deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' into 4749599-ASCIItotextimage-61-78

Browse Source
This commit is contained in:
Daniel Simpson 2021-03-15 10:16:38 -07:00 committed by GitHub
commit 090d45e7ed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
41 changed files with 1542 additions and 174 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
windows/client-management/mdm/TOC.md
View File

@ -202,6 +202,7 @@
#### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md)
#### [ADMX_EventLog](policy-csp-admx-eventlog.md)
#### [ADMX_Explorer](policy-csp-admx-explorer.md)
#### [ADMX_FileRecovery](policy-csp-admx-filerecovery.md)
#### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md)
#### [ADMX_FileSys](policy-csp-admx-filesys.md)
#### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md)

12
windows/client-management/mdm/activesync-csp.md
View File

@ -19,8 +19,8 @@ The ActiveSync configuration service provider is used to set up and change setti
Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
> **Note**  
The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
@ -65,8 +65,8 @@ ActiveSync
<a href="" id="--user-vendor-msft-activesync"></a>**./User/Vendor/MSFT/ActiveSync**
The root node for the ActiveSync configuration service provider.
> **Note**  
The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
> [!NOTE]
> The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
@ -261,8 +261,8 @@ Valid values are one of the following:
<a href="" id="options-contenttypes-content-type-guid-name"></a>**Options/ContentTypes/*Content Type GUID*/Name**
Required. A character string that specifies the name of the content type.
> **Note**  In Windows 10, this node is currently not working.
> [!NOTE]
> In Windows 10, this node is currently not working.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).

4
windows/client-management/mdm/alljoynmanagement-csp.md
View File

@ -17,8 +17,8 @@ ms.date: 06/26/2017
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
> **Note**  
The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
> [!NOTE]
> The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.

6
windows/client-management/mdm/applicationcontrol-csp.md
View File

@ -122,7 +122,7 @@ The following table provides the result of this policy based on different values
|False|False|True|Not Reachable.|
|False|False|False|*Not Reachable.|
`*` denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
\* denotes a valid intermediary state; however, if an MDM transaction results in this state configuration, the END_COMMAND_PROCESSING will result in a fail.
<a href="" id="applicationcontrol-policies-policyguid-policyinfo-status"></a>**ApplicationControl/Policies/_Policy GUID_/PolicyInfo/Status**
This node specifies whether the deployment of the policy indicated by the GUID was successful.
@ -140,7 +140,7 @@ Value type is char.
## Microsoft Endpoint Manager (MEM) Intune Usage Guidance
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune)
For customers using Intune standalone or hybrid management with Configuration Manager (MEMCM) to deploy custom policies via the ApplicationControl CSP, refer to [Deploy Windows Defender Application Control policies by using Microsoft Intune](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune).
## Generic MDM Server Usage Guidance
@ -152,7 +152,7 @@ In order to leverage the ApplicationControl CSP without using Intune, you must:
Below is a sample certutil invocation:
```cmd
```console
certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
```

8
windows/client-management/mdm/applocker-csp.md
View File

@ -332,7 +332,7 @@ The following table show the mapping of information to the AppLocker publisher r
Here is an example AppLocker publisher rule:
``` syntax
```xml
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
@ -343,7 +343,9 @@ You can get the publisher name and product name of apps using a web API.
**To find publisher and product name for Microsoft apps in Microsoft Store for Business**
1. Go to the Microsoft Store for Business website, and find your app. For example, Microsoft OneNote.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, **9wzdncrfhvjl**.
3. In your browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values.
<table>
@ -366,13 +368,13 @@ Here is the example for Microsoft OneNote:
Request
``` syntax
```http
https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata
```
Result
``` syntax
```json
{
"packageFamilyName": "Microsoft.Office.OneNote_8wekyb3d8bbwe",
"packageIdentityName": "Microsoft.Office.OneNote",

