From 80487ed0c1984c8490cd6cfcc317dd31e1c4954d Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 7 Jan 2021 00:39:45 +0530 Subject: [PATCH 01/13] Updated-4749599DDFs --- .../mdm/diagnosticlog-csp.md | 36 +++++++- windows/client-management/mdm/dmacc-csp.md | 42 ++++++++- windows/client-management/mdm/dmclient-csp.md | 49 +++++++++-- .../mdm/dmsessionactions-csp.md | 41 ++++++++- .../mdm/dynamicmanagement-csp.md | 19 +++- windows/client-management/mdm/email2-csp.md | 42 ++++++++- .../mdm/enrollmentstatustracking-csp.md | 66 +++++++++++++- .../mdm/enterpriseapn-csp.md | 23 ++++- .../mdm/enterpriseappvmanagement-csp.md | 33 ++++++- .../mdm/enterpriseassignedaccess-csp.md | 21 ++++- .../mdm/enterprisedataprotection-csp.md | 20 ++++- .../mdm/enterprisedesktopappmanagement-csp.md | 22 ++++- .../mdm/enterpriseext-csp.md | 21 ++++- .../mdm/enterpriseextfilessystem-csp.md | 18 +++- .../mdm/enterprisemodernappmanagement-csp.md | 49 ++++++++++- windows/client-management/mdm/euiccs-csp.md | 28 +++++- windows/client-management/mdm/firewall-csp.md | 86 ++++++++++++++++++- .../mdm/healthattestation-csp.md | 20 ++++- windows/client-management/mdm/maps-csp.md | 12 ++- windows/client-management/mdm/multisim-csp.md | 20 ++++- 20 files changed, 593 insertions(+), 75 deletions(-) diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 2c49067d90..8eadae872c 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -26,9 +26,39 @@ The following are the links to different versions of the DiagnosticLog CSP DDF f - [DiagnosticLog CSP version 1.2](diagnosticlog-ddf.md#version-1-2) -The following diagram shows the DiagnosticLog CSP in tree format. -![diagnosticlog csp diagram](images/provisioning-csp-diagnosticlog.png) - +The following shows the DiagnosticLog CSP in tree format. +``` +./Vendor/MSFT +DiagnosticLog +----EtwLog +--------Collectors +------------CollectorName +----------------TraceStatus +----------------TraceLogFileMode +----------------TraceControl +----------------LogFileSizeLimitMB +----------------Providers +--------------------ProviderGuid +------------------------Keywords +------------------------TraceLevel +------------------------State +--------Channels +------------ChannelName +----------------Export +----------------State +----------------Filter +----DeviceStateData +--------MdmConfiguration +----FileDownload +--------DMChannel +------------FileContext +----------------BlockSizeKB +----------------BlockCount +----------------BlockIndexToRead +----------------BlockData +----------------DataBlocks +--------------------BlockNumber +``` **./Vendor/MSFT/DiagnosticLog** The root node for the DiagnosticLog CSP. diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 4a45bf4eb2..e7e340552c 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -23,10 +23,46 @@ The DMAcc configuration service provider allows an OMA Device Management (DM) ve For the DMAcc CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider. - -![dmacc csp (dm)](images/provisioning-csp-dmacc-dm.png) +The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol is not supported by this configuration service provider. +``` +./SyncML +DMAcc +----* +--------AppID +--------ServerID +--------Name +--------PrefConRef +--------AppAddr +------------* +----------------Addr +----------------AddrType +----------------Port +--------------------* +------------------------PortNbr +--------AAuthPref +--------AppAuth +------------* +----------------AAuthLevel +----------------AAuthType +----------------AAuthName +----------------AAuthSecret +----------------AAuthData +--------Ext +------------Microsoft +----------------Role +----------------ProtoVer +----------------DefaultEncoding +----------------UseHwDevID +----------------ConnRetryFreq +----------------InitialBackOffTime +----------------MaxBackOffTime +----------------BackCompatRetryDisabled +----------------UseNonceResync +----------------CRLCheck +----------------DisableOnRoaming +----------------SSLCLIENTCERTSEARCHCRITERIA +``` **DMAcc** Required. Defines the root node of all OMA DM server accounts that use the OMA DM version 1.2 protocol. diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 6ed30e55f1..1f764db2bb 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -17,11 +17,50 @@ ms.date: 11/01/2017 The DMClient configuration service provider (CSP) is used to specify additional enterprise-specific mobile device management (MDM) configuration settings for identifying the device in the enterprise domain, for security mitigation for certificate renewal, and for server-triggered enterprise unenrollment. -The following diagram shows the DMClient CSP in tree format. - -![dmclient csp](images/provisioning-csp-dmclient-th2.png) - - +The following shows the DMClient CSP in tree format. +``` +./Vendor/MSFT +DMClient +----Provider +-------- +------------EntDeviceName +------------ExchangeID +------------EntDMID +------------SignedEntDMID +------------CertRenewTimeStamp +------------PublisherDeviceID +------------ManagementServiceAddress +------------UPN +------------HelpPhoneNumber +------------HelpWebsite +------------HelpEmailAddress +------------RequireMessageSigning +------------SyncApplicationVersion +------------MaxSyncApplicationVersion +------------Unenroll +------------AADResourceID +------------AADDeviceID +------------EnrollmentType +------------EnableOmaDmKeepAliveMessage +------------HWDevID +------------ManagementServerAddressList +------------CommercialID +------------Push +----------------PFN +----------------ChannelURI +----------------Status +------------Poll +----------------IntervalForFirstSetOfRetries +----------------NumberOfFirstRetries +----------------IntervalForSecondSetOfRetries +----------------NumberOfSecondRetries +----------------IntervalForRemainingScheduledRetries +----------------NumberOfRemainingScheduledRetries +----------------PollOnLogin +----------------AllUsersPollOnFirstLogin +----Unenroll +----UpdateManagementServiceAddress +``` **./Vendor/MSFT** All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path. diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index 65aeb1a961..f632a525d8 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -21,10 +21,47 @@ The DMSessionActions configuration service provider (CSP) is used to manage: This CSP was added in Windows 10, version 1703. -The following diagram shows the DMSessionActions configuration service provider in tree format. +The following shows the DMSessionActions configuration service provider in tree format. +``` +./User/Vendor/MSFT +DMSessionActions +----ProviderID +--------CheckinAlertConfiguration +------------Nodes +----------------NodeID +--------------------NodeURI +--------AlertData +--------PowerSettings +------------MaxSkippedSessionsInLowPowerState +------------MaxTimeSessionsSkippedInLowPowerState -![dmsessionactions csp](images/provisioning-csp-dmsessionactions.png) +./Device/Vendor/MSFT +DMSessionActions +----ProviderID +--------CheckinAlertConfiguration +------------Nodes +----------------NodeID +--------------------NodeURI +--------AlertData +--------PowerSettings +------------MaxSkippedSessionsInLowPowerState +------------MaxTimeSessionsSkippedInLowPowerState + + +./User/Vendor/MSFT +./Device/Vendor/MSFT +DMSessionActions +----ProviderID +--------CheckinAlertConfiguration +------------Nodes +----------------NodeID +--------------------NodeURI +--------AlertData +--------PowerSettings +------------MaxSkippedSessionsInLowPowerState +------------MaxTimeSessionsSkippedInLowPowerState +``` **./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**

