EnableVirtualizationBasedSecurity-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | disable virtualization based security. |
| 1 | enable virtualization based security. |
<!-- EnableVirtualizationBasedSecurity-AllowedValues-End -->
<!-- EnableVirtualizationBasedSecurity-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| Registry Value Name | EnableVirtualizationBasedSecurity |
| ADMX File Name | DeviceGuard.admx |
<!-- EnableVirtualizationBasedSecurity-GpMapping-End -->
<!-- EnableVirtualizationBasedSecurity-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- EnableVirtualizationBasedSecurity-Examples-End -->
<!-- EnableVirtualizationBasedSecurity-End -->
<!-- LsaCfgFlags-Begin -->
## LsaCfgFlags
<!-- LsaCfgFlags-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- LsaCfgFlags-Applicability-End -->
<!-- LsaCfgFlags-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags
```
<!-- LsaCfgFlags-OmaUri-End -->
<!-- LsaCfgFlags-Description-Begin -->
<!-- Description-Source-DDF -->
Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.
<!-- LsaCfgFlags-Description-End -->
<!-- LsaCfgFlags-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LsaCfgFlags-Editable-End -->
<!-- LsaCfgFlags-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- LsaCfgFlags-DFProperties-End -->
<!-- LsaCfgFlags-AllowedValues-Begin -->
**Allowed values**:
| Value | Description |
|:--|:--|
| 0 (Default) | (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. |
| 1 | (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. |
| 2 | (Enabled without lock) Turns on Credential Guard without UEFI lock. |
<!-- LsaCfgFlags-AllowedValues-End -->
<!-- LsaCfgFlags-GpMapping-Begin -->
**Group policy mapping**:
| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Credential Guard Configuration |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- LsaCfgFlags-GpMapping-End -->
<!-- LsaCfgFlags-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LsaCfgFlags-Examples-End -->
<!-- LsaCfgFlags-End -->
<!-- RequirePlatformSecurityFeatures-Begin -->
## RequirePlatformSecurityFeatures
<!-- RequirePlatformSecurityFeatures-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :x: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :x: Windows SE | :heavy_check_mark: Windows 10, version 1709 [10.0.16299] and later |
<!-- RequirePlatformSecurityFeatures-Applicability-End -->
<!-- RequirePlatformSecurityFeatures-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures
```
<!-- RequirePlatformSecurityFeatures-OmaUri-End -->
<!-- RequirePlatformSecurityFeatures-Description-Begin -->
<!-- Description-Source-DDF -->
Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.
<!-- RequirePlatformSecurityFeatures-Description-End -->
<!-- RequirePlatformSecurityFeatures-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.
<!-- RequirePlatformSecurityFeatures-Editable-End -->
<!--/Description--> <!-- RequirePlatformSecurityFeatures-DFProperties-Begin -->
<!--ADMXMapped--> **Description framework properties**:
ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP element: *CredentialIsolationDrop*
- GP path: *System/Device Guard*
- GP ADMX file name: *DeviceGuard.admx*
<!--/ADMXMapped--> | Property name | Property value |
<!--SupportedValues--> |:--|:--|
The following list shows the supported values: | Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |
<!-- RequirePlatformSecurityFeatures-DFProperties-End -->
- 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. <!-- RequirePlatformSecurityFeatures-AllowedValues-Begin -->
- 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. **Allowed values**:
- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock.