36
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -60,7 +60,7 @@ Starting in Windows 10, version 1607, you can use a provisioned app to configur
Here's an example:
``` syntax
```json
{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
@ -104,7 +104,8 @@ In Windows 10, version 1803, Assigned Access runtime status only supports monito
| KioskModeAppNotFound | This occurs when the kiosk app is not deployed to the machine. |
| KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. |
Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus.
> [!NOTE]
> Status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus.
|Status code | KioskModeAppRuntimeStatus |
|---------|---------|
@ -123,7 +124,8 @@ In Windows 10, version 1809, Assigned Access runtime status supports monitoring
|ActivationFailed|The AssignedAccess account (kiosk or multi-app) failed to sign in.|
|AppNoResponse|The kiosk app launched successfully but is now unresponsive.|
Note that status codes available in the Status payload correspond to a specific AssignedAccessRuntimeStatus.
> [!NOTE]
> Status codes available in the Status payload correspond to a specific AssignedAccessRuntimeStatus.
|Status code|AssignedAccessRuntimeStatus|
|---|---|
@ -580,7 +582,7 @@ Escape and CDATA are mechanisms when handling xml in xml. Consider its a tran
This example shows escaped XML of the Data node.
```
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
@ -649,8 +651,10 @@ This example shows escaped XML of the Data node.
</SyncBody>
</SyncML>
```
This example shows escaped XML of the Data node.
```
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
@ -721,7 +725,8 @@ This example shows escaped XML of the Data node.
```
This example uses CData for the XML.
```
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
@ -792,7 +797,8 @@ This example uses CData for the XML.
```
Example of Get command that returns the configuration in the device.
```
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
@ -809,7 +815,8 @@ Example of Get command that returns the configuration in the device.
```
Example of the Delete command.
```
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
@ -1129,6 +1136,7 @@ Shell Launcher V2 uses a separate XSD and namespace for backward compatibility.
</xs:element>
</xs:schema>
```
### Shell Launcher V2 XSD
```xml
@ -1158,7 +1166,8 @@ Shell Launcher V2 uses a separate XSD and namespace for backward compatibility.
## ShellLauncherConfiguration examples
ShellLauncherConfiguration Add
```
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
@ -1227,7 +1236,8 @@ ShellLauncherConfiguration Add
```
ShellLauncherConfiguration Add AutoLogon
```
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
@ -1275,7 +1285,8 @@ ShellLauncherConfiguration Add AutoLogon
```
ShellLauncher V2 Add
```
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
@ -1330,7 +1341,8 @@ xmlns:V2="http://schemas.microsoft.com/ShellLauncher/2019/Configuration">
```
ShellLauncherConfiguration Get
```
```xml
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>

1
windows/client-management/mdm/bitlocker-csp.md
View File

@ -17,6 +17,7 @@ The BitLocker configuration service provider (CSP) is used by the enterprise to
> [!NOTE]
> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
>
> You must send all the settings together in a single SyncML to be effective.
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns

36
windows/client-management/mdm/certificatestore-csp.md
View File

@ -111,7 +111,8 @@ Defines the certificate store that contains root, or self-signed, certificates.
Supported operation is Get.
> **Note**  Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates.
> [!NOTE]
> Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates.
@ -120,7 +121,8 @@ Defines the certificate store that contains cryptographic information, including
Supported operation is Get.
> **Note**  CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates.
> [!NOTE]
> CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates.
@ -129,7 +131,8 @@ Defines the certificate store that contains public keys for client certificates.
Supported operation is Get.
> **Note**  My/User is case sensitive.
> [!NOTE]
> My/User is case sensitive.
@ -138,7 +141,8 @@ Defines the certificate store that contains public key for client certificate. T
Supported operation is Get.
> **Note**  My/System is case sensitive.
> [!NOTE]
> My/System is case sensitive.
@ -182,7 +186,8 @@ Required for Simple Certificate Enrollment Protocol (SCEP) certificate enrollmen
Supported operation is Get.
> **Note**  Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP.
> [!NOTE]
> Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP.
@ -196,7 +201,8 @@ Required for SCEP certificate enrollment. Parent node to group SCEP certificate
Supported operations are Add, Replace, and Delete.
> **Note**   Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values.
> [!NOTE]
> Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values.
@ -296,7 +302,8 @@ Valid values are one of the following:
- Months
- Years
> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
> [!NOTE]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
@ -305,7 +312,8 @@ Optional. Specifies desired number of units used in validity period and subject
Supported operations are Get, Add, Delete, and Replace.
> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
> [!NOTE]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
@ -362,7 +370,8 @@ Supported operation is Get.
<a href="" id="my-wstep-renew-serverurl"></a>**My/WSTEP/Renew/ServerURL**
Optional. Specifies the URL of certificate renewal server. If this node does not exist, the client uses the initial certificate enrollment URL.
> **Note**  The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
> [!NOTE]
> The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
@ -375,7 +384,8 @@ The default value is 42 and the valid values are 1 1000. Value type is an in
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
@ -390,7 +400,8 @@ The default value is 7 and the valid values are 1 1000 AND =< RenewalPeriod,
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
@ -401,7 +412,8 @@ ROBO is the only supported renewal method for Windows 10. This value is ignored
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
> [!NOTE]
> When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.

3
windows/client-management/mdm/clientcertificateinstall-csp.md
View File

@ -325,7 +325,8 @@ Valid values are:
- Months
- Years
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
> [!NOTE]
> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
Supported operations are Add, Get, Delete, and Replace.

10
windows/client-management/mdm/cm-proxyentries-csp.md
View File

@ -17,11 +17,11 @@ ms.date: 06/26/2017
The CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
> **Note**  CM\_ProxyEntries CSP is only supported in Windows 10 Mobile.
>
>
>
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
> [!NOTE]
> CM\_ProxyEntries CSP is only supported in Windows 10 Mobile.
> [!IMPORTANT]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.

5
windows/client-management/mdm/cmpolicy-csp.md
View File

@ -17,9 +17,8 @@ ms.date: 06/26/2017
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies

4
windows/client-management/mdm/cmpolicyenterprise-csp.md
View File

@ -17,8 +17,8 @@ ms.date: 06/26/2017
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.

5
windows/client-management/mdm/customdeviceui-csp.md
View File

@ -17,7 +17,9 @@ ms.date: 06/26/2017
The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported.
The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
> **Note**  This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
> [!NOTE]
> This configuration service provider only applies to Windows 10 IoT Core (IoT Core).
```
./Vendor/MSFT
CustomDeviceUI
@ -25,6 +27,7 @@ CustomDeviceUI
----BackgroundTasksToLaunch
--------BackgroundTaskPackageName
```
<a href="" id="./Vendor/MSFT/CustomDeviceUI"></a>**./Vendor/MSFT/CustomDeviceUI**
The root node for the CustomDeviceUI configuration service provider. The supported operation is Get.

9
windows/client-management/mdm/devdetail-csp.md
View File

@ -176,8 +176,10 @@ The following are the available naming macros:
Value type is string. Supported operations are Get and Replace.
> [!Note]
> On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer&quot;s` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
> [!NOTE]
> We recommend using `%SERIAL%` or `%RAND:x%` with a high character limit to reduce the chance of name collision when generating a random name. This feature doesn't check if a particular name is already present in the environment.
On desktop PCs, this setting specifies the DNS hostname of the computer (Computer Name) up to 63 characters. Use `%RAND:x%` to generate x number of random digits in the name, where x must be a number less than 63. For domain-joined computers, the unique name must use `%RAND:x%`. Use `%SERIAL%` to generate the name with the `computer's` serial number embedded. If the serial number exceeds the character limit, it will be truncated from the beginning of the sequence. The character restriction limit does not count the length of the macros, `%RAND:x%` and `%SERIAL%`. This setting is supported only in Windows 10, version 1803 and later. To change this setting in Windows 10, version 1709 and earlier releases, use the **ComputerName** setting under **Accounts** > **ComputerAccount**.
<a href="" id="ext-microsoft-totalstorage"></a>**Ext/Microsoft/TotalStorage**
Added in Windows 10, version 1511. Integer that specifies the total available storage in MB from first internal drive on the device (may be less than total physical storage).
@ -248,6 +250,3 @@ Supported operation is Get.

3
windows/client-management/mdm/devinfo-csp.md
View File

@ -17,7 +17,8 @@ ms.date: 06/26/2017
The DevInfo configuration service provider handles the managed object which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 

36
windows/client-management/mdm/diagnosticlog-csp.md
View File

@ -26,9 +26,39 @@ The following are the links to different versions of the DiagnosticLog CSP DDF f
- [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2)
The following diagram shows the DiagnosticLog CSP in tree format.