Defines the root node for the DMSessionActions configuration service provider.

diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index b6fe50d931..5ef97bbf97 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -17,10 +17,21 @@ Windows 10 allows you to manage devices differently depending on location, netwo This CSP was added in Windows 10, version 1703. -The following diagram shows the DynamicManagement configuration service provider in tree format. - -![dynamicmanagement csp](images/provisioning-csp-dynamicmanagement.png) - +The following shows the DynamicManagement configuration service provider in tree format. +``` +./Device/Vendor/MSFT +DynamicManagement +----NotificationsEnabled +----ActiveList +----Contexts +--------ContextID +------------SignalDefinition +------------SettingsPack +------------SettingsPackResponse +------------ContextStatus +------------Altitude +----AlertsEnabled +``` **DynamicManagement**

The root node for the DynamicManagement configuration service provider.

diff --git a/windows/client-management/mdm/email2-csp.md b/windows/client-management/mdm/email2-csp.md index 844fc1be39..f3e4080512 100644 --- a/windows/client-management/mdm/email2-csp.md +++ b/windows/client-management/mdm/email2-csp.md @@ -22,10 +22,44 @@ On the desktop, only per user configuration is supported.   -The following diagram shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. - -![email2 csp (dm,cp)](images/provisioning-csp-email2.png) - +The following shows the EMAIL2 configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning. +``` +./Vendor/MSFT +EMAIL2 +----Account GUID +--------ACCOUNTICON +--------ACCOUNTTYPE +--------AUTHNAME +--------AUTHREQUIRED +--------AUTHSECRET +--------DOMAIN +--------DWNDAY +--------INSERVER +--------LINGER +--------KEEPMAX +--------NAME +--------OUTSERVER +--------REPLYADDR +--------SERVICENAME +--------SERVICETYPE +--------RETRIEVE +--------SERVERDELETEACTION +--------CELLULARONLY +--------SYNCINGCONTENTTYPES +--------CONTACTSSERVER +--------CALENDARSERVER +--------CONTACTSSERVERREQUIRESSL +--------CALENDARSERVERREQUIRESSL +--------CONTACTSSYNCSCHEDULE +--------CALENDARSYNCSCHEDULE +--------SMTPALTAUTHNAME +--------SMTPALTDOMAIN +--------SMTPALTENABLED +--------SMTPALTPASSWORD +--------TAGPROPS +------------8128000B +------------812C000B +``` In Windows 10 Mobile, after the user’s out of box experience, an OEM or mobile operator can use the EMAIL2 configuration service provider to provision the device with a mobile operator’s proprietary mail over the air. After provisioning, the **Start** screen has a tile for the proprietary mail provider and there is also a link to it in the applications list under **Settings, email & accounts**. After an account has been updated over-the-air by the EMAIL2 CSP, the device must be powered off and then powered back on to see the sync status. Configuration data is not encrypted when sent over the air (OTA). Be aware that this is a potential security risk when sending sensitive configuration data, such as passwords. diff --git a/windows/client-management/mdm/enrollmentstatustracking-csp.md b/windows/client-management/mdm/enrollmentstatustracking-csp.md index 6faa0a9b38..7bb30dc47f 100644 --- a/windows/client-management/mdm/enrollmentstatustracking-csp.md +++ b/windows/client-management/mdm/enrollmentstatustracking-csp.md @@ -18,10 +18,72 @@ ESP uses the EnrollmentStatusTracking CSP along with the DMClient CSP to track t The EnrollmentStatusTracking CSP was added in Windows 10, version 1903. -The following diagram shows the EnrollmentStatusTracking CSP in tree format. +The following shows the EnrollmentStatusTracking CSP in tree format. +``` +./User/Vendor/MSFT +EnrollmentStatusTracking +----Setup +--------Apps +------------PolicyProviders +----------------ProviderName +--------------------TrackingPoliciesCreated +------------Tracking +----------------ProviderName +--------------------AppName +------------------------TrackingUri +------------------------InstallationState +------------------------RebootRequired +--------HasProvisioningCompleted -![tree diagram for enrollmentstatustracking csp](images/provisioning-csp-enrollmentstatustracking.png) +./Device/Vendor/MSFT +EnrollmentStatusTracking +----DevicePreparation +--------PolicyProviders +------------ProviderName +----------------InstallationState +----------------LastError +----------------Timeout +----------------TrackedResourceTypes +--------------------Apps +----Setup +--------Apps +------------PolicyProviders +----------------ProviderName +--------------------TrackingPoliciesCreated +------------Tracking +----------------ProviderName +--------------------AppName +------------------------TrackingUri +------------------------InstallationState +------------------------RebootRequired +--------HasProvisioningCompleted + + +./User/Vendor/MSFT +./Device/Vendor/MSFT +EnrollmentStatusTracking +----DevicePreparation +--------PolicyProviders +------------ProviderName +----------------InstallationState +----------------LastError +----------------Timeout +----------------TrackedResourceTypes +--------------------Apps +----Setup +--------Apps +------------PolicyProviders +----------------ProviderName +--------------------TrackingPoliciesCreated +------------Tracking +----------------ProviderName +--------------------AppName +------------------------TrackingUri +------------------------InstallationState +------------------------RebootRequired +--------HasProvisioningCompleted +``` **./Vendor/MSFT** For device context, use **./Device/Vendor/MSFT** path and for user context, use **./User/Vendor/MSFT** path. diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index d2b3bddc1d..c271c1dbe6 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -19,10 +19,25 @@ The EnterpriseAPN configuration service provider (CSP) is used by the enterprise > [!Note] > Starting in Windows 10, version 1703 the EnterpriseAPN CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions. -The following image shows the EnterpriseAPN configuration service provider in tree format. - -![enterpriseapn csp](images/provisioning-csp-enterpriseapn-rs1.png) - +The following shows the EnterpriseAPN configuration service provider in tree format. +``` +./Vendor/MSFT +EnterpriseAPN +----ConnectionName +--------APNName +--------IPType +--------IsAttachAPN +--------ClassId +--------AuthType +--------UserName +--------Password +--------IccId +--------AlwaysOn +--------Enabled +----Settings +--------AllowUserControl +--------HideView +``` **EnterpriseAPN**

The root node for the EnterpriseAPN configuration service provider.

diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 272f60f44f..4be89ba1e5 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -15,10 +15,35 @@ manager: dansimp The EnterpriseAppVManagement configuration service provider (CSP) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions). This CSP was added in Windows 10, version 1703. -The following diagram shows the EnterpriseAppVManagement configuration service provider in tree format. - -![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png) - +The following shows the EnterpriseAppVManagement configuration service provider in tree format. +``` +./Vendor/MSFT +EnterpriseAppVManagement +----AppVPackageManagement +--------EnterpriseID +------------PackageFamilyName +----------------PackageFullName +--------------------Name +--------------------Version +--------------------Publisher +--------------------InstallLocation +--------------------InstallDate +--------------------Users +--------------------AppVPackageId +--------------------AppVVersionId +--------------------AppVPackageUri +----AppVPublishing +--------LastSync +------------LastError +------------LastErrorDescription +------------SyncStatusDescription +------------SyncProgress +--------Sync +------------PublishXML +----AppVDynamicPolicy +--------ConfigurationId +------------Policy +``` **./Vendor/MSFT/EnterpriseAppVManagement**

Root node for the EnterpriseAppVManagement configuration service provider.

diff --git a/windows/client-management/mdm/enterpriseassignedaccess-csp.md b/windows/client-management/mdm/enterpriseassignedaccess-csp.md index 45d11904d5..7221f719d1 100644 --- a/windows/client-management/mdm/enterpriseassignedaccess-csp.md +++ b/windows/client-management/mdm/enterpriseassignedaccess-csp.md @@ -22,10 +22,23 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983). -The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. - -![enterpriseassignedaccess csp](images/provisioning-csp-enterpriseassignedaccess.png) - +The following shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. +``` +./Vendor/MSFT +EnterpriseAssignedAccess +----AssignedAccess +--------AssignedAccessXml +----LockScreenWallpaper +--------BGFileName +----Theme +--------ThemeBackground +--------ThemeAccentColorID +--------ThemeAccentColorValue +----Clock +--------TimeZone +----Locale +--------Language +``` The following list shows the characteristics and parameters. **./Vendor/MSFT/EnterpriseAssignedAccess/** diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 8cc8149b7f..8e674ed1e6 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -29,10 +29,22 @@ To learn more about WIP, see the following articles: - [Create a Windows Information Protection (WIP) policy](https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy) - [General guidance and best practices for Windows Information Protection (WIP)](https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip) -The following diagram shows the EnterpriseDataProtection CSP in tree format. - -![enterprisedataprotection csp diagram](images/provisioning-csp-enterprisedataprotection.png) - +The following shows the EnterpriseDataProtection CSP in tree format. +``` +./Device/Vendor/MSFT +EnterpriseDataProtection +----Settings +--------EDPEnforcementLevel +--------EnterpriseProtectedDomainNames +--------AllowUserDecryption +--------RequireProtectionUnderLockConfig +--------DataRecoveryCertificate +--------RevokeOnUnenroll +--------RMSTemplateIDForEDP +--------AllowAzureRMSForEDP +--------EDPShowIcons +----Status +``` **./Device/Vendor/MSFT/EnterpriseDataProtection** The root node for the CSP. diff --git a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md index f52b397125..6a9673e330 100644 --- a/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisedesktopappmanagement-csp.md @@ -19,10 +19,24 @@ The EnterpriseDesktopAppManagement configuration service provider is used to han Application installations can take some time to complete, hence they are done asynchronously. When the Exec command is completed, the client can send a generic alert to the management server with a status, whether it's a failure or success. For a SyncML example, see [Alert example](#alert-example). -The following diagram shows the EnterpriseDesktopAppManagement CSP in tree format. - -![enterprisedesktopappmanagement csp](images/provisioning-csp-enterprisedesktopappmanagement.png) - +The following shows the EnterpriseDesktopAppManagement CSP in tree format. +``` +./Device/Vendor/MSFT +EnterpriseDesktopAppManagement +----MSI +--------ProductID +------------Version +------------Name +------------Publisher +------------InstallPath +------------InstallDate +------------DownloadInstall +------------Status +------------LastError +------------LastErrorDesc +--------UpgradeCode +------------Guid +``` **./Device/Vendor/MSFT/EnterpriseDesktopAppManagement** The root node for the EnterpriseDesktopAppManagement configuration service provider. diff --git a/windows/client-management/mdm/enterpriseext-csp.md b/windows/client-management/mdm/enterpriseext-csp.md index 24cadf3270..1cf7829f88 100644 --- a/windows/client-management/mdm/enterpriseext-csp.md +++ b/windows/client-management/mdm/enterpriseext-csp.md @@ -21,10 +21,23 @@ The EnterpriseExt configuration service provider allows OEMs to set their own un   -The following diagram shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. - -![enterpriseext csp](images/provisioning-csp-enterpriseext.png) - +The following shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. +``` +./Vendor/MSFT +EnterpriseExt +----DeviceCustomData +--------CustomID +--------CustomString +----Brightness +--------Default +--------MaxAuto +----LedAlertNotification +--------State +--------Intensity +--------Period +--------DutyCycle +--------Cyclecount +``` The following list shows the characteristics and parameters. **./Vendor/MSFT/EnterpriseExt** diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index 8f00e3fe0b..12f02b683f 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md @@ -23,10 +23,20 @@ The EnterpriseExtFileSystem configuration service provider (CSP) allows IT admin File contents are embedded directly into the syncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 0x100000 (1 MB). You can configure this limit by using the following registry key: **Software\\Microsoft\\Provisioning\\CSPs\\.\\Vendor\\MSFT\\EnterpriseExtFileSystem\\MaxFileReadSize**. -The following diagram shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). - -![enterpriseextfilesystem csp](images/provisioning-csp-enterpriseextfilesystem.png) - +The following shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). +``` +./Vendor/MSFT +EnterpriseExtFileSystem +----Persistent +--------Files_abc1 +--------Directory_abc2 +----NonPersistent +--------Files_abc3 +--------Directory_abc4 +----OemProfile +--------Directory_abc5 +--------Files_abc6 +``` The following list describes the characteristics and parameters. **./Vendor/MSFT/EnterpriseExtFileSystem** diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index 77b6e72ff9..ee9026f5a7 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md @@ -19,10 +19,51 @@ The EnterpriseModernAppManagement configuration service provider (CSP) is used f > [!Note] > Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP. -The following image shows the EnterpriseModernAppManagement configuration service provider in tree format. - -![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png) - +The following shows the EnterpriseModernAppManagement configuration service provider in tree format. +``` +./Vendor/MSFT +EnterpriseModernAppManagement +----AppManagement +--------EnterpriseID +------------PackageFamilyName +----------------PackageFullName +--------------------Name +--------------------Version +--------------------Publisher +--------------------Architecture +--------------------InstallLocation +--------------------IsFramework +--------------------IsBundle +--------------------InstallDate +--------------------ResourceID +--------------------PackageStatus +--------------------RequiresReinstall +--------------------Users +--------------------IsProvisioned +----------------DoNotUpdate +----------------AppSettingPolicy +--------------------SettingValue +--------UpdateScan +--------LastScanError +--------AppInventoryResults +--------AppInventoryQuery +----AppInstallation +--------PackageFamilyName +------------StoreInstall +------------HostedInstall +------------LastError +------------LastErrorDesc +------------Status +------------ProgressStatus +----AppLicenses +--------StoreLicenses +------------LicenseID +----------------LicenseCategory +----------------LicenseUsage +----------------RequesterID +----------------AddLicense +----------------GetLicenseFromStore +``` **Device or User context** For user context, use **./User/Vendor/MSFT** path and for device context, use **./Device/Vendor/MSFT** path. diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 1f42e3e43d..9ce12f6be8 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -16,10 +16,30 @@ manager: dansimp The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. -The following diagram shows the eUICCs configuration service provider in tree format. - -![euiccs csp](images/provisioning-csp-euiccs.png) - +The following shows the eUICCs configuration service provider in tree format. +``` +./Device/Vendor/MSFT +eUICCs +----eUICC +--------Identifier +--------IsActive +--------PPR1Allowed +--------PPR1AlreadySet +--------Profiles +------------ICCID +----------------ServerName +----------------MatchingID +----------------State +----------------IsEnabled +----------------PPR1Set +----------------PPR2Set +----------------ErrorDetail +--------Policies +------------LocalUIEnabled +--------Actions +------------ResetToFactoryState +------------Status +``` **./Vendor/MSFT/eUICCs** Root node. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index bf8a5ea5ad..0e039ef35a 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -20,10 +20,88 @@ Firewall rules in the FirewallRules section must be wrapped in an Atomic block i For detailed information on some of the fields below see [[MS-FASP]: Firewall and Advanced Security Protocol documentation](https://msdn.microsoft.com/library/mt620101.aspx). -The following diagram shows the Firewall configuration service provider in tree format. - -![firewall csp](images/provisioning-csp-firewall.png) - +The following shows the Firewall configuration service provider in tree format. +``` +./Vendor/MSFT +Firewall +---- +--------Global +------------PolicyVersionSupported +------------CurrentProfiles +------------DisableStatefulFtp +------------SaIdleTime +------------PresharedKeyEncoding +------------IPsecExempt +------------CRLcheck +------------PolicyVersion +------------BinaryVersionSupported +------------OpportunisticallyMatchAuthSetPerKM +------------EnablePacketQueue +--------DomainProfile +------------EnableFirewall +------------DisableStealthMode +------------Shielded +------------DisableUnicastResponsesToMulticastBroadcast +------------DisableInboundNotifications +------------AuthAppsAllowUserPrefMerge +------------GlobalPortsAllowUserPrefMerge +------------AllowLocalPolicyMerge +------------AllowLocalIpsecPolicyMerge +------------DefaultOutboundAction +------------DefaultInboundAction +------------DisableStealthModeIpsecSecuredPacketExemption +--------PrivateProfile +------------EnableFirewall +------------DisableStealthMode +------------Shielded +------------DisableUnicastResponsesToMulticastBroadcast +------------DisableInboundNotifications +------------AuthAppsAllowUserPrefMerge +------------GlobalPortsAllowUserPrefMerge +------------AllowLocalPolicyMerge +------------AllowLocalIpsecPolicyMerge +------------DefaultOutboundAction +------------DefaultInboundAction +------------DisableStealthModeIpsecSecuredPacketExemption +--------PublicProfile +------------EnableFirewall +------------DisableStealthMode +------------Shielded +------------DisableUnicastResponsesToMulticastBroadcast +------------DisableInboundNotifications +------------AuthAppsAllowUserPrefMerge +------------GlobalPortsAllowUserPrefMerge +------------AllowLocalPolicyMerge +------------AllowLocalIpsecPolicyMerge +------------DefaultOutboundAction +------------DefaultInboundAction +------------DisableStealthModeIpsecSecuredPacketExemption +--------FirewallRules +------------FirewallRuleName +----------------App +--------------------PackageFamilyName +--------------------FilePath +--------------------Fqbn +--------------------ServiceName +----------------Protocol +----------------LocalPortRanges +----------------RemotePortRanges +----------------LocalAddressRanges +----------------RemoteAddressRanges +----------------Description +----------------Enabled +----------------Profiles +----------------Action +--------------------Type +----------------Direction +----------------InterfaceTypes +----------------EdgeTraversal +----------------LocalUserAuthorizationList +----------------FriendlyName +----------------IcmpTypesAndCodes +----------------Status +----------------Name +``` **./Vendor/MSFT/Firewall**