<!--/SupportedValues--> | Value | Description |
<!--/Policy--> |:--|:--|
| 1 (Default) | Turns on VBS with Secure Boot. |
| 3 | Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support. |
<!-- RequirePlatformSecurityFeatures-AllowedValues-End -->
<hr/> <!-- RequirePlatformSecurityFeatures-GpMapping-Begin -->
**Group policy mapping**:
<!--Policy--> | Name | Value |
<a href="" id="deviceguard-requireplatformsecurityfeatures"></a>**DeviceGuard/RequirePlatformSecurityFeatures** |:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Select Platform Security Level |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |
<!-- RequirePlatformSecurityFeatures-GpMapping-End -->
<!--SupportedSKUs--> <!-- RequirePlatformSecurityFeatures-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- RequirePlatformSecurityFeatures-Examples-End -->
|Edition|Windows 10|Windows 11| <!-- RequirePlatformSecurityFeatures-End -->
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Windows SE|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs--> <!-- DeviceGuard-CspMoreInfo-Begin -->
<hr/> <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- DeviceGuard-CspMoreInfo-End -->
<!--Scope--> <!-- DeviceGuard-End -->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"] ## Related articles
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This setting specifies the platform security level at the next reboot. Value type is integer.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
- GP Friendly name: *Turn On Virtualization Based Security*
- GP name: *VirtualizationBasedSecurity*
- GP element: *RequirePlatformSecurityFeaturesDrop*
- GP path: *System/Device Guard*
- GP ADMX file name: *DeviceGuard.admx*
<!--/ADMXMapped-->
<!--SupportedValues-->
The following list shows the supported values:
- 1 (default) - Turns on VBS with Secure Boot.
- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
<!--/SupportedValues-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md) [Policy configuration service provider](policy-configuration-service-provider.md)

289
windows/client-management/mdm/policy-csp-devicehealthmonitoring.md
View File

@ -1,189 +1,200 @@
--- ---
title: Policy CSP - DeviceHealthMonitoring title: DeviceHealthMonitoring Policy CSP
description: Learn how the Policy CSP - DeviceHealthMonitoring setting is used as an opt-in health monitoring connection between the device and Microsoft. description: Learn more about the DeviceHealthMonitoring Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa ms.author: vinpa
ms.topic: article ms.date: 12/29/2022
ms.localizationpriority: medium
ms.prod: windows-client ms.prod: windows-client
ms.technology: itpro-manage ms.technology: itpro-manage
author: vinaypamnani-msft ms.topic: reference
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: aaroncz
--- ---
<!-- Auto-Generated CSP Document -->
<!-- DeviceHealthMonitoring-Begin -->
# Policy CSP - DeviceHealthMonitoring # Policy CSP - DeviceHealthMonitoring
<!-- DeviceHealthMonitoring-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DeviceHealthMonitoring-Editable-End -->
<!-- AllowDeviceHealthMonitoring-Begin -->
## AllowDeviceHealthMonitoring
<hr/> <!-- AllowDeviceHealthMonitoring-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- AllowDeviceHealthMonitoring-Applicability-End -->
<!--Policies--> <!-- AllowDeviceHealthMonitoring-OmaUri-Begin -->
## DeviceHealthMonitoring policies ```Device
./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring
```
<!-- AllowDeviceHealthMonitoring-OmaUri-End -->
<dl> <!-- AllowDeviceHealthMonitoring-Description-Begin -->
<dd> <!-- Description-Source-DDF -->
<a href="#devicehealthmonitoring-allowdevicehealthmonitoring">DeviceHealthMonitoring/AllowDeviceHealthMonitoring</a> Enable/disable 4Nines device health monitoring on devices.
</dd> <!-- AllowDeviceHealthMonitoring-Description-End -->
<dd>
<a href="#devicehealthmonitoring-configdevicehealthmonitoringscope">DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope</a>
</dd>
<dd>
<a href="#devicehealthmonitoring-configdevicehealthmonitoringuploaddestination">DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination</a>
</dd>
</dl>
<!-- AllowDeviceHealthMonitoring-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- AllowDeviceHealthMonitoring-Editable-End -->
<hr/> <!-- AllowDeviceHealthMonitoring-DFProperties-Begin -->
**Description framework properties**:
<!--Policy--> | Property name | Property value |
<a href="" id="devicehealthmonitoring-allowdevicehealthmonitoring"></a>**DeviceHealthMonitoring/AllowDeviceHealthMonitoring** |:--|:--|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
<!-- AllowDeviceHealthMonitoring-DFProperties-End -->
<!--SupportedSKUs--> <!-- AllowDeviceHealthMonitoring-AllowedValues-Begin -->