![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png)
The following shows the DiagnosticLog CSP in tree format.
```
./Vendor/MSFT
DiagnosticLog
----EtwLog
--------Collectors
------------CollectorName
----------------TraceStatus
----------------TraceLogFileMode
----------------TraceControl
----------------LogFileSizeLimitMB
----------------Providers
--------------------ProviderGuid
------------------------Keywords
------------------------TraceLevel
------------------------State
--------Channels
------------ChannelName
----------------Export
----------------State
----------------Filter
----DeviceStateData
--------MdmConfiguration
----FileDownload
--------DMChannel
------------FileContext
----------------BlockSizeKB
----------------BlockCount
----------------BlockIndexToRead
----------------BlockData
----------------DataBlocks
--------------------BlockNumber
```
<a href="" id="--vendor-msft-diagnosticlog"></a>**./Vendor/MSFT/DiagnosticLog**
The root node for the DiagnosticLog CSP.

42
windows/client-management/mdm/dmacc-csp.md
View File

@ -23,10 +23,46 @@ The DMAcc configuration service provider allows an OMA Device Management (DM) ve
For the DMAcc CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
![dmacc csp (dm)](images/provisioning-csp-dmacc-dm.png)
The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider.
```
./SyncML
DMAcc
----*
--------AppID
--------ServerID
--------Name
--------PrefConRef
--------AppAddr
------------*
----------------Addr
----------------AddrType
----------------Port
--------------------*
------------------------PortNbr
--------AAuthPref
--------AppAuth
------------*
----------------AAuthLevel
----------------AAuthType
----------------AAuthName
----------------AAuthSecret
----------------AAuthData
--------Ext
------------Microsoft
----------------Role
----------------ProtoVer
----------------DefaultEncoding
----------------UseHwDevID
----------------ConnRetryFreq
----------------InitialBackOffTime
----------------MaxBackOffTime
----------------BackCompatRetryDisabled
----------------UseNonceResync
----------------CRLCheck
----------------DisableOnRoaming
----------------SSLCLIENTCERTSEARCHCRITERIA
```
<a href="" id="dmacc"></a>**DMAcc**
Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol.

49
windows/client-management/mdm/dmclient-csp.md
View File

@ -17,11 +17,50 @@ ms.date: 11/01/2017
The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment.
The following diagram shows the DMClient CSP in tree format.
![dmclient csp](images/provisioning-csp-dmclient-th2.png)
The following shows the DMClient CSP in tree format.
```
./Vendor/MSFT
DMClient
----Provider
--------
------------EntDeviceName
------------ExchangeID
------------EntDMID
------------SignedEntDMID
------------CertRenewTimeStamp
------------PublisherDeviceID
------------ManagementServiceAddress
------------UPN
------------HelpPhoneNumber
------------HelpWebsite
------------HelpEmailAddress
------------RequireMessageSigning
------------SyncApplicationVersion
------------MaxSyncApplicationVersion
------------Unenroll
------------AADResourceID
------------AADDeviceID
------------EnrollmentType
------------EnableOmaDmKeepAliveMessage
------------HWDevID
------------ManagementServerAddressList
------------CommercialID
------------Push
----------------PFN
----------------ChannelURI
----------------Status
------------Poll
----------------IntervalForFirstSetOfRetries
----------------NumberOfFirstRetries
----------------IntervalForSecondSetOfRetries
----------------NumberOfSecondRetries
----------------IntervalForRemainingScheduledRetries
----------------NumberOfRemainingScheduledRetries
----------------PollOnLogin
----------------AllUsersPollOnFirstLogin
----Unenroll
----UpdateManagementServiceAddress
```
<a href="" id="msft"></a>**./Vendor/MSFT**
All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.

53
windows/client-management/mdm/dmsessionactions-csp.md
View File

@ -1,6 +1,6 @@
---
title: DMSessionActions CSP
description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state.
description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state.
ms.author: dansimp
ms.topic: article
ms.prod: w10
@ -16,20 +16,57 @@ manager: dansimp
The DMSessionActions configuration service provider (CSP) is used to manage:
- the number of sessions the client skips if the device is in a low power state
- the number of sessions the client skips if the device is in a low-power state
- which CSP nodes should send an alert back to the server if there were any changes.
This CSP was added in Windows 10, version 1703.
The following diagram shows the DMSessionActions configuration service provider in tree format.
The following shows the DMSessionActions configuration service provider in tree format.
```
./User/Vendor/MSFT
DMSessionActions
----ProviderID
--------CheckinAlertConfiguration
------------Nodes
----------------NodeID
--------------------NodeURI
--------AlertData
--------PowerSettings
------------MaxSkippedSessionsInLowPowerState
------------MaxTimeSessionsSkippedInLowPowerState
![dmsessionactions csp](images/provisioning-csp-dmsessionactions.png)
./Device/Vendor/MSFT
DMSessionActions
----ProviderID
--------CheckinAlertConfiguration
------------Nodes
----------------NodeID
--------------------NodeURI
--------AlertData
--------PowerSettings
------------MaxSkippedSessionsInLowPowerState
------------MaxTimeSessionsSkippedInLowPowerState
./User/Vendor/MSFT
./Device/Vendor/MSFT
DMSessionActions
----ProviderID
--------CheckinAlertConfiguration
------------Nodes
----------------NodeID
--------------------NodeURI
--------AlertData
--------PowerSettings
------------MaxSkippedSessionsInLowPowerState
------------MaxTimeSessionsSkippedInLowPowerState
```
<a href="" id="vendor-msft-dmsessionactions"></a>**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
<p style="margin-left: 20px">Defines the root node for the DMSessionActions configuration service provider.</p>
<a href="" id="providerid"></a>***ProviderID***
<p style="margin-left: 20px">Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache. </p>
<p style="margin-left: 20px">Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache. </p>
<p style="margin-left: 20px">Scope is dynamic. Supported operations are Get, Add, and Delete.</p>
@ -55,12 +92,12 @@ The following diagram shows the DMSessionActions configuration service provider
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="powersettings"></a>**PowerSettings**
<p style="margin-left: 20px">Node for power related configrations</p>
<p style="margin-left: 20px">Node for power-related configrations</p>
<a href="" id="maxskippedsessionsinlowpowerstate"></a>**PowerSettings/MaxSkippedSessionsInLowPowerState**
<p style="margin-left: 20px">Maximum number of continuous skipped sync sessions when the device is in low power state.</p>
<p style="margin-left: 20px">Maximum number of continuous skipped sync sessions when the device is in low-power state.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="maxtimesessionsskippedinlowpowerstate"></a>**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**
<p style="margin-left: 20px">Maximum time in minutes when the device can skip the check-in with the server if the device is in low power state. </p>
<p style="margin-left: 20px">Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state. </p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>

29
windows/client-management/mdm/dynamicmanagement-csp.md
View File

@ -17,10 +17,21 @@ Windows 10 allows you to manage devices differently depending on location, netwo
This CSP was added in Windows 10, version 1703.
The following diagram shows the DynamicManagement configuration service provider in tree format.
![dynamicmanagement csp](images/provisioning-csp-dynamicmanagement.png)
The following shows the DynamicManagement configuration service provider in tree format.
```
./Device/Vendor/MSFT
DynamicManagement
----NotificationsEnabled
----ActiveList
----Contexts
--------ContextID
------------SignalDefinition
------------SettingsPack
------------SettingsPackResponse
------------ContextStatus
------------Altitude
----AlertsEnabled
```
<a href="" id="dynamicmanagement"></a>**DynamicManagement**
<p style="margin-left: 20px">The root node for the DynamicManagement configuration service provider.</p>
@ -53,7 +64,7 @@ The following diagram shows the DynamicManagement configuration service provider
<p style="margin-left: 20px">Supported operation is Get.</p>
<a href="" id="contextid"></a>***ContextID***
<p style="margin-left: 20px">Node created by the server to define a context. Maximum amount of characters allowed is 38.</p>
<p style="margin-left: 20px">Node created by the server to define a context. Maximum number of characters allowed is 38.</p>
<p style="margin-left: 20px">Supported operations are Add, Get, and Delete.</p>
<a href="" id="signaldefinition"></a>**SignalDefinition**
@ -65,15 +76,15 @@ The following diagram shows the DynamicManagement configuration service provider
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="settingspackresponse"></a>**SettingsPackResponse**
<p style="margin-left: 20px">Response from applying a Settings Pack that contains information on each individual action..</p>
<p style="margin-left: 20px">Response from applying a Settings Pack that contains information on each individual action.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="contextstatus"></a>**ContextStatus**
<p style="margin-left: 20px">Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed..</p>
<p style="margin-left: 20px">Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.</p>
<p style="margin-left: 20px">Value type is integer. Supported operation is Get.</p>
<a href="" id="altitude"></a>**Altitude**
<p style="margin-left: 20px">A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities..</p>
<p style="margin-left: 20px">A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Delete, and Replace.</p>
<a href="" id="alertsenabled"></a>**AlertsEnabled**
@ -82,7 +93,7 @@ The following diagram shows the DynamicManagement configuration service provider
## Examples
Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 meters radius of the specified latitude/longitude
Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
```xml
<Replace>