Root node for the Firewall configuration service provider.

diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index f128954ea6..d58cb649f6 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -176,10 +176,22 @@ The following is a list of functions performed by the Device HealthAttestation C ## CSP diagram and node descriptions -The following diagram shows the Device HealthAttestation configuration service provider in tree format. - -![healthattestation csp](images/provisioning-csp-healthattestation.png) - +The following shows the Device HealthAttestation configuration service provider in tree format. +``` +./Vendor/MSFT +HealthAttestation +----VerifyHealth +----Status +----ForceRetrieve +----Certificate +----Nonce +----CorrelationID +----HASEndpoint +----TpmReadyStatus +----CurrentProtocolVersion +----PreferredMaxProtocolVersion +----MaxSupportedProtocolVersion +``` **./Vendor/MSFT/HealthAttestation**

The root node for the device HealthAttestation configuration service provider.

diff --git a/windows/client-management/mdm/maps-csp.md b/windows/client-management/mdm/maps-csp.md index dd51d6cb8b..2fa6bccaa3 100644 --- a/windows/client-management/mdm/maps-csp.md +++ b/windows/client-management/mdm/maps-csp.md @@ -21,10 +21,14 @@ The Maps configuration service provider (CSP) is used to configure the maps to d -The following diagram shows the Maps configuration service provider in tree format. - -![maps csp diagram](images/provisioning-csp-maps.png) - +The following shows the Maps configuration service provider in tree format. +``` +./Vendor/MSFT +Maps +----Packages +--------Package +------------Status +``` **Maps** Root node. diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index 3597ffa5fe..4436e52fc7 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md @@ -17,10 +17,22 @@ manager: dansimp The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803. -The following diagram shows the MultiSIM configuration service provider in tree format. - -![MultiSIM CSP diagram](images/provisioning-csp-multisim.png) - +The following shows the MultiSIM configuration service provider in tree format. +``` +./Device/Vendor/MSFT +MultiSIM +----ModemID +--------Identifier +--------IsEmbedded +--------Slots +------------SlotID +----------------Identifier +----------------IsEmbedded +----------------IsSelected +----------------State +--------Policies +------------SlotSelectionEnabled +``` **./Device/Vendor/MSFT/MultiSIM** Root node. From 00598fdf5c2488a54ccc084a9ffe7e8b3643f7ac Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 19 Jan 2021 16:45:24 +0530 Subject: [PATCH 02/13] Updated-4769890 --- .../mdm/policy-csp-internetexplorer.md | 676 ++++++++++++++++++ 1 file changed, 676 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index c63c654abe..76bbfdbec4 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -85,6 +85,9 @@ manager: dansimp
InternetExplorer/AllowOneWordEntry
+
+ InternetExplorer/AllowSaveTargetAsInIEMode +
InternetExplorer/AllowSiteToZoneAssignmentList
@@ -112,6 +115,11 @@ manager: dansimp
InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses
+ +
+ InternetExplorer/ConfigureEdgeRedirectChannel +
InternetExplorer/DisableActiveXVersionListAutoDownload
@@ -160,6 +168,9 @@ manager: dansimp
InternetExplorer/DisableHomePageChange
+
+ InternetExplorer/AllowSaveTargetAsInIEMode +
InternetExplorer/DisableIgnoringCertificateErrors
@@ -355,6 +366,9 @@ manager: dansimp
InternetExplorer/IntranetZoneNavigateWindowsAndFrames
+
+ InternetExplorer/KeepIntranetSitesInInternetExplorer +
InternetExplorer/LocalMachineZoneAllowAccessToDataSources
@@ -739,6 +753,9 @@ manager: dansimp
InternetExplorer/SecurityZonesUseOnlyMachineSettings
+
+ InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge +
InternetExplorer/SpecifyUseOfActiveXInstallerService
@@ -2348,6 +2365,88 @@ ADMX Info:
+ +**InternetExplorer/AllowSaveTargetAsInIEMode** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting allows the administrator to enable "Save Target As" context menu in Internet Explorer mode. + +- If you enable this policy, "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer. +- If you disable or do not configure this policy setting, "Save Target As" will not show up in the Internet Explorer mode context menu. + +For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115) + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow "Save Target As" in Internet Explorer mode* +- GP name: *AllowSaveTargetAsInIEMode* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml + + + + + + + + + + +``` + **InternetExplorer/AllowSiteToZoneAssignmentList** @@ -2978,6 +3077,299 @@ ADMX Info:
+--Policy--> +**InternetExplorer/ConfigureEdgeRedirectChannel** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy, if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen versions are not installed on the device, that preference will be bypassed. + +If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed, the following behaviors occur: + +- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: + 1 = Microsoft Edge Stable + 2 = Microsoft Edge Beta version 77 or later + 3 = Microsoft Edge Dev version 77 or later + 4 = Microsoft Edge Canary version 77 or later + +- If you disable or do not configure this policy, Microsoft Edge Stable channel is used. This is the default behavior. + +If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed, the following behaviors occur: + +- If you enable this policy, you can configure redirected sites to open in up to three of the following channels where: + 0 = Microsoft Edge version 45 or earlier + 1 = Microsoft Edge Stable + 2 = Microsoft Edge Beta version 77 or later + 3 = Microsoft Edge Dev version 77 or later + 4 = Microsoft Edge Canary version 77 or later + +- If you disable or do not configure this policy, Microsoft Edge version 45 or earlier is automatically used. This is the default behavior. + +> [!NOTE] +> For more information about the Windows update for the next version of Microsoft Edge including how to disable it, see [https://go.microsoft.com/fwlink/?linkid=2102115](https://go.microsoft.com/fwlink/?linkid=2102115). This update applies only to Windows 10 version 1709 and higher. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure which channel of Microsoft Edge to use for opening redirected sites* +- GP name: *ConfigureEdgeRedirectChannel* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` **InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses** @@ -4250,8 +4642,101 @@ ADMX Info: + +**InternetExplorer/DisableInternetExplorerApp** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ +
+ +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy lets you restrict launching of Internet Explorer as a standalone browser. + +If you enable this policy, it: +- Prevents Internet Explorer 11 from launching as a standalone browser. +- Restricts Internet Explorer's usage to Microsoft Edge's native 'Internet Explorer mode'. +- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable Channel browser. +- Overrides any other policies that redirect to Internet Explorer 11. + +If you disable, or do not configure this policy, all sites are opened using the current active browser settings. + +> [!NOTE] +> Microsoft Edge Stable Channel must be installed for this policy to take effect. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disable Internet Explorer 11 as a standalone browser* +- GP name: *DisableInternetExplorerApp* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml + + + + + + + + + + + + + + + + + + + +``` **InternetExplorer/DisableIgnoringCertificateErrors** @@ -9007,6 +9492,105 @@ ADMX Info:
+ +**InternetExplorer/KeepIntranetSitesInInternetExplorer** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This policy setting prevents intranet sites from being opened in any browser except Internet Explorer. + +> [!NOTE] +> If the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy is not enabled, then this policy has no effect. + +If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. +If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge. + +We strongly recommend keeping this policy in sync with the ‘Send all intranet sites to Internet Explorer’ (‘SendIntranetToInternetExplorer’) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. + +Related policies: +- Send all intranet sites to Internet Explorer (‘SendIntranetToInternetExplorer’) +- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (‘RestrictIE’) + +For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](https://go.microsoft.com/fwlink/?linkid=2094210) + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Keep all Intranet Sites in Internet Explorer* +- GP name: *KeepIntranetSitesInInternetExplorer* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml + + + + + + + + + + + + + + + + + + + +``` **InternetExplorer/LocalMachineZoneAllowAccessToDataSources** @@ -18428,6 +19012,98 @@ ADMX Info:
+ +**InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User +> * Device + +
+ + + +This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode Site List. + +If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge. + +If you disable, or not configure this setting, then it opens all sites based on the currently active browser. + +> [!NOTE] +> If you have also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge* +- GP name: *SendSitesNotInEnterpriseSiteListToEdge* +- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP ADMX file name: *inetres.admx* + + + +```xml + + + + + + + + + + + + + + + + + + + +``` **InternetExplorer/SpecifyUseOfActiveXInstallerService** From e911cd7991dfdce6e8070413a7e132f18e5d2f9a Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 19 Jan 2021 07:59:31 -0800 Subject: [PATCH 03/13] Update policy-csp-internetexplorer.md --- windows/client-management/mdm/policy-csp-internetexplorer.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 76bbfdbec4..9f9d86fb13 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -5,9 +5,8 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman +author: dansimp ms.localizationpriority: medium -ms.date: 09/27/2019 ms.reviewer: manager: dansimp --- From 300cfdd38b000dba50303b770fe904a18dfc189c Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 2 Feb 2021 16:09:05 +0530 Subject: [PATCH 04/13] Updated --- .../mdm/policy-csp-internetexplorer.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 9f9d86fb13..42ba6d3f7a 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -168,7 +168,7 @@ manager: dansimp InternetExplorer/DisableHomePageChange
- InternetExplorer/AllowSaveTargetAsInIEMode + InternetExplorer/DisableInternetExplorerApp
InternetExplorer/DisableIgnoringCertificateErrors @@ -2428,7 +2428,7 @@ For more information, see [https://go.microsoft.com/fwlink/?linkid=2102115](http ADMX Info: - GP English name: *Allow "Save Target As" in Internet Explorer mode* - GP name: *AllowSaveTargetAsInIEMode* -- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -3158,8 +3158,8 @@ If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge ADMX Info: - GP English name: *Configure which channel of Microsoft Edge to use for opening redirected sites* -- GP name: *ConfigureEdgeRedirectChannel* -- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP name: *NeedEdgeBrowser* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -4680,6 +4680,7 @@ ADMX Info: > [!div class = "checklist"] > * User +> * Device
@@ -4710,7 +4711,7 @@ If you disable, or do not configure this policy, all sites are opened using the ADMX Info: - GP English name: *Disable Internet Explorer 11 as a standalone browser* - GP name: *DisableInternetExplorerApp* -- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -9563,8 +9564,8 @@ For more information on how to use this policy together with other related polic ADMX Info: - GP English name: *Keep all Intranet Sites in Internet Explorer* -- GP name: *KeepIntranetSitesInInternetExplorer* -- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP name: *MDM policy is Browser/SendIntranetTraffictoInternetExplorer* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -19076,8 +19077,8 @@ If you disable, or not configure this setting, then it opens all sites based on ADMX Info: - GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge* -- GP name: *SendSitesNotInEnterpriseSiteListToEdge* -- GP path: *OS\Core\WSD\CFE-Browser\IE-Apps* +- GP name: *RestrictInternetExplorer* +- GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* From f8b5cdbaa1ecd38d806c8fab769c514e21d87002 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 2 Feb 2021 16:20:16 +0530 Subject: [PATCH 05/13] updated --- ...olicy-csp-admx-microsoftdefenderantivirus.md | 17 +++++++++++++---- .../mdm/policy-csp-internetexplorer.md | 2 +- 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md index 5862dadff7..1e2341c8cf 100644 --- a/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md +++ b/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus.md @@ -3223,9 +3223,11 @@ ADMX Info:
- + + **ADMX_MicrosoftDefenderAntivirus/Reporting_DisablegenericrePorts** + @@ -3356,7 +3358,8 @@ ADMX Info:
- + + **ADMX_MicrosoftDefenderAntivirus/Reporting_RecentlyCleanedTimeout** @@ -4249,7 +4252,11 @@ ADMX Info:
-**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan** + +**ADMX_MicrosoftDefenderAntivirus/Scan_DisableScanningMappedNetworkDrivesForFullScan** + +
@@ -6135,7 +6142,9 @@ ADMX Info:
-**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification** +**ADMX_MicrosoftDefenderAntivirus/SignatureUpdate_SignatureDisableNotification** + +
diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 42ba6d3f7a..a8e42b4c6d 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -19077,7 +19077,7 @@ If you disable, or not configure this setting, then it opens all sites based on ADMX Info: - GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge* -- GP name: *RestrictInternetExplorer* +- GP name: *SendSitesNotInEnterpriseSiteListToEdge* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* From 1ab9178ee618ffb42158eb4502e132c47f8e6161 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Thu, 4 Feb 2021 12:10:51 +0530 Subject: [PATCH 06/13] Updated --- .../mdm/policy-csp-internetexplorer.md | 24 ++++++++++--------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index a8e42b4c6d..eac30fe874 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1327,19 +1327,19 @@ ADMX Info: - + - + - + - +
Procheck mark6check mark7
Businesscheck mark6check mark7
Enterprisecheck mark6check mark7
Educationcheck mark6check mark7
@@ -9540,16 +9540,16 @@ ADMX Info: This policy setting prevents intranet sites from being opened in any browser except Internet Explorer. > [!NOTE] -> If the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy is not enabled, then this policy has no effect. +> If the [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdg](#internetexplorer-policies)e policy is not enabled, then this policy has no effect. If you enable this policy, all intranet sites are opened in Internet Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List. If you disable or do not configure this policy, all intranet sites are automatically opened in Microsoft Edge. -We strongly recommend keeping this policy in sync with the ‘Send all intranet sites to Internet Explorer’ (‘SendIntranetToInternetExplorer’) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. +We strongly recommend keeping this policy in sync with the [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy. Additionally, it is best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge. Related policies: -- Send all intranet sites to Internet Explorer (‘SendIntranetToInternetExplorer’) -- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (‘RestrictIE’) +- [Browser/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) +- [InternetExplorer/SendSitesNotInEnterpriseSiteListToEdge](#internetexplorer-policies) For more information on how to use this policy together with other related policies to create the optimal configuration for your