**Allowed values**:
|Edition|Windows 10|Windows 11| | Value | Description |
|--- |--- |--- | |:--|:--|
|Home|No|No| | 1 | The DeviceHealthMonitoring connection is enabled. |
|Pro|Yes|Yes| | 0 (Default) | The DeviceHealthMonitoring connection is disabled. |
|Windows SE|No|Yes| <!-- AllowDeviceHealthMonitoring-AllowedValues-End -->
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- AllowDeviceHealthMonitoring-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- AllowDeviceHealthMonitoring-Examples-End -->
<!--/SupportedSKUs--> <!-- AllowDeviceHealthMonitoring-End -->
<hr/>
<!--Scope--> <!-- ConfigDeviceHealthMonitoringScope-Begin -->
[Scope](./policy-configuration-service-provider.md#policy-scope): ## ConfigDeviceHealthMonitoringScope
> [!div class = "checklist"] <!-- ConfigDeviceHealthMonitoringScope-Applicability-Begin -->
> * Device | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- ConfigDeviceHealthMonitoringScope-Applicability-End -->
<hr/> <!-- ConfigDeviceHealthMonitoringScope-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope
```
<!-- ConfigDeviceHealthMonitoringScope-OmaUri-End -->
<!--/Scope--> <!-- ConfigDeviceHealthMonitoringScope-Description-Begin -->
<!--Description--> <!-- Description-Source-DDF -->
DeviceHealthMonitoring is an opt-in health monitoring connection between the device and Microsoft. You should enable this policy only if your organization is using a Microsoft device monitoring service that requires it. If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which types of events are monitored.
<!-- ConfigDeviceHealthMonitoringScope-Description-End -->
<!--/Description--> <!-- ConfigDeviceHealthMonitoringScope-Editable-Begin -->
<!--SupportedValues--> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
The following list shows the supported values: <!-- ConfigDeviceHealthMonitoringScope-Editable-End -->
- 1 -The DeviceHealthMonitoring connection is enabled. <!-- ConfigDeviceHealthMonitoringScope-DFProperties-Begin -->
- 0 - (default)—The DeviceHealthMonitoring connection is disabled. **Description framework properties**:
<!--/SupportedValues--> | Property name | Property value |
<!--Example--> |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringScope_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- ConfigDeviceHealthMonitoringScope-DFProperties-End -->
<!--/Example--> <!-- ConfigDeviceHealthMonitoringScope-Examples-Begin -->
<!--Validation--> <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringScope-Examples-End -->
<!--/Validation--> <!-- ConfigDeviceHealthMonitoringScope-End -->
<!--/Policy-->
<hr/> <!-- ConfigDeviceHealthMonitoringServiceInstance-Begin -->
## ConfigDeviceHealthMonitoringServiceInstance
<!--Policy--> <!-- ConfigDeviceHealthMonitoringServiceInstance-Applicability-Begin -->
<a href="" id="devicehealthmonitoring-configdevicehealthmonitoringscope"></a>**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope** | Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- ConfigDeviceHealthMonitoringServiceInstance-Applicability-End -->
<!--SupportedSKUs--> <!-- ConfigDeviceHealthMonitoringServiceInstance-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringServiceInstance
```
<!-- ConfigDeviceHealthMonitoringServiceInstance-OmaUri-End -->
|Edition|Windows 10|Windows 11| <!-- ConfigDeviceHealthMonitoringServiceInstance-Description-Begin -->
|--- |--- |--- | <!-- Description-Source-DDF -->
|Home|No|No| If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which service instance to which events are to be uploaded.
|Pro|Yes|Yes| <!-- ConfigDeviceHealthMonitoringServiceInstance-Description-End -->
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- ConfigDeviceHealthMonitoringServiceInstance-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringServiceInstance-Editable-End -->
<!--/SupportedSKUs--> <!-- ConfigDeviceHealthMonitoringServiceInstance-DFProperties-Begin -->
<hr/> **Description framework properties**:
<!--Scope--> | Property name | Property value |
[Scope](./policy-configuration-service-provider.md#policy-scope): |:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringServiceInstance_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- ConfigDeviceHealthMonitoringServiceInstance-DFProperties-End -->
> [!div class = "checklist"] <!-- ConfigDeviceHealthMonitoringServiceInstance-Examples-Begin -->
> * Device <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringServiceInstance-Examples-End -->
<hr/> <!-- ConfigDeviceHealthMonitoringServiceInstance-End -->
<!--/Scope--> <!-- ConfigDeviceHealthMonitoringUploadDestination-Begin -->
<!--Description--> ## ConfigDeviceHealthMonitoringUploadDestination
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
This policy modifies which health events are sent to Microsoft on the DeviceHealthMonitoring connection.