42
windows/client-management/mdm/email2-csp.md
View File

@ -22,10 +22,44 @@ On the desktop, only per user configuration is supported.
 
The following diagram shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
![email2 csp (dm,cp)](images/provisioning-csp-email2.png)
The following shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
```
./Vendor/MSFT
EMAIL2
----Account GUID
--------ACCOUNTICON
--------ACCOUNTTYPE
--------AUTHNAME
--------AUTHREQUIRED
--------AUTHSECRET
--------DOMAIN
--------DWNDAY
--------INSERVER
--------LINGER
--------KEEPMAX
--------NAME
--------OUTSERVER
--------REPLYADDR
--------SERVICENAME
--------SERVICETYPE
--------RETRIEVE
--------SERVERDELETEACTION
--------CELLULARONLY
--------SYNCINGCONTENTTYPES
--------CONTACTSSERVER
--------CALENDARSERVER
--------CONTACTSSERVERREQUIRESSL
--------CALENDARSERVERREQUIRESSL
--------CONTACTSSYNCSCHEDULE
--------CALENDARSYNCSCHEDULE
--------SMTPALTAUTHNAME
--------SMTPALTDOMAIN
--------SMTPALTENABLED
--------SMTPALTPASSWORD
--------TAGPROPS
------------8128000B
------------812C000B
```
In Windows 10 Mobile, after the users out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operators proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status.
Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords.

66
windows/client-management/mdm/enrollmentstatustracking-csp.md
View File

@ -18,10 +18,72 @@ ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track t
The EnrollmentStatusTracking CSP was added in Windows 10, version 1903.
The following diagram shows the EnrollmentStatusTracking CSP in tree format.
The following shows the EnrollmentStatusTracking CSP in tree format.
```
./User/Vendor/MSFT
EnrollmentStatusTracking
----Setup
--------Apps
------------PolicyProviders
----------------ProviderName
--------------------TrackingPoliciesCreated
------------Tracking
----------------ProviderName
--------------------AppName
------------------------TrackingUri
------------------------InstallationState
------------------------RebootRequired
--------HasProvisioningCompleted
![tree diagram for enrollmentstatustracking csp](images/provisioning-csp-enrollmentstatustracking.png)
./Device/Vendor/MSFT
EnrollmentStatusTracking
----DevicePreparation
--------PolicyProviders
------------ProviderName
----------------InstallationState
----------------LastError
----------------Timeout
----------------TrackedResourceTypes
--------------------Apps
----Setup
--------Apps
------------PolicyProviders
----------------ProviderName
--------------------TrackingPoliciesCreated
------------Tracking
----------------ProviderName
--------------------AppName
------------------------TrackingUri
------------------------InstallationState
------------------------RebootRequired
--------HasProvisioningCompleted
./User/Vendor/MSFT
./Device/Vendor/MSFT
EnrollmentStatusTracking
----DevicePreparation
--------PolicyProviders
------------ProviderName
----------------InstallationState
----------------LastError
----------------Timeout
----------------TrackedResourceTypes
--------------------Apps
----Setup
--------Apps
------------PolicyProviders
----------------ProviderName
--------------------TrackingPoliciesCreated
------------Tracking
----------------ProviderName
--------------------AppName
------------------------TrackingUri
------------------------InstallationState
------------------------RebootRequired
--------HasProvisioningCompleted
```
<a href="" id="vendor-msft"></a>**./Vendor/MSFT**
For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path.

23
windows/client-management/mdm/enterpriseapn-csp.md
View File

@ -19,10 +19,25 @@ The EnterpriseAPN configuration service provider (CSP) is used by the enterprise
> [!Note]
> Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following image shows the EnterpriseAPN configuration service provider in tree format.
![enterpriseapn csp](images/provisioning-csp-enterpriseapn-rs1.png)
The following shows the EnterpriseAPN configuration service provider in tree format.
```
./Vendor/MSFT
EnterpriseAPN
----ConnectionName
--------APNName
--------IPType
--------IsAttachAPN
--------ClassId
--------AuthType
--------UserName
--------Password
--------IccId
--------AlwaysOn
--------Enabled
----Settings
--------AllowUserControl
--------HideView
```
<a href="" id="enterpriseapn"></a>**EnterpriseAPN**
<p style="margin-left: 20px">The root node for the EnterpriseAPN configuration service provider.</p>

33
windows/client-management/mdm/enterpriseappvmanagement-csp.md
View File

@ -15,10 +15,35 @@ manager: dansimp
The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703.
The following diagram shows the EnterpriseAppVManagement configuration service provider in tree format.
![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)
The following shows the EnterpriseAppVManagement configuration service provider in tree format.
```
./Vendor/MSFT
EnterpriseAppVManagement
----AppVPackageManagement
--------EnterpriseID
------------PackageFamilyName
----------------PackageFullName
--------------------Name
--------------------Version
--------------------Publisher
--------------------InstallLocation
--------------------InstallDate
--------------------Users
--------------------AppVPackageId
--------------------AppVVersionId
--------------------AppVPackageUri
----AppVPublishing
--------LastSync
------------LastError
------------LastErrorDescription
------------SyncStatusDescription
------------SyncProgress
--------Sync
------------PublishXML
----AppVDynamicPolicy
--------ConfigurationId
------------Policy
```
**./Vendor/MSFT/EnterpriseAppVManagement**
<p style="margin-left: 20px">Root node for the EnterpriseAppVManagement configuration service provider.</p>

21
windows/client-management/mdm/enterpriseassignedaccess-csp.md
View File

@ -22,10 +22,23 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra
To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983).
The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
![enterpriseassignedaccess csp](images/provisioning-csp-enterpriseassignedaccess.png)
The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
```
./Vendor/MSFT
EnterpriseAssignedAccess
----AssignedAccess
--------AssignedAccessXml
----LockScreenWallpaper
--------BGFileName
----Theme
--------ThemeBackground
--------ThemeAccentColorID
--------ThemeAccentColorValue
----Clock
--------TimeZone
----Locale
--------Language
```
The following list shows the characteristics and parameters.
<a href="" id="-vendor-msft-enterpriseassignedaccess-"></a>**./Vendor/MSFT/EnterpriseAssignedAccess/**

20
windows/client-management/mdm/enterprisedataprotection-csp.md
View File

@ -29,10 +29,22 @@ To learn more about WIP, see the following articles:
- [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy)
- [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip)
The following diagram shows the EnterpriseDataProtection CSP in tree format.
![enterprisedataprotection csp diagram](images/provisioning-csp-enterprisedataprotection.png)
The following shows the EnterpriseDataProtection CSP in tree format.
```
./Device/Vendor/MSFT
EnterpriseDataProtection
----Settings
--------EDPEnforcementLevel
--------EnterpriseProtectedDomainNames
--------AllowUserDecryption
--------RequireProtectionUnderLockConfig
--------DataRecoveryCertificate
--------RevokeOnUnenroll
--------RMSTemplateIDForEDP
--------AllowAzureRMSForEDP
--------EDPShowIcons
----Status
```
<a href="" id="--device-vendor-msft-enterprisedataprotection"></a>**./Device/Vendor/MSFT/EnterpriseDataProtection**
The root node for the CSP.

22
windows/client-management/mdm/enterprisedesktopappmanagement-csp.md
View File

@ -19,10 +19,24 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han
Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example).
The following diagram shows the EnterpriseDesktopAppManagement CSP in tree format.
![enterprisedesktopappmanagement csp](images/provisioning-csp-enterprisedesktopappmanagement.png)
The following shows the EnterpriseDesktopAppManagement CSP in tree format.
```
./Device/Vendor/MSFT
EnterpriseDesktopAppManagement
----MSI
--------ProductID
------------Version
------------Name
------------Publisher
------------InstallPath
------------InstallDate
------------DownloadInstall
------------Status
------------LastError
------------LastErrorDesc
--------UpgradeCode
------------Guid
```
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
The root node for the EnterpriseDesktopAppManagement configuration service provider.