organization, see [https://go.microsoft.com/fwlink/?linkid=2094210.](https://go.microsoft.com/fwlink/?linkid=2094210) @@ -9564,7 +9564,7 @@ For more information on how to use this policy together with other related polic ADMX Info: - GP English name: *Keep all Intranet Sites in Internet Explorer* -- GP name: *MDM policy is Browser/SendIntranetTraffictoInternetExplorer* +- GP name: *KeepIntranetSitesInInternetExplorer* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* @@ -19057,14 +19057,14 @@ ADMX Info: -This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode Site List. +This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this setting, you must also turn on the [InternetExplorer/AllowEnterpriseModeSiteList ](#internetexplorer-policies) policy setting and you must include at least one site in the Enterprise Mode Site List. If you enable this setting, it automatically opens all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you disable, or not configure this setting, then it opens all sites based on the currently active browser. > [!NOTE] -> If you have also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting, then all intranet sites will continue to open in Internet Explorer 11. +> If you have also enabled the [InternetExplorer/SendIntranetTraffictoInternetExplorer](#internetexplorer-policies) policy setting, then all intranet sites will continue to open in Internet Explorer 11. > [!TIP] @@ -19081,6 +19081,8 @@ ADMX Info: - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* +> [!NOTE] +> This MDM policy is still outstanding. ```xml From fd8b9fa09426cfbe2e7445cc419a0fc02aec8e7b Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 9 Feb 2021 15:17:51 +0530 Subject: [PATCH 07/13] Updated --- .../mdm/policy-csp-internetexplorer.md | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index eac30fe874..aa666c9b90 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -1327,19 +1327,19 @@ ADMX Info: Pro - check mark7 + check mark6 Business - check mark7 + check mark6 Enterprise - check mark7 + check mark6 Education - check mark7 + check mark6 @@ -2379,19 +2379,19 @@ ADMX Info: Pro - check mark + check mark7 Business - check mark + check mark7 Enterprise - check mark + check mark7 Education - check mark + check mark7 @@ -3091,19 +3091,19 @@ ADMX Info: Pro - check mark + check mark7 Business - check mark + check mark7 Enterprise - check mark + check mark7 Education - check mark + check mark7 @@ -4656,19 +4656,19 @@ ADMX Info: Pro - check mark + check mark7 Business - check mark + check mark7 Enterprise - check mark + check mark7 Education - check mark + check mark7 @@ -9507,19 +9507,19 @@ ADMX Info: Pro - check mark + check mark7 Business - check mark + check mark7 Enterprise - check mark + check mark7 Education - check mark + check mark7 @@ -19027,19 +19027,19 @@ ADMX Info: Pro - check mark + check mark7 Business - check mark + check mark7 Enterprise - check mark + check mark7 Education - check mark + check mark7 From e77ff5a3f0f1dc3b12d0e7da3e845be9eb9817ac Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 17 Feb 2021 18:02:20 +0530 Subject: [PATCH 08/13] Updated --- windows/client-management/mdm/policy-csp-internetexplorer.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index aa666c9b90..73e6d3c865 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -3076,7 +3076,6 @@ ADMX Info:
---Policy--> **InternetExplorer/ConfigureEdgeRedirectChannel** @@ -19077,7 +19076,7 @@ If you disable, or not configure this setting, then it opens all sites based on ADMX Info: - GP English name: *Send all sites not included in the Enterprise Mode Site List to Microsoft Edge* -- GP name: *SendSitesNotInEnterpriseSiteListToEdge* +- GP name: *RestrictInternetExplorer* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* From 6ea410dc2648a612ab610315387fbe39ed1b53bc Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Tue, 2 Mar 2021 01:17:59 +0530 Subject: [PATCH 09/13] Updated --- windows/client-management/mdm/TOC.md | 1 + .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../policy-configuration-service-provider.md | 7 + .../mdm/policy-csp-admx-filerecovery.md | 125 ++++++++++++++++++ 4 files changed, 134 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-filerecovery.md diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 3675333e76..5d1426ba5e 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -203,6 +203,7 @@ #### [ADMX_EventForwarding](policy-csp-admx-eventforwarding.md) #### [ADMX_EventLog](policy-csp-admx-eventlog.md) #### [ADMX_Explorer](policy-csp-admx-explorer.md) +#### [ADMX_FileRecovery](policy-csp-admx-filerecovery.md) #### [ADMX_FileServerVSSProvider](policy-csp-admx-fileservervssprovider.md) #### [ADMX_FileSys](policy-csp-admx-filesys.md) #### [ADMX_FolderRedirection](policy-csp-admx-folderredirection.md) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index a93f4e23d3..25617b27ab 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -266,6 +266,7 @@ ms.date: 10/08/2020 - [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit) - [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder) - [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations) +- [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) - [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 5056143d53..c8b2f862cc 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1053,6 +1053,13 @@ The following diagram shows the Policy configuration service provider in tree fo
+### ADMX_FileRecovery policies +
+
+ ADMX_FileRecovery/WdiScenarioExecutionPolicy +
+
+ ### ADMX_FileServerVSSProvider policies
diff --git a/windows/client-management/mdm/policy-csp-admx-filerecovery.md b/windows/client-management/mdm/policy-csp-admx-filerecovery.md new file mode 100644 index 0000000000..8a327a33a4 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-filerecovery.md @@ -0,0 +1,125 @@ +--- +title: Policy CSP - ADMX_FileRecovery +description: Policy CSP - ADMX_FileRecovery +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 03/02/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_FileRecovery +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_FileRecovery policies + +
+
+ ADMX_FileRecovery/WdiScenarioExecutionPolicy +
+
+ + +
+ + +**ADMX_FileRecovery/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procross mark
Businesscross mark
Enterprisecheck mark
Educationcross mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +Available in the latest Windows 10 Insider Preview Build. This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. + +If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. + +If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. + +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + +This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. + +> [!NOTE] +> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. + +> [!NOTE] +> This policy setting applies to all sites in Trusted zones. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Disk Diagnostic: Configure execution level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* +- GP ADMX file name: *FileRecovery.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607 +- 2 - Available in Windows 10, version 1703 +- 3 - Available in Windows 10, version 1709 +- 4 - Available in Windows 10, version 1803 +- 5 - Available in Windows 10, version 1809 +- 6 - Available in Windows 10, version 1903 +- 7 - Available in Windows 10, version 1909 +- 8 - Available in Windows 10, version 2004 +- 9 - Available in Windows 10, version 20H2 + + + From 7f2a54acd2cedd6c42b87a67ab9228b96602431f Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 5 Mar 2021 11:34:11 +0530 Subject: [PATCH 10/13] Update healthattestation-csp.md --- .../mdm/healthattestation-csp.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index d58cb649f6..3463de078b 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -37,7 +37,7 @@ The following is a list of functions performed by the Device HealthAttestation C **DHA-Session (Device HealthAttestation session)**