IT Pros don't need to set this policy. Instead, Microsoft Intune is expected to dynamically manage this value in coordination with the Microsoft device health monitoring service.
<!-- ConfigDeviceHealthMonitoringUploadDestination-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 1903 [10.0.18362] and later |
<!-- ConfigDeviceHealthMonitoringUploadDestination-Applicability-End -->
<!--/Description--> <!-- ConfigDeviceHealthMonitoringUploadDestination-OmaUri-Begin -->
<!--SupportedValues--> ```Device
./Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination
```
<!-- ConfigDeviceHealthMonitoringUploadDestination-OmaUri-End -->
<!--/SupportedValues--> <!-- ConfigDeviceHealthMonitoringUploadDestination-Description-Begin -->
<!--Example--> <!-- Description-Source-DDF -->
If the device is not opted-in to the DeviceHealthMonitoring service via the AllowDeviceHealthMonitoring then this policy has no meaning. For devices which are opted in, the value of this policy modifies which destinations are in-scope for monitored events to be uploaded.
<!-- ConfigDeviceHealthMonitoringUploadDestination-Description-End -->
<!--/Example--> <!-- ConfigDeviceHealthMonitoringUploadDestination-Editable-Begin -->
<!--Validation--> <!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringUploadDestination-Editable-End -->
<!--/Validation--> <!-- ConfigDeviceHealthMonitoringUploadDestination-DFProperties-Begin -->
<!--/Policy--> **Description framework properties**:
<hr/> | Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Dependency [DeviceHealthMonitoring_ConfigDeviceHealthMonitoringUploadDestination_DependencyGroup] | Dependency Type: `DependsOn` <br> Dependency URI: `Device/Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/AllowDeviceHealthMonitoring` <br> Dependency Allowed Value: `[1]` <br> Dependency Allowed Value Type: `Range` <br> |
<!-- ConfigDeviceHealthMonitoringUploadDestination-DFProperties-End -->
<!--Policy--> <!-- ConfigDeviceHealthMonitoringUploadDestination-Examples-Begin -->
<a href="" id="devicehealthmonitoring-configdevicehealthmonitoringuploaddestination"></a>**DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination** <!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ConfigDeviceHealthMonitoringUploadDestination-Examples-End -->
<!--SupportedSKUs--> <!-- ConfigDeviceHealthMonitoringUploadDestination-End -->
|Edition|Windows 10|Windows 11| <!-- DeviceHealthMonitoring-CspMoreInfo-Begin -->
|--- |--- |--- | <!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
|Home|No|No| <!-- DeviceHealthMonitoring-CspMoreInfo-End -->
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- DeviceHealthMonitoring-End -->
<!--/SupportedSKUs--> ## Related articles
<hr/>
<!--Scope--> [Policy configuration service provider](policy-configuration-service-provider.md)
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy is applicable only if the [AllowDeviceHealthMonitoring](#devicehealthmonitoring-allowdevicehealthmonitoring) policy has been set to 1 (Enabled) on the device.
The value of this policy constrains the DeviceHealthMonitoring connection to certain destinations in order to support regional and sovereign cloud scenarios.
In most cases, an IT Pro doesn't need to define this policy. Instead, it's expected that this value is dynamically managed by Microsoft Intune to align with the region or cloud to which the device's tenant is already linked.
Configure this policy manually only when explicitly instructed to do so by a Microsoft device monitoring service.
<!--/Description-->
<!--SupportedValues-->
<!--/SupportedValues-->
<!--Example-->
<!--/Example-->
<!--Validation-->
<!--/Validation-->
<!--/Policy-->
<hr/>
<!--/Policies-->
## Related topics
[Policy configuration service provider](policy-configuration-service-provider.md)

980
windows/client-management/mdm/policy-csp-deviceinstallation.md
View File

File diff suppressed because it is too large Load Diff