21
windows/client-management/mdm/enterpriseext-csp.md
View File

@ -21,10 +21,23 @@ The EnterpriseExt configuration service provider allows OEMs to set their own un
 
The following diagram shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
![enterpriseext csp](images/provisioning-csp-enterpriseext.png)
The following shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
```
./Vendor/MSFT
EnterpriseExt
----DeviceCustomData
--------CustomID
--------CustomString
----Brightness
--------Default
--------MaxAuto
----LedAlertNotification
--------State
--------Intensity
--------Period
--------DutyCycle
--------Cyclecount
```
The following list shows the characteristics and parameters.
<a href="" id="--vendor-msft-enterpriseext"></a>**./Vendor/MSFT/EnterpriseExt**

18
windows/client-management/mdm/enterpriseextfilessystem-csp.md
View File

@ -23,10 +23,20 @@ The EnterpriseExtFileSystem configuration service provider (CSP) allows IT admin
File contents are embedded directly into the syncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 0x100000 (1 MB). You can configure this limit by using the following registry key: **Software\\Microsoft\\Provisioning\\CSPs\\.\\Vendor\\MSFT\\EnterpriseExtFileSystem\\MaxFileReadSize**.
The following diagram shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
![enterpriseextfilesystem csp](images/provisioning-csp-enterpriseextfilesystem.png)
The following shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
```
./Vendor/MSFT
EnterpriseExtFileSystem
----Persistent
--------Files_abc1
--------Directory_abc2
----NonPersistent
--------Files_abc3
--------Directory_abc4
----OemProfile
--------Directory_abc5
--------Files_abc6
```
The following list describes the characteristics and parameters.
<a href="" id="--vendor-msft-enterpriseextfilesystem"></a>**./Vendor/MSFT/EnterpriseExtFileSystem**

49
windows/client-management/mdm/enterprisemodernappmanagement-csp.md
View File

@ -19,10 +19,51 @@ The EnterpriseModernAppManagement configuration service provider (CSP) is used f
> [!Note]
> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
The following image shows the EnterpriseModernAppManagement configuration service provider in tree format.
![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png)
The following shows the EnterpriseModernAppManagement configuration service provider in tree format.
```
./Vendor/MSFT
EnterpriseModernAppManagement
----AppManagement
--------EnterpriseID
------------PackageFamilyName
----------------PackageFullName
--------------------Name
--------------------Version
--------------------Publisher
--------------------Architecture
--------------------InstallLocation
--------------------IsFramework
--------------------IsBundle
--------------------InstallDate
--------------------ResourceID
--------------------PackageStatus
--------------------RequiresReinstall
--------------------Users
--------------------IsProvisioned
----------------DoNotUpdate
----------------AppSettingPolicy
--------------------SettingValue
--------UpdateScan
--------LastScanError
--------AppInventoryResults
--------AppInventoryQuery
----AppInstallation
--------PackageFamilyName
------------StoreInstall
------------HostedInstall
------------LastError
------------LastErrorDesc
------------Status
------------ProgressStatus
----AppLicenses
--------StoreLicenses
------------LicenseID
----------------LicenseCategory
----------------LicenseUsage
----------------RequesterID
----------------AddLicense
----------------GetLicenseFromStore
```
<a href="" id="device-or-user-context"></a>**Device or User context**
For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path.

28
windows/client-management/mdm/euiccs-csp.md
View File

@ -16,10 +16,30 @@ manager: dansimp
The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709.
The following diagram shows the eUICCs configuration service provider in tree format.
![euiccs csp](images/provisioning-csp-euiccs.png)
The following shows the eUICCs configuration service provider in tree format.
```
./Device/Vendor/MSFT
eUICCs
----eUICC
--------Identifier
--------IsActive
--------PPR1Allowed
--------PPR1AlreadySet
--------Profiles
------------ICCID
----------------ServerName
----------------MatchingID
----------------State
----------------IsEnabled
----------------PPR1Set
----------------PPR2Set
----------------ErrorDetail
--------Policies
------------LocalUIEnabled
--------Actions
------------ResetToFactoryState
------------Status
```
<a href="" id="--vendor-msft-euiccs"></a>**./Vendor/MSFT/eUICCs**
Root node.

86
windows/client-management/mdm/firewall-csp.md
View File

@ -20,10 +20,88 @@ Firewall rules in the FirewallRules section must be wrapped in an Atomic block i
For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/library/mt620101.aspx).
The following diagram shows the Firewall configuration service provider in tree format.
![firewall csp](images/provisioning-csp-firewall.png)
The following shows the Firewall configuration service provider in tree format.
```
./Vendor/MSFT
Firewall
----
--------Global
------------PolicyVersionSupported
------------CurrentProfiles
------------DisableStatefulFtp
------------SaIdleTime
------------PresharedKeyEncoding
------------IPsecExempt
------------CRLcheck
------------PolicyVersion
------------BinaryVersionSupported
------------OpportunisticallyMatchAuthSetPerKM
------------EnablePacketQueue
--------DomainProfile
------------EnableFirewall
------------DisableStealthMode
------------Shielded
------------DisableUnicastResponsesToMulticastBroadcast
------------DisableInboundNotifications
------------AuthAppsAllowUserPrefMerge
------------GlobalPortsAllowUserPrefMerge
------------AllowLocalPolicyMerge
------------AllowLocalIpsecPolicyMerge
------------DefaultOutboundAction
------------DefaultInboundAction
------------DisableStealthModeIpsecSecuredPacketExemption
--------PrivateProfile
------------EnableFirewall
------------DisableStealthMode
------------Shielded
------------DisableUnicastResponsesToMulticastBroadcast
------------DisableInboundNotifications
------------AuthAppsAllowUserPrefMerge
------------GlobalPortsAllowUserPrefMerge
------------AllowLocalPolicyMerge
------------AllowLocalIpsecPolicyMerge
------------DefaultOutboundAction
------------DefaultInboundAction
------------DisableStealthModeIpsecSecuredPacketExemption
--------PublicProfile
------------EnableFirewall
------------DisableStealthMode
------------Shielded
------------DisableUnicastResponsesToMulticastBroadcast
------------DisableInboundNotifications
------------AuthAppsAllowUserPrefMerge
------------GlobalPortsAllowUserPrefMerge
------------AllowLocalPolicyMerge
------------AllowLocalIpsecPolicyMerge
------------DefaultOutboundAction
------------DefaultInboundAction
------------DisableStealthModeIpsecSecuredPacketExemption
--------FirewallRules
------------FirewallRuleName
----------------App
--------------------PackageFamilyName
--------------------FilePath
--------------------Fqbn
--------------------ServiceName
----------------Protocol
----------------LocalPortRanges
----------------RemotePortRanges
----------------LocalAddressRanges
----------------RemoteAddressRanges
----------------Description
----------------Enabled
----------------Profiles
----------------Action
--------------------Type
----------------Direction
----------------InterfaceTypes
----------------EdgeTraversal
----------------LocalUserAuthorizationList
----------------FriendlyName
----------------IcmpTypesAndCodes
----------------Status
----------------Name
```
<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/Firewall**
<p style="margin-left: 20px">Root node for the Firewall configuration service provider.</p>