The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.

-

The following list of transactions are performed in one DHA-Session:

+

The following list of transactions is performed in one DHA-Session:

  • DHA-CSP and DHA-Service communication:
    • DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
      • @@ -75,7 +75,7 @@ The following is a list of functions performed by the Device HealthAttestation C DHA-Enabled MDM (Device HealthAttestation enabled device management solution)

      Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.

      DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.

      -

      The following list of operations are performed by DHA-Enabled-MDM:

      +

      The following list of operations is performed by DHA-Enabled-MDM

      • Enables the DHA feature on a DHA-Enabled device
      • Issues device health attestation requests to enrolled/managed devices
        • @@ -85,7 +85,7 @@ The following is a list of functions performed by the Device HealthAttestation C DHA-CSP (Device HealthAttestation Configuration Service Provider)

        The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.

        -

        The following list of operations are performed by DHA-CSP:

        +

        The following list of operations is performed by DHA-CSP:

        • Collects device boot data (DHA-BootData) from a managed device
        • Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
          • @@ -97,7 +97,7 @@ The following is a list of functions performed by the Device HealthAttestation C

          Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.

          DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.

          -

          The following list of operations are performed by DHA-Service:

          +

          The following list of operations is performed by DHA-Service:

          - Receives device boot data (DHA-BootData) from a DHA-Enabled device - Forwards DHA-BootData to Device Health Attestation Service (DHA-Service) @@ -126,7 +126,7 @@ The following is a list of functions performed by the Device HealthAttestation C
        • Available in Windows for free
        • Running on a high-availability and geo-balanced cloud infrastructure
        • Supported by most DHA-Enabled device management solutions as the default device attestation service provider
          • -
        • Accessible to all enterprise managed devices via following: +
        • Accessible to all enterprise-managed devices via following:
          • FQDN = has.spserv.microsoft.com) port
          • Port = 443
            • @@ -144,7 +144,7 @@ The following is a list of functions performed by the Device HealthAttestation C
          • Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
          • Hosted on an enterprise owned and managed server device/hardware
          • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
            • -

          • Accessible to all enterprise managed devices via following:

            +

          • Accessible to all enterprise-managed devices via following:

            • FQDN = (enterprise assigned)
            • Port = (enterprise assigned)
              • @@ -155,12 +155,12 @@ The following is a list of functions performed by the Device HealthAttestation C The operation cost of running one or more instances of Server 2016 on-premises. -Device Health Attestation - Enterprise Managed Cloud

              (DHA-EMC)

              -

              DHA-EMC refers to an enterprise managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise managed cloud service, such as Microsoft Azure.

              +Device Health Attestation - Enterprise-Managed Cloud

              (DHA-EMC)

              +

              DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.

              • Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
              • Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
                • -

              • Accessible to all enterprise managed devices via following:

                +

              • Accessible to all enterprise-managed devices via following:

                • FQDN = (enterprise assigned)
                • Port = (enterprise assigned)
                  • @@ -318,13 +318,13 @@ SSL-Session: There are three types of DHA-Service: - Device Health Attestation – Cloud (owned and operated by Microsoft) - Device Health Attestation – On Premise (owned and operated by an enterprise, runs on Windows Server 2016 on premises) -- Device Health Attestation - Enterprise Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise managed cloud) +- Device Health Attestation - Enterprise-Managed Cloud (owned and operated by an enterprise, runs on Windows Server 2016 compatible enterprise-managed cloud) DHA-Cloud is the default setting. No further action is required if an enterprise is planning to use Microsoft DHA-Cloud as the trusted DHA-Service provider. For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint node to instruct a managed device to communicate with the enterprise trusted DHA-Service. -The following example shows a sample call that instructs a managed device to communicate with an enterprise managed DHA-Service. +The following example shows a sample call that instructs a managed device to communicate with an enterprise-managed DHA-Service. ```xml From 9ef28f1dc68c77c1157c6a1190be17391f6c21e6 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 5 Mar 2021 11:38:46 +0530 Subject: [PATCH 11/13] Update dynamicmanagement-csp.md --- windows/client-management/mdm/dynamicmanagement-csp.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 5ef97bbf97..3716a1c54a 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -64,7 +64,7 @@ DynamicManagement

                  Supported operation is Get.