42
windows/client-management/mdm/healthattestation-csp.md
View File

@ -37,7 +37,7 @@ The following is a list of functions performed by the Device HealthAttestation C
**DHA-Session (Device HealthAttestation session)**
<p style="margin-left: 20px">The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.</p>
<p style="margin-left: 20px">The following list of transactions are performed in one DHA-Session:</p>
<p style="margin-left: 20px">The following list of transactions is performed in one DHA-Session:</p>
<ul>
<li>DHA-CSP and DHA-Service communication:
<ul><li>DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service</li>
@ -75,7 +75,7 @@ The following is a list of functions performed by the Device HealthAttestation C
<strong>DHA-Enabled MDM (Device HealthAttestation enabled device management solution)</strong>
<p style="margin-left: 20px">Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.</p>
<p style="margin-left: 20px">DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.</p>
<p style="margin-left: 20px">The following list of operations are performed by DHA-Enabled-MDM:</p>
<p style="margin-left: 20px">The following list of operations is performed by DHA-Enabled-MDM</p>
<ul>
<li>Enables the DHA feature on a DHA-Enabled device</li>
<li>Issues device health attestation requests to enrolled/managed devices</li>
@ -85,7 +85,7 @@ The following is a list of functions performed by the Device HealthAttestation C
<strong>DHA-CSP (Device HealthAttestation Configuration Service Provider)</strong>
<p style="margin-left: 20px">The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a devices TPM and firmware to measure critical security properties of the devices BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.</p>
<p style="margin-left: 20px">The following list of operations are performed by DHA-CSP:</p>
<p style="margin-left: 20px">The following list of operations is performed by DHA-CSP:</p>
<ul>
<li>Collects device boot data (DHA-BootData) from a managed device</li>
<li>Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)</li>
@ -97,7 +97,7 @@ The following is a list of functions performed by the Device HealthAttestation C
<p style="margin-left: 20px">Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.</p>
<p style="margin-left: 20px">DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.</p>
<p style="margin-left: 20px">The following list of operations are performed by DHA-Service:</p>
<p style="margin-left: 20px">The following list of operations is performed by DHA-Service:</p>
- Receives device boot data (DHA-BootData) from a DHA-Enabled device</li>
- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) </li>
@ -126,7 +126,7 @@ The following is a list of functions performed by the Device HealthAttestation C
<li>Available in Windows for free</li>
<li>Running on a high-availability and geo-balanced cloud infrastructure </li>
<li>Supported by most DHA-Enabled device management solutions as the default device attestation service provider</li>
<li>Accessible to all enterprise managed devices via following:
<li>Accessible to all enterprise-managed devices via following:
<ul>
<li>FQDN = has.spserv.microsoft.com) port</li>
<li>Port = 443</li>
@ -144,7 +144,7 @@ The following is a list of functions performed by the Device HealthAttestation C
<li>Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service) </li>
<li>Hosted on an enterprise owned and managed server device/hardware</li>
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios</li>
<li><p>Accessible to all enterprise managed devices via following:</p>
<li><p>Accessible to all enterprise-managed devices via following:</p>
<ul>
<li>FQDN = (enterprise assigned)</li>
<li>Port = (enterprise assigned)</li>
@ -155,12 +155,12 @@ The following is a list of functions performed by the Device HealthAttestation C
<td style="vertical-align:top">The operation cost of running one or more instances of Server 2016 on-premises.</td>
</tr>
<tr class="even">
<td style="vertical-align:top">Device Health Attestation - Enterprise Managed Cloud<p>(DHA-EMC)</p></td>
<td style="vertical-align:top"><p>DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.</p>
<td style="vertical-align:top">Device Health Attestation - Enterprise-Managed Cloud<p>(DHA-EMC)</p></td>
<td style="vertical-align:top"><p>DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.</p>
<ul>
<li>Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)</li>
<li>Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios </li>
<li><p>Accessible to all enterprise managed devices via following:</p>
<li><p>Accessible to all enterprise-managed devices via following:</p>
<ul>
<li>FQDN = (enterprise assigned)</li>
<li>Port = (enterprise assigned)</li>
@ -176,10 +176,22 @@ The following is a list of functions performed by the Device HealthAttestation C
## CSP diagram and node descriptions
The following diagram shows the Device HealthAttestation configuration service provider in tree format.
![healthattestation csp](images/provisioning-csp-healthattestation.png)
The following shows the Device HealthAttestation configuration service provider in tree format.
```
./Vendor/MSFT
HealthAttestation
----VerifyHealth
----Status
----ForceRetrieve
----Certificate
----Nonce
----CorrelationID
----HASEndpoint
----TpmReadyStatus
----CurrentProtocolVersion
----PreferredMaxProtocolVersion
----MaxSupportedProtocolVersion
```
<a href="" id="healthattestation"></a>**./Vendor/MSFT/HealthAttestation**
<p style="margin-left: 20px">The root node for the device HealthAttestation configuration service provider.</p>
@ -306,13 +318,13 @@ SSL-Session:
There are three types of DHA-Service:
- Device Health Attestation Cloud (owned and operated by Microsoft)
- Device Health Attestation On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises)
- Device Health Attestation - Enterprise Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise managed cloud)
- Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud)
DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider.
For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint node to instruct a managed device to communicate with the enterprise trusted DHA-Service.
The following example shows a sample call that instructs a managed device to communicate with an enterprise managed DHA-Service.
The following example shows a sample call that instructs a managed device to communicate with an enterprise-managed DHA-Service.
```xml
<Replace>

12
windows/client-management/mdm/maps-csp.md
View File

@ -21,10 +21,14 @@ The Maps configuration service provider (CSP) is used to configure the maps to d
The following diagram shows the Maps configuration service provider in tree format.
![maps csp diagram](images/provisioning-csp-maps.png)
The following shows the Maps configuration service provider in tree format.
```
./Vendor/MSFT
Maps
----Packages
--------Package
------------Status
```
<a href="" id="maps"></a>**Maps**
Root node.

20
windows/client-management/mdm/multisim-csp.md
View File

@ -17,10 +17,22 @@ manager: dansimp
The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803.
The following diagram shows the MultiSIM configuration service provider in tree format.
![MultiSIM CSP diagram](images/provisioning-csp-multisim.png)
The following shows the MultiSIM configuration service provider in tree format.
```
./Device/Vendor/MSFT
MultiSIM
----ModemID
--------Identifier
--------IsEmbedded
--------Slots
------------SlotID
----------------Identifier
----------------IsEmbedded
----------------IsSelected
----------------State
--------Policies
------------SlotSelectionEnabled
```
<a href="" id="multisim"></a>**./Device/Vendor/MSFT/MultiSIM**
Root node.

1
windows/client-management/mdm/policies-in-policy-csp-admx-backed.md
View File

@ -266,6 +266,7 @@ ms.date: 10/08/2020
- [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit)
- [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder)
- [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations)
- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy)
- [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol)
- [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression)
- [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification)

7
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -1053,6 +1053,13 @@ The following diagram shows the Policy configuration service provider in tree fo
</dd>
</dl>
### ADMX_FileRecovery policies
<dl>
<dd>
<a href="./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy" id="admx-filerecovery-wdiscenarioexecutionpolicy">ADMX_FileRecovery/WdiScenarioExecutionPolicy</a>
</dd>
</dl>