                  ***ContextID*** -

                  Node created by the server to define a context. Maximum amount of characters allowed is 38.

                  +

                  Node created by the server to define a context. Maximum number of characters allowed is 38.

                  Supported operations are Add, Get, and Delete.

                  **SignalDefinition** @@ -76,15 +76,15 @@ DynamicManagement

                  Value type is string. Supported operations are Add, Get, Delete, and Replace.

                  **SettingsPackResponse** -

                  Response from applying a Settings Pack that contains information on each individual action..

                  +

                  Response from applying a Settings Pack that contains information on each individual action.

                  Value type is string. Supported operation is Get.

                  **ContextStatus** -

                  Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed..

                  +

                  Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.

                  Value type is integer. Supported operation is Get.

                  **Altitude** -

                  A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities..

                  +

                  A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.

                  Value type is integer. Supported operations are Add, Get, Delete, and Replace.

                  **AlertsEnabled** @@ -93,7 +93,7 @@ DynamicManagement ## Examples -Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 meters radius of the specified latitude/longitude +Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100-meters radius of the specified latitude/longitude ```xml From 14d8930359a52680ccdd83d13fb00c26a9a1a731 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 5 Mar 2021 11:43:09 +0530 Subject: [PATCH 12/13] Update dmsessionactions-csp.md --- .../client-management/mdm/dmsessionactions-csp.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md index f632a525d8..8c5772b29c 100644 --- a/windows/client-management/mdm/dmsessionactions-csp.md +++ b/windows/client-management/mdm/dmsessionactions-csp.md @@ -1,6 +1,6 @@ --- title: DMSessionActions CSP -description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low power state. +description: Learn how the DMSessionActions configuration service provider (CSP) is used to manage the number of sessions the client skips if the device is in a low-power state. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -16,7 +16,7 @@ manager: dansimp The DMSessionActions configuration service provider (CSP) is used to manage: -- the number of sessions the client skips if the device is in a low power state +- the number of sessions the client skips if the device is in a low-power state - which CSP nodes should send an alert back to the server if there were any changes. This CSP was added in Windows 10, version 1703. @@ -66,7 +66,7 @@ DMSessionActions

                  Defines the root node for the DMSessionActions configuration service provider.

                  ***ProviderID*** -

                  Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means that there should be only one ProviderID node under NodeCache.

                  +

                  Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.

                  Scope is dynamic. Supported operations are Get, Add, and Delete.

                  @@ -92,12 +92,12 @@ DMSessionActions

                  Value type is string. Supported operation is Get.

                  **PowerSettings** -

                  Node for power related configrations

                  +

                  Node for power-related configrations

                  **PowerSettings/MaxSkippedSessionsInLowPowerState** -

                  Maximum number of continuous skipped sync sessions when the device is in low power state.

                  +

                  Maximum number of continuous skipped sync sessions when the device is in low-power state.

                  Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                  **PowerSettings/MaxTimeSessionsSkippedInLowPowerState** -

                  Maximum time in minutes when the device can skip the check-in with the server if the device is in low power state.

                  +

                  Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.

                  Value type is integer. Supported operations are Add, Get, Replace, and Delete.

                  From 4ad258732e2c7b318ed4b6a3d47cd70acbd24203 Mon Sep 17 00:00:00 2001 From: adirdidi <68847945+adirdidi@users.noreply.github.com> Date: Mon, 15 Mar 2021 18:48:47 +0200 Subject: [PATCH 13/13] Update gov.md MDE for DoD is now GA'd. --- .../threat-protection/microsoft-defender-atp/gov.md | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/gov.md b/windows/security/threat-protection/microsoft-defender-atp/gov.md index e40a3ed5d3..e119763d43 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/gov.md +++ b/windows/security/threat-protection/microsoft-defender-atp/gov.md @@ -47,9 +47,6 @@ GCC | GCC High | DoD Microsoft Defender for Endpoint Server GCC | Microsoft Defender for Endpoint Server for GCC High | Microsoft Defender for Endpoint Server for DOD Azure Defender for Servers | Azure Defender for Servers - Government | Azure Defender for Servers - Government -> [!NOTE] -> DoD licensing will only be available at DoD general availability. -
                  ## Portal URLs @@ -59,7 +56,7 @@ Customer type | Portal URL :---|:--- GCC | https://gcc.securitycenter.microsoft.us GCC High | https://securitycenter.microsoft.us -DoD (PREVIEW) | https://securitycenter.microsoft.us +DoD | https://securitycenter.microsoft.us
                  @@ -68,7 +65,7 @@ DoD (PREVIEW) | https://securitycenter.microsoft.us ### Standalone OS versions The following OS versions are supported: -OS version | GCC | GCC High | DoD (PREVIEW) +OS version | GCC | GCC High | DoD :---|:---|:---|:--- Windows 10, version 20H2 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) Windows 10, version 2004 (with [KB4586853](https://support.microsoft.com/help/4586853)) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) @@ -100,7 +97,7 @@ iOS | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images ### OS versions when using Azure Defender for Servers The following OS versions are supported when using [Azure Defender for Servers](https://docs.microsoft.com/azure/security-center/security-center-wdatp): -OS version | GCC | GCC High | DoD (PREVIEW) +OS version | GCC | GCC High | DoD :---|:---|:---|:--- Windows Server 2016 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) Windows Server 2012 R2 | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) @@ -143,7 +140,7 @@ You can find the Azure IP ranges in [Azure IP Ranges and Service Tags – US Gov ## API Instead of the public URIs listed in our [API documentation](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/apis-intro), you'll need to use the following URIs: -Endpoint type | GCC | GCC High & DoD (PREVIEW) +Endpoint type | GCC | GCC High & DoD :---|:---|:--- Login | `https://login.microsoftonline.com` | `https://login.microsoftonline.us` Defender for Endpoint API | `https://api-gcc.securitycenter.microsoft.us` | `https://api-gov.securitycenter.microsoft.us` @@ -156,7 +153,7 @@ Defender for Endpoint for US Government customers doesn't have complete parity w These are the known gaps as of March 2021: -Feature name | GCC | GCC High | DoD (PREVIEW) +Feature name | GCC | GCC High | DoD :---|:---|:---|:--- Automated investigation and remediation: Live response | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) | ![Yes](../images/svg/check-yes.svg) Automated investigation and remediation: Response to Office 365 alerts | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog | ![No](../images/svg/check-no.svg) On engineering backlog