### ADMX_FileServerVSSProvider policies
<dl>
<dd>

125
windows/client-management/mdm/policy-csp-admx-filerecovery.md Normal file
View File

@ -0,0 +1,125 @@
---
title: Policy CSP - ADMX_FileRecovery
description: Policy CSP - ADMX_FileRecovery
ms.author: dansimp
ms.localizationpriority: medium
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.date: 03/02/2021
ms.reviewer:
manager: dansimp
---
# Policy CSP - ADMX_FileRecovery
> [!WARNING]
> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
<hr/>
<!--Policies-->
## ADMX_FileRecovery policies
<dl>
<dd>
<a href="#admx-filerecovery-wdiscenarioexecutionpolicy">ADMX_FileRecovery/WdiScenarioExecutionPolicy</a>
</dd>
</dl>
<hr/>
<!--Policy-->
<a href="" id="admx-filerecovery-wdiscenarioexecutionpolicy"></a>**ADMX_FileRecovery/WdiScenarioExecutionPolicy**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Machine
<hr/>
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault.
If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters.
If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message.
No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
> [!NOTE]
> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed.
> [!NOTE]
> This policy setting applies to all sites in Trusted zones.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disk Diagnostic: Configure execution level*
- GP name: *WdiScenarioExecutionPolicy*
- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic*
- GP ADMX file name: *FileRecovery.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
Footnotes:
- 1 - Available in Windows 10, version 1607
- 2 - Available in Windows 10, version 1703
- 3 - Available in Windows 10, version 1709
- 4 - Available in Windows 10, version 1803
- 5 - Available in Windows 10, version 1809
- 6 - Available in Windows 10, version 1903
- 7 - Available in Windows 10, version 1909
- 8 - Available in Windows 10, version 2004
- 9 - Available in Windows 10, version 20H2
<!--/Policies-->

11
windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md
View File

@ -3224,8 +3224,10 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-microsoftdefenderantivirus-reporting-disablegenericreports"></a>**ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts**
<!--SupportedSKUs-->
<table>
<tr>
@ -3357,6 +3359,7 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-microsoftdefenderantivirus-reporting-recentlycleanedtimeout"></a>**ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout**
<!--SupportedSKUs-->
@ -4249,7 +4252,11 @@ ADMX Info:
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan"></a>**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan**
<a href=""
id="admx-microsoftdefenderantivirus-scan-disablescanningmappednetworkdrivesforfullscan"></a>**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan**
<!--SupportedSKUs-->
<table>
@ -6137,6 +6144,8 @@ ADMX Info:
<!--Policy-->
<a href=""id="admx-microsoftdefenderantivirus-signatureupdate-signaturedisablenotification"></a>**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification**
<!--SupportedSKUs-->
<table>
<tr>

681
windows/client-management/mdm/policy-csp-internetexplorer.md
View File

@ -5,9 +5,8 @@ ms.author: dansimp
ms.topic: article
ms.prod: w10
ms.technology: windows
author: manikadhiman
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.reviewer:
manager: dansimp
---
@ -85,6 +84,9 @@ manager: dansimp
<dd>
<a href="#internetexplorer-allowonewordentry">InternetExplorer/AllowOneWordEntry</a>
</dd>
<dd>
<a href="#internetexplorer-allowsavetargetasinIEmode">InternetExplorer/AllowSaveTargetAsInIEMode</a>
</dd>
<dd>
<a href="#internetexplorer-allowsitetozoneassignmentlist">InternetExplorer/AllowSiteToZoneAssignmentList</a>
</dd>
@ -112,6 +114,11 @@ manager: dansimp
<dd>
<a href="#internetexplorer-consistentmimehandlinginternetexplorerprocesses">InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses</a>
</dd>
<dd>
<a
href="#internetexplorer-configureedgeredirectchannel">InternetExplorer/ConfigureEdgeRedirectChannel</a>
</dd>
<dd>
<a href="#internetexplorer-disableactivexversionlistautodownload">InternetExplorer/DisableActiveXVersionListAutoDownload</a>
</dd>
@ -160,6 +167,9 @@ manager: dansimp
<dd>
<a href="#internetexplorer-disablehomepagechange">InternetExplorer/DisableHomePageChange</a>
</dd>
<dd>
<a href="#internetexplorer-disableinternetexplorerapp">InternetExplorer/DisableInternetExplorerApp</a>
</dd>
<dd>
<a href="#internetexplorer-disableignoringcertificateerrors">InternetExplorer/DisableIgnoringCertificateErrors</a>
</dd>
@ -355,6 +365,9 @@ manager: dansimp
<dd>
<a href="#internetexplorer-intranetzonenavigatewindowsandframes">InternetExplorer/IntranetZoneNavigateWindowsAndFrames</a>
</dd>
<dd>
<a href="#internetexplorer-keepintranetsitesininternetexplorer">InternetExplorer/KeepIntranetSitesInInternetExplorer</a>
</dd>
<dd>
<a href="#internetexplorer-localmachinezoneallowaccesstodatasources">InternetExplorer/LocalMachineZoneAllowAccessToDataSources</a>
</dd>
@ -739,6 +752,9 @@ manager: dansimp
<dd>
<a href="#internetexplorer-securityzonesuseonlymachinesettings">InternetExplorer/SecurityZonesUseOnlyMachineSettings</a>
</dd>
<dd>
<a href="#internetexplorer-sendsitesnotinenterprisesitelisttoedge">InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge</a>
</dd>
<dd>
<a href="#internetexplorer-specifyuseofactivexinstallerservice">InternetExplorer/SpecifyUseOfActiveXInstallerService</a>
</dd>
@ -2348,6 +2364,88 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-allowsavetargetasinIEmode"></a>**InternetExplorer/AllowSaveTargetAsInIEMode**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting allows the administrator to enable "Save Target As" context menu in Internet Explorer mode.
- If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer.
- If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu.
For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115)
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Allow "Save Target As" in Internet Explorer mode*
- GP name: *AllowSaveTargetAsInIEMode*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--/Policy-->
```xml
<policy name="AllowSaveTargetAsInIEMode" class="Both" displayName="$(string.AllowSaveTargetAsInIEMode)" explainText="$(string.IE_ExplainAllowSaveTargetAsInIEMode)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" valueName="AllowSaveTargetAsInIEMode">
<parentCategory ref="InternetExplorer" />
<supportedOn ref="SUPPORTED_IE11" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
```
<!--Policy-->
<a href="" id="internetexplorer-allowsitetozoneassignmentlist"></a>**InternetExplorer/AllowSiteToZoneAssignmentList**
@ -2978,6 +3076,298 @@ ADMX Info:
<hr/>
<a href="" id="internetexplorer-configureedgeredirectchannel"></a>**InternetExplorer/ConfigureEdgeRedirectChannel**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy, if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed.
If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur:
- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
1 = Microsoft Edge Stable
2 = Microsoft Edge Beta version 77 or later
3 = Microsoft Edge Dev version 77 or later
4 = Microsoft Edge Canary version 77 or later
- If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior.
If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur:
- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where:
0 = Microsoft Edge version 45 or earlier
1 = Microsoft Edge Stable
2 = Microsoft Edge Beta version 77 or later
3 = Microsoft Edge Dev version 77 or later
4 = Microsoft Edge Canary version 77 or later
- If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior.
> [!NOTE]
> For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115). This update applies only to Windows 10 version 1709 and higher.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Configure which channel of Microsoft Edge to use for opening redirected sites*
- GP name: *NeedEdgeBrowser*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--/Policy-->
```xml
<policy name="NeedEdgeBrowser" class="Both" displayName="$(string.NeedEdgeBrowser)" explainText="$(string.IE_ExplainNeedEdgeBrowser)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" presentation="$(presentation.NeedEdgeBrowser)">
<parentCategory ref="InternetExplorer" />
<supportedOn ref="SUPPORTED_IE11" />
<elements>
<enum id="NeedEdgeBrowser" valueName="NeedEdgeBrowser">
<item displayName="$(string.NeedEdgeBrowserChoice_None)">
<value>
<delete />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumStable)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumBeta)">
<value>
<decimal value="2" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumDev)">
<value>
<decimal value="3" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumCanary)">
<value>
<decimal value="4" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_EdgeHTML)">
<value>
<decimal value="0" />
</value>
</item>
</enum>
<enum id="NeedEdgeBrowser2" valueName="NeedEdgeBrowser2">
<item displayName="$(string.NeedEdgeBrowserChoice_None)">
<value>
<delete />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumStable)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumBeta)">
<value>
<decimal value="2" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumDev)">
<value>
<decimal value="3" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumCanary)">
<value>
<decimal value="4" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_EdgeHTML)">
<value>
<decimal value="0" />
</value>
</item>
</enum>
<enum id="NeedEdgeBrowser3" valueName="NeedEdgeBrowser3">
<item displayName="$(string.NeedEdgeBrowserChoice_None)">
<value>
<delete />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumStable)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumBeta)">
<value>
<decimal value="2" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumDev)">
<value>
<decimal value="3" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_ChromiumCanary)">
<value>
<decimal value="4" />
</value>
</item>
<item displayName="$(string.NeedEdgeBrowserChoice_EdgeHTML)">
<value>
<decimal value="0" />
</value>
</item>
</enum>
</elements>
</policy>
```
<!--Policy-->
<a href="" id="internetexplorer-consistentmimehandlinginternetexplorerprocesses"></a>**InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses**
@ -4250,8 +4640,102 @@ ADMX Info:
<!--/ADMXBacked-->
<!--/Policy-->
<!--Policy-->
<a href="" id="internetexplorer-disableinternetexplorerapp"></a>**InternetExplorer/DisableInternetExplorerApp**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy lets you restrict launching of Internet Explorer as a standalone browser.
If you enable this policy, it:
- Prevents Internet Explorer 11 from launching as a standalone browser.
- Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'.
- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser.
- Overrides any other policies that redirect to Internet Explorer 11.
If you disable, or do not configure this policy, all sites are opened using the current active browser settings.
> [!NOTE]
> Microsoft Edge Stable Channel must be installed for this policy to take effect.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Disable Internet Explorer 11 as a standalone browser*
- GP name: *DisableInternetExplorerApp*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--/Policy-->
```xml
<policy name="DisableInternetExplorerApp" class="Both" displayName="$(string.DisableInternetExplorerApp)" explainText="$(string.IE_ExplainDisableInternetExplorerApp)" key="Software\Policies\Microsoft\Internet Explorer\Main" valueName="DisableInternetExplorerApp">
<parentCategory ref="InternetExplorer" />
<supportedOn ref="SUPPORTED_IE11" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
```
<!--Policy-->
<a href="" id="internetexplorer-disableignoringcertificateerrors"></a>**InternetExplorer/DisableIgnoringCertificateErrors**
@ -9007,6 +9491,105 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-keepintranetsitesininternetexplorer"></a>**InternetExplorer/KeepIntranetSitesInInternetExplorer**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting prevents intranet sites from being opened in any browser except Internet Explorer.
> [!NOTE]
> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdg](#internetexplorer-policies)e policy is not enabled, then this policy has no effect.
If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List.
If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge.
We strongly recommend keeping this policy in sync with the [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge.
Related policies:
- [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies)
- [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies)
For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](https://go.microsoft.com/fwlink/?linkid=2094210)
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Keep all Intranet Sites in Internet Explorer*
- GP name: *KeepIntranetSitesInInternetExplorer*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
<!--/ADMXBacked-->
<!--/Policy-->
```xml
<policy name="KeepIntranetSitesInInternetExplorer" class="Both" displayName="$(string.KeepIntranetSitesInInternetExplorer)" explainText="$(string.IE_ExplainKeepIntranetSitesInInternetExplorer)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" valueName="KeepIntranetSitesInInternetExplorer">
<parentCategory ref="InternetExplorer" />
<supportedOn ref="SUPPORTED_IE11" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
```
<!--Policy-->
<a href="" id="internetexplorer-localmachinezoneallowaccesstodatasources"></a>**InternetExplorer/LocalMachineZoneAllowAccessToDataSources**
@ -18428,6 +19011,100 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="internetexplorer-sendsitesnotinenterprisesitelisttoedge"></a>**InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge**
<!--SupportedSKUs-->
<table>
<tr>
<th>Windows Edition</th>
<th>Supported?</th>
</tr>
<tr>
<td>Home</td>
<td><img src="images/crossmark.png" alt="cross mark" /></td>
</tr>
<tr>
<td>Pro</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Business</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Enterprise</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
<tr>
<td>Education</td>
<td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
</tr>
</table>
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting and you must include at least one site in the Enterprise Mode Site List.
If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge.
If you disable, or not configure this setting, then it opens all sites based on the currently active browser.
> [!NOTE]
> If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11.
<!--/Description-->
> [!TIP]
> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!--ADMXBacked-->
ADMX Info:
- GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge*
- GP name: *RestrictInternetExplorer*
- GP path: *Windows Components/Internet Explorer*
- GP ADMX file name: *inetres.admx*
> [!NOTE]
> This MDM policy is still outstanding.
<!--/ADMXBacked-->
<!--/Policy-->
```xml
<policy name="RestrictInternetExplorer" class="Both" displayName="$(string.RestrictInternetExplorer)" explainText="$(string.IE_ExplainRestrictInternetExplorer)" key="Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode" valueName="RestrictIE">
<parentCategory ref="InternetExplorer" />
<supportedOn ref="SUPPORTED_IE11WIN10_1607" />
<enabledValue>
<decimal value="1" />
</enabledValue>
<disabledValue>
<decimal value="0" />
</disabledValue>
</policy>
```
<!--Policy-->
<a href="" id="internetexplorer-specifyuseofactivexinstallerservice"></a>**InternetExplorer/SpecifyUseOfActiveXInstallerService**

2
windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
View File

@ -65,7 +65,7 @@ If the error occurs again, check the error code against the following table to s
| 0x801C03EA | Server failed to authorize user or device. | Check if the token is valid and user has permission to register Windows Hello for Business keys. |
| 0x801C03EB | Server response http status is not valid | Sign out and then sign in again. |
| 0x801C03EC | Unhandled exception from server. | sign out and then sign in again. |
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin.
| 0x801C03ED | Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed. <br><br> -or- <br><br> Token was not found in the Authorization header. <br><br> -or- <br><br> Failed to read one or more objects. <br><br> -or- <br><br> The request sent to the server was invalid. <br><br> -or- <br><br> User does not have permissions to join to Azure AD. | Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure AD and rejoin. <br> Allow user(s) to join to Azure AD under Azure AD Device settings.
| 0x801C03EE | Attestation failed. | Sign out and then sign in again. |
| 0x801C03EF | The AIK certificate is no longer valid. | Sign out and then sign in again. |
| 0x801C03F2 | Windows Hello key registration failed. | ERROR\_BAD\_DIRECTORY\_REQUEST. Another object with the same value for property proxyAddresses already exists. To resolve the issue, refer to [Duplicate Attributes Prevent Dirsync](https://docs.microsoft.com/office365/troubleshoot/administration/duplicate-attributes-prevent-dirsync). Also, if no sync conflict exists, please verify that the "Mail/Email address" in AAD and the Primary SMTP address are the same in the proxy address.