Merged PR 10973: Fixing insecure links

It is against MSFT policy to have insecure links to other Microsoft properties (so *.microsoft.com, *.office.com, *.visualstudio.com, *.msdn.com, aka.ms, etc.). This was picked up in a scan of docs, and needs to be resolved.
This commit is contained in:
Duncan Mackenzie
2018-08-28 18:50:00 +00:00
committed by Patti Short
248 changed files with 3568 additions and 3569 deletions

View File

@ -22,7 +22,7 @@ This CSP was added in Windows 10, version 1511.
 
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](http://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](http://go.microsoft.com/fwlink/p/?LinkId=615877).
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](https://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](https://go.microsoft.com/fwlink/p/?LinkId=615877).
The following diagram shows the AllJoynManagement configuration service provider in tree format
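Review bot: the line this hunk rewrites still reads "The Private Profile must be set on the directly on the device itself"; since the line is being touched for the scheme change anyway, drop the stray "on the" so it reads "must be set directly on the device itself". The http-to-https change on the two go.microsoft.com fwlink URLs is itself correct; the redirector serves both schemes and the https form stops the first hop from being plaintext.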
@ -30,47 +30,47 @@ The following diagram shows the AllJoynManagement configuration service provider
The following list describes the characteristics and parameters.
<a href="" id="--vendor-msft-alljoynmanagement"></a>**./Vendor/MSFT/AllJoynManagement**
<a href="" id="--vendor-msft-alljoynmanagement"></a>**./Vendor/MSFT/AllJoynManagement**
The root node for the AllJoynManagement configuration service provider.
<a href="" id="services"></a>**Services**
<a href="" id="services"></a>**Services**
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
<a href="" id="services-node-name"></a>**Services/****_Node name_**
<a href="" id="services-node-name"></a>**Services/****_Node name_**
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
<a href="" id="services-node-name-port"></a>**Services/*Node name*/Port**
<a href="" id="services-node-name-port"></a>**Services/*Node name*/Port**
The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports.
<a href="" id="services-node-name-port-node-name"></a>**Services/*Node name*/Port/****_Node name_**
<a href="" id="services-node-name-port-node-name"></a>**Services/*Node name*/Port/****_Node name_**
Port number used for communication. This is specified by the configurable AllJoyn object and reflected here.
<a href="" id="services-node-name-port-node-name-cfgobject"></a>**Services/*Node name*/Port/*Node name*/CfgObject**
<a href="" id="services-node-name-port-node-name-cfgobject"></a>**Services/*Node name*/Port/*Node name*/CfgObject**
The set of configurable interfaces that are available on the port of the AllJoyn object.
<a href="" id="services-node-name-port-node-name-cfgobject-node-name"></a>**Services/*Node name*/Port/*Node name*/CfgObject/****_Node name_**
<a href="" id="services-node-name-port-node-name-cfgobject-node-name"></a>**Services/*Node name*/Port/*Node name*/CfgObject/****_Node name_**
The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
<a href="" id="credentials"></a>**Credentials**
<a href="" id="credentials"></a>**Credentials**
This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase.
<a href="" id="credentials-node-name"></a>**Credentials/****_Node name_**
<a href="" id="credentials-node-name"></a>**Credentials/****_Node name_**
This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID.
<a href="" id="credentials-node-name-key"></a>**Credentials/*Node name*/Key**
<a href="" id="credentials-node-name-key"></a>**Credentials/*Node name*/Key**
An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard.
<a href="" id="firewall"></a>**Firewall**
<a href="" id="firewall"></a>**Firewall**
Firewall setting for the AllJoyn service.
<a href="" id="firewall-publicprofile"></a>**Firewall/PublicProfile**
<a href="" id="firewall-publicprofile"></a>**Firewall/PublicProfile**
Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for public network profile.
<a href="" id="firewall-privateprofile"></a>**Firewall/PrivateProfile**
<a href="" id="firewall-privateprofile"></a>**Firewall/PrivateProfile**
Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for private network profile.
## Examples
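Review bot: every line pair in this hunk is byte-identical apart from whitespace, so this hunk carries no link fix at all; in a 248-file PR titled "Fixing insecure links" this trailing-whitespace churn buries the handful of real http-to-https edits (in this file, only the two fwlink URLs in the first hunk). Either split the whitespace cleanup into its own commit or state in the commit message that trailing whitespace was stripped, so reviewers know why lines such as `**Firewall/PublicProfile**` and `**Credentials/*Node name*/Key**` appear as changed.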
@ -123,7 +123,7 @@ Get the firewall PrivateProfile
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
@ -131,7 +131,7 @@ Get the firewall PrivateProfile
<LocURI>./Vendor/MSFT/AllJoynManagement/Firewall/PrivateProfile</LocURI>
</Target>
</Item>
</Get>
</Get>
<Final/>
</SyncBody>
</SyncML>

View File

@ -19,7 +19,7 @@ The AppLocker configuration service provider is used to specify which applicatio
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
>
> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps.
>
>
> Delete/unenrollment is not properly supported unless Grouping values are unique across enrollments. If multiple enrollments use the same Grouping value, then unenrollment will not work as expected since there are duplicate URIs that get deleted by the resource manager. To prevent this problem, the Grouping value should include some randomness. The best practice is to use a randomly generated GUID. However, there is no requirement on the exact value of the node.
@ -27,15 +27,15 @@ The following diagram shows the AppLocker configuration service provider in tree
![applocker csp](images/provisioning-csp-applocker.png)
<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/AppLocker**
<a href="" id="--vendor-msft-applocker"></a>**./Vendor/MSFT/AppLocker**
Defines the root node for the AppLocker configuration service provider.
<a href="" id="applicationlaunchrestrictions"></a>**ApplicationLaunchRestrictions**
<a href="" id="applicationlaunchrestrictions"></a>**ApplicationLaunchRestrictions**
Defines restrictions for applications.
> [!NOTE]  
> When you create a list of allowed apps, all [inbox apps](#inboxappsandcomponents) are also blocked, and you must include them in your list of allowed apps. Don't forget to add the inbox apps for Phone, Messaging, Settings, Start, Email and accounts, Work and school, and other apps that you need.
>
>
> In Windows 10 Mobile, when you create a list of allowed apps, the [settings app that rely on splash apps](#settingssplashapps) are blocked. To unblock these apps, you must include them in your list of allowed apps.
Additional information:
@ -43,10 +43,10 @@ Additional information:
- [Find publisher and product name of apps](#productname) - step-by-step guide for getting the publisher and product names for various Windows apps.
- [Whitelist example](#whitelist-example) - example for Windows 10 Mobile that denies all apps except the ones listed.
<a href="" id="enterprisedataprotection"></a>**EnterpriseDataProtection**
<a href="" id="enterprisedataprotection"></a>**EnterpriseDataProtection**
Captures the list of apps that are allowed to handle enterprise data. Should be used in conjunction with the settings in **./Device/Vendor/MSFT/EnterpriseDataProtection** in [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md).
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
In Windows 10, version 1607 the Windows Information Protection has a concept for allowed and exempt applications. Allowed applications can access enterprise data and the data handled by those applications are protected with encryption. Exempt applications can also access enterprise data, but the data handled by those applications are not protected. This is because some critical enterprise applications may have compatibility problems with encrypted data.
You can set the allowed list using the following URI:
- ./Vendor/MSFT/AppLocker/EnterpriseDataProtection/_Grouping_/EXE/Policy
@ -155,7 +155,7 @@ Each of the previous nodes contains one or more of the following leaf nodes:
<td><p><strong>Policy</strong></p></td>
<td><p>Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.</p>
<p>Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.</p>
<p>For CodeIntegrity/Policy, you can use the [certutil -encode](http://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.</p>
<p>For CodeIntegrity/Policy, you can use the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool to encode the data to base-64.</p>
<p>Here is a sample certutil invocation:</p>
```
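Review bot: the `[certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364)` link on the rewritten line sits inside a `<p>` within an HTML table; CommonMark does not parse Markdown inside an HTML block, so this can render as literal brackets rather than a link. Check the rendered page, and if it does, write it as `<a href="https://go.microsoft.com/fwlink/p/?LinkId=724364">certutil -encode</a>` to match the surrounding HTML.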
@ -164,7 +164,7 @@ certutil -encode WinSiPolicy.p7b WinSiPolicy.cer
<p>An alternative to using certutil would be to use the following PowerShell invocation:</p>
```
```
[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))
```
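Review bot: this hunk is whitespace-only, but the PowerShell line it surrounds, `[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path <bin file>))`, only works in Windows PowerShell; PowerShell 6 and later removed `-Encoding Byte` in favour of `-AsByteStream`. A one-line qualifier next to the invocation would save a reader on PowerShell 7 from a parameter-binding error where they expected a base64 policy blob.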
@ -259,7 +259,7 @@ Here is an example AppLocker publisher rule:
``` syntax
FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Reader" BinaryName="*">
<BinaryVersionRange LowSection="*" HighSection="*" />
<BinaryVersionRange LowSection="*" HighSection="*" />
</FilePublisherCondition>
```
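Review bot: the "example AppLocker publisher rule" in this hunk is missing its opening angle bracket: `FilePublisherCondition PublisherName="CN=Microsoft Corporation, ...` should begin with `<FilePublisherCondition`, otherwise the snippet is not well-formed XML and fails when pasted into a RuleCollection. The hunk only touches whitespace on the `<BinaryVersionRange>` line, but this is the right place to fix the tag.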
@ -889,14 +889,14 @@ The following example blocks the usage of the map application.
&lt;FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsMaps" BinaryName="*" /&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;/RuleCollection&gt;
</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
</SyncML>
```
The following example disables the Mixed Reality Portal. In the example, the **Id** can be any generated GUID and the **Name** can be any name you choose. Note that `BinaryName="*"` allows you to block any app executable in the Mixed Reality Portal package. **Binary/VersionRange**, as shown in the example, will block all versions of the Mixed Reality Portal app.
@ -914,7 +914,7 @@ The following example disables the Mixed Reality Portal. In the example, the **I
<Format xmlns="syncml:metinf">chr</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Data>
&lt;RuleCollection Type="Appx" EnforcementMode="Enabled"&gt;
&lt;FilePublisherRule Id="a9e18c21-ff8f-43cf-b9fc-db40eed693ba" Name="(Default Rule) All signed packaged apps" Description="Allows members of the Everyone group to run packaged apps that are signed." UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
@ -937,7 +937,7 @@ The following example disables the Mixed Reality Portal. In the example, the **I
<Final/>
</SyncBody>
</SyncML>
```
```
The following example for Windows 10 Mobile denies all apps and allows the following apps:
@ -1215,7 +1215,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
&lt;FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Getstarted" BinaryName="*" /&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="4546BD28-69B6-4175-A44C-33197D48F658" Name="Whitelist Outlook Calendar" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="microsoft.windowscommunicationsapps" BinaryName="*" /&gt;
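Review bot: the rule shown as context here, `Name="Whitelist Outlook Calendar" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"`, describes itself as allowing admins, but S-1-1-0 is the Everyone SID. The description misleads anyone auditing the policy; either change it to "Allow Everyone" or, if the intent really is administrators only, use the Administrators SID. The same Description/SID mismatch repeats in the "Whitelist Voice recorder", "Whitelist Storage" and "Whitelist Advanced Info" rules further down in this file.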
@ -1281,7 +1281,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
&lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.XboxIdentityProvider" BinaryName="*" /&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="7565A8BB-D50B-4237-A9E9-B0997B36BDF9" Name="Whitelist Voice recorder" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.WindowsSoundRecorder" BinaryName="*" /&gt;
@ -1317,7 +1317,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
&lt;FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Cortana" BinaryName="*" /&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="01CD8E68-666B-4DE6-8849-7CE4F0C37CA8" Name="Whitelist Storage" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA564D" BinaryName="*" /&gt;
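Review bot: `PublisherName="*" ProductName="5B04B775-356B-4AA0-AAF8-6491FFEA564D"` in this hunk allows a package by name under any publisher. With a publisher wildcard the signer is no longer part of the allow decision, so any signed package carrying that ProductName is permitted; if the GUID-named package has a known publisher, pin it in PublisherName as the other rules in this example do. The next hunk has the same pattern with `ProductName="B6E3E590-9FA5-40C0-86AC-EF475DE98E88"`.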
@ -1383,7 +1383,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
&lt;FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.MSFacebook" BinaryName="*" /&gt;
&lt;/Conditions&gt;
&lt;/FilePublisherRule&gt;
&lt;FilePublisherRule Id="5168A5C3-5DC9-46C1-87C0-65A9DE1B4D18" Name="Whitelist Advanced Info" Description="Allow Admins" UserOrGroupSid="S-1-1-0" Action="Allow"&gt;
&lt;Conditions&gt;
&lt;FilePublisherCondition PublisherName="*" ProductName="B6E3E590-9FA5-40C0-86AC-EF475DE98E88" BinaryName="*" /&gt;

View File

@ -15,11 +15,11 @@ ms.date: 04/25/2018
The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211)
In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
> [!Warning]
> [!Warning]
> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
> [!Note]
@ -29,19 +29,19 @@ The following diagram shows the AssignedAccess configuration service provider in
![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png)
<a href="" id="--vendor-msft-assignedaccess"></a>**./Device/Vendor/MSFT/AssignedAccess**
<a href="" id="--vendor-msft-assignedaccess"></a>**./Device/Vendor/MSFT/AssignedAccess**
Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
<a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app).
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](https://go.microsoft.com/fwlink/p/?LinkID=722211)
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
>
> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even its not effective.
> [!Note]
> You cannot set both KioskModeApp and ShellLauncher at the same time on the device.
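Review bot: the note rewritten in this hunk ends with "even its not effective", which should read "even if it is not effective". More importantly, the same note says Add/Replace/Delete on KioskModeApp return SUCCESS while having no effect once Configuration is set; since an MDM server cannot tell from the status code that the setting was ignored, the note should tell server implementers to Get the Configuration node first (or avoid KioskModeApp entirely on 1803 and later) rather than trust the SUCCESS response.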
@ -53,14 +53,14 @@ Here's an example:
{"Account":"contoso\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
> [!Tip]
> [!Tip]
> In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\.
>
> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string. 
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
> [!Note]
> [!Note]
> The domain name can be optional if the user name is unique across the system.
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
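Review bot: the Tip in this hunk about JSON backslash escaping is hard to read because the backslashes are themselves being treated as Markdown escapes (`\\\` and `\\\\\\\` render as a varying number of characters depending on the renderer). Put each literal in a code span, for example `contoso\\kioskuser` for the JSON form and `contoso\kioskuser` for what the user types, so the backslash count survives rendering. The hunk only strips whitespace from the `> [!Tip]` and `> [!Note]` lines.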
@ -68,32 +68,32 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
<a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
<a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here is the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
>
> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even its not effective.
Enterprises can use this to easily configure and manage the curated lockdown experience.
Enterprises can use this to easily configure and manage the curated lockdown experience.
Supported operations are Add, Get, Delete, and Replace.
Deleting the multi-app configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies back (e.g. Start Layout).
<a href="" id="assignedaccess-status"></a>**./Device/Vendor/MSFT/AssignedAccess/Status**
<a href="" id="assignedaccess-status"></a>**./Device/Vendor/MSFT/AssignedAccess/Status**
Added in Windows 10, version 1803. This read only polling node allows MDM server to query the current KioskModeAppRuntimeStatus as long as the StatusConfiguration node is set to “On” or “OnWithAlerts”. If the StatusConfiguration is “Off”, a node not found error will be reported to the MDM server. Click [link](#status-example) to see an example SyncML. [Here](#assignedaccessalert-xsd) is the schema for the Status payload.
In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode.
In Windows 10, version 1803, Assigned Access runtime status only supports monitoring single app kiosk mode. Here are the possible status available for single app kiosk mode.
|Status |Description |
|---------|---------|---------|
| KioskModeAppRunning | This means the kiosk app is running normally. |
| KioskModeAppNotFound | This occurs when the kiosk app is not deployed to the machine. |
| KioskModeAppActivationFailure | This happens when the assigned access controller detects the process terminated unexpectedly after exceeding the max retry. |
Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus.
Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus.
|Status code | KioskModeAppRuntimeStatus |
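Review bot: the status table in this hunk has a two-column header (`|Status |Description |`) but a three-column separator (`|---------|---------|---------|`), which some Markdown renderers reject or render with an empty third column; drop the extra `|---------|`. While here, "Here are the possible status available" should read "Here are the possible statuses available".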
@ -103,37 +103,37 @@ Note that status codes available in the Status payload correspond to a specific
| 3 | KioskModeAppActivationFailure |
Additionally, the status payload includes a profileId, which can be used by the MDM server to correlate which kiosk app caused the error.
Additionally, the status payload includes a profileId, which can be used by the MDM server to correlate which kiosk app caused the error.
Supported operation is Get.
<a href="" id="assignedaccess-shelllauncher"></a>**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher**
<a href="" id="assignedaccess-shelllauncher"></a>**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher**
Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. For more information, see [Shell Launcher](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/shell-launcher).
> [!Note]
> [!Note]
> You cannot set both ShellLauncher and KioskModeApp at the same time on the device.
>
> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function.
>
> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function.
>
>The ShellLauncher node is not supported in Windows 10 Pro.
<a href="" id="assignedaccess-statusconfiguration"></a>**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration**
<a href="" id="assignedaccess-statusconfiguration"></a>**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration**
Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema.
By default the StatusConfiguration node does not exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node.
Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node.
This MDM alert header is defined as follows:
- MDMAlertMark: Critical
- MDMAlertType: "com.microsoft.mdm.assignedaccess.status"
- MDMAlertDataType: String
- Source: "./Vendor/MSFT/AssignedAccess"
- Target: N/A
> [!Note]
> MDM alert will only be sent for errors.
By default the StatusConfiguration node does not exist, and it implies this feature is off. Once enabled via CSP, Assigned Access will check kiosk app status and wait for MDM server to query the latest status from the Status node.
Optionally, the MDM server can opt-in to the MDM alert so a MDM alert will be generated and sent immediately to the MDM server when the assigned access runtime status is changed. This MDM alert will contain the status payload that is available via the Status node.
This MDM alert header is defined as follows:
- MDMAlertMark: Critical
- MDMAlertType: "com.microsoft.mdm.assignedaccess.status"
- MDMAlertDataType: String
- Source: "./Vendor/MSFT/AssignedAccess"
- Target: N/A
> [!Note]
> MDM alert will only be sent for errors.
## KioskModeApp examples
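Review bot: the Shell Launcher note in this hunk contains a stray "I." between two sentences ("if it is available within the SKU. I. Shell Launcher as a feature ...") that looks like the remnant of an edit; delete it. The hunk otherwise only strips whitespace from the `> [!Note]` lines and the node headings.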
@ -149,9 +149,9 @@ KioskModeApp Add
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}</Data>
</Item>
</Add>
@ -207,9 +207,9 @@ KioskModeApp Replace
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"}</Data>
</Item>
</Replace>
@ -235,7 +235,7 @@ KioskModeApp Replace
<xs:element name="Profile" type="profile_t" minOccurs="1" maxOccurs="unbounded"/>
</xs:sequence>
</xs:complexType>
<xs:complexType name="kioskmodeapp_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
</xs:complexType>
@ -365,61 +365,61 @@ KioskModeApp Replace
## Example AssignedAccessConfiguration XML
``` syntax
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
          <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
          <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
        </AllowedApps>
      </AllAppsList>
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                      <LayoutOptions StartTileGroupCellWidth="6" />
                      <DefaultLayoutOverride>
                        <StartLayoutCollection>
                          <defaultlayout:StartLayout GroupCellWidth="6">
                            <start:Group Name="Group1">
                              <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
                              <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
                              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
                              <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                              <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                            </start:Group>
                            <start:Group Name="Group2">
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
                              <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
                            </start:Group>
                          </defaultlayout:StartLayout>
                        </StartLayoutCollection>
                      </DefaultLayoutOverride>
                    </LayoutModificationTemplate>
                ]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>MultiAppKioskUser</Account>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
  <Profiles>
    <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
      <AllAppsList>
        <AllowedApps>
          <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
          <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
          <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
          <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
          <App DesktopAppPath="%windir%\system32\mspaint.exe" />
          <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
        </AllowedApps>
      </AllAppsList>
      <StartLayout>
        <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
                      <LayoutOptions StartTileGroupCellWidth="6" />
                      <DefaultLayoutOverride>
                        <StartLayoutCollection>
                          <defaultlayout:StartLayout GroupCellWidth="6">
                            <start:Group Name="Group1">
                              <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
                              <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
                              <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
                              <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
                              <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
                            </start:Group>
                            <start:Group Name="Group2">
                              <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
                              <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
                            </start:Group>
                          </defaultlayout:StartLayout>
                        </StartLayoutCollection>
                      </DefaultLayoutOverride>
                    </LayoutModificationTemplate>
                ]]>
      </StartLayout>
      <Taskbar ShowTaskbar="true"/>
    </Profile>
  </Profiles>
  <Configs>
    <Config>
      <Account>MultiAppKioskUser</Account>
      <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
    </Config>
  </Configs>
</AssignedAccessConfiguration>
```
## Configuration examples
XML encoding (escaped) and CDATA of the XML in the Data node both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
XML encoding (escaped) and CDATA of the XML in the Data node both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, youll have nested CDATA so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
Similarly, the StartLayout xml inside the configuration xml is using the same format, xml inside xml as string. In the sample Configuration xml provided above, CDATA is used to embed the StartLayout xml. If you use CDATA to embed configuration xml in SyncML as well, youll have nested CDATA so pay attention to how CDATA is used in the provided CDATA sample. With that being said, when the Configuration xml is being constructed, MDM server can either escape start layout xml or put startlayout xml inside CDATA, when MDM server puts configuration xml inside SyncML, MDM server can also either escape it or wrap with CDATA.
Escape and CDATA are mechanisms when handling xml in xml. Consider its a transportation channel to send the configuration xml as payload from server to client. Its transparent to both end user who configures the CSP and transparent to our CSP. Both the customer on the server side and our CSP must only see the original configuration XML.
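Review bot: the `xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"` value and the three `http://schemas.microsoft.com/Start/2014/...` values inside the StartLayout CDATA correctly stay on http and must not be swept up in the link fix: an XML namespace is an identifier that the consumer compares byte-for-byte, not a URL that is fetched, so switching the scheme would make the CSP reject the configuration. Because the before and after of this hunk render identically, the change appears to be whitespace or line-ending normalisation; keep that kind of churn out of a link-fixing PR where possible, since it buries the lines that actually matter. While this prose is being touched, fix the apostrophes: `youll` should read `you'll`, and `Consider its a transportation channel` / `Its transparent` should read `it's`.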
@ -454,26 +454,26 @@ This example shows escaped XML of the Data node.
&lt;/AllowedApps&gt;
&lt;/AllAppsList&gt;
&lt;StartLayout&gt;
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
&lt;start:Group Name=&quot;Group1&quot;&gt;
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;start:Group Name=&quot;Group2&quot;&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe&quot; /&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
&lt;start:Group Name=&quot;Group1&quot;&gt;
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;start:Group Name=&quot;Group2&quot;&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe&quot; /&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;
]]&gt;
&lt;/StartLayout&gt;
&lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt;
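Review bot: no textual change is visible in this hunk, and the `&quot;http://schemas.microsoft.com/Start/2014/...&quot;` namespace values are unchanged, which is right because they are namespace identifiers rather than links that get fetched. Worth a sentence in the surrounding prose: in this fully escaped form the inner `&lt;![CDATA[` and `]]&gt;` travel as ordinary character data, so the escaped variant never hits the `]]>`-termination problem that a CDATA-wrapped Data node has to work around; that is a practical reason for an MDM server to prefer escaping over nested CDATA.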
@ -524,26 +524,26 @@ This example shows escaped XML of the Data node.
&lt;/AllowedApps&gt;
&lt;/AllAppsList&gt;
&lt;StartLayout&gt;
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
&lt;start:Group Name=&quot;Group1&quot;&gt;
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;start:Group Name=&quot;Group2&quot;&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe&quot; /&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;
&lt;![CDATA[&lt;LayoutModificationTemplate xmlns:defaultlayout=&quot;http://schemas.microsoft.com/Start/2014/FullDefaultLayout&quot; xmlns:start=&quot;http://schemas.microsoft.com/Start/2014/StartLayout&quot; Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/Start/2014/LayoutModification&quot;&gt;
&lt;LayoutOptions StartTileGroupCellWidth=&quot;6&quot; /&gt;
&lt;DefaultLayoutOverride&gt;
&lt;StartLayoutCollection&gt;
&lt;defaultlayout:StartLayout GroupCellWidth=&quot;6&quot;&gt;
&lt;start:Group Name=&quot;Group1&quot;&gt;
&lt;start:Tile Size=&quot;4x4&quot; Column=&quot;0&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;2&quot; AppUserModelID=&quot;Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;0&quot; AppUserModelID=&quot;Microsoft.Windows.Photos_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;2x2&quot; Column=&quot;4&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.BingWeather_8wekyb3d8bbwe!App&quot; /&gt;
&lt;start:Tile Size=&quot;4x2&quot; Column=&quot;0&quot; Row=&quot;4&quot; AppUserModelID=&quot;Microsoft.WindowsCalculator_8wekyb3d8bbwe!App&quot; /&gt;
&lt;/start:Group&gt;
&lt;start:Group Name=&quot;Group2&quot;&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;2&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe&quot; /&gt;
&lt;start:DesktopApplicationTile Size=&quot;2x2&quot; Column=&quot;0&quot; Row=&quot;0&quot; DesktopApplicationID=&quot;{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe&quot; /&gt;
&lt;/start:Group&gt;
&lt;/defaultlayout:StartLayout&gt;
&lt;/StartLayoutCollection&gt;
&lt;/DefaultLayoutOverride&gt;
&lt;/LayoutModificationTemplate&gt;
]]&gt;
&lt;/StartLayout&gt;
&lt;Taskbar ShowTaskbar=&quot;true&quot;/&gt;
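Review bot: this hunk repeats the escaped Data payload of the preceding example line for line. If the two examples differ only in the surrounding SyncML command, show the payload once and reference it from the second example, so that a future correction to the app list or the StartLayout does not have to be applied in two places and the two copies cannot drift apart.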
@ -579,53 +579,53 @@ This example uses CData for the XML.
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
<![CDATA[<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Group1">
<start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
</start:Group>
<start:Group Name="Group2">
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\mspaint.exe" />
<start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationID="{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>
]]]]><![CDATA[>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</StartLayout>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
]]>
</Data>
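Review bot: the line `]]]]><![CDATA[>` is correct but reads as a typo to most people; add a comment or a sentence in the prose explaining that it closes the outer SyncML CDATA section right after the inner `]]`, reopens a new CDATA section and emits the `>`, so that the CSP receives a literal `]]>` that terminates the nested StartLayout CDATA. Without that explanation, the next person who "cleans up" the sample will break every configuration built from it, and the failure will surface only on the device as a rejected payload.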
@ -703,117 +703,117 @@ Example of the Delete command.
## StatusConfiguration example
StatusConfiguration Add OnWithAlerts
StatusConfiguration Add OnWithAlerts
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[
<?xml version="1.0" encoding="utf-8" ?>
<StatusConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration">
<StatusEnabled>OnWithAlerts</StatusEnabled>
</StatusConfiguration>
]]>
</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
StatusConfiguration Delete
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
</Item>
</Delete>
<Final />
</SyncBody>
</SyncML>
```
StatusConfiguration Get
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[
<?xml version="1.0" encoding="utf-8" ?>
<StatusConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration">
<StatusEnabled>OnWithAlerts</StatusEnabled>
</StatusConfiguration>
]]>
</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
StatusConfiguration Replace On
StatusConfiguration Delete
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
</Item>
</Delete>
<Final />
</SyncBody>
</SyncML>
```
StatusConfiguration Get
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
StatusConfiguration Replace On
```syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[
<?xml version="1.0" encoding="utf-8" ?>
<StatusConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration">
<StatusEnabled>On</StatusEnabled>
</StatusConfiguration>
]]>
</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>
<![CDATA[
<?xml version="1.0" encoding="utf-8" ?>
<StatusConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2018/StatusConfiguration">
<StatusEnabled>On</StatusEnabled>
</StatusConfiguration>
]]>
</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
## Status example
Status Get
Status Get
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Status</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/Status</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
## ShellLauncherConfiguration XSD
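Review bot: in the StatusConfiguration Add and Replace samples the `<![CDATA[` opener is followed by a line break before `<?xml version="1.0" encoding="utf-8" ?>`, so the string handed to the CSP starts with whitespace ahead of the XML declaration, which is not well-formed XML (the declaration, when present, must be the first thing in the document). Either confirm that the CSP tolerates this or put the declaration on the same line as the opener, as the AssignedAccessConfiguration CDATA sample does with `<![CDATA[<?xml version="1.0" encoding="utf-8" ?>`. Style: the Replace sample opens its fence with `syntax` attached directly to the backticks while every other block in the file puts a space between them; pick one form.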
@ -1147,17 +1147,17 @@ ShellLauncherConfiguration Get
</xs:schema>
```
## Windows Holographic for Business edition example
## Windows Holographic for Business edition example
This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](https://docs.microsoft.com/en-us/hololens/hololens-provisioning).
``` syntax
<?xml version="1.0" encoding="utf-8" ?>
<!--
<!--
This is a sample Assigned Access XML file. The Profile specifies which apps are allowed
and their app IDs. An Assigned Access Config specifies the accounts or groups to which
a Profile is applicable.
and their app IDs. An Assigned Access Config specifies the accounts or groups to which
a Profile is applicable.
!!! NOTE: Change the Account below to a user in the tenant being tested !!!
-->
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
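Review bot: the comment inside this sample, "Change the Account below to a user in the tenant being tested", reads as an internal test-lab instruction rather than customer guidance; reword it to something like "Replace the Account below with a user in your tenant" and drop the `!!!` markers from a published sample. The hunk otherwise only normalises whitespace in the comment block.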
@ -1196,8 +1196,8 @@ This example configures the following apps: Skype, Learning, Feedback Hub, and C
</Profile>
</Profiles>
<Configs>
<!-- IMPORTANT: Replace the account name here with an email address of the user you want to
be enabled for assigned access. The value in the Account node must begin with
<!-- IMPORTANT: Replace the account name here with an email address of the user you want to
be enabled for assigned access. The value in the Account node must begin with
AzureAD\ for AAD accounts. -->
<Config>
<Account>AzureAD\multiusertest@analogfre.onmicrosoft.com</Account>
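Review bot: `AzureAD\multiusertest@analogfre.onmicrosoft.com` looks like a real test-tenant account rather than a placeholder. Published samples should not carry internal tenant names, both to avoid disclosing them and so that a reader who copies the file verbatim gets an obvious placeholder error instead of a confusing failure against an account that does not exist in their tenant. Replace it with an evident placeholder such as `AzureAD\user@contoso.onmicrosoft.com`, which also matches the instruction in the comment just above to substitute the reader's own user.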

View File

@ -17,8 +17,8 @@ This topic shows the OMA DM device description framework (DDF) for the **Assigne
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is for Windows 10, version 1803.
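Review bot: moving the two DDF zip links to https is fine. Since these are archives that administrators download and feed into tooling, consider publishing a SHA-256 for each zip next to the link so the transport security is backed by an integrity check the reader can verify offline. Minor: the list offers downloads for versions 1703 and 1607 while the sentence that follows says the XML below is for version 1803; confirm whether an 1803 DDF download should be listed as well.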
@ -62,7 +62,7 @@ The XML below is for Windows 10, version 1803.
</AccessType>
<Description>This node can accept and return json string which comprises of account name, and AUMID for Kiosk mode app.
Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
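Review bot: the Description says the domain name "can be optional if user name is unique across the system". The guidance should instead recommend always supplying the domain (or the machine name for a local account) in the `User` value of the JSON: a user name that is unique today becomes ambiguous as soon as another account with that name is added, and an ambiguous match in a kiosk configuration silently targets a different identity than the one the administrator intended. The hunk itself only normalises whitespace on the Example line.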

View File

@ -58,7 +58,7 @@ In both scenarios, the enrollment flow provides an opportunity for the MDM servi
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](http://go.microsoft.com/fwlink/?LinkId=690246).
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](https://go.microsoft.com/fwlink/?LinkId=690246).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** &gt; **Accounts** &gt; **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
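Review bot: the link scheme change is fine. In the surrounding context lines, "the enrollment can be manages through" should read "can be managed through", and the same sentence alternates between "AD FS" and "ADFS"; the product name is "AD FS". The backslash escape in `solution \#2` is unnecessary mid-sentence and renders as a literal backslash in some markdown engines.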
@ -79,31 +79,31 @@ Azure AD MDM enrollment is a two-step process:
To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
After the users accepts the Terms of Use, the device is registered in Azure AD and the automatic MDM enrollment begins.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654). A sample for reporting device compliance is provided later in this topic.
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654). A sample for reporting device compliance is provided later in this topic.
## Make the MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654).
To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654).
### Add a cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It is a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613661).
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613661).
> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
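Review bot: the context heading "## Make the MDM a reliable party of Azure AD" should read "relying party": the section below it describes the MDM consuming access tokens issued by Azure AD, which is the relying-party role in identity terminology, and "reliable party" reads as a claim about trustworthiness instead. Since this hunk already rewrites the fwlink one line above, fixing the heading here is cheap. The context line "Azure AD tentant" also carries a typo (tenant).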
@ -115,7 +115,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD.
1. Login to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, click on the **Active Directory**.
3. Click the directory tenant where you want to register the application.
Ensure that you are logged into your home tenant.
4. Click the **Applications** tab.
5. In the drawer, click **Add**.
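Review bot: the sentence "Ensure that you are logged into your home tenant." sits on its own unindented line between steps 3 and 4, so it renders as a separate paragraph that breaks the numbered list rather than as part of step 3. Indent it under step 3 (or fold it into that step's text). Not introduced by this change, but the hunk's context includes the list.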
@ -132,7 +132,7 @@ Use the following steps to register a cloud-based MDM application with Azure AD.
You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667)
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667)
### Add an on-premises MDM
@ -142,13 +142,13 @@ The customer experience for adding an on-premises MDM to their tenant is similar
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](http://go.microsoft.com/fwlink/p/?LinkId=613671).
For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](https://go.microsoft.com/fwlink/p/?LinkId=613671).
### Key management and security guidelines
The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Azure AD Graph API are bearer tokens and should be protected to avoid unauthorized disclosure.
For security best practices, see [Windows Azure Security Essentials](http://go.microsoft.com/fwlink/p/?LinkId=613715).
For security best practices, see [Windows Azure Security Essentials](https://go.microsoft.com/fwlink/p/?LinkId=613715).
You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There is a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
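Review bot: the context line "provide the client ID, app ID, and the key" lists client ID and app ID as two separate values; in Azure AD the application ID is the client ID, so the doc should name one identifier plus the key to avoid administrators hunting for a third value. Also, the link text "Windows Azure Security Essentials" keeps the retired "Windows Azure" name while its URL is being updated; refreshing the title in the same pass would be consistent.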
@ -167,7 +167,7 @@ The following image illustrates how MDM applications will show up in the Azure a
You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery.
<table>
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
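Review bot: the rewritten `<table>` line is identical before and after, so this is a whitespace-only change (trailing whitespace or line-ending normalization) unrelated to the link fix the PR describes. The same pattern recurs in several later hunks (the `HTTP/1.1 302` line, the `<a href="" id=...>` anchor lines, and the SyncML samples). Either drop these from the PR or mention the whitespace cleanup in the description so reviewers know the diff is larger than the link rewrite suggests.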
@ -211,7 +211,7 @@ However, key management is different for on-premises MDM. You must obtain the cl
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
There are 3 distinct scenarios:
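Review bot: grammar on the rewritten line: "Using the shared Windows 10 templates ensure a seamless experience" should be "ensures". The line is already being changed in this hunk, so fix it here.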
@ -221,7 +221,7 @@ There are 3 distinct scenarios:
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](https://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
### Using themes
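Review bot: grammar on the rewritten line: "The CSS files provided by Microsoft contains version information" should be "contain". Same situation as the previous hunk; the line is already touched.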
@ -348,7 +348,7 @@ The following claims are expected in the access token passed by Windows to the T
> **Note**  There is no device ID claim in the access token because the device may not yet be enrolled at this time.
 
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654).
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](https://go.microsoft.com/fwlink/p/?LinkID=613654).
Here's an example URL.
@ -399,7 +399,7 @@ Location:
Example:
HTTP/1.1 302
HTTP/1.1 302
Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E
```
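Review bot: the rewritten `HTTP/1.1 302` line shows no visible change (whitespace only), and the sample `Location` value in this hunk carries a typo in the encoded error text: `error_description=Acess%20is%20denied%2E` should be `Access%20is%20denied%2E`. Worth fixing while the block is touched; a typo in a sample error string tends to get copied into implementations that match on it.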
@ -594,13 +594,13 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
There are two different MDM enrollment types that take advantage of integration with Azure AD and therefore make use of Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD joined devices**
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD joined devices**
In this scenario the MDM enrollment applies to every Azure AD user who logs on to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, conclude what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token is not sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user logs on to the machine, Azure AD user token is not available to OMA-DM process. Typically MDM enrollment completes before Azure AD user logs on to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
In this scenario, the MDM enrollment applies to a single user who initially added his work account and enrolled the device. In this enrollment type the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
``` syntax
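Review bot: the three anchor lines in this hunk are identical before and after (whitespace only). The context paragraph on multi-user enrollment contains the one instruction in this section that an implementer must not miss: when the Azure AD user token is absent from the OMA-DM session (immediately after enrollment during Azure AD join, or when a guest user is logged on), the management server should send device policies only. That deserves its own callout rather than being buried at the end of a long paragraph, since sending user-targeted policy on a session with no user identity applies it to whoever happens to be logged on.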
@ -616,8 +616,8 @@ Additional claims may be present in the Azure AD token, such as:
Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to initiate the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](http://go.microsoft.com/fwlink/p/?LinkId=613820).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667).
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](https://go.microsoft.com/fwlink/p/?LinkId=613820).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
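Review bot: the two rewritten bullets tell the reader to "validate the contents of the access token and extract claims" but the section never says what validation must cover. Since this JWT is what authorizes enrollment, the doc should state the minimum: verify the signature against Azure AD's published signing keys and check issuer (tenant), audience (the MDM application) and expiry before trusting any claim. A link update is a convenient moment to add that sentence.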
@ -625,21 +625,21 @@ An alert is sent when the DM session starts and there is an Azure AD user logged
``` syntax
Alert Type: com.microsoft/MDM/AADUserToken
Alert sample:
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type>
</Meta>
<Data>UserToken inserted here</Data>
</Item>
</Alert>
… other xml tags …
</SyncBody>
Alert sample:
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type>
</Meta>
<Data>UserToken inserted here</Data>
</Item>
</Alert>
… other xml tags …
</SyncBody>
```
## Determine when a user is logged in through polling
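Review bot: the SyncML sample in this hunk uses typographic quotes in `<Type xmlns=”syncml:metinf”>`; that is not well-formed XML and fails in any parser, so anyone who copies the sample hits an error. Replace them with straight quotes (`xmlns="syncml:metinf"`) in both the AADUserToken sample here and the LoginStatus sample in the following hunk. Apart from the quotes, the rewritten lines are identical to the originals (whitespace only).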
@ -656,18 +656,18 @@ An alert is send to the MDM server in DM package\#1.
Here's an example.
``` syntax
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
</Meta>
<Data>user</Data>
</Item>
</Alert>
… other xml tags …
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
</Meta>
<Data>user</Data>
</Item>
</Alert>
… other xml tags …
</SyncBody>
```
@ -675,7 +675,7 @@ Here's an example.
Once a device is enrolled with the MDM for management, corporate policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613822).
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=613822).
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. Use this key to authenticate the MDM service with Azure AD, in order to obtain authorization.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This is because each on-premises instance of your MDM product has a different tenant-specific key. For this purpose, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
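Review bot: the linked sample is named `Daemon_CertificateCredential-DotNet`, i.e. it authenticates with a certificate credential, while the two bullets below describe "a single key" and "the key used to authenticate". The doc should say which credential type it means (shared secret or certificate) and, for the on-premises case, point out that the customer-specific key the administrator enters is subject to the rollover guidance given earlier in the topic.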
@ -687,15 +687,15 @@ The following sample REST API call illustrates how an MDM can use the Azure AD G
> **Note**  This is only applicable for approved MDM apps on Windows 10 devices.
``` syntax
Sample Graph API Request:
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Accept: application/json
Content-Type: application/json
{ “isManaged”:true,
“isCompliant”:true
}
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Accept: application/json
Content-Type: application/json
{ “isManaged”:true,
“isCompliant”:true
}
```
Where:
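Review bot: the Graph request body uses typographic quotes (`{ “isManaged”:true, “isCompliant”:true }`), which is not valid JSON; a copied request is rejected at parse time. Use straight quotes. The `Authorization: Bearer eyJ0eXAiO………` value is correctly elided, but the rest of the rewritten block shows no change (whitespace only), so the quote fix is the only substantive edit this hunk should carry.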


@ -27,18 +27,18 @@ The following image shows the ClientCertificateInstall configuration service pro
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
<a href="" id="device-or-user"></a>**Device or User**
<a href="" id="device-or-user"></a>**Device or User**
<p style="margin-left: 20px">For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path.
<a href="" id="clientcertificateinstall"></a>**ClientCertificateInstall**
<a href="" id="clientcertificateinstall"></a>**ClientCertificateInstall**
<p style="margin-left: 20px">The root node for the ClientCertificateInstaller configuration service provider.
<a href="" id="clientcertificateinstall-pfxcertinstall"></a>**ClientCertificateInstall/PFXCertInstall**
<a href="" id="clientcertificateinstall-pfxcertinstall"></a>**ClientCertificateInstall/PFXCertInstall**
<p style="margin-left: 20px">Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid"></a>**ClientCertificateInstall/PFXCertInstall/****_UniqueID_**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid"></a>**ClientCertificateInstall/PFXCertInstall/****_UniqueID_**
<p style="margin-left: 20px">Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
<p style="margin-left: 20px">The data type format is node.
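Review bot: the description "The root node for the ClientCertificateInstaller configuration service provider." names the CSP "ClientCertificateInstaller" while every node path in this hunk uses `ClientCertificateInstall`; fix the name. The `<a href="" id=...>` anchor lines are identical before and after (whitespace only).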
@ -47,7 +47,7 @@ The following image shows the ClientCertificateInstall configuration service pro
<p style="margin-left: 20px">Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-keylocation"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-keylocation"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
<p style="margin-left: 20px">Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
@ -62,14 +62,14 @@ The following image shows the ClientCertificateInstall configuration service pro
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
<p style="margin-left: 20px">Date type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, Delete, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertblob"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertblob"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
<p style="margin-left: 20px">CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
<p style="margin-left: 20px">The data type format is binary.
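Review bot: the PFXCertBlob description lists the prerequisite nodes as "(Container Name, KeyLocation, CertPassword, KeyExportable)", but the node names used elsewhere in this CSP are ContainerName, KeyLocation, PFXCertPassword and PFXKeyExportable. Use the exact names so a server implementer can match them, since the text says the Add fails unless they are present first. Also, "Windows Hello for Business storage provider (KSP)" should read "key storage provider (KSP)".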
@ -80,16 +80,16 @@ The following image shows the ClientCertificateInstall configuration service pro
<p style="margin-left: 20px">If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
<p style="margin-left: 20px">In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT\_DATA\_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](http://go.microsoft.com/fwlink/p/?LinkId=523871).
<p style="margin-left: 20px">In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT\_DATA\_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](https://go.microsoft.com/fwlink/p/?LinkId=523871).
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpassword"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpassword"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
<p style="margin-left: 20px">Password that protects the PFX blob. This is required if the PFX is password protected.
<p style="margin-left: 20px">Data Type is a string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptiontype"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptiontype"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
<p style="margin-left: 20px">Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM sever.
<p style="margin-left: 20px">The data type is int. Valid values:
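Review bot: PFXCertPasswordEncryptionType is marked Optional, which means that when it is omitted the PFXCertPassword node, and with it the password that unlocks the private key inside the PFX, is carried in the clear within the SyncML body. The doc should state the default and recommend setting the encryption type so the password is encrypted to the MDM certificate. Typos on the same rewritten line: "whtether" (whether) and "MDM sever" (server).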
@ -102,7 +102,7 @@ The following image shows the ClientCertificateInstall configuration service pro
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
<p style="margin-left: 20px">Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
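Review bot: PFXKeyExportable is described as Optional but no default is stated. Whether an imported private key is exportable is security-relevant (an exportable key can be lifted out of the store by any code running as that user), so the doc should state the default explicitly, next to the existing note that it can only be true when KeyLocation=3.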
@ -112,38 +112,38 @@ The following image shows the ClientCertificateInstall configuration service pro
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-thumbprint"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-thumbprint"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
<p style="margin-left: 20px">Returns the thumbprint of the installed PFX certificate.
<p style="margin-left: 20px">The datatype is a string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-status"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-status"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
<p style="margin-left: 20px">Data type is an integer.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptionstore"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptionstore"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
<p style="margin-left: 20px">Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
<p style="margin-left: 20px">Node for SCEP.
> **Note**  An alert is sent after the SCEP certificate is installed.
 
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/****_UniqueID_**
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/****_UniqueID_**
<p style="margin-left: 20px">A unique ID to differentiate different certificate installation requests.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
<p style="margin-left: 20px">A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
<p style="margin-left: 20px">Supported operations are Get, Add, Replace, and Delete.
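Review bot: the Status description refers to "the GetLastError command called after the PfxImportCertStore"; the Win32 function is `PFXImportCertStore`, and `GetLastError` is a function, not a command. Use the exact API names so the returned error codes can be looked up. The anchor lines in this hunk are otherwise unchanged (whitespace only).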
@ -151,21 +151,21 @@ The following image shows the ClientCertificateInstall configuration service pro
> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
 
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-challenge"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-challenge"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-ekumapping"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-ekumapping"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
<p style="margin-left: 20px">Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*.
Data type is string.
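Review bot: the Challenge node lists Get among its supported operations while its description says the challenge is "deleted shortly after the Exec command is accepted". The doc should say what Get returns before deletion (the Base64 challenge or nothing), because the SCEP challenge is a one-time enrollment secret and whether it can be read back affects how the MDM treats session logs. ServerURL allows several URLs separated by semicolons, but neither the order of preference nor the failover behavior is described.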
@ -175,14 +175,14 @@ Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
<p style="margin-left: 20px">Required. Specifies the subject name.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
<p style="margin-left: 20px">Optional. Specifies where to keep the private key.
> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN.
@ -200,12 +200,12 @@ Data type is string.
 
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
<p style="margin-left: 20px">Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesnt have those bits set, configuration will fail.
<p style="margin-left: 20px"> Supported operations are Add, Get, Delete, and Replace. Value type is integer.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
<p style="margin-left: 20px">Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
<p style="margin-left: 20px">Data type format is an integer.
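Review bot: the KeyUsage description says the value "should at least have second (0x20) or forth (0x80) or both bits set". Beyond the spelling (fourth), the ordinals do not match the masks: in the X.509 KeyUsage encoding 0x80 is digitalSignature and 0x20 is keyEncipherment, so naming the usages is clearer than counting bits. The value is also required "in decimal format", so one worked value would help, e.g. 0xA0 = 160 for both usages.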
@ -216,7 +216,7 @@ Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrycount"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrycount"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
<p style="margin-left: 20px">Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
<p style="margin-left: 20px">Data type is integer.
@ -229,7 +229,7 @@ Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
<p style="margin-left: 20px">Optional. OID of certificate template name.
> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
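Review bot: "the MDM server typically doesnt need to provide it" is missing the apostrophe (doesn't). The hunk's context line is the only place this occurs in the file section shown.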
@ -239,7 +239,7 @@ Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keylength"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keylength"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
<p style="margin-left: 20px">Required for enrollment. Specify private key length (RSA).
<p style="margin-left: 20px">Data type is integer.
@ -250,7 +250,7 @@ Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-hashalgorithm"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-hashalgorithm"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
<p style="margin-left: 20px">Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**.
<p style="margin-left: 20px">For Windows Hello for Business, only SHA256 is the supported algorithm.
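Review bot: HashAlgorithm lists "SHA-1, SHA-2, SHA-3" as selectable families without comment. Since this value goes into a certificate request, the doc should steer readers to SHA-2 and say that SHA-1 is present for compatibility with existing SCEP servers only; the next line already restricts Windows Hello for Business to SHA256, which points the same way.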
@ -259,14 +259,14 @@ Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-cathumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-cathumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
<p style="margin-left: 20px">Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectalternativenames"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectalternativenames"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
<p style="margin-left: 20px">Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
<p style="margin-left: 20px">Each pair is separated by semicolon. For example, multiple SANs are presented in the format of *\[name format1\]*+*\[actual name1\]*;*\[name format 2\]*+*\[actual name2\]*.
@ -275,7 +275,7 @@ Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiod"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiod"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
<p style="margin-left: 20px">Optional. Specifies the units for the valid certificate period.
<p style="margin-left: 20px">Data type is string.
@ -291,7 +291,7 @@ Data type is string.
 
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
<p style="margin-left: 20px">Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<p style="margin-left: 20px">Data type is string.
@ -301,35 +301,35 @@ Data type is string.
 
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-customtexttoshowinprompt"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-customtexttoshowinprompt"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
<p style="margin-left: 20px">Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
<p style="margin-left: 20px">Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
<p style="margin-left: 20px">The date type format is Null, meaning this node doesnt contain a value.
<p style="margin-left: 20px">The only supported operation is Execute.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
<p style="margin-left: 20px">Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-certthumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
<a href="" id="clientcertificateinstall-scep-uniqueid-certthumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
<p style="margin-left: 20px">Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
<p style="margin-left: 20px">If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
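Review bot: the Enroll node's context line has a typo, `The date type format is Null` should read `The data type format is Null`; since the file is already being touched, fold the fix in. The same paragraph says the device does not notify the MDM server when enrollment finishes and that the server "could later query the device"; it would help readers to name the nodes to poll, which from this file are `Status` and `CertThumbprint` (an empty CertThumbprint meaning no valid certificate is present).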
@ -338,7 +338,7 @@ Data type is string.
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-status"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Status**
<a href="" id="clientcertificateinstall-scep-uniqueid-status"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Specifies latest status of the certificated during the enrollment request.
<p style="margin-left: 20px">Data type is string. Valid values:
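Review bot: `Specifies latest status of the certificated during the enrollment request` has a typo, `certificated` should be `certificate`. The hunk itself is whitespace-only on the Status anchor line, so this is a cheap fix to include.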
@ -353,12 +353,12 @@ Data type is string.
| 32 | Unknown |
 
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
<p style="margin-left: 20px">Optional. An integer value that indicates the HRESULT of the last enrollment error code.
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-respondentserverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl**
<a href="" id="clientcertificateinstall-scep-uniqueid-respondentserverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl**
<p style="margin-left: 20px">Required. Returns the URL of the SCEP server that responded to the enrollment request.
<p style="margin-left: 20px">Data type is string.
@ -561,7 +561,7 @@ Enroll a client certificate through SCEP.
</Target>
</Item>
</Exec>
</Atomic>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
@ -617,7 +617,7 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
</Meta>
<Data>Base64Encoded_Encrypted_Password_Blog</Data>
</Item>
</Add>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
@ -629,7 +629,7 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
</Meta>
<Data>2</Data>
</Item>
</Add>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
@ -641,7 +641,7 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
</Meta>
<Data>My</Data>
</Item>
</Add>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
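Review bot: the PFX sample's placeholder `Base64Encoded_Encrypted_Password_Blog` should be `Base64Encoded_Encrypted_Password_Blob`; these SyncML samples get copied verbatim, so the placeholder text should be correct. The three hunks in this sample otherwise only change whitespace on the `</Add>` lines.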

View File

@ -23,8 +23,8 @@ Additional lists:
- [List of CSPs supported in Microsoft Surface Hub ](#surfacehubcspsupport)
- [List of CSPs supported in Windows 10 IoT Core](#iotcoresupport)
The following tables show the configuration service providers support in Windows 10.
Footnotes:
The following tables show the configuration service providers support in Windows 10.
Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
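Review bot: none of the hunks in this file up to the DDF download list at the end change a link; each pair of old and new lines is identical apart from whitespace, and that pattern repeats across all of the per-CSP table hunks and the two footnote hunks below. As with the ClientCertificateInstall file, this whitespace normalization belongs in a separate commit so the http-to-https change stays auditable. While this line is being rewritten anyway, `The following tables show the configuration service providers support in Windows 10.` reads better as `...the configuration service providers supported in Windows 10.`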
@ -34,10 +34,10 @@ Footnotes:
<!--StartCSPs-->
<hr/>
## CSP support
## CSP support
<!--StartCSP-->
[AccountManagement CSP](accountmanagement-csp.md)
[AccountManagement CSP](accountmanagement-csp.md)
<!--StartSKU-->
<table>
@ -65,7 +65,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Accounts CSP](accounts-csp.md)
[Accounts CSP](accounts-csp.md)
<!--StartSKU-->
<table>
@ -93,7 +93,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[ActiveSync CSP](activesync-csp.md)
[ActiveSync CSP](activesync-csp.md)
<!--StartSKU-->
<table>
@ -121,7 +121,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[AllJoynManagement CSP](alljoynmanagement-csp.md)
[AllJoynManagement CSP](alljoynmanagement-csp.md)
<!--StartSKU-->
<table>
@ -149,7 +149,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[APPLICATION CSP](application-csp.md)
[APPLICATION CSP](application-csp.md)
<!--StartSKU-->
<table>
@ -177,7 +177,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[AppLocker CSP](applocker-csp.md)
[AppLocker CSP](applocker-csp.md)
<!--StartSKU-->
<table>
@ -205,7 +205,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[AssignedAccess CSP](assignedaccess-csp.md)
[AssignedAccess CSP](assignedaccess-csp.md)
<!--StartSKU-->
<table>
@ -233,7 +233,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[BOOTSTRAP CSP](bootstrap-csp.md)
[BOOTSTRAP CSP](bootstrap-csp.md)
<!--StartSKU-->
<table>
@ -261,7 +261,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[BitLocker CSP](bitlocker-csp.md)
[BitLocker CSP](bitlocker-csp.md)
<!--StartSKU-->
<table>
@ -289,7 +289,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[BrowserFavorite CSP](browserfavorite-csp.md)
[BrowserFavorite CSP](browserfavorite-csp.md)
<!--StartSKU-->
<table>
@ -317,7 +317,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[CMPolicy CSP](cmpolicy-csp.md)
[CMPolicy CSP](cmpolicy-csp.md)
<!--StartSKU-->
<table>
@ -345,7 +345,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)
[CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)
<!--StartSKU-->
<table>
@ -373,7 +373,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[CM_CellularEntries CSP](cm-cellularentries-csp.md)
[CM_CellularEntries CSP](cm-cellularentries-csp.md)
<!--StartSKU-->
<table>
@ -401,7 +401,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[CM_ProxyEntries CSP](cm-proxyentries-csp.md)
[CM_ProxyEntries CSP](cm-proxyentries-csp.md)
<!--StartSKU-->
<table>
@ -429,7 +429,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[CellularSettings CSP](cellularsettings-csp.md)
[CellularSettings CSP](cellularsettings-csp.md)
<!--StartSKU-->
<table>
@ -457,7 +457,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[CertificateStore CSP](certificatestore-csp.md)
[CertificateStore CSP](certificatestore-csp.md)
<!--StartSKU-->
<table>
@ -485,7 +485,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[CleanPC CSP](cleanpc-csp.md)
[CleanPC CSP](cleanpc-csp.md)
<!--StartSKU-->
<table>
@ -513,7 +513,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
[ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
<!--StartSKU-->
<table>
@ -541,7 +541,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[CustomDeviceUI CSP](customdeviceui-csp.md)
[CustomDeviceUI CSP](customdeviceui-csp.md)
<!--StartSKU-->
<table>
@ -569,7 +569,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DMAcc CSP](dmacc-csp.md)
[DMAcc CSP](dmacc-csp.md)
<!--StartSKU-->
<table>
@ -597,7 +597,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DMClient CSP](dmclient-csp.md)
[DMClient CSP](dmclient-csp.md)
<!--StartSKU-->
<table>
@ -625,7 +625,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Defender CSP](defender-csp.md)
[Defender CSP](defender-csp.md)
<!--StartSKU-->
<table>
@ -653,7 +653,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DevDetail CSP](devdetail-csp.md)
[DevDetail CSP](devdetail-csp.md)
<!--StartSKU-->
<table>
@ -681,7 +681,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DevInfo CSP](devinfo-csp.md)
[DevInfo CSP](devinfo-csp.md)
<!--StartSKU-->
<table>
@ -709,7 +709,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DeveloperSetup CSP](developersetup-csp.md)
[DeveloperSetup CSP](developersetup-csp.md)
<!--StartSKU-->
<table>
@ -737,7 +737,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DeviceInstanceService CSP](deviceinstanceservice-csp.md)
[DeviceInstanceService CSP](deviceinstanceservice-csp.md)
<!--StartSKU-->
<table>
@ -765,7 +765,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DeviceLock CSP](devicelock-csp.md)
[DeviceLock CSP](devicelock-csp.md)
<!--StartSKU-->
<table>
@ -793,7 +793,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DeviceManageability CSP](devicemanageability-csp.md)
[DeviceManageability CSP](devicemanageability-csp.md)
<!--StartSKU-->
<table>
@ -821,7 +821,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DeviceStatus CSP](devicestatus-csp.md)
[DeviceStatus CSP](devicestatus-csp.md)
<!--StartSKU-->
<table>
@ -849,7 +849,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DiagnosticLog CSP](diagnosticlog-csp.md)
[DiagnosticLog CSP](diagnosticlog-csp.md)
<!--StartSKU-->
<table>
@ -877,7 +877,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[DynamicManagement CSP](dynamicmanagement-csp.md)
[DynamicManagement CSP](dynamicmanagement-csp.md)
<!--StartSKU-->
<table>
@ -905,7 +905,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EMAIL2 CSP](email2-csp.md)
[EMAIL2 CSP](email2-csp.md)
<!--StartSKU-->
<table>
@ -933,7 +933,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseAPN CSP](enterpriseapn-csp.md)
[EnterpriseAPN CSP](enterpriseapn-csp.md)
<!--StartSKU-->
<table>
@ -961,7 +961,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
[EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
<!--StartSKU-->
<table>
@ -989,7 +989,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
[EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
<!--StartSKU-->
<table>
@ -1017,7 +1017,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
[EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
<!--StartSKU-->
<table>
@ -1045,7 +1045,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
<!--StartSKU-->
<table>
@ -1073,7 +1073,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)
[EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)
<!--StartSKU-->
<table>
@ -1101,7 +1101,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseExt CSP](enterpriseext-csp.md)
[EnterpriseExt CSP](enterpriseext-csp.md)
<!--StartSKU-->
<table>
@ -1129,7 +1129,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)
[EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)
<!--StartSKU-->
<table>
@ -1157,7 +1157,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
[EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
<!--StartSKU-->
<table>
@ -1185,7 +1185,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[eUICCs CSP](euiccs-csp.md)
[eUICCs CSP](euiccs-csp.md)
<!--StartSKU-->
<table>
@ -1213,7 +1213,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[FileSystem CSP](filesystem-csp.md)
[FileSystem CSP](filesystem-csp.md)
<!--StartSKU-->
<table>
@ -1241,7 +1241,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Firewall CSP](firewall-csp.md)
[Firewall CSP](firewall-csp.md)
<!--StartSKU-->
<table>
@ -1269,7 +1269,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[HealthAttestation CSP](healthattestation-csp.md)
[HealthAttestation CSP](healthattestation-csp.md)
<!--StartSKU-->
<table>
@ -1297,7 +1297,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[HotSpot CSP](hotspot-csp.md)
[HotSpot CSP](hotspot-csp.md)
<!--StartSKU-->
<table>
@ -1325,7 +1325,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Maps CSP](maps-csp.md)
[Maps CSP](maps-csp.md)
<!--StartSKU-->
<table>
@ -1353,7 +1353,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Messaging CSP](messaging-csp.md)
[Messaging CSP](messaging-csp.md)
<!--StartSKU-->
<table>
@ -1381,7 +1381,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[MultiSIM CSP](multisim-csp.md)
[MultiSIM CSP](multisim-csp.md)
<!--StartSKU-->
<table>
@ -1409,7 +1409,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[NAP CSP](nap-csp.md)
[NAP CSP](nap-csp.md)
<!--StartSKU-->
<table>
@ -1437,7 +1437,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[NAPDEF CSP](napdef-csp.md)
[NAPDEF CSP](napdef-csp.md)
<!--StartSKU-->
<table>
@ -1465,7 +1465,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[NetworkProxy CSP](networkproxy-csp.md)
[NetworkProxy CSP](networkproxy-csp.md)
<!--StartSKU-->
<table>
@ -1493,7 +1493,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[NetworkQoSPolicy CSP](networkqospolicy-csp.md)
[NetworkQoSPolicy CSP](networkqospolicy-csp.md)
<!--StartSKU-->
<table>
@ -1521,7 +1521,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[NodeCache CSP](nodecache-csp.md)
[NodeCache CSP](nodecache-csp.md)
<!--StartSKU-->
<table>
@ -1549,7 +1549,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Office CSP](office-csp.md)
[Office CSP](office-csp.md)
<!--StartSKU-->
<table>
@ -1577,7 +1577,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[PROXY CSP](proxy-csp.md)
[PROXY CSP](proxy-csp.md)
<!--StartSKU-->
<table>
@ -1605,7 +1605,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[PXLOGICAL CSP](pxlogical-csp.md)
[PXLOGICAL CSP](pxlogical-csp.md)
<!--StartSKU-->
<table>
@ -1633,7 +1633,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[PassportForWork CSP](passportforwork-csp.md)
[PassportForWork CSP](passportforwork-csp.md)
<!--StartSKU-->
<table>
@ -1661,7 +1661,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Personalization CSP](personalization-csp.md)
[Personalization CSP](personalization-csp.md)
<!--StartSKU-->
<table>
@ -1689,7 +1689,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Policy CSP](policy-configuration-service-provider.md)
[Policy CSP](policy-configuration-service-provider.md)
<!--StartSKU-->
<table>
@ -1717,7 +1717,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[PolicyManager CSP](policymanager-csp.md)
[PolicyManager CSP](policymanager-csp.md)
<!--StartSKU-->
<table>
@ -1745,7 +1745,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Provisioning CSP](provisioning-csp.md)
[Provisioning CSP](provisioning-csp.md)
<!--StartSKU-->
<table>
@ -1773,7 +1773,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Reboot CSP](reboot-csp.md)
[Reboot CSP](reboot-csp.md)
<!--StartSKU-->
<table>
@ -1801,7 +1801,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Registry CSP](registry-csp.md)
[Registry CSP](registry-csp.md)
<!--StartSKU-->
<table>
@ -1829,7 +1829,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[RemoteFind CSP](remotefind-csp.md)
[RemoteFind CSP](remotefind-csp.md)
<!--StartSKU-->
<table>
@ -1857,7 +1857,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[RemoteLock](remotelock-csp.md)
[RemoteLock](remotelock-csp.md)
<!--StartSKU-->
<table>
@ -1885,7 +1885,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[RemoteRing CSP](remotering-csp.md)
[RemoteRing CSP](remotering-csp.md)
<!--StartSKU-->
<table>
@ -1913,7 +1913,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[RemoteWipe CSP](remotewipe-csp.md)
[RemoteWipe CSP](remotewipe-csp.md)
<!--StartSKU-->
<table>
@ -1941,7 +1941,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Reporting CSP](reporting-csp.md)
[Reporting CSP](reporting-csp.md)
<!--StartSKU-->
<table>
@ -1969,7 +1969,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[RootCATrustedCertificates CSP](rootcacertificates-csp.md)
[RootCATrustedCertificates CSP](rootcacertificates-csp.md)
<!--StartSKU-->
<table>
@ -1997,7 +1997,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[SUPL CSP](supl-csp.md)
[SUPL CSP](supl-csp.md)
<!--StartSKU-->
<table>
@ -2025,7 +2025,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[SecureAssessment CSP](secureassessment-csp.md)
[SecureAssessment CSP](secureassessment-csp.md)
<!--StartSKU-->
<table>
@ -2053,7 +2053,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[SecurityPolicy CSP](securitypolicy-csp.md)
[SecurityPolicy CSP](securitypolicy-csp.md)
<!--StartSKU-->
<table>
@ -2081,7 +2081,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[SharedPC CSP](sharedpc-csp.md)
[SharedPC CSP](sharedpc-csp.md)
<!--StartSKU-->
<table>
@ -2109,7 +2109,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Storage CSP](storage-csp.md)
[Storage CSP](storage-csp.md)
<!--StartSKU-->
<table>
@ -2137,7 +2137,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[SurfaceHub](surfacehub-csp.md)
[SurfaceHub](surfacehub-csp.md)
<!--StartSKU-->
<table>
@ -2165,7 +2165,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[TenantLockdown CSP](tenantlockdown-csp.md)
[TenantLockdown CSP](tenantlockdown-csp.md)
<!--StartSKU-->
<table>
@ -2193,7 +2193,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[TPMPolicy CSP](tpmpolicy-csp.md)
[TPMPolicy CSP](tpmpolicy-csp.md)
<!--StartSKU-->
<table>
@ -2221,7 +2221,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[UEFI CSP](uefi-csp.md)
[UEFI CSP](uefi-csp.md)
<!--StartSKU-->
<table>
@ -2249,7 +2249,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
[UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
<!--StartSKU-->
<table>
@ -2277,7 +2277,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Update CSP](update-csp.md)
[Update CSP](update-csp.md)
<!--StartSKU-->
<table>
@ -2305,7 +2305,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[VPN CSP](vpn-csp.md)
[VPN CSP](vpn-csp.md)
<!--StartSKU-->
<table>
@ -2333,7 +2333,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[VPNv2 CSP](vpnv2-csp.md)
[VPNv2 CSP](vpnv2-csp.md)
<!--StartSKU-->
<table>
@ -2361,7 +2361,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[W4 APPLICATION CSP](w4-application-csp.md)
[W4 APPLICATION CSP](w4-application-csp.md)
<!--StartSKU-->
<table>
@ -2389,7 +2389,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[WiFi CSP](wifi-csp.md)
[WiFi CSP](wifi-csp.md)
<!--StartSKU-->
<table>
@ -2417,7 +2417,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Win32AppInventory CSP](win32appinventory-csp.md)
[Win32AppInventory CSP](win32appinventory-csp.md)
<!--StartSKU-->
<table>
@ -2445,7 +2445,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)
[Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)
<!--StartSKU-->
<table>
@ -2473,7 +2473,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
[WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
<!--StartSKU-->
<table>
@ -2503,7 +2503,7 @@ Footnotes:
<!--StartCSP-->
<!--StartCSP-->
[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
[WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
<!--StartSKU-->
<table>
@ -2532,7 +2532,7 @@ Footnotes:
<!--StartCSP-->
[WindowsLicensing CSP](windowslicensing-csp.md)
[WindowsLicensing CSP](windowslicensing-csp.md)
<!--StartSKU-->
<table>
@ -2560,7 +2560,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
[WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
<!--StartSKU-->
<table>
@ -2588,7 +2588,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[WiredNetwork CSP](wirednetwork-csp.md)
[WiredNetwork CSP](wirednetwork-csp.md)
<!--StartSKU-->
<table>
@ -2616,7 +2616,7 @@ Footnotes:
<!--EndCSP-->
<!--StartCSP-->
[w7 APPLICATION CSP](w7-application-csp.md)
[w7 APPLICATION CSP](w7-application-csp.md)
<!--StartSKU-->
<table>
@ -2647,9 +2647,9 @@ Footnotes:
<!--EndCSPs-->
 Footnotes:
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803
- 5 - Added in Windows 10, next major version
@ -2658,10 +2658,10 @@ Footnotes:
You can download the DDF files for various CSPs from the links below:
- [Download all the DDF files for Windows 10, version 1803](http://download.microsoft.com/download/6/2/7/6276FE19-E3FD-4254-9C16-3C31CAA2DE50/Windows10_1803_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1709](http://download.microsoft.com/download/9/7/C/97C6CF99-F75C-475E-AF18-845F8CECCFA4/Windows10_1709_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
- [Download all the DDF files for Windows 10, version 1803](https://download.microsoft.com/download/6/2/7/6276FE19-E3FD-4254-9C16-3C31CAA2DE50/Windows10_1803_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1709](https://download.microsoft.com/download/9/7/C/97C6CF99-F75C-475E-AF18-845F8CECCFA4/Windows10_1709_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
## <a href="" id="hololens"></a>CSPs supported in Windows Holographic
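Review bot: this is the one substantive change in this file and it is the right one: the DDF zips are what MDM vendors build their schema handling from, so offering them over plaintext HTTP would let an on-path attacker hand a reader a modified DDF. Consider also publishing a SHA-256 for each zip beside its link, since TLS protects the download in transit but gives the reader no way to verify the file after it has been saved.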
@ -2695,9 +2695,9 @@ The following list shows the configuration service providers supported in Window
| [WiFi CSP](wifi-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
| [WindowsLicensing CSP](windowslicensing-csp.md) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
 Footnotes:
 Footnotes:
- 1 - Added in Windows 10, version 1607
- 2 - Added in Windows 10, version 1703
- 2 - Added in Windows 10, version 1703
- 3 - Added in Windows 10, version 1709
- 4 - Added in Windows 10, version 1803
- 5 - Added in Windows 10, next major version
@ -2727,7 +2727,7 @@ The following list shows the configuration service providers supported in Window
- [Reporting CSP](reporting-csp.md)
- [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
- [SurfaceHub CSP](surfacehub-csp.md)
- [UEFI CSP](uefi-csp.md)
- [UEFI CSP](uefi-csp.md)
- [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)

View File

@ -30,7 +30,7 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to
- Specify a per-device update approval list, to ensure devices dont install unapproved updates that have not been tested.
- Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs.
The OMA DM APIs for specifying update approvals and getting compliance status reference updates using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the updates title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526707).
The OMA DM APIs for specifying update approvals and getting compliance status reference updates using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the updates title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526707).
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
The following diagram provides a conceptual overview of how this works:
@ -53,12 +53,12 @@ This section describes how this is done. The following diagram shows the server-
MSDN provides much information about the Server-Server sync protocol. In particular:
- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](https://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
Some important highlights:
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol has an authorization phase (calling GetAuthConfig, GetAuthorizationCookie, and GetCookie). In [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720), the **Sample 1: Authorization** code shows how this is done. Even though this is called the authorization phase, the protocol is completely open (no credentials are needed to run this phase of the protocol). This sequence of calls needs to be done to obtain a cookie for the main part of the sync protocol. As an optimization, you can cache the cookie and only call this sequence again if your cookie has expired.
- The protocol allows the MDM to sync update metadata for a particular update by calling GetUpdateData. For more information, see [GetUpdateData](https://msdn.microsoft.com/library/dd304816.aspx) in MSDN. The LocURI to get the applicable updates with their revision Numbers is `<LocURI>./Vendor/MSFT/Update/InstallableUpdates?list=StructData</LocURI>`. Because not all updates are available via S2S sync, make sure you handle SOAP errors.
- For mobile devices, you can either sync metadata for a particular update by calling GetUpdateData, or for a local on-premises solution, you can use WSUS and manually import the mobile updates from the Microsoft Update Catalog site. For more information, see [Process flow diagram and screenshots of server sync process](#process-flow-diagram-and-screenshots-of-server-sync-process).
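Review bot: moving the Protocol Examples fwlink in the authorization-phase bullet to https only secures the hop to go.microsoft.com; the redirector's destination must itself be https, or the reader still lands on a plaintext page, so it is worth confirming LinkId=526720 resolves to an https target. The unchanged context line above it already carries the https binding URL for fe2.update.microsoft.com, so this bullet was the only stale link in the hunk.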
@ -67,7 +67,7 @@ Some important highlights:
## <a href="" id="examplesofupdatestructure"></a>Examples of update metadata XML structure and element descriptions
The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). Some of the key elements are described below:
The response of the GetUpdateData call returns an array of ServerSyncUpdateData that contains the update metadata in the XmlUpdateBlob element. The schema of the update xml is available at [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720). Some of the key elements are described below:
- **UpdateID** The unique identifier for an update
- **RevisionNumber** Revision number for the update in case the update was modified.
@ -101,8 +101,8 @@ The following procedure describes a basic algorithm for a metadata sync service:
- Initialization, composed of the following:
1. Create an empty list of “needed update IDs to fault in”. This list will get updated by the MDM service component that uses OMA DM. We recommend not adding definition updates to this list, since those are temporary in nature (for example, Defender releases about 4 new definition updates per day, each of which is cumulative).
- Sync periodically (we recommend once every 2 hours - no more than once/hour).
1. Implement the authorization phase of the protocol to get a cookie if you dont already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720)), and:
1. Implement the authorization phase of the protocol to get a cookie if you dont already have a non-expired cookie. See **Sample 1: Authorization** in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720).
2. Implement the metadata portion of the protocol (see **Sample 2: Metadata and Deployments Synchronization** in [Protocol Examples](https://go.microsoft.com/fwlink/p/?LinkId=526720)), and:
- Call GetUpdateData for all updates in the "needed update IDs to fault in" list if the update metadata has not already been pulled into the DB.
- If the update is a newer revision of an existing update (same UpdateID, higher revision number), replace the previous update metadata with the new one.
- Remove updates from the "needed update IDs to fault in" list once they have been brought in.
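Review bot: both Protocol Examples links in steps 1 and 2 of the sync loop are now https, which is the intended fix. While this block is touched, the unchanged context line in step 1 reads "if you dont already have a non-expired cookie" (missing apostrophe), and the first hunk's context line has "its even simpler" for "it's"; out of scope for a link-only PR, but a cheap follow-up.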
@ -134,7 +134,7 @@ The following diagram shows the Update policies in a tree format.
![update csp diagram](images/update-policies.png)
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
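Review bot: the removed and re-added `<a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**` lines are visibly identical, so this hunk is a whitespace-only change (trailing spaces or a non-breaking space), not a link fix; the same pattern repeats in the Update/ActiveHoursMaxRange through Update/DeferUpgrade anchor hunks that follow. If an editor is normalizing line endings, consider splitting that churn into its own commit so the insecure-link diff stays reviewable against the PR description.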
@ -148,7 +148,7 @@ The following diagram shows the Update policies in a tree format.
<p style="margin-left: 20px">The default is 17 (5 PM).
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
<a href="" id="update-activehoursmaxrange"></a>**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -159,7 +159,7 @@ The following diagram shows the Update policies in a tree format.
<p style="margin-left: 20px">The default value is 18 (hours).
<a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**
<a href="" id="update-activehoursstart"></a>**Update/ActiveHoursStart**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -173,7 +173,7 @@ The following diagram shows the Update policies in a tree format.
<p style="margin-left: 20px">The default value is 8 (8 AM).
<a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**
<a href="" id="update-allowautoupdate"></a>**Update/AllowAutoUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -197,7 +197,7 @@ The following diagram shows the Update policies in a tree format.
<p style="margin-left: 20px">If the policy is not configured, end-users get the default behavior (Auto install and restart).
<a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**
<a href="" id="update-allowmuupdateservice"></a>**Update/AllowMUUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
@ -209,7 +209,7 @@ The following diagram shows the Update policies in a tree format.
- 0 Not allowed or not configured.
- 1 Allowed. Accepts updates received through Microsoft Update.
<a href="" id="update-allownonmicrosoftsignedupdate"></a>**Update/AllowNonMicrosoftSignedUpdate**
<a href="" id="update-allownonmicrosoftsignedupdate"></a>**Update/AllowNonMicrosoftSignedUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -225,7 +225,7 @@ The following diagram shows the Update policies in a tree format.
<p style="margin-left: 20px">This policy is specific to desktop and local publishing via WSUS for 3rd party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
<a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**
<a href="" id="update-allowupdateservice"></a>**Update/AllowUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -245,7 +245,7 @@ The following diagram shows the Update policies in a tree format.
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
<a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**
<a href="" id="update-autorestartnotificationschedule"></a>**Update/AutoRestartNotificationSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -256,7 +256,7 @@ The following diagram shows the Update policies in a tree format.
<p style="margin-left: 20px">The default value is 15 (minutes).
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
<a href="" id="update-autorestartrequirednotificationdismissal"></a>**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -268,7 +268,7 @@ The following diagram shows the Update policies in a tree format.
- 1 (default) Auto Dismissal.
- 2 User Dismissal.
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
<a href="" id="update-branchreadinesslevel"></a>**Update/BranchReadinessLevel**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -280,7 +280,7 @@ The following diagram shows the Update policies in a tree format.
- 16 (default) User gets all applicable upgrades from Current Branch (CB).
- 32 User gets upgrades from Current Branch for Business (CBB).
<a href="" id="update-deferfeatureupdatesperiodindays"></a>**Update/DeferFeatureUpdatesPeriodInDays**
<a href="" id="update-deferfeatureupdatesperiodindays"></a>**Update/DeferFeatureUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
@ -290,7 +290,7 @@ The following diagram shows the Update policies in a tree format.
<p style="margin-left: 20px">Supported values are 0-180.
<a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**
<a href="" id="update-deferqualityupdatesperiodindays"></a>**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -299,7 +299,7 @@ The following diagram shows the Update policies in a tree format.
<p style="margin-left: 20px">Supported values are 0-30.
<a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**
<a href="" id="update-deferupdateperiod"></a>**Update/DeferUpdatePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
@ -371,7 +371,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
</table>
<a href="" id="update-deferupgradeperiod"></a>**Update/DeferUpgradePeriod**
<a href="" id="update-deferupgradeperiod"></a>**Update/DeferUpgradePeriod**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
>
@ -388,7 +388,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
<a href="" id="update-engagedrestartdeadline"></a>**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -399,7 +399,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">The default value is 0 days (not specified).
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
<a href="" id="update-engagedrestartsnoozeschedule"></a>**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -410,7 +410,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">The default value is 3 days.
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
<a href="" id="update-engagedrestarttransitionschedule"></a>**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -421,7 +421,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">The default value is 7 days.
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
<a href="" id="update-excludewudriversinqualityupdate"></a>**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
@ -433,8 +433,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
- 0 (default) Allow Windows Update drivers.
- 1 Exclude Windows Update drivers.
<a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
<a href="" id="update-ignoremoappdownloadlimit"></a>**Update/IgnoreMOAppDownloadLimit**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
@ -447,7 +447,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
- `regd delete HKEY_USERS\S-1-5-21-2702878673-795188819-444038987-2781\software\microsoft\windows\currentversion\windowsupdate /v LastAutoAppUpdateSearchSuccessTime /f`
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\Automatic App Update"""" /I""`
@ -455,8 +455,8 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
<a href="" id="update-ignoremoupdatedownloadlimit"></a>**Update/IgnoreMOUpdateDownloadLimit**
<p style="margin-left: 20px">Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
@ -469,13 +469,13 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
- `exec-device schtasks.exe -arguments ""/run /tn """"\Microsoft\Windows\WindowsUpdate\AUScheduledInstall"""" /I""`
3. Verify that any downloads that are above the download size limit will complete without being paused.
<a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**
<a href="" id="update-pausedeferrals"></a>**Update/PauseDeferrals**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
@ -493,7 +493,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
<a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**
<a href="" id="update-pausefeatureupdates"></a>**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
<p style="margin-left: 20px">Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
@ -506,7 +506,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
- 0 (default) Feature Updates are not paused.
- 1 Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
<a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**
<a href="" id="update-pausequalityupdates"></a>**Update/PauseQualityUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -518,7 +518,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
- 0 (default) Quality Updates are not paused.
- 1 Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
<a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**
<a href="" id="update-requiredeferupgrade"></a>**Update/RequireDeferUpgrade**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
>
@ -532,7 +532,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
- 0 (default) User gets upgrades from Current Branch.
- 1 User gets upgrades from Current Branch for Business.
<a href="" id="update-requireupdateapproval"></a>**Update/RequireUpdateApproval**
<a href="" id="update-requireupdateapproval"></a>**Update/RequireUpdateApproval**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -552,7 +552,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
- 0 Not configured. The device installs all applicable updates.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
<a href="" id="update-scheduleimminentrestartwarning"></a>**Update/ScheduleImminentRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -563,7 +563,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">The default value is 15 (minutes).
<a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**
<a href="" id="update-scheduledinstallday"></a>**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -585,7 +585,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
- 6 Friday
- 7 Saturday
<a href="" id="update-scheduledinstalltime"></a>**Update/ScheduledInstallTime**
<a href="" id="update-scheduledinstalltime"></a>**Update/ScheduledInstallTime**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -600,7 +600,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">The default value is 3.
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
<a href="" id="update-schedulerestartwarning"></a>**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -611,7 +611,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
<p style="margin-left: 20px">The default value is 4 (hours).
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
<a href="" id="update-setautorestartnotificationdisable"></a>**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
@ -623,11 +623,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
- 0 (default) Enabled
- 1 Disabled
<a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl**
<a href="" id="update-updateserviceurl"></a>**Update/UpdateServiceUrl**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise
> [!Important]
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise.
<p style="margin-left: 20px">Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
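Review bot: the `> [!Important]` line is re-added unchanged here, so again nothing in this hunk touches a link. The unchanged context line "not supported in Windows 10 Mobile Enteprise and IoT Enterprise" has a typo ("Enteprise"); since this block is already in the diff, fixing it here would avoid a second edit to the same lines.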
@ -657,7 +657,7 @@ Example
</Replace>
```
<a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**
<a href="" id="update-updateserviceurlalternate"></a>**Update/UpdateServiceUrlAlternate**
> **Note**  This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
@ -669,9 +669,9 @@ Example
<p style="margin-left: 20px">Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
> If the "Alternate Download Server" Group Policy is not set, it will use the WSUS server by default to download updates.
> This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
### Update management
@ -680,12 +680,12 @@ The enterprise IT can configure the set of approved updates and get compliance s
![update csp diagram](images/provisioning-csp-update.png)
<a href="" id="update"></a>**Update**
<a href="" id="update"></a>**Update**
The root node.
Supported operation is Get.
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
Node for update approvals and EULA acceptance on behalf of the end-user.
> **Note** When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list.
@ -700,10 +700,10 @@ The update approval list enables IT to approve individual updates and update cla
Supported operations are Get and Add.
<a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/****_Approved Update Guid_**
<a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/****_Approved Update Guid_**
Specifies the update GUID.
To auto-approve a class of updates, you can specify the [Update Classifications](http://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
To auto-approve a class of updates, you can specify the [Update Classifications](https://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
Supported operations are Get and Add.
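Review bot: the Update Classifications fwlink (LinkId=526723) in the ApprovedUpdates description now uses https, which is the intended change. The surrounding context line has two grammar slips worth a follow-up: "We strongly recommend to always specify" should read "We strongly recommend always specifying", and "There are released periodically" should read "These are released periodically" (referring to the anti-malware signature updates under the DefinitionsUpdates classification).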
@ -713,52 +713,52 @@ Sample syncml:
<LocURI>./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d</LocURI>
```
<a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
<a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
Specifies the time the update gets approved.
Supported operations are Get and Add.
<a href="" id="failedupdates"></a>**FailedUpdates**
<a href="" id="failedupdates"></a>**FailedUpdates**
Specifies the approved updates that failed to install on a device.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/****_Failed Update Guid_**
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/****_Failed Update Guid_**
Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
<a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
The update failure error code.
Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
Specifies the failed update status (for example, download, install).
Supported operation is Get.
<a href="" id="installedupdates"></a>**InstalledUpdates**
<a href="" id="installedupdates"></a>**InstalledUpdates**
The updates that are installed on the device.
Supported operation is Get.
<a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/****_Installed Update Guid_**
<a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/****_Installed Update Guid_**
UpdateIDs that represent the updates installed on a device.
Supported operation is Get.
<a href="" id="installableupdates"></a>**InstallableUpdates**
<a href="" id="installableupdates"></a>**InstallableUpdates**
The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/****_Installable Update Guid_**
<a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/****_Installable Update Guid_**
Update identifiers that represent the updates applicable and not installed on a device.
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
<a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
The UpdateClassification value of the update. Valid values are:
- 0 - None
@ -767,32 +767,32 @@ The UpdateClassification value of the update. Valid values are:
Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
<a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
The revision number for the update that must be passed in server to server sync to get the metadata for the update.
Supported operation is Get.
<a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
<a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
The updates that require a reboot to complete the update session.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/****_Pending Reboot Update Guid_**
<a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/****_Pending Reboot Update Guid_**
Update identifiers for the pending reboot state.
Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
The time the update is installed.
Supported operation is Get.
<a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
<a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
The last successful scan time.
Supported operation is Get.
<a href="" id="deferupgrade"></a>**DeferUpgrade**
<a href="" id="deferupgrade"></a>**DeferUpgrade**
Upgrades deferred until the next period.
Supported operation is Get.

@ -42,7 +42,7 @@ In Windows, after the user confirms the account deletion command and before the
This action utilizes the OMA DM generic alert 1226 function to send a user an MDM unenrollment user alert to the MDM server after the device accepts the user unenrollment request, but before it deletes any enterprise data. The server should set the expectation that unenrollment may succeed or fail, and the server can check whether the device is unenrolled by either checking whether the device calls back at scheduled time or by sending a push notification to the device to see whether it responds back. If the server plans to send a push notification, it should allow for some delay to give the device the time to complete the unenrollment work.
> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).
> **Note**  The user unenrollment is an OMA DM standard. For more information about the 1226 generic alert, refer to the OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).
 
The vendor uses the Type attribute to specify what type of generic alert it is. For device initiated MDM unenrollment, the alert type is **com.microsoft:mdm.unenrollment.userrequest**.

@ -23,33 +23,33 @@ The following diagram shows the EnterpriseAppManagement configuration service pr
![enterpriseappmanagement csp](images/provisioning-csp-enterpriseappmanagement.png)
<a href="" id="enterpriseid"></a>***EnterpriseID***
<a href="" id="enterpriseid"></a>***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.
Supported operations are Add, Delete, and Get.
<a href="" id="enterpriseid-enrollmenttoken"></a>***EnterpriseID*/EnrollmentToken**
<a href="" id="enterpriseid-enrollmenttoken"></a>***EnterpriseID*/EnrollmentToken**
Required. Used to install or update the binary representation of the application enrollment token (AET) and initiate "phone home" token validation. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="enterpriseid-storeproductid"></a>***EnterpriseID*/StoreProductID**
<a href="" id="enterpriseid-storeproductid"></a>***EnterpriseID*/StoreProductID**
Required. The node to host the ProductId node. Scope is dynamic.
Supported operation is Get.
<a href="" id="-storeproductid-productid"></a>**/StoreProductID/ProductId**
<a href="" id="-storeproductid-productid"></a>**/StoreProductID/ProductId**
The character string that contains the ID of the first enterprise application (usually a Company Hub app), which is automatically installed on the device. Scope is dynamic.
Supported operations are Get and Add.
<a href="" id="enterpriseid-storeuri"></a>***EnterpriseID*/StoreUri**
<a href="" id="enterpriseid-storeuri"></a>***EnterpriseID*/StoreUri**
Optional. The character string that contains the URI of the first enterprise application to be installed on the device. The enrollment client downloads and installs the application from this URI. Scope is dynamic.
Supported operations are Get and Add.
<a href="" id="enterpriseid-certificatesearchcriteria"></a>***EnterpriseID*/CertificateSearchCriteria**
Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](http://go.microsoft.com/fwlink/p/?LinkId=523869) function. This search parameter is case sensitive. Scope is dynamic.
<a href="" id="enterpriseid-certificatesearchcriteria"></a>***EnterpriseID*/CertificateSearchCriteria**
Optional. The character string that contains the search criteria to search for the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download. The company's application content server should use the enterprise-enrolled client certificate to authenticate the device. The value must be a URL encoded representation of the X.500 distinguished name of the client certificates Subject property. The X.500 name must conform to the format required by the [CertStrToName](https://go.microsoft.com/fwlink/p/?LinkId=523869) function. This search parameter is case sensitive. Scope is dynamic.
Supported operations are Get and Add.
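Review bot: The only link fix in this hunk is the CertStrToName URL on the CertificateSearchCriteria line; every other changed pair in the hunk (EnterpriseID, EnrollmentToken, StoreProductID, ProductId, StoreUri) shows identical text and so is whitespace-only churn that makes the actual http-to-https change hard to spot. Consider splitting whitespace cleanup from the link fix, and while the CertificateSearchCriteria line is being touched, "the X.500 distinguished name of the client certificates Subject property" should read "the client certificate's Subject property".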
@ -57,77 +57,77 @@ Supported operations are Get and Add.
 
<a href="" id="enterpriseid-status"></a>***EnterpriseID*/Status**
<a href="" id="enterpriseid-status"></a>***EnterpriseID*/Status**
Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL\_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic.
Supported operation is Get.
<a href="" id="enterpriseid-crlcheck"></a>***EnterpriseID*/CRLCheck**
<a href="" id="enterpriseid-crlcheck"></a>***EnterpriseID*/CRLCheck**
Optional. Character value that specifies whether the device should do a CRL check when using a certificate to authenticate the server. Valid values are "1" (CRL check required), "0" (CRL check not required). Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="enterpriseid-enterpriseapps"></a>***EnterpriseID*/EnterpriseApps**
<a href="" id="enterpriseid-enterpriseapps"></a>***EnterpriseID*/EnterpriseApps**
Required. The root node to for individual enterprise application related settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
Supported operation is Get.
<a href="" id="-enterpriseapps-inventory"></a>**/EnterpriseApps/Inventory**
<a href="" id="-enterpriseapps-inventory"></a>**/EnterpriseApps/Inventory**
Required. The root node for individual enterprise application inventory settings. Scope is dynamic (this node is automatically created when EnterpriseID is added to the configuration service provider).
Supported operation is Get.
<a href="" id="-inventory-productid"></a>**/Inventory/****_ProductID_**
<a href="" id="-inventory-productid"></a>**/Inventory/****_ProductID_**
Optional. A node that contains s single enterprise application product ID in GUID format. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-version"></a>**/Inventory/*ProductID*/Version**
<a href="" id="-inventory-productid-version"></a>**/Inventory/*ProductID*/Version**
Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-title"></a>**/Inventory/*ProductID*/Title**
<a href="" id="-inventory-productid-title"></a>**/Inventory/*ProductID*/Title**
Required. The character string that contains the name of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-publisher"></a>**/Inventory/*ProductID*/Publisher**
<a href="" id="-inventory-productid-publisher"></a>**/Inventory/*ProductID*/Publisher**
Required. The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-inventory-productid-installdate"></a>**/Inventory/*ProductID*/InstallDate**
<a href="" id="-inventory-productid-installdate"></a>**/Inventory/*ProductID*/InstallDate**
Required. The time (in the character format YYYY-MM-DD-HH:MM:SS) that the application was installed or updated. Scope is dynamic.
Supported operation is Get.
<a href="" id="-enterpriseapps-download"></a>**/EnterpriseApps/Download**
<a href="" id="-enterpriseapps-download"></a>**/EnterpriseApps/Download**
Required. This node groups application download-related parameters. The enterprise server can only automatically update currently installed enterprise applications. The end user controls which enterprise applications to download and install. Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid"></a>**/Download/****_ProductID_**
<a href="" id="-download-productid"></a>**/Download/****_ProductID_**
Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-version"></a>**/Download/*ProductID*/Version**
<a href="" id="-download-productid-version"></a>**/Download/*ProductID*/Version**
Optional. The character string that contains version information (set by the caller) for the application currently being downloaded. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-name"></a>**/Download/*ProductID*/Name**
<a href="" id="-download-productid-name"></a>**/Download/*ProductID*/Name**
Required. The character string that contains the name of the installed application. Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid-url"></a>**/Download/*ProductID*/URL**
<a href="" id="-download-productid-url"></a>**/Download/*ProductID*/URL**
Optional. The character string that contains the URL for the updated version of the installed application. The device will download application updates from this link. Scope is dynamic.
Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-status"></a>**/Download/*ProductID*/Status**
<a href="" id="-download-productid-status"></a>**/Download/*ProductID*/Status**
Required. The integer value that indicates the status of the current download process. The following table shows the possible values.
<table>
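Review bot: This hunk contains no link change at all, although the PR's stated purpose is fixing insecure links; all twenty-odd changed pairs here are whitespace-only. If the lines are being rewritten anyway, the Inventory/ProductID description "A node that contains s single enterprise application product ID in GUID format" should be corrected to "contains a single".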
@ -175,15 +175,15 @@ Required. The integer value that indicates the status of the current download pr
Scope is dynamic. Supported operations are Get, Add, and Replace.
<a href="" id="-download-productid-lasterror"></a>**/Download/*ProductID*/LastError**
<a href="" id="-download-productid-lasterror"></a>**/Download/*ProductID*/LastError**
Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S\_OK). Scope is dynamic.
Supported operation is Get.
<a href="" id="-download-productid-lasterrordesc"></a>**/Download/*ProductID*/LastErrorDesc**
<a href="" id="-download-productid-lasterrordesc"></a>**/Download/*ProductID*/LastErrorDesc**
Required. The character string that contains the human readable description of the last error code.
<a href="" id="-download-productid-downloadinstall"></a>**/Download/*ProductID*/DownloadInstall**
<a href="" id="-download-productid-downloadinstall"></a>**/Download/*ProductID*/DownloadInstall**
Required. The node to allow the server to trigger the download and installation for an updated version of the user installed application. The format for this node is null. The server must query the device later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic.
Supported operation is Exec.
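Review bot: The `/Download/*ProductID*/LastErrorDesc` entry is missing the "Scope is dynamic." and "Supported operation is Get." lines that every sibling node (LastError, DownloadInstall) carries; since the line is already being touched for whitespace, adding those two lines would make the node documentation consistent.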
@ -342,7 +342,7 @@ Response from the device (that contains two installed applications):
<Item>
<Source>
<LocURI>
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D
./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D
</LocURI>
</Source>
<Meta>

View File

@ -18,7 +18,7 @@ The EnterpriseAssignedAccess configuration service provider allows IT administra
> **Note**   The EnterpriseAssignedAccess CSP is only supported in Windows 10 Mobile.
To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983).
To use an app to create a lockdown XML see [Use the Lockdown Designer app to create a Lockdown XML file](https://docs.microsoft.com/en-us/windows/configuration/mobile-devices/mobile-lockdown-designer). For more information about how to interact with the lockdown XML at runtime, see [**DeviceLockdownProfile class**](https://msdn.microsoft.com/library/windows/hardware/mt186983).
The following diagram shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.
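Review bot: Both lines of this pair already use `https://docs.microsoft.com/...` and `https://msdn.microsoft.com/...`, so there is no insecure link being fixed here and the change is whitespace-only; it can be dropped from a PR scoped to link fixes.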
@ -26,13 +26,13 @@ The following diagram shows the EnterpriseAssignedAccess configuration service p
The following list shows the characteristics and parameters.
<a href="" id="-vendor-msft-enterpriseassignedaccess-"></a>**./Vendor/MSFT/EnterpriseAssignedAccess/**
<a href="" id="-vendor-msft-enterpriseassignedaccess-"></a>**./Vendor/MSFT/EnterpriseAssignedAccess/**
The root node for the EnterpriseAssignedAccess configuration service provider. Supported operations are Add, Delete, Get and Replace.
<a href="" id="assignedaccess-"></a>**AssignedAccess/**
<a href="" id="assignedaccess-"></a>**AssignedAccess/**
The parent node of assigned access XML.
<a href="" id="assignedaccess-assignedaccessxml"></a>**AssignedAccess/AssignedAccessXml**
<a href="" id="assignedaccess-assignedaccessxml"></a>**AssignedAccess/AssignedAccessXml**
The XML code that controls the assigned access settings that will be applied to the device.
Supported operations are Add, Delete, Get and Replace.
@ -79,7 +79,7 @@ Application example:
``` syntax
<Apps>
<!-- Outlook Calendar -->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}"
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}"
aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.calendar">
<PinToStart>
<Size>Large</Size>
@ -90,7 +90,7 @@ aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.c
</PinToStart>
</Application>
<!-- Outlook Mail-->
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}"
<Application productId="{A558FEBA-85D7-4665-B5D8-A2FF9C19799B}"
aumid="microsoft.windowscommunicationsapps_8wekyb3d8bbwe!microsoft.windowslive.mail">
<PinToStart>
<Size>Large</Size>
@ -262,11 +262,11 @@ Here is an example for Windows 10, version 1703.
</Settings>
```
**Quick action settings**
**Quick action settings**
Starting in Windows 10, version 1511, you can specify the following quick action settings in the lockdown XML file. The following list shows the quick action settings and settings page dependencies (group and page).
> [!Note]
> [!Note]
> Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added when the quick action item is specified in the lockdown XML. In Windows 10, version 1703, Quick action settings no longer require any dependencies from related group or page.
<ul>
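Review bot: The note text "Only Windows 10, versions 1511 and 1607, the dependent settings group and pages are automatically added" is ungrammatical; since the `> [!Note]` line is being rewritten, the sentence should begin "In Windows 10, versions 1511 and 1607, ..." so that it contrasts correctly with the following "In Windows 10, version 1703" sentence.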
@ -323,27 +323,27 @@ Starting in Windows 10, version 1703, Quick action settings no longer require an
- SystemSettings_System_Display_QuickAction_Brightness
In this example, all settings pages and quick action settings are allowed. An empty \<Settings> node indicates that none of the settings are blocked.
In this example, all settings pages and quick action settings are allowed. An empty \<Settings> node indicates that none of the settings are blocked.
``` syntax
<Settings>
</Settings>
```
In this example for Windows 10, version 1511, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.
In this example for Windows 10, version 1511, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names.
``` syntax
<Settings>
<System name="SettingsPageGroupPCSystem" />
<System name="SettingsPageDisplay" />
<Settings>
<System name="SettingsPageGroupPCSystem" />
<System name="SettingsPageDisplay" />
<System name="SettingsPageAppsNotifications" />
<System name="SettingsPageCalls" />
<System name="SettingsPageMessaging" />
<System name="SettingsPageBatterySaver" />
<System name="SettingsPageMessaging" />
<System name="SettingsPageBatterySaver" />
<System name="SettingsPageStorageSenseStorageOverview" />
<System name="SettingsPageGroupPCSystemDeviceEncryption" />
<System name="SettingsPageDrivingMode" />
<System name="SettingsPagePCSystemInfo" />
<System name="SettingsPageGroupPCSystemDeviceEncryption" />
<System name="SettingsPageDrivingMode" />
<System name="SettingsPagePCSystemInfo" />
</Settings>
```
Here is an example for Windows 10, version 1703.
@ -363,7 +363,7 @@ Here is an example for Windows 10, version 1703.
Entry | Description
----------- | ------------
Buttons | The following list identifies the hardware buttons on the device that you can lock down in <strong>ButtonLockdownList</strong>. When a user taps a button that is in the lockdown list, nothing will happen.
<ul>
<li><p>Start</p>
<li><p>Back</p></li>
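Review bot: The first list item in the Buttons cell, `<li><p>Start</p>`, has no closing `</li>`, unlike the sibling `<li><p>Back</p></li>`; malformed HTML inside a markdown table cell renders unpredictably, so add the missing `</li>` while this region is being edited.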
@ -374,12 +374,12 @@ Buttons | The following list identifies the hardware buttons on the device that
<li><p>Custom3</p></li>
</ul>
> [!Note]
> Lock down of the Start button only prevents the press and hold event.
> [!Note]
> Lock down of the Start button only prevents the press and hold event.
>
> Custom buttons are hardware buttons that can be added to devices by OEMs.
Buttons example:
Buttons example:
``` syntax
<Buttons>
<ButtonLockdownList>
@ -398,8 +398,8 @@ Buttons example:
```
The Search and custom buttons can be <em>remapped</em> or configured to open a specific application. Button remapping takes effect for the device and applies to all users.
> [!Note]
> The lockdown settings for a button, per user role, will apply regardless of the button mapping.
> [!Note]
> The lockdown settings for a button, per user role, will apply regardless of the button mapping.
>
> Button remapping can enable a user to open an application that is not in the Allow list. Use button lock down to prevent application access for a user role.
@ -415,7 +415,7 @@ To remap a button in lockdown XML, you supply the button name, the button event
</Button>
</ButtonRemapList>
```
**Disabling navigation buttons**
**Disabling navigation buttons**
To disable navigation buttons (such as Home or Back) in lockdown XML, you supply the name (for example, Start) and button event (typically "press").
The following section contains a sample lockdown XML file that shows how to disable navigation buttons.
@ -496,7 +496,7 @@ Entry | Description
----------- | ------------
MenuItems | Use **DisableMenuItems** to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.
> [!Important]
> [!Important]
> If **DisableMenuItems** is not included in a profile, users of that profile can uninstall apps.
MenuItems example:
@ -511,12 +511,12 @@ Entry | Description
----------- | ------------
Tiles | **Turning-on tile manipulation** - By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the users profile. If tile manipulation is enabled in the users profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.
> [!Important]
> [!Important]
> If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in users profile.
The following sample file contains configuration for enabling tile manipulation.
> [!Note]
> [!Note]
> Tile manipulation is disabled when you dont have a `<Tiles>` node in lockdown XML, or if you have a `<Tiles>` node but dont have the `<EnableTileManipulation>` node.
``` syntax
@ -596,25 +596,25 @@ Entry | Description
CSP Runner | Allows CSPs to be executed on the device per user role. You can use this to implement role specific policies, such as changing the color scheme when an admin logs on the device, or to set configurations per role.
 
<a href="" id="lockscreenwallpaper-"></a>**LockscreenWallpaper/**
<a href="" id="lockscreenwallpaper-"></a>**LockscreenWallpaper/**
The parent node of the lock screen-related parameters that let administrators query and manage the lock screen image on devices. Supported operations are Add, Delete, Get and Replace.
<a href="" id="lockscreenwallpaper-bgfilename"></a>**LockscreenWallpaper/BGFileName**
<a href="" id="lockscreenwallpaper-bgfilename"></a>**LockscreenWallpaper/BGFileName**
The file name of the lock screen. The image file for the lock screen can be in .jpg or .png format and must not exceed 2 MB. The file name can also be in the Universal Naming Convention (UNC) format, in which case the device downloads it from the shared network and then sets it as the lock screen wallpaper.
Supported operations are Add, Get, and Replace.
<a href="" id="theme-"></a>**Theme/**
<a href="" id="theme-"></a>**Theme/**
The parent node of theme-related parameters.
Supported operations are Add, Delete, Get and Replace.
<a href="" id="theme-themebackground"></a>**Theme/ThemeBackground**
<a href="" id="theme-themebackground"></a>**Theme/ThemeBackground**
Indicates whether the background color is light or dark. Set to **0** for light; set to **1** for dark.
Supported operations are Get and Replace.
<a href="" id="theme-themeaccentcolorid"></a>**Theme/ThemeAccentColorID**
<a href="" id="theme-themeaccentcolorid"></a>**Theme/ThemeAccentColorID**
The accent color to apply as the foreground color for tiles, controls, and other visual elements on the device. The following table shows the possible values.
<table>
@ -724,22 +724,22 @@ The accent color to apply as the foreground color for tiles, controls, and other
Supported operations are Get and Replace.
<a href="" id="theme-themeaccentcolorvalue"></a>**Theme/ThemeAccentColorValue**
<a href="" id="theme-themeaccentcolorvalue"></a>**Theme/ThemeAccentColorValue**
A 6-character string for the accent color to apply to controls and other visual elements.
To use a custom accent color for Enterprise, enter **151** for *ThemeAccentColorID* before *ThemeAccentColorValue* in lockdown XML. *ThemeAccentColorValue* configures the custom accent color using hex values for red, green, and blue, in RRGGBB format. For example, enter FF0000 for red.
Supported operations are Get and Replace.
<a href="" id="persistdata"></a>**PersistData**
<a href="" id="persistdata"></a>**PersistData**
Not supported in Windows 10.
The parent node of whether to persist data that has been provisioned on the device.
<a href="" id="persistdata-persistprovisioneddata"></a>**PersistData/PersistProvisionedData**
<a href="" id="persistdata-persistprovisioneddata"></a>**PersistData/PersistProvisionedData**
Not supported in Windows 10. Use doWipePersistProvisionedData in [RemoteWipe CSP](remotewipe-csp.md) instead.
<a href="" id="clock-timezone-"></a>**Clock/TimeZone/**
<a href="" id="clock-timezone-"></a>**Clock/TimeZone/**
An integer that specifies the time zone of the device. The following table shows the possible values.
Supported operations are Get and Replace.
@ -1172,8 +1172,8 @@ Supported operations are Get and Replace.
</table>
<a href="" id="locale-language-"></a>**Locale/Language/**
The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](http://go.microsoft.com/fwlink/p/?LinkID=189567).
<a href="" id="locale-language-"></a>**Locale/Language/**
The culture code that identifies the language to display on a device, and specifies the formatting of numbers, currencies, time, and dates. For language values, see [Locale IDs Assigned by Microsoft](https://go.microsoft.com/fwlink/p/?LinkID=189567).
The language setting is configured in the Default User profile only.
@ -1195,14 +1195,14 @@ The XML examples in this section show how to perform various tasks by using OMA
The following example shows how to add a new policy.
``` syntax
<wap-provisioningdoc>
  <characteristic type="EnterpriseAssignedAccess">
    <characteristic type="AssignedAccess">
      <parm name=" AssignedAccessXml" datatype="string"
            value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;&lt;HandheldLockdown version=&quot;1.0&quot;&gt;&lt;Default&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;0&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Search&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Default&gt;&lt;RoleList&gt;&lt;Role guid=&quot;{76C01983-A872-4C4E-B4C6-321EAC709CEA}&quot; name=&quot;Associate&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; 
/&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;Role guid=&quot;{8ABB8A10-4418-4467-9E18-99D11FA54E30}&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;/RoleList&gt;&lt;/HandheldLockdown&gt;"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
<wap-provisioningdoc>
  <characteristic type="EnterpriseAssignedAccess">
    <characteristic type="AssignedAccess">
      <parm name=" AssignedAccessXml" datatype="string"
            value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;&lt;HandheldLockdown version=&quot;1.0&quot;&gt;&lt;Default&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;0&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Search&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Default&gt;&lt;RoleList&gt;&lt;Role guid=&quot;{76C01983-A872-4C4E-B4C6-321EAC709CEA}&quot; name=&quot;Associate&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; 
/&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;Role guid=&quot;{8ABB8A10-4418-4467-9E18-99D11FA54E30}&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot; /&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot; /&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;/RoleList&gt;&lt;/HandheldLockdown&gt;"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>
```
### Language
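Review bot: In both the old and new copy of this example, the parm name carries a leading space: `<parm name=" AssignedAccessXml" datatype="string"`. A provisioning client matching the node name will not match " AssignedAccessXml" against AssignedAccessXml, so readers who copy the sample get a silently ignored policy. The fix is `<parm name="AssignedAccessXml" datatype="string"`; since the whole block is rewritten here, this is the moment to correct it.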
@ -1210,13 +1210,13 @@ The following example shows how to add a new policy.
The following example shows how to specify the language to display on the device.
``` syntax
<wap-provisioningdoc>
   <characteristic type="EnterpriseAssignedAccess">
  <characteristic type="Language">
      <parm name="Language" datatype="string"
<wap-provisioningdoc>
   <characteristic type="EnterpriseAssignedAccess">
  <characteristic type="Language">
      <parm name="Language" datatype="string"
<parm name="Language" value="1033" />
   </characteristic>
</wap-provisioningdoc>
   </characteristic>
</wap-provisioningdoc>
```
## OMA DM examples
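Review bot: The Language sample is not well-formed XML in either the old or the new copy: `<parm name="Language" datatype="string"` is never closed, it is immediately followed by a second `<parm name="Language" value="1033" />`, and `<characteristic type="Language">` has no matching `</characteristic>` (only one closing tag appears before `</wap-provisioningdoc>`). The intended sample is presumably a single `<parm name="Language" datatype="string" value="1033" />` inside the Language characteristic, with a second `</characteristic>` added, so the document parses.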
@ -1229,20 +1229,20 @@ These XML examples show how to perform various tasks using OMA DM.
The following example shows how to lock down a device.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml</LocURI>
</Target>
<Data>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;&lt;HandheldLockdown version=&quot;1.0&quot;&gt;&lt;Default&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;2&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;Button name=&quot;Camera&quot; disableEvents=&quot;All&quot; /&gt;&lt;Button name=&quot;Search&quot; disableEvents=&quot;All&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Default&gt;&lt;RoleList&gt;&lt;Role guid=&quot;{76C01983-A872-4C4E-B4C6-321EAC709CEA}&quot; name=&quot;Associate&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;Button name=&quot;Camera&quot; disableEvents=&quot;All&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;Role guid=&quot;{8ABB8A10-4418-4467-9E18-99D11FA54E30}&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;/RoleList&gt;&lt;/HandheldLockdown&gt;</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml</LocURI>
</Target>
<Data>&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;&lt;HandheldLockdown version=&quot;1.0&quot;&gt;&lt;Default&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;2&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;Button name=&quot;Camera&quot; disableEvents=&quot;All&quot; /&gt;&lt;Button name=&quot;Search&quot; disableEvents=&quot;All&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Default&gt;&lt;RoleList&gt;&lt;Role guid=&quot;{76C01983-A872-4C4E-B4C6-321EAC709CEA}&quot; name=&quot;Associate&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5615}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;System name=&quot;Microsoft.About&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;Button name=&quot;Camera&quot; disableEvents=&quot;All&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;Role guid=&quot;{8ABB8A10-4418-4467-9E18-99D11FA54E30}&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;{5B04B775-356B-4AA0-AAF8-6491FFEA5612}&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot; /&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot; /&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;/RoleList&gt;&lt;/HandheldLockdown&gt;</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>
```
### Theme
@ -1250,66 +1250,66 @@ The following example shows how to lock down a device.
The following example shows how to change the accent color to one of the standard colors.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>1</CmdID>
         <Item>
            <Target>
             <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <!-- zero based index of available theme colors -->
            <Data>7</Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>1</CmdID>
         <Item>
            <Target>
             <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <!-- zero based index of available theme colors -->
            <Data>7</Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
</SyncML>
```
The following example shows how to change the theme.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
       <Replace>
           <CmdID>1</CmdID>
           <Item>
               <Target>
                   <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
               </Target>
               <Meta>
                   <Format xmlns="syncml:metinf">int</Format>
               </Meta>
               <!-- 0 for "light", 1 for "dark" -->
               <Data>1</Data>
           </Item>
       </Replace>
       <Final/>
   </SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
       <Replace>
           <CmdID>1</CmdID>
           <Item>
               <Target>
                   <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
               </Target>
               <Meta>
                   <Format xmlns="syncml:metinf">int</Format>
               </Meta>
               <!-- 0 for "light", 1 for "dark" -->
               <Data>1</Data>
           </Item>
       </Replace>
       <Final/>
   </SyncBody>
</SyncML>
```
The following example shows how to set a custom theme accent color for the enterprise environment.
``` syntax
<SyncBody>
   <Replace>
      <CmdID>1</CmdID>
      <Item>
         <Target>
             <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
         </Target>
         <Meta>
            <Format xmlns="syncml:metinf">int</Format>
         </Meta>
         <!—set to Enterprise custom -->
         <Data>151</Data>
      </Item>
   </Replace>
<SyncBody>
   <Replace>
      <CmdID>1</CmdID>
      <Item>
         <Target>
             <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
         </Target>
         <Meta>
            <Format xmlns="syncml:metinf">int</Format>
         </Meta>
         <!—set to Enterprise custom -->
         <Data>151</Data>
      </Item>
   </Replace>
<Replace>
<CmdID>2</CmdID>
<Item>
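Review bot: the custom-accent example in this hunk keeps a malformed XML comment, `<!—set to Enterprise custom -->`, which opens with an em dash rather than `<!--`; a strict SyncML parser will reject the whole message, so since the line is already being rewritten it should become `<!-- set to Enterprise custom -->`. The same example begins at `<SyncBody>` with no enclosing `<SyncML xmlns="SYNCML:SYNCML1.2">` element, unlike the ThemeAccentColorID and ThemeBackground examples directly above it. Separately, the removed and added copies of these 66 lines show no visible difference; if this is a whitespace or line-ending normalization it is outside the commit's stated scope of fixing http links and buries the actual link changes.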
@ -1323,8 +1323,8 @@ The following example shows how to set a custom theme accent color for the enter
<Data>FF0000</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
<Final/>
</SyncBody>
```
### Lock screen
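Review bot: the custom-accent example ends here with `<Final/>` and `</SyncBody>` but no `</SyncML>`, matching the missing `<SyncML>` opening tag at its start; either wrap the fragment in the same `<SyncML xmlns="SYNCML:SYNCML1.2">` element the other Theme examples use or make clear it is a body fragment. No content change is visible in the hunk itself.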
@ -1332,55 +1332,55 @@ The following example shows how to set a custom theme accent color for the enter
Use the examples in this section to set a new lock screen and manage the lock screen features. If using a UNC path, format the LocURI as \\\\host\\share\\image.jpg.
``` syntax
<Add>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type xmlns="syncml:metinf">text/plain</Type>
    </Meta>
    <Data>c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg </Data>
    </Target>
  </Item>
</Add>
<Add>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type xmlns="syncml:metinf">text/plain</Type>
    </Meta>
    <Data>c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg </Data>
    </Target>
  </Item>
</Add>
```
The following example shows how to query the device for the file being used as the lock screen.
``` syntax
<Get>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
    </Target>
  </Item>
</Get>
<Get>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
    </Target>
  </Item>
</Get>
```
The following example shows how to change the existing lock screen image to one of your choosing.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>2</CmdID>
         <Item>
            <Target>
               <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">chr</Format>
               <Type xmlns="syncml:metinf">text/plain</Type>
            </Meta>
            <Data>c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg</Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>2</CmdID>
         <Item>
            <Target>
               <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">chr</Format>
               <Type xmlns="syncml:metinf">text/plain</Type>
            </Meta>
            <Data>c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg</Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
</SyncML>
```
### Time zone
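Review bot: the `<Add>` example at the top of this hunk is structurally wrong: `<Meta>` and `<Data>` are nested inside `<Target>` (the `</Target>` only appears after `<Data>…</Data>`), whereas in SyncML they are children of `<Item>` alongside `<Target>`, exactly as the `<Replace>` example at the end of the same hunk shows. The `<Data>` value `c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg ` in that `<Add>` also carries a trailing space that would become part of the file name. The lead-in sentence "If using a UNC path, format the LocURI as \\\\host\\share\\image.jpg" should refer to the `<Data>` value, not the LocURI, which stays the fixed node path `./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName`.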
@ -1388,45 +1388,45 @@ The following example shows how to change the existing lock screen image to one
The following example shows how to set the time zone to UTC-07 Mountain Time (US & Canada).
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>2</CmdID>
         <Item>
            <Target>
               <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <Data>500</Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>2</CmdID>
         <Item>
            <Target>
               <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <Data>500</Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
</SyncML>
```
The following example shows how to set the time zone to Pacific Standard Time (UTC-08:00) without observing daylight savings time (UTC+01:00).
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>2</CmdID>
         <Item>
            <Target>
               <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <Data>400 </Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>2</CmdID>
         <Item>
            <Target>
               <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Clock/TimeZone</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <Data>400 </Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
</SyncML>
```
### Language
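Review bot: the lead-in "Pacific Standard Time (UTC-08:00) without observing daylight savings time (UTC+01:00)" contradicts itself; the trailing "(UTC+01:00)" has nothing to do with Pacific time and should be dropped or corrected to whatever the 400 index actually denotes. In the same example `<Data>400 </Data>` has a trailing space inside a value declared as `int`; strip it, as the 500 example in the Mountain Time block does.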
@ -1434,23 +1434,23 @@ The following example shows how to set the time zone to Pacific Standard Time (U
The following example shows how to set the language.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>1</CmdID>
         <Item>
            <Target>
               <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Locale/Language</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <Data>1033</Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
</SyncML>
<SyncML xmlns="SYNCML:SYNCML1.2">
   <SyncBody>
      <Replace>
         <CmdID>1</CmdID>
         <Item>
            <Target>
               <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Locale/Language</LocURI>
            </Target>
            <Meta>
               <Format xmlns="syncml:metinf">int</Format>
            </Meta>
            <Data>1033</Data>
         </Item>
      </Replace>
      <Final/>
   </SyncBody>
</SyncML>
```
## <a href="" id="productid"></a>Product IDs in Windows 10 Mobile

View File

@ -21,34 +21,34 @@ The following diagram shows the EnterpriseDesktopAppManagement CSP in tree forma
![enterprisedesktopappmanagement csp](images/provisioning-csp-enterprisedesktopappmanagement.png)
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
<a href="" id="--vendor-msft-enterprisedesktopappmanagement"></a>**./Device/Vendor/MSFT/EnterpriseDesktopAppManagement**
The root node for the EnterpriseDesktopAppManagement configuration service provider.
<a href="" id="msi"></a>**MSI**
<a href="" id="msi"></a>**MSI**
Node for all settings.
<a href="" id="msi-productid"></a>**MSI/****_ProductID_**
<a href="" id="msi-productid"></a>**MSI/****_ProductID_**
The MSI product code for the application.
<a href="" id="msi-productid-version"></a>**MSI/*ProductID*/Version**
<a href="" id="msi-productid-version"></a>**MSI/*ProductID*/Version**
Version number. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-name"></a>**MSI/*ProductID*/Name**
<a href="" id="msi-productid-name"></a>**MSI/*ProductID*/Name**
Name of the application. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-publisher"></a>**MSI/*ProductID*/Publisher**
<a href="" id="msi-productid-publisher"></a>**MSI/*ProductID*/Publisher**
Publisher of application. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-installpath"></a>**MSI/*ProductID*/InstallPath**
<a href="" id="msi-productid-installpath"></a>**MSI/*ProductID*/InstallPath**
Installation path of the application. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-installdate"></a>**MSI/*ProductID*/InstallDate**
<a href="" id="msi-productid-installdate"></a>**MSI/*ProductID*/InstallDate**
Installation date of the application. Value type is string. Supported operation is Get.
<a href="" id="msi-productid-downloadinstall"></a>**MSI/*ProductID*/DownloadInstall**
<a href="" id="msi-productid-downloadinstall"></a>**MSI/*ProductID*/DownloadInstall**
Executes the download and installation of the application. Value type is string. Supported operations are Execute and Get.
In Windows 10, version 1703 service release, a new tag \<DownloadFromAad\> was added to the \<Enforcement\> section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
In Windows 10, version 1703 service release, a new tag \<DownloadFromAad\> was added to the \<Enforcement\> section of the XML. The default value is 0 (do not send token). This tag is optional and needs to be set to 1 in case the server wants the download URL to get the AADUserToken.
Here is an example:
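Review bot: the `DownloadFromAad` paragraph at the end of this hunk says setting the tag to 1 makes the download URL receive the AADUserToken but gives no guidance on what that implies. Because the tag hands the user's Azure AD token to whatever host `<ContentURL>` points at, the doc should state that it is only appropriate for HTTPS content URLs on hosts the tenant controls or trusts, which is in keeping with this commit's purpose of removing insecure links. The removed and added copies of the paragraph show no visible difference, so this hunk also looks like a whitespace-only edit.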
@ -68,7 +68,7 @@ Here is an example:
</Enforcement>
```
<a href="" id="msi-productid-status"></a>**MSI/*ProductID*/Status**
<a href="" id="msi-productid-status"></a>**MSI/*ProductID*/Status**
Status of the application. Value type is string. Supported operation is Get.
| Status | Value |
@ -86,23 +86,23 @@ Status of the application. Value type is string. Supported operation is Get.
 
<a href="" id="msi-productid-lasterror"></a>**MSI/*ProductID*/LastError**
<a href="" id="msi-productid-lasterror"></a>**MSI/*ProductID*/LastError**
The last error code during the application installation process. This is typically stored as an HRESULT format. Depending on what was occurring when the error happened, this could be the result of executing MSIExec.exe or the error result from an API that failed.
Value type is string. Supported operation is Get.
<a href="" id="msi-productid-lasterrordesc"></a>**MSI/*ProductID*/LastErrorDesc**
<a href="" id="msi-productid-lasterrordesc"></a>**MSI/*ProductID*/LastErrorDesc**
Contains the last error code description. The LastErrorDesc value is looked up for the matching LastError value. Sometimes there is no LastErrorDesc returned.
Value type is string. Supported operation is Get.
<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode**
<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode**
Added in the March service release of Windows 10, version 1607.
<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode/_Guid_**
<a href="" id="msi-upgradecode"></a>**MSI/UpgradeCode/_Guid_**
Added in the March service release of Windows 10, version 1607. A gateway (or device management server) uses this method to detect matching upgrade MSI product when a Admin wants to update an existing MSI app. If the same upgrade product is installed, then the update is allowed.
Value type is string. Supported operation is Get.
Value type is string. Supported operation is Get.
## Examples
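Review bot: **MSI/UpgradeCode** and **MSI/UpgradeCode/_Guid_** in this hunk both use the anchor `id="msi-upgradecode"`, so in-page links can only ever reach the first; the child node needs its own id, for example `msi-upgradecode-guid`. While the lines are being touched, "when a Admin wants to update" should read "when an Admin wants to update".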
@ -226,7 +226,7 @@ The following table describes the fields in the previous sample:
<ContentURL>https://dp2.com/packages/myApp.msi</ContentURL>
</ContentURLList>
</Download>
<Validation>
<Validation>
<FileHash>134D8F1F7C3C036DC3DCDA9F97515C8C7951DB154B73365C9C22962BD23E3EB3</FileHash>
</Validation>
<Enforcement>
@ -532,7 +532,7 @@ Properties can be specified in the package, passed through the command line, mod
Here's a list of references:
- [Using Windows Installer](https://technet.microsoft.com/library/cc782896.aspx)
- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](http://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
- [Authoring a single package for Per-User or Per-Machine Installation context in Windows 7](https://blogs.msdn.com/b/windows_installer_team/archive/2009/09/02/authoring-a-single-package-for-per-user-or-per-machine-installation-context-in-windows-7.aspx)
- SyncML Representation Protocol, Draft Version 1.3 - 27 Aug 2009 (OMA-TS-SyncML\_RepPro-V1\_3-20090827-D)
## Alert example

View File

@ -27,7 +27,7 @@ The following diagram shows the HotSpot configuration service provider managemen
![hotspot csp (cp)](images/provisioning-csp-hotspot-cp.png)
<a href="" id="enabled"></a>**Enabled**
<a href="" id="enabled"></a>**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.
If this is initially set to false, the feature is turned off and the Internet sharing screen is removed from Settings so that the user cannot access it. Configuration changes or connection sharing state changes will not be possible.
@ -36,7 +36,7 @@ When this is set to true, the Internet sharing screen is added to Settings, thou
This setting can be provisioned over the air, but it may require a reboot if Settings was open when this was enabled for the first time.
<a href="" id="dedicatedconnections"></a>**DedicatedConnections**
<a href="" id="dedicatedconnections"></a>**DedicatedConnections**
Optional. Specifies the semicolon separated list of Connection Manager cellular connections that Internet sharing will use as the public connections.
By default, any available connection will be used as a public connection. However, this node allows a mobile operator to specify one or more connection names to use as public connections.
@ -51,7 +51,7 @@ If the specified connections do not exist, Internet sharing will not start becau
If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted.
<a href="" id="tetheringnaiconnection"></a>**TetheringNAIConnection**
<a href="" id="tetheringnaiconnection"></a>**TetheringNAIConnection**
Optional. Specifies the CDMA TetheringNAI Connection Manager cellular connection that Internet sharing will use as a public connection.
If a CDMA mobile operator requires using a Tethering NAI during Internet sharing, they must use the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md) to provision a TetheringNAI connection and then specify the provisioned connection in this node.
@ -66,63 +66,63 @@ If the specified connections do not exist, Internet sharing will not start becau
If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted.
<a href="" id="maxusers"></a>**MaxUsers**
<a href="" id="maxusers"></a>**MaxUsers**
Optional. Specifies the maximum number of simultaneous users that can be connected to a device while in a sharing state. The value must be between 1 and 8 inclusive. The default value is 5.
If the Internet sharing service is already in a sharing state, setting this node will not take effect until sharing is stopped and restarted.
<a href="" id="maxbluetoothusers"></a>**MaxBluetoothUsers**
<a href="" id="maxbluetoothusers"></a>**MaxBluetoothUsers**
Optional. Specifies the maximum number of simultaneous Bluetooth users that can be connected to a device while sharing over Bluetooth. The value must be between 1 and 7 inclusive. The default value is 7.
<a href="" id="mohelpnumber"></a>**MOHelpNumber**
<a href="" id="mohelpnumber"></a>**MOHelpNumber**
Optional. A mobile operatorspecified device number that is displayed to the user when the Internet sharing service fails to start. The user interface displays a message informing the user that they can call the specified number for help.
<a href="" id="moinfolink"></a>**MOInfoLink**
<a href="" id="moinfolink"></a>**MOInfoLink**
Optional. A mobile operatorspecified HTTP link that is displayed to the user when Internet sharing is disabled or the device is not entitled. The user interface displays a message informing the user that they can visit the specified link for more information about how to enable the feature.
<a href="" id="moapplink"></a>**MOAppLink**
<a href="" id="moapplink"></a>**MOAppLink**
Optional. A Windows device application link that points to a preinstalled application, provided by the mobile operator, that will help a user to subscribe to the mobile operators Internet sharing service when Internet sharing is not provisioned or entitlement fails. The general format for the link is `app://MOapp`.
<a href="" id="mohelpmessage"></a>**MOHelpMessage**
<a href="" id="mohelpmessage"></a>**MOHelpMessage**
Optional. Reference to a localized string, provided by the mobile operator, that is displayed when Internet sharing is not enabled due to entitlement failure. The node takes a language-neutral registry value string, which has the following form:
`@<path_to_res_dll>,-<str_id>`
Where `<path_to_res_dll>` is the path to the resource dll that contains the string and `<str_id>` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](http://msdn.microsoft.com/library/windows/desktop/dd374120.aspx) on MSDN.
Where `<path_to_res_dll>` is the path to the resource dll that contains the string and `<str_id>` is the string identifier. For more information on language-neutral string resource registry values, see [Using Registry String Redirection](https://msdn.microsoft.com/library/windows/desktop/dd374120.aspx) on MSDN.
> **Note**  MOAppLink is required to use the MOHelpMessage setting.
 
<a href="" id="entitlementrequired"></a>**EntitlementRequired**
<a href="" id="entitlementrequired"></a>**EntitlementRequired**
Optional. Specifies whether the device requires an entitlement check to determine if Internet sharing should be enabled. This node is set to a Boolean value. The default value is **True**.
By default the Internet sharing service will check entitlement every time an attempt is made to enable Internet sharing. Internet sharing should be set to **False** for carrier-unlocked devices.
<a href="" id="entitlementdll"></a>**EntitlementDll**
<a href="" id="entitlementdll"></a>**EntitlementDll**
Required if `EntitlementRequired` is set to true. The path to the entitlement DLL used to make entitlement checks that verify that the device is entitled to use the Internet sharing service on a mobile operators network. The value is a string that represents a valid file system path to the entitlement DLL. By default, the Internet sharing service fails entitlement checks if this setting is missing or empty. For more information, see [Creating an Entitlement DLL](#creating-entitlement-dll) later in this topic.
<a href="" id="entitlementinterval"></a>**EntitlementInterval**
<a href="" id="entitlementinterval"></a>**EntitlementInterval**
Optional. The time interval, in seconds, between entitlement checks. The default value is 86,400 seconds (24 hours).
If a periodic entitlement check fails, Internet sharing is automatically disabled.
<a href="" id="peerlesstimeout"></a>**PeerlessTimeout**
<a href="" id="peerlesstimeout"></a>**PeerlessTimeout**
Optional. The time-out period, in minutes, after which Internet sharing should automatically turn off if there are no longer any active clients. This node can be set to any value between 1 and 120 inclusive. A value of 0 is not supported. The default value is 5 minutes.
A reboot may be required before changes to this node take effect.
<a href="" id="publicconnectiontimeout"></a>**PublicConnectionTimeout**
<a href="" id="publicconnectiontimeout"></a>**PublicConnectionTimeout**
Optional. The time-out value, in minutes, after which Internet sharing is automatically turned off if a cellular connection is not available. This node can be set to any value between 1 and 60 inclusive. The default value is 20 minutes. A time-out is required, so a value of 0 is not supported.
Changes to this node require a reboot.
<a href="" id="minwifikeylength"></a>**MinWifiKeyLength**
<a href="" id="minwifikeylength"></a>**MinWifiKeyLength**
> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi key is 8.
 
<a href="" id="minwifissidlength"></a>**MinWifiSSIDLength**
<a href="" id="minwifissidlength"></a>**MinWifiSSIDLength**
> **Important**   This parm is no longer supported for Windows Phone 8.1. The enforced minimum allowed length of the Wi-Fi SSID is 1.
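Review bot: under **EntitlementRequired** the sentence "Internet sharing should be set to **False** for carrier-unlocked devices" names the wrong node; it is `EntitlementRequired` that should be set to False there. The same hunk has several extraction-style typos worth fixing in passing: "mobile operatorspecified" under **MOHelpNumber** and **MOInfoLink** has lost its hyphen ("mobile operator-specified"), "the mobile operators Internet sharing service" and "a mobile operators network" have lost their apostrophes, and "This parm is no longer supported" under **MinWifiKeyLength** and **MinWifiSSIDLength** should read "This parameter". The https fix to the Registry String Redirection link itself is correct.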
 

View File

@ -23,7 +23,7 @@ There are two parts to the Windows 10 management component:
- The enrollment client, which enrolls and configures the device to communicate with the enterprise management server.
- The management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
## Learn about device enrollment
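Review bot: the link fix on the changed line is incomplete: the second reference, `[\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347)`, still uses http, which is exactly the insecure-link case this commit is meant to remove. The scanner most likely skipped it because of the stray space after the opening parenthesis; remove the space and change the scheme to https so the link is both fixed and found by future scans.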

View File

@ -72,14 +72,14 @@ The Store for Business services rely on Azure Active Directory for authenticatio
To learn more about Azure AD and how to register your application within Azure AD, here are some topics to get you started:
- Adding an application to Azure Active Directory - [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623021)
- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623023)
- Accessing other Web applications and configuring your application to access other APIs - [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021)
- Authenticating to the Store for Business services via Azure AD - [Authentication Scenarios for Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623023)
For code samples, see [Microsoft Azure Active Directory Samples and Documentation](http://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are very similar to [Daemon-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=623026).
For code samples, see [Microsoft Azure Active Directory Samples and Documentation](https://go.microsoft.com/fwlink/p/?LinkId=623024) in GitHub. Patterns are very similar to [Daemon-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623025) and [ConsoleApp-GraphAPI-DotNet](https://go.microsoft.com/fwlink/p/?LinkId=623026).
## Configure your Azure AD application
Here are the steps to configure your Azure AD app. For additional information, see [Integrating Applications with Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623021):
Here are the steps to configure your Azure AD app. For additional information, see [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021):
1. Log into Microsoft Azure Management Portal (https:manage.windowsazure.com)
2. Go to the Active Directory module.
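Review bot: step 1 of the procedure, "Log into Microsoft Azure Management Portal (https:manage.windowsazure.com)", has a malformed URL missing the `//` after the scheme; it should read `https://manage.windowsazure.com`. The https changes to the three fwlink references in this hunk are correct as written.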
@ -104,7 +104,7 @@ Here are the steps to configure your Azure AD app. For additional information, s
![business store management tool](images/businessstoreportalservices12.png)
9. Specify whether your app is multi-tenant or single tenant. For more information, see [Integrating Applications with Azure Active Directory](http://go.microsoft.com/fwlink/p/?LinkId=623021).
9. Specify whether your app is multi-tenant or single tenant. For more information, see [Integrating Applications with Azure Active Directory](https://go.microsoft.com/fwlink/p/?LinkId=623021).
![business store management tool](images/businessstoreportalservices13.png)

View File

@ -32,20 +32,20 @@ The enrollment process includes the following steps:
## Enrollment protocol
There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
The enrollment process involves the following steps:
**Discovery request**
**Discovery request**
The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type.
**Certificate enrollment policy**
The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619345)
**Certificate enrollment policy**
The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619345)
**Certificate enrollment**
**Certificate enrollment**
The certificate enrollment is an implementation of the MS-WSTEP protocol.
**Management configuration**
**Management configuration**
The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application.
The following topics describe the end-to-end enrollment process using various authentication methods:
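Review bot: the changed line in this hunk only fixes the first of its two links; `( http://go.microsoft.com/fwlink/p/?LinkId=619347)` for MS-MDE2 keeps the http scheme and a leading space inside the parentheses. Drop the space and switch to https, otherwise this page still fails the insecure-link scan the commit is meant to satisfy. Also, "Certificate enrollment policy" paragraph ends without a full stop after the MS-XCEP link.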

View File

@ -18,7 +18,7 @@ ms.date: 08/14/2018
This topic provides information about what's new and breaking changes in Windows 10 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](http://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
For details about Microsoft mobile device management protocols for Windows 10 see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
## In this section
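Review bot: the second link on the changed line is still insecure: `[\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347)` keeps `http://` (and a stray leading space inside the parentheses), so this line does not meet the PR's own goal for `go.microsoft.com`. Suggest `https://go.microsoft.com/fwlink/p/?LinkId=619347` with the space removed, and re-running the scan that produced the fix list: a pattern that only rewrites the first URL on a line, or that skips URLs preceded by whitespace, will have missed other lines the same way.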
@ -108,7 +108,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Custom header for generic alert</p></td>
<td style="vertical-align:top"><p>The MDM-GenericAlert is a new custom header that hosts one or more alert information provided in the http messages sent by the device to the server during an OMA DM session. The generic alert is sent if the session is triggered by the device due to one or more critical or fatal alerts. Here is alert format:</p>
<code>MDM-GenericAlert: &lt;AlertType1&gt;&lt;AlertType2&gt;</code>
<p>If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).</p></td>
<p>If present, the MDM-GenericAlert is presented in every the outgoing MDM message in the same OMA DM session. For more information about generic alerts, see section 8.7 in the OMA Device Management Protocol, Approved Version 1.2.1 in this [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Alert message for slow client response</p></td>
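Review bot: the link change is fine, but the same edited line carries a pre-existing grammar slip, "presented in every the outgoing MDM message"; since the line is already in the diff, dropping "the" costs nothing. The preceding context line's "Here is alert format" would also read better as "Here is the alert format", though that line is untouched here.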
@ -846,7 +846,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)</td>
<td style="vertical-align:top">[Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)</td>
<td style="vertical-align:top"><p>Added a zip file containing the DDF XML files of the CSPs. The link to the download is available in the DDF topics of various CSPs.</p>
</td></tr>
<tr class="odd">
@ -1025,7 +1025,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Authentication/AllowAadPasswordReset</li>
<li>Authentication/AllowFidoDeviceSignon</li>
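Review bot: the replaced line `<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>` is identical before and after, so this is a whitespace-only or line-ending change with no relation to link hardening; the same pattern recurs in the larger policy-list hunks that follow (twenty or more identical lines swapped at a time). Consider reverting these lines or normalizing line endings in a separate commit, so the 248-file diff contains only the URL scheme changes the PR is for and reviewers can verify it by reading.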
@ -1047,26 +1047,26 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
<li>Power/DisplayOffTimeoutOnBattery</li>
<li>Power/DisplayOffTimeoutPluggedIn</li>
<li>Power/HibernateTimeoutOnBattery</li>
@ -1169,34 +1169,34 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>KioskBrowser/EnableNavigationButtons</li>
<li>KioskBrowser/RestartOnIdleTime</li>
<li>LanmanWorkstation/EnableInsecureGuestLogons</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DigitallyEncryptSecureChannelDataWhenPossible</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
<li>LocalPoliciesSecurityOptions/DomainMember_DisableMachineAccountPasswordChanges</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AddRemoteServerExceptionsForNTLMAuthentication</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_AuditIncomingNTLMTraffic</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_IncomingNTLMTraffic</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</li>
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_RestrictNTLM_OutgoingNTLMTrafficToRemoteServers</li>
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
<li>Notifications/DisallowCloudNotification</li>
<li>Notifications/DisallowCloudNotification</li>
<li>RestrictedGroups/ConfigureGroupMembership</li>
<li>Search/AllowCortanaInAAD</li>
<li>Search/DoNotUseWebResults</li>
@ -1222,38 +1222,38 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Update/ConfigureFeatureUpdateUninstallPeriod</li>
<li>UserRights/AccessCredentialManagerAsTrustedCaller</li>
<li>UserRights/AccessFromNetwork</li>
<li>UserRights/ActAsPartOfTheOperatingSystem</li>
<li>UserRights/AllowLocalLogOn</li>
<li>UserRights/BackupFilesAndDirectories</li>
<li>UserRights/ChangeSystemTime</li>
<li>UserRights/CreateGlobalObjects</li>
<li>UserRights/CreatePageFile</li>
<li>UserRights/CreatePermanentSharedObjects</li>
<li>UserRights/CreateSymbolicLinks</li>
<li>UserRights/CreateToken</li>
<li>UserRights/DebugPrograms</li>
<li>UserRights/DenyAccessFromNetwork</li>
<li>UserRights/DenyLocalLogOn</li>
<li>UserRights/DenyRemoteDesktopServicesLogOn</li>
<li>UserRights/EnableDelegation</li>
<li>UserRights/GenerateSecurityAudits</li>
<li>UserRights/ImpersonateClient</li>
<li>UserRights/IncreaseSchedulingPriority</li>
<li>UserRights/LoadUnloadDeviceDrivers</li>
<li>UserRights/LockMemory</li>
<li>UserRights/ManageAuditingAndSecurityLog</li>
<li>UserRights/ManageVolume</li>
<li>UserRights/ModifyFirmwareEnvironment</li>
<li>UserRights/ModifyObjectLabel</li>
<li>UserRights/ProfileSingleProcess</li>
<li>UserRights/RemoteShutdown</li>
<li>UserRights/RestoreFilesAndDirectories</li>
<li>UserRights/ActAsPartOfTheOperatingSystem</li>
<li>UserRights/AllowLocalLogOn</li>
<li>UserRights/BackupFilesAndDirectories</li>
<li>UserRights/ChangeSystemTime</li>
<li>UserRights/CreateGlobalObjects</li>
<li>UserRights/CreatePageFile</li>
<li>UserRights/CreatePermanentSharedObjects</li>
<li>UserRights/CreateSymbolicLinks</li>
<li>UserRights/CreateToken</li>
<li>UserRights/DebugPrograms</li>
<li>UserRights/DenyAccessFromNetwork</li>
<li>UserRights/DenyLocalLogOn</li>
<li>UserRights/DenyRemoteDesktopServicesLogOn</li>
<li>UserRights/EnableDelegation</li>
<li>UserRights/GenerateSecurityAudits</li>
<li>UserRights/ImpersonateClient</li>
<li>UserRights/IncreaseSchedulingPriority</li>
<li>UserRights/LoadUnloadDeviceDrivers</li>
<li>UserRights/LockMemory</li>
<li>UserRights/ManageAuditingAndSecurityLog</li>
<li>UserRights/ManageVolume</li>
<li>UserRights/ModifyFirmwareEnvironment</li>
<li>UserRights/ModifyObjectLabel</li>
<li>UserRights/ProfileSingleProcess</li>
<li>UserRights/RemoteShutdown</li>
<li>UserRights/RestoreFilesAndDirectories</li>
<li>UserRights/TakeOwnership</li>
<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI</li>
<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI</li>
<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery</li>
<li>WindowsDefenderSecurityCenter/HideSecureBoot</li>
<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting</li>
<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting</li>
</ul>
<p>Security/RequireDeviceEncrption - updated to show it is supported in desktop.</p>
</tr>
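Review bot: two pre-existing problems sit in this hunk's trailing context and are worth fixing while the file is open: `Security/RequireDeviceEncrption` misspells the policy name (the Policy CSP node is `Security/RequireDeviceEncryption`), and the `<p>` line is followed directly by `</tr>` with no closing `</td>`, unlike the other rows in this table, which close with `</td></tr>`. Neither affects the link fix, but both are one-line corrections.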
@ -1349,7 +1349,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[MDM Migration Analysis Too (MMAT)](http://aka.ms/mmat)</td>
<td style="vertical-align:top">[MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat)</td>
<td style="vertical-align:top"><p>Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.</p>
</td></tr>
<tr>
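Review bot: the edited line keeps the typo in the link text, `[MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat)`; since the whole line is already being rewritten, correct it to `MDM Migration Analysis Tool (MMAT)` in the same change rather than leaving a known typo in a line this PR touches. The same row appears again in the second file's hunk further down.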
@ -1389,7 +1389,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Browser/AllowSideloadingOfExtensions</li>
<li>Browser/AllowTabPreloading</li>
<li>Browser/AllowWebContentOnNewTabPage</li>
<li>Browser/ConfigureFavoritesBar</li>
<li>Browser/ConfigureFavoritesBar</li>
<li>Browser/ConfigureHomeButton</li>
<li>Browser/ConfigureKioskMode</li>
<li>Browser/ConfigureKioskResetAfterIdleTimeout</li>
@ -1613,15 +1613,15 @@ The following XML sample explains the properties for the EAP TLS XML including c
<VendorType xmlns="http://www.microsoft.com/provisioning/EapCommon">0</VendorType>
<AuthorId xmlns="http://www.microsoft.com/provisioning/EapCommon">0</AuthorId>
<!--The 3 properties above define the method publishers, this is seen primarily in 3rd party Vendor methods.-->
<!-- For Microsoft EAP TLS the value of the above fields will always be 0 -->
<!-- For Microsoft EAP TLS the value of the above fields will always be 0 -->
</EapMethod>
<!-- Now that the EAP Method is Defined we will go into the Configuration -->
<!-- Now that the EAP Method is Defined we will go into the Configuration -->
<Config xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
<Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
<Type>13</Type>
<EapType xmlns="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1">
<CredentialsSource>
<!-- Credential Source can be either CertificateStore or SmartCard -->
<!-- Credential Source can be either CertificateStore or SmartCard -->
<CertificateStore>
<SimpleCertSelection>true</SimpleCertSelection>
<!--SimpleCertSelection automatically selects a cert if there are mutiple identical (Same UPN, Issuer, etc.) certs.-->
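Review bot: the `xmlns` values in this sample (`http://www.microsoft.com/provisioning/EapCommon`, `.../EapHostConfig`, `.../BaseEapConnectionPropertiesV1`, `.../EapTlsConnectionPropertiesV1`) are correctly left at `http://`: XML namespace URIs are opaque identifiers that the EAP host matches byte-for-byte, not links to fetch, and rewriting them to `https://` would produce a profile that no longer parses. Worth adding an exclusion for `xmlns=` attributes to the scanner that generated this PR so they are not flagged in later passes. The three comment lines replaced here are textually identical (whitespace churn), and `mutiple` in the trailing comment is a pre-existing typo.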
@ -1644,7 +1644,7 @@ The following XML sample explains the properties for the EAP TLS XML including c
<IssuerHash>ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
<!-- Issuing certs thumbprint goes here-->
</IssuerHash>
<!-- You can add multiple entries and it will find the list of certs that have at least one of these certs in its chain-->
<!-- You can add multiple entries and it will find the list of certs that have at least one of these certs in its chain-->
</CAHashList>
<EKUMapping>
<!-- This section defines Custom EKUs that you may be adding-->
@ -1652,15 +1652,15 @@ The following XML sample explains the properties for the EAP TLS XML including c
<!-- You can have multiple EKUs defined here and then referenced below as shown -->
<EKUMap>
<EKUName>
<!--Add a friendly Name for an EKU here for example -->ContostoITEKU</EKUName>
<!--Add a friendly Name for an EKU here for example -->ContostoITEKU</EKUName>
<EKUOID>
<!--Add the OID Value your CA adds to the certificate here, for example -->1.3.6.1.4.1.311.42.1.15</EKUOID>
<!--Add the OID Value your CA adds to the certificate here, for example -->1.3.6.1.4.1.311.42.1.15</EKUOID>
</EKUMap>
<!-- All the EKU Names referenced in the example below must first be defined here
<EKUMap>
<EKUName>Example1</EKUName>
<EKUOID>2.23.133.8.3</EKUOID>
</EKUMap>
<EKUMap>
<EKUName>Example2</EKUName>
@ -1673,7 +1673,7 @@ The following XML sample explains the properties for the EAP TLS XML including c
<EKUMapInList>
<!-- This section implies that the certificate should have the following custom EKUs in addition to the Client Authentication EKU -->
<EKUName>
<!--Use the name from the EKUMap Field above-->ContostoITEKU</EKUName>
<!--Use the name from the EKUMap Field above-->ContostoITEKU</EKUName>
</EKUMapInList>
<!-- You can have multiple Custom EKUs mapped here, Each additional EKU will be processed with an AND operand -->
<!-- For example, Client Auth EKU AND ContosoITEKU AND Example1 etc. -->
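Review bot: the EKUName in the replaced line, `ContostoITEKU`, must match the name declared in the `EKUMap` earlier in the sample, and it does (also `ContostoITEKU`), but both differ from the comment two lines below, which spells it `ContosoITEKU`, as does the summary comment at the end of `FilteringInfo`. Because EKU references are matched by exact name, a reader who copies the comment's spelling gets a profile whose `EKUMapInList` entry resolves to nothing. Pick one spelling; `ContosoITEKU` follows the usual Contoso sample convention and matches the comments.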
@ -1682,16 +1682,16 @@ The following XML sample explains the properties for the EAP TLS XML including c
</EKUMapInList>
</ClientAuthEKUList>
<AllPurposeEnabled>true</AllPurposeEnabled>
<!-- Implies that a certificate with the EKU field = 0 will be selected -->
<!-- Implies that a certificate with the EKU field = 0 will be selected -->
<AnyPurposeEKUList Enabled="true"/>
<!-- Implies that a certificate with the EKU oid Value of 1.3.6.1.4.1.311.10.12.1 will be selected -->
<!-- Implies that a certificate with the EKU oid Value of 1.3.6.1.4.1.311.10.12.1 will be selected -->
<!-- Like for Client Auth you can also add Custom EKU properties with AnyPurposeEKUList (but not with AllPurposeEnabled) -->
<!-- So here is what the above policy implies.
<!-- So here is what the above policy implies.
The certificate selected will have
Issuer Thumbprint = ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
AND
((Client Authentication EKU AND ContosoITEKU) OR (AnyPurposeEKU) OR AllPurpose Certificate)
Any certificate(s) that match these criteria will be utilised for authentication
-->
</FilteringInfo>
@ -1798,7 +1798,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Browser/AllowSideloadingOfExtensions</li>
<li>Browser/AllowTabPreloading</li>
<li>Browser/AllowWebContentOnNewTabPage</li>
<li>Browser/ConfigureFavoritesBar</li>
<li>Browser/ConfigureFavoritesBar</li>
<li>Browser/ConfigureHomeButton</li>
<li>Browser/ConfigureKioskMode</li>
<li>Browser/ConfigureKioskResetAfterIdleTimeout</li>
@ -1990,8 +1990,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top">[Policy DDF file](policy-ddf-file.md)</td>
<td style="vertical-align:top"><p>Updated the DDF files in the Windows 10 version 1703 and 1709.</p>
<ul>
<li>[Download the Policy DDF file for Windows 10, version 1709](http://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)</li>
<li>[Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)</li>
<li>[Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)</li>
<li>[Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)</li>
</ul>
</td></tr>
</tbody>
@ -2031,7 +2031,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
</td></tr>
<tr>
<td style="vertical-align:top">[MDM Migration Analysis Too (MMAT)](http://aka.ms/mmat)</td>
<td style="vertical-align:top">[MDM Migration Analysis Too (MMAT)](https://aka.ms/mmat)</td>
<td style="vertical-align:top"><p>Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.</p>
</td></tr>
<tr>
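Review bot: same typo as in the other file's copy of this row: the edited link text reads `MDM Migration Analysis Too (MMAT)` and should be `MDM Migration Analysis Tool (MMAT)`; fix it here too so the two pages stay in sync.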
@ -2237,26 +2237,26 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>KioskBrowser/EnableHomeButton</li>
<li>KioskBrowser/EnableNavigationButtons</li>
<li>KioskBrowser/RestartOnIdleTime</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowUndockWithoutHavingToLogon</li>
<li>LocalPoliciesSecurityOptions/Devices_AllowedToFormatAndEjectRemovableMedia</li>
<li>LocalPoliciesSecurityOptions/Devices_PreventUsersFromInstallingPrinterDriversWhenConnectingToSharedPrinters</li>
<li>LocalPoliciesSecurityOptions/Devices_RestrictCDROMAccessToLocallyLoggedOnUserOnly</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li>
<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares</li>
<li>LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers</li>
<li>LocalPoliciesSecurityOptions/Shutdown_ClearVirtualMemoryPageFile</li>
<li>LocalPoliciesSecurityOptions/SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode</li>
<li>RestrictedGroups/ConfigureGroupMembership</li>
<li>Search/AllowCortanaInAAD</li>
<li>Search/DoNotUseWebResults</li>
@ -2273,38 +2273,38 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>Update/ConfigureFeatureUpdateUninstallPeriod</li>
<li>UserRights/AccessCredentialManagerAsTrustedCaller</li>
<li>UserRights/AccessFromNetwork</li>
<li>UserRights/ActAsPartOfTheOperatingSystem</li>
<li>UserRights/AllowLocalLogOn</li>
<li>UserRights/BackupFilesAndDirectories</li>
<li>UserRights/ChangeSystemTime</li>
<li>UserRights/CreateGlobalObjects</li>
<li>UserRights/CreatePageFile</li>
<li>UserRights/CreatePermanentSharedObjects</li>
<li>UserRights/CreateSymbolicLinks</li>
<li>UserRights/CreateToken</li>
<li>UserRights/DebugPrograms</li>
<li>UserRights/DenyAccessFromNetwork</li>
<li>UserRights/DenyLocalLogOn</li>
<li>UserRights/DenyRemoteDesktopServicesLogOn</li>
<li>UserRights/EnableDelegation</li>
<li>UserRights/GenerateSecurityAudits</li>
<li>UserRights/ImpersonateClient</li>
<li>UserRights/IncreaseSchedulingPriority</li>
<li>UserRights/LoadUnloadDeviceDrivers</li>
<li>UserRights/LockMemory</li>
<li>UserRights/ManageAuditingAndSecurityLog</li>
<li>UserRights/ManageVolume</li>
<li>UserRights/ModifyFirmwareEnvironment</li>
<li>UserRights/ModifyObjectLabel</li>
<li>UserRights/ProfileSingleProcess</li>
<li>UserRights/RemoteShutdown</li>
<li>UserRights/RestoreFilesAndDirectories</li>
<li>UserRights/ActAsPartOfTheOperatingSystem</li>
<li>UserRights/AllowLocalLogOn</li>
<li>UserRights/BackupFilesAndDirectories</li>
<li>UserRights/ChangeSystemTime</li>
<li>UserRights/CreateGlobalObjects</li>
<li>UserRights/CreatePageFile</li>
<li>UserRights/CreatePermanentSharedObjects</li>
<li>UserRights/CreateSymbolicLinks</li>
<li>UserRights/CreateToken</li>
<li>UserRights/DebugPrograms</li>
<li>UserRights/DenyAccessFromNetwork</li>
<li>UserRights/DenyLocalLogOn</li>
<li>UserRights/DenyRemoteDesktopServicesLogOn</li>
<li>UserRights/EnableDelegation</li>
<li>UserRights/GenerateSecurityAudits</li>
<li>UserRights/ImpersonateClient</li>
<li>UserRights/IncreaseSchedulingPriority</li>
<li>UserRights/LoadUnloadDeviceDrivers</li>
<li>UserRights/LockMemory</li>
<li>UserRights/ManageAuditingAndSecurityLog</li>
<li>UserRights/ManageVolume</li>
<li>UserRights/ModifyFirmwareEnvironment</li>
<li>UserRights/ModifyObjectLabel</li>
<li>UserRights/ProfileSingleProcess</li>
<li>UserRights/RemoteShutdown</li>
<li>UserRights/RestoreFilesAndDirectories</li>
<li>UserRights/TakeOwnership</li>
<li>WindowsDefenderSecurityCenter/DisableAccountProtectionUI</li>
<li>WindowsDefenderSecurityCenter/DisableDeviceSecurityUI</li>
<li>WindowsDefenderSecurityCenter/HideRansomwareDataRecovery</li>
<li>WindowsDefenderSecurityCenter/HideSecureBoot</li>
<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting</li>
<li>WindowsDefenderSecurityCenter/HideTPMTroubleshooting</li>
</ul>
<p>Added the following policies the were added in Windows 10, version 1709</p>
<ul>
@ -2598,7 +2598,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy DDF file](policy-ddf-file.md)</td>
<td style="vertical-align:top">Added another Policy DDF file [download](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
<td style="vertical-align:top">Added another Policy DDF file [download](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
<ul>
<li>Browser/AllowMicrosoftCompatibilityList</li>
<li>Update/DisableDualScan</li>
@ -2617,25 +2617,25 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus</li>
<li>LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameAdministratorAccount</li>
<li>LocalPoliciesSecurityOptions/Accounts_RenameGuestAccount</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_DisplayUserInformationWhenTheSessionIsLocked</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayLastSignedIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotDisplayUsernameAtSignIn</li>
<li>LocalPoliciesSecurityOptions/Interactivelogon_DoNotRequireCTRLALTDEL</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTextForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/InteractiveLogon_MessageTitleForUsersAttemptingToLogOn</li>
<li>LocalPoliciesSecurityOptions/NetworkSecurity_AllowPKU2UAuthenticationRequests</li>
<li>LocalPoliciesSecurityOptions/RecoveryConsole_AllowAutomaticAdministrativeLogon</li>
<li>LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateExecutableFilesThatAreSignedAndValidated</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
<li>Privacy/EnableActivityFeed</li>
<li>Privacy/PublishUserActivities</li>
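Review bot: every line of this LocalPoliciesSecurityOptions list reads identically on the removed and added side, so the change here is whitespace or line-ending only and is unrelated to the insecure-link fix this PR describes. Churn like this across a 248-file diff makes the actual http-to-https edits hard to review; it would be better split into a separate formatting-only commit, or the editor's trailing-whitespace/EOL normalization disabled for this change.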
@ -2664,10 +2664,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
## FAQ
<a href="" id="can-there-be-more-than-1-mdm-server-to-enroll-and-manage-devices-in--"></a>**Can there be more than 1 MDM server to enroll and manage devices in Windows 10?**
<a href="" id="can-there-be-more-than-1-mdm-server-to-enroll-and-manage-devices-in--"></a>**Can there be more than 1 MDM server to enroll and manage devices in Windows 10?**
No. Only one MDM is allowed.
<a href="" id="how-do-i-set-the-maximum-number-of-azure-active-directory-joined-devices-per-user-"></a>**How do I set the maximum number of Azure Active Directory joined devices per user?**
<a href="" id="how-do-i-set-the-maximum-number-of-azure-active-directory-joined-devices-per-user-"></a>**How do I set the maximum number of Azure Active Directory joined devices per user?**
1. Login to the portal as tenant admin: https://manage.windowsazure.com.
2. Click Active Directory on the left pane.
3. Choose your tenant.
@ -2677,10 +2677,10 @@ No. Only one MDM is allowed.
![aad maximum joined devices](images/faq-max-devices.png)
 
<a href="" id="dwmapppushsvc "></a>**What is dmwappushsvc?**
<a href="" id="dwmapppushsvc "></a>**What is dmwappushsvc?**
Entry | Description
--------------- | --------------------
Entry | Description
--------------- | --------------------
What is dmwappushsvc? | It is a Windows service that ships in Windows 10 operating system as a part of the windows management platform. It is used internally by the operating system as a queue for categorizing and processing all WAP messages, which include Windows management messages, MMS, NabSync, and Service Indication/Service Loading (SI/SL). The service also initiates and orchestrates management sync sessions with the MDM server. |
What data is handled by dmwappushsvc? | It is a component handling the internal workings of the management platform and involved in processing messages that have been received by the device remotely for management. The messages in the queue are serviced by another component that is also part of the Windows management stack to process messages. The service also routes and authenticates WAP messages received by the device to internal OS components that process them further: MMS, NabSync, SI/SL. |
How do I turn if off? | The service can be stopped from the "Services" console on the device (Start > Run > services.msc). However, since this is a component part of the OS and required for the proper functioning of the device, we strongly recommend not to do this. |
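Review bot: the anchor on the heading line, `id="dwmapppushsvc "`, carries a trailing space and transposes the service name, while the heading and table consistently say dmwappushsvc; since this line is already being rewritten, change it to `id="dmwappushsvc"` so fragment links to this FAQ entry resolve. While here, the last table row's question "How do I turn if off?" should read "How do I turn it off?".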

View File

@ -13,7 +13,7 @@ ms.date: 06/26/2017
# OMA DM protocol support
The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).
The OMA DM client communicates with the server over HTTPS and uses DM Sync (OMA DM v1.2) as the message payload. This topic describes the OMA DM functionality that the DM client supports in general. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).
## In this topic
@ -62,7 +62,7 @@ The following table shows the OMA DM standards that Windows uses.
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>DM protocol commands</p></td>
<td style="vertical-align:top"><p>The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see &quot;SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)&quot; available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).</p>
<td style="vertical-align:top"><p>The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see &quot;SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)&quot; available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).</p>
<ul>
<li><p>Add (Implicit Add supported)</p></li>
<li><p>Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.</p></li>
@ -121,7 +121,7 @@ The following table shows the OMA DM standards that Windows uses.
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Provisioning Files</p></td>
<td style="vertical-align:top"><p>Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526905) specification.</p>
<td style="vertical-align:top"><p>Provisioning XML must be well formed and follow the definition in [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.</p>
<p>If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.</p>
<div class="alert">
<strong>Note</strong>  
@ -133,7 +133,7 @@ The following table shows the OMA DM standards that Windows uses.
</tr>
<tr class="even">
<td style="vertical-align:top"><p>WBXML support</p></td>
<td style="vertical-align:top"><p>Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526905) specification.</p></td>
<td style="vertical-align:top"><p>Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Handling of large objects</p></td>
@ -146,7 +146,7 @@ The following table shows the OMA DM standards that Windows uses.
<a href="" id="protocol-common-elements"></a>
## OMA DM protocol common elements
Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1\_1\_2-20030613-A) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements used to configure the devices. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1\_1\_2-20030613-A) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
<table>
<colgroup>
@ -303,13 +303,13 @@ The following table shows the sequence of events during a typical DM session.
 
The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (OMA-TS-DM\_RepPro-V1\_2-20070209-A) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message, and increasing by an increment of 1 for each additional message. For more information about MsgID and OMA SyncML protocol, see "OMA Device Management Representation Protocol" (OMA-TS-DM\_RepPro-V1\_2-20070209-A) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
During OMA DM application level mutual authentication, if the device response code to Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of the MD5 authentication, the Chal element can be returned. Then the next nonce in Chal must be used for the MD5 digest when the next DM session is started.
If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the Chal element is included and the MD5 authentication is required, a new digest is created by using the next nonce via the Chal element for next request.
For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), authentication response code handling and step-by-step samples in OMA Device Management Protocol specification (OMA-TS-DM\_Protocol-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
## User targeted vs. Device targeted configuration
@ -348,7 +348,7 @@ The following LocURL shows a per device CSP node configuration: **./device/vendo
<a href="" id="syncml-response-codes"></a>
## SyncML response status codes
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](http://go.microsoft.com/fwlink/p/?LinkId=526905) specification.
When using SyncML in OMA DM, there are standard response status codes that are returned. The following table lists the common SyncML response status codes you are likely to see. For more information about SyncML response status codes, see section 10 of the [SyncML Representation Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526905) specification.
| Status code | Description |
|-------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|

View File

@ -18,7 +18,7 @@ ms.date: 07/30/2018
<hr/>
<!--Policies-->
## Experience policies
## Experience policies
<dl>
<dd>
@ -102,7 +102,7 @@ ms.date: 07/30/2018
<hr/>
<!--Policy-->
<a href="" id="experience-allowclipboardhistory"></a>**Experience/AllowClipboardHistory**
<a href="" id="experience-allowclipboardhistory"></a>**Experience/AllowClipboardHistory**
<!--SupportedSKUs-->
<table>
@ -139,13 +139,13 @@ ms.date: 07/30/2018
<!--Description-->
Allows history of clipboard items to be stored in memory.
Value type is integer. Supported values:
Value type is integer. Supported values:
- 0 - Not allowed
- 1 - Allowed (default)
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Allow Clipboard History*
- GP name: *AllowClipboardHistory*
- GP path: *System/OS Policies*
@ -159,7 +159,7 @@ ADMX Info:
<!--/Example-->
<!--Validation-->
**Validation procedure**
**Validation procedure**
1. Configure Experiences/AllowClipboardHistory to 0.
1. Open Notepad (or any editor app), select a text, and copy it to the clipboard.
@ -173,7 +173,7 @@ ADMX Info:
<hr/>
<!--Policy-->
<a href="" id="experience-allowcopypaste"></a>**Experience/AllowCopyPaste**
<a href="" id="experience-allowcopypaste"></a>**Experience/AllowCopyPaste**
<!--SupportedSKUs-->
<table>
@ -228,7 +228,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowcortana"></a>**Experience/AllowCortana**
<a href="" id="experience-allowcortana"></a>**Experience/AllowCortana**
<!--SupportedSKUs-->
<table>
@ -269,7 +269,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Allow Cortana*
- GP name: *AllowCortana*
- GP path: *Windows Components/Search*
@ -288,7 +288,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowdevicediscovery"></a>**Experience/AllowDeviceDiscovery**
<a href="" id="experience-allowdevicediscovery"></a>**Experience/AllowDeviceDiscovery**
<!--SupportedSKUs-->
<table>
@ -342,7 +342,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowfindmydevice"></a>**Experience/AllowFindMyDevice**
<a href="" id="experience-allowfindmydevice"></a>**Experience/AllowFindMyDevice**
<!--SupportedSKUs-->
<table>
@ -385,7 +385,7 @@ When Find My Device is off, the device and its location are not registered and t
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Turn On/Off Find My Device*
- GP name: *FindMy_AllowFindMyDeviceConfig*
- GP path: *Windows Components/Find My Device*
@ -404,7 +404,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowmanualmdmunenrollment"></a>**Experience/AllowManualMDMUnenrollment**
<a href="" id="experience-allowmanualmdmunenrollment"></a>**Experience/AllowManualMDMUnenrollment**
<!--SupportedSKUs-->
<table>
@ -460,7 +460,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowsimerrordialogpromptwhennosim"></a>**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
<a href="" id="experience-allowsimerrordialogpromptwhennosim"></a>**Experience/AllowSIMErrorDialogPromptWhenNoSIM**
<!--SupportedSKUs-->
<table>
@ -514,7 +514,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowsaveasofofficefiles"></a>**Experience/AllowSaveAsOfOfficeFiles**
<a href="" id="experience-allowsaveasofofficefiles"></a>**Experience/AllowSaveAsOfOfficeFiles**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
@ -534,7 +534,7 @@ This policy is deprecated.
<hr/>
<!--Policy-->
<a href="" id="experience-allowscreencapture"></a>**Experience/AllowScreenCapture**
<a href="" id="experience-allowscreencapture"></a>**Experience/AllowScreenCapture**
<!--SupportedSKUs-->
<table>
@ -590,7 +590,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowsharingofofficefiles"></a>**Experience/AllowSharingOfOfficeFiles**
<a href="" id="experience-allowsharingofofficefiles"></a>**Experience/AllowSharingOfOfficeFiles**
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
@ -610,7 +610,7 @@ This policy is deprecated.
<hr/>
<!--Policy-->
<a href="" id="experience-allowsyncmysettings"></a>**Experience/AllowSyncMySettings**
<a href="" id="experience-allowsyncmysettings"></a>**Experience/AllowSyncMySettings**
<!--SupportedSKUs-->
<table>
@ -645,7 +645,7 @@ This policy is deprecated.
<!--/Scope-->
<!--Description-->
Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](http://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
Allows or disallows all Windows sync settings on the device. For information about what settings are sync'ed, see [About sync setting on Windows 10 devices](https://windows.microsoft.com/windows-10/about-sync-settings-on-windows-10-devices).
<!--/Description-->
<!--SupportedValues-->
@ -660,7 +660,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowtailoredexperienceswithdiagnosticdata"></a>**Experience/AllowTailoredExperiencesWithDiagnosticData**
<a href="" id="experience-allowtailoredexperienceswithdiagnosticdata"></a>**Experience/AllowTailoredExperiencesWithDiagnosticData**
<!--SupportedSKUs-->
<table>
@ -708,7 +708,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Do not use diagnostic data for tailored experiences*
- GP name: *DisableTailoredExperiencesWithDiagnosticData*
- GP path: *Windows Components/Cloud Content*
@ -727,7 +727,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowtaskswitcher"></a>**Experience/AllowTaskSwitcher**
<a href="" id="experience-allowtaskswitcher"></a>**Experience/AllowTaskSwitcher**
<!--SupportedSKUs-->
<table>
@ -781,7 +781,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowthirdpartysuggestionsinwindowsspotlight"></a>**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
<a href="" id="experience-allowthirdpartysuggestionsinwindowsspotlight"></a>**Experience/AllowThirdPartySuggestionsInWindowsSpotlight**
<!--SupportedSKUs-->
<table>
@ -824,7 +824,7 @@ Specifies whether to allow app and content suggestions from third-party software
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Do not suggest third-party content in Windows spotlight*
- GP name: *DisableThirdPartySuggestions*
- GP path: *Windows Components/Cloud Content*
@ -843,7 +843,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowvoicerecording"></a>**Experience/AllowVoiceRecording**
<a href="" id="experience-allowvoicerecording"></a>**Experience/AllowVoiceRecording**
<!--SupportedSKUs-->
<table>
@ -899,7 +899,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowwindowsconsumerfeatures"></a>**Experience/AllowWindowsConsumerFeatures**
<a href="" id="experience-allowwindowsconsumerfeatures"></a>**Experience/AllowWindowsConsumerFeatures**
<!--SupportedSKUs-->
<table>
@ -944,7 +944,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Turn off Microsoft consumer experiences*
- GP name: *DisableWindowsConsumerFeatures*
- GP path: *Windows Components/Cloud Content*
@ -963,7 +963,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowwindowsspotlight"></a>**Experience/AllowWindowsSpotlight**
<a href="" id="experience-allowwindowsspotlight"></a>**Experience/AllowWindowsSpotlight**
<!--SupportedSKUs-->
<table>
@ -1008,7 +1008,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Turn off all Windows spotlight features*
- GP name: *DisableWindowsSpotlightFeatures*
- GP path: *Windows Components/Cloud Content*
@ -1027,7 +1027,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowwindowsspotlightonactioncenter"></a>**Experience/AllowWindowsSpotlightOnActionCenter**
<a href="" id="experience-allowwindowsspotlightonactioncenter"></a>**Experience/AllowWindowsSpotlightOnActionCenter**
<!--SupportedSKUs-->
<table>
@ -1071,7 +1071,7 @@ Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Turn off Windows Spotlight on Action Center*
- GP name: *DisableWindowsSpotlightOnActionCenter*
- GP path: *Windows Components/Cloud Content*
@ -1090,7 +1090,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowwindowsspotlightonsettings"></a>**Experience/AllowWindowsSpotlightOnSettings**
<a href="" id="experience-allowwindowsspotlightonsettings"></a>**Experience/AllowWindowsSpotlightOnSettings**
<!--SupportedSKUs-->
<table>
@ -1125,7 +1125,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Added in Windows 10, version 1803. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive.
Added in Windows 10, version 1803. This policy allows IT admins to turn off Suggestions in Settings app. These suggestions from Microsoft may show after each OS clean install, upgrade or an on-going basis to help users discover apps/features on Windows or across devices, to make thier experience productive.
- User setting is under Settings -> Privacy -> General -> Show me suggested content in Settings app.
- User Setting is changeable on a per user basis.
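Review bot: the modified description line still contains the typo "thier" (should be "their"), and "after each OS clean install, upgrade or an on-going basis" reads better as "after each OS clean install or upgrade, or on an ongoing basis"; since this line is already changed in the hunk, fix the wording here rather than leaving it for a follow-up.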
@ -1133,7 +1133,7 @@ Added in Windows 10, version 1803. This policy allows IT admins to turn off Sugg
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Turn off Windows Spotlight on Settings*
- GP name: *DisableWindowsSpotlightOnSettings*
- GP path: *Windows Components/Cloud Content*
@ -1152,7 +1152,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowwindowsspotlightwindowswelcomeexperience"></a>**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
<a href="" id="experience-allowwindowsspotlightwindowswelcomeexperience"></a>**Experience/AllowWindowsSpotlightWindowsWelcomeExperience**
<!--SupportedSKUs-->
<table>
@ -1190,14 +1190,14 @@ The following list shows the supported values:
> [!NOTE]
> This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
Added in Windows 10, version 1703. This policy setting lets you turn off the Windows spotlight Windows welcome experience feature.
The Windows welcome experience feature introduces onboard users to Windows; for example, launching Microsoft Edge with a webpage that highlights new features. If you enable this policy, the Windows welcome experience will no longer be displayed when there are updates and changes to Windows and its apps. If you disable or do not configure this policy, the Windows welcome experience will be launched to inform onboard users about what's new, changed, and suggested.
Most restricted value is 0.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Turn off the Windows Welcome Experience*
- GP name: *DisableWindowsSpotlightWindowsWelcomeExperience*
- GP path: *Windows Components/Cloud Content*
@ -1216,7 +1216,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-allowwindowstips"></a>**Experience/AllowWindowsTips**
<a href="" id="experience-allowwindowstips"></a>**Experience/AllowWindowsTips**
<!--SupportedSKUs-->
<table>
@ -1255,7 +1255,7 @@ Enables or disables Windows Tips / soft landing.
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Do not show Windows tips*
- GP name: *DisableSoftLanding*
- GP path: *Windows Components/Cloud Content*
@ -1274,7 +1274,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-configurewindowsspotlightonlockscreen"></a>**Experience/ConfigureWindowsSpotlightOnLockScreen**
<a href="" id="experience-configurewindowsspotlightonlockscreen"></a>**Experience/ConfigureWindowsSpotlightOnLockScreen**
<!--SupportedSKUs-->
<table>
@ -1317,7 +1317,7 @@ Allows IT admins to specify whether spotlight should be used on the user's lock
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Configure Windows spotlight on lock screen*
- GP name: *ConfigureWindowsSpotlight*
- GP path: *Windows Components/Cloud Content*
@ -1337,7 +1337,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-donotshowfeedbacknotifications"></a>**Experience/DoNotShowFeedbackNotifications**
<a href="" id="experience-donotshowfeedbacknotifications"></a>**Experience/DoNotShowFeedbackNotifications**
<!--SupportedSKUs-->
<table>
@ -1380,7 +1380,7 @@ If you disable or do not configure this policy setting, users can control how of
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Do not show feedback notifications*
- GP name: *DoNotShowFeedbackNotifications*
- GP path: *Data Collection and Preview Builds*
@ -1399,7 +1399,7 @@ The following list shows the supported values:
<hr/>
<!--Policy-->
<a href="" id="experience-donotsyncbrowsersetting"></a>**Experience/DoNotSyncBrowserSettings**
<a href="" id="experience-donotsyncbrowsersetting"></a>**Experience/DoNotSyncBrowserSettings**
<!--SupportedSKUs-->
<table>
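Review bot: the anchor `id="experience-donotsyncbrowsersetting"` drops the trailing "s" of the policy name DoNotSyncBrowserSettings, whereas every other anchor in this file mirrors its policy name exactly. The cross-reference in the PreventUsersFromTurningOnBrowserSyncing description links to that same truncated id, so the link currently works; if you correct the id here, update that link in the same commit so the two do not drift apart.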
@ -1436,12 +1436,12 @@ The following list shows the supported values:
<!--Description-->
[!INCLUDE [do-not-sync-browser-settings-shortdesc](../../../browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md)]
Related policy:
Related policy:
[PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing)
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Do not sync browser settings*
- GP name: *DisableWebBrowserSettingSync*
- GP path: *Windows Components/Sync your settings*
@ -1449,17 +1449,17 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
Supported values:
- 0 (default) - Allowed/turned on. The "browser" group syncs automatically between users devices and lets users to make changes.
- 2 - Prevented/turned off. The "browser" group does not use the _Sync your Settings_ option.
_**Sync the browser settings automatically**_
_**Sync the browser settings automatically**_
Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Prevent syncing of browser settings and prevent users from turning it on**_
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
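Review bot: in the context line for value 0, "syncs automatically between users devices and lets users to make changes" should read "syncs automatically between users' devices and lets users make changes" (possessive apostrophe, and "lets" takes a bare infinitive); a small wording fix worth folding in while this block is being touched.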
@ -1485,7 +1485,7 @@ _**Turn syncing off by default but dont disable**_
<hr/>
<!--Policy-->
<a href="" id="experience-preventusersfromturningonbrowsersyncing"></a>**Experience/PreventUsersFromTurningOnBrowserSyncing**
<a href="" id="experience-preventusersfromturningonbrowsersyncing"></a>**Experience/PreventUsersFromTurningOnBrowserSyncing**
<!--SupportedSKUs-->
<table>
@ -1522,13 +1522,13 @@ _**Turn syncing off by default but dont disable**_
<!--Description-->
[!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../../../browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)]
Related policy:
Related policy:
[DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)
<!--/Description-->
<!--ADMXMapped-->
ADMX Info:
ADMX Info:
- GP English name: *Prevent users from turning on browser syncing*
- GP name: *PreventUsersFromTurningOnBrowserSyncing*
- GP path: *Windows Components/Sync your settings*
@ -1536,17 +1536,17 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Supported values:
Supported values:
- 0 - Allowed/turned on. Users can sync the browser settings.
- 1 (default) - Prevented/turned off.
_**Sync the browser settings automatically**_
_**Sync the browser settings automatically**_
Set both **DoNotSyncBrowserSettings** and **PreventUsersFromTurningOnBrowserSyncing** to 0 (Allowed/turned on).
_**Prevent syncing of browser settings and prevent users from turning it on**_
_**Prevent syncing of browser settings and prevent users from turning it on**_
1. Set **DoNotSyncBrowserSettings** to 2 (Prevented/turned off).
2. Set **PreventUsersFromTurningOnBrowserSyncing** to 1 (Prevented/turned off).
@ -1561,7 +1561,7 @@ _**Prevent syncing of browser settings and let users turn on syncing**_
<!--/Example-->
<!--Validation-->
Validation procedure:
Validation procedure:
1. Select **More > Settings**.
1. See if the setting is enabled or disabled based on your selection.

View File

@ -19,11 +19,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Policy*
You can download the DDF files from the links below:
- [Download the Policy DDF file for Windows 10, version 1803](http://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1709](http://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1703](http://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1607](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
- [Download the Policy DDF file for Windows 10, version 1607 release 8C](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
- [Download the Policy DDF file for Windows 10, version 1803](https://download.microsoft.com/download/4/9/6/496534EE-8F0C-4F12-B084-A8502DA22430/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1709](https://download.microsoft.com/download/8/C/4/8C43C116-62CB-470B-9B69-76A3E2BC32A8/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1703](https://download.microsoft.com/download/7/2/C/72C36C37-20F9-41BF-8E23-721F6FFC253E/PolicyDDF_all.xml)
- [Download the Policy DDF file for Windows 10, version 1607](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607.xml)
- [Download the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml)
- [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)
The XML below is the DDF for Windows 10, next major version.
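Review bot: the five `download.microsoft.com` PolicyDDF links now use `https://`, which matches the purpose of the change. Unlike the `go.microsoft.com/fwlink` redirector links elsewhere in this PR, these are direct file downloads, so it is worth confirming that each `https://` URL serves the `PolicyDDF_all.xml` file itself rather than redirecting back to `http://`; a redirect would leave the actual fetch in plaintext. The relative `[CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download)` link correctly needs no change.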
@ -27216,7 +27216,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
<Get />
<Replace />
</AccessType>
<Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
<Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
Related policy: PreventUsersFromTurningOnBrowserSyncing
0 (default) = allow syncing, 2 = disable syncing</Description>
<DFFormat>
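Review bot: the two `<Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group...` lines are identical, so this hunk changes only whitespace inside the DDF XML and touches no link. The same pattern recurs in the later hunks of this file (`Disabling the Administrator account can become a maintenance issue...`, `Disconnect if a Remote Desktop Services session`, `• Enabled: (Default) Admin Approval Mode is enabled...`, and the `<Description>Assigning this user right to a user allows programs...` hunks, in both the device and the user copies of those nodes). If `PolicyDDF_all.xml` is produced by a generator, these whitespace edits will be reverted on the next regeneration; either normalise whitespace in the generator or drop these hunks from this change.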
@ -33473,7 +33473,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
<Replace />
</AccessType>
<Description>Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.</Description>
<DFFormat>
<chr/>
@ -33861,7 +33861,7 @@ If you disable or do not configure this policy (recommended), users will be able
Notes
If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
Disabling the Administrator account can become a maintenance issue under certain circumstances.
Disabling the Administrator account can become a maintenance issue under certain circumstances.
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
@ -34351,7 +34351,7 @@ The options are:
No Action
Lock Workstation
Force Logoff
Disconnect if a Remote Desktop Services session
Disconnect if a Remote Desktop Services session
If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
@ -35373,7 +35373,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli
The options are:
• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.</Description>
<DFFormat>
@ -44744,7 +44744,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<Get />
<Replace />
</AccessType>
<Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
<Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
1) The access token that is being impersonated is for this user.
2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
3) The requested level is less than Impersonate, such as Anonymous or Identify.
@ -47063,11 +47063,11 @@ Because of these factors, users do not usually need this user right. Warning: If
<xs:element name="ForceRestart">
<xs:complexType>
<xs:attribute name="StartDateTime" type="xs:dateTime" use="required"/>
<xs:attribute name="Recurrence" type="recurrence" use="required"/>
<xs:attribute name="RunIfTaskIsMissed" type="xs:boolean" use="required"/>
<xs:attribute name="DaysOfWeek" type="daysOfWeek"/>
<xs:attribute name="DaysOfMonth" type="daysOfMonth"/>
<xs:attribute name="StartDateTime" type="xs:dateTime" use="required"/>
<xs:attribute name="Recurrence" type="recurrence" use="required"/>
<xs:attribute name="RunIfTaskIsMissed" type="xs:boolean" use="required"/>
<xs:attribute name="DaysOfWeek" type="daysOfWeek"/>
<xs:attribute name="DaysOfMonth" type="daysOfMonth"/>
</xs:complexType>
</xs:element>
</xs:schema>]]></MSFT:XMLSchema>
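Review bot: the `ForceRestart` attribute lines (`StartDateTime`, `Recurrence`, `RunIfTaskIsMissed`, `DaysOfWeek`, `DaysOfMonth`) are repeated unchanged, so this is another whitespace-only edit, but here it sits inside the `<![CDATA[ ... ]]>` payload of `<MSFT:XMLSchema>`, that is, it alters the embedded schema text that a client may extract and validate against, not just the DDF's own markup. XSD tolerates whitespace between attributes, so the effect is benign, but confirm it is intentional rather than a side effect of an editor's line-ending conversion, since the change has nothing to do with insecure links.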
@ -55083,7 +55083,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
<Get />
</AccessType>
<DefaultValue>0</DefaultValue>
<Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
<Description>You can configure Microsoft Edge, when enabled, to prevent the &quot;browser&quot; group from using the Sync your Settings option to sync information, such as history and favorites, between user&apos;s devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user.
Related policy: PreventUsersFromTurningOnBrowserSyncing
0 (default) = allow syncing, 2 = disable syncing</Description>
<DFFormat>
@ -62092,7 +62092,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor
</AccessType>
<DefaultValue></DefaultValue>
<Description>Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal.
This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal.</Description>
<DFFormat>
<chr/>
@ -62490,7 +62490,7 @@ If you disable or do not configure this policy (recommended), users will be able
Notes
If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
Disabling the Administrator account can become a maintenance issue under certain circumstances.
Disabling the Administrator account can become a maintenance issue under certain circumstances.
Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
@ -63023,7 +63023,7 @@ The options are:
No Action
Lock Workstation
Force Logoff
Disconnect if a Remote Desktop Services session
Disconnect if a Remote Desktop Services session
If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session.
@ -64126,7 +64126,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli
The options are:
• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
• Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced.</Description>
<DFFormat>
@ -74443,7 +74443,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the
<Get />
</AccessType>
<DefaultValue></DefaultValue>
<Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
<Description>Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user&apos;s permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
1) The access token that is being impersonated is for this user.
2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
3) The requested level is less than Impersonate, such as Anonymous or Identify.

View File

@ -16,13 +16,13 @@ ms.date: 09/22/2017
# Push notification support for device management
The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](http://go.microsoft.com/fwlink/p/?linkid=528800), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](https://go.microsoft.com/fwlink/p/?linkid=528800), a management server can request a device to establish a management session with the server through a push notification. A device is configured to support push by the management server by providing the device with a PFN for an application. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token that it can use to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a device management session with a device, it can utilize its token and the device ChannelURI and begin communicating with the device.
For more information about how to get push credentials (SID and client secret) and PFN to use in WNS, see [Get WNS credentials and PFN for MDM push notification](#get-wns-credentials-and-pfn-for-mdm-push-notification).
Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](http://go.microsoft.com/fwlink/p/?LinkId=733254).
Because a device may not always be connected to the internet, WNS supports caching notifications for delivery to the device once it reconnects. To ensure your notification is cached for delivery, set the X-WNS-Cache-Policy header to Cache. Additionally, if the server wants to send a time-bound raw push notification, the server can use the X-WNS-TTL header that will provide WNS with a time-to-live binding so that the notification will expire after the time has passed. For more information, see [Raw notification overview (Windows Runtime apps)](https://go.microsoft.com/fwlink/p/?LinkId=733254).
Note the following restrictions related to push notifications and WNS:
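Review bot: both `go.microsoft.com/fwlink` conversions in this hunk are correct, but `fwlink` is a redirector, so `https://` only protects the hop to the redirector; whether the final pages (the WNS overview behind `linkid=528800` and the raw-notification overview behind `LinkId=733254`) are served over TLS depends on the destination registered for each link, which this PR cannot change. Worth checking that both targets resolve to `https://` pages, given that this section walks the reader through obtaining and using the WNS SID and client secret.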

View File

@ -15,7 +15,7 @@ ms.date: 06/26/2017
The RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set.
> [!Note]
> [!Note]
> The RemoteLock CSP is only supported in Windows 10 Mobile.
 
@ -23,11 +23,11 @@ The following diagram shows the RemoteLock configuration service provider in a t
![provisioning\-csp\-remotelock](images/provisioning-csp-remotelock.png)
<a href="" id="--vendor-msft-remotelock"></a>**./Vendor/MSFT/RemoteLock**
<a href="" id="--vendor-msft-remotelock"></a>**./Vendor/MSFT/RemoteLock**
<p style="margin-left: 20px">Defines the root node for the RemoteLock configuration service provider.</p>
<a href="" id="lock"></a>**Lock**
Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed [here](http://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification. The supported operations are Get and Exec.
<a href="" id="lock"></a>**Lock**
Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed [here](https://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification. The supported operations are Get and Exec.
<table>
<colgroup>
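Review bot: the `[here](https://go.microsoft.com/fwlink/p/?LinkId=522607)` fix is fine; the same hunk also carries whitespace-only edits to the `<a href="" id="--vendor-msft-remotelock"></a>**./Vendor/MSFT/RemoteLock**` and `<a href="" id="lock"></a>**Lock**` anchor lines. One documentation point: the link text "here" gives no hint of the target, and the identical `LinkId=522607` link is used again in the `LockAndResetPIN` hunk below; naming it (for example "the OMA DM protocol specification") would tell readers that both references point at the same document.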
@ -63,10 +63,10 @@ Required. The setting accepts requests to lock the device screen. The device scr
 
<a href="" id="lockandresetpin"></a>**LockAndResetPIN**
<a href="" id="lockandresetpin"></a>**LockAndResetPIN**
This setting can be used to lock and reset the PIN on the device. It is used in conjunction with the NewPINValue node. After the **Exec** operation is called successfully on this node, the previous PIN will no longer work and cannot be recovered. The supported operation is Exec.
This node will return the following status. All OMA DM errors are listed [here](http://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification.
This node will return the following status. All OMA DM errors are listed [here](https://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification.
<table>
<colgroup>
@ -95,13 +95,13 @@ This node will return the following status. All OMA DM errors are listed [here](
</tbody>
</table>
<a href="" id="lockandrecoverpin"></a>**LockAndRecoverPIN**
<a href="" id="lockandrecoverpin"></a>**LockAndRecoverPIN**
Added in Windows 10, version 1703. This setting performs a similar function to the LockAndResetPIN node. With LockAndResetPIN any Windows Hello keys associated with the PIN gets deleted, but with LockAndRecoverPIN those keys are saved. After the Exec operation is called successfully on this setting, the new PIN can be retrieved from the NewPINValue setting. The previous PIN will no longer work.
Executing this node requires a ticket from the Microsoft credential reset service. Additionally, the execution of this setting is only supported when the [EnablePinRecovery](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/passportforwork-csp#tenantid-policies-enablepinrecovery) policy is set on the client.
<a href="" id="newpinvalue"></a>**NewPINValue**
<a href="" id="newpinvalue"></a>**NewPINValue**
This setting contains the PIN after Exec has been called on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin. If LockAndResetPIN or LockAndResetPIN has never been called, the value will be null. If Get is called on this node after a successful Exec call on /RemoteLock/LockAndResetPIN or /RemoteLock/LockAndRecoverPin, then the new PIN will be provided. If another Get command is called on this node, the value will be null. If you need to reset the PIN again, then another LockAndResetPIN Exec can be communicated to the device to generate a new PIN. The PIN value will conform to the minimum PIN complexity requirements of the merged policies that are set on the device. If no PIN policy has been set on the device, the generated PIN will conform to the default policy of the device.
The data type returned is a string.
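Review bot: this hunk is whitespace-only on the `**LockAndRecoverPIN**` and `**NewPINValue**` anchor lines, and the `EnablePinRecovery` link is already `https://`, but the unchanged context shows a documentation defect worth fixing while the file is open: "If LockAndResetPIN or LockAndResetPIN has never been called" names the same node twice (the second is presumably meant to be LockAndRecoverPIN), and the paths are written `/RemoteLock/LockAndRecoverPin` while the node is introduced as `LockAndRecoverPIN`. Consistent casing matters here because the LocURI is exactly what an administrator copies into a SyncML command.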
@ -117,12 +117,12 @@ Initiate a remote lock of the device.
``` syntax
<Exec>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/Lock </LocURI>
</Target>
</Item>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/Lock </LocURI>
</Target>
</Item>
</Exec>
```
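Review bot: the re-indented `<Exec>` sample differs only in whitespace, but both the old and the new version keep a trailing space inside the node path: `<LocURI>./Vendor/MSFT/RemoteLock/Lock </LocURI>`. The same trailing space appears in the `<Sequence>` sample below for `LockAndResetPIN ` and `NewPINValue `. Someone who copies the sample verbatim sends a LocURI that may not match the node; since the whitespace in these blocks is being touched anyway, suggest `<LocURI>./Vendor/MSFT/RemoteLock/Lock</LocURI>` and the corresponding fix in the second sample.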
@ -130,22 +130,22 @@ Initiate a remote lock and PIN reset of the device. To successfully retrieve the
``` syntax
<Sequence>
<CmdID>1</CmdID>
<CmdID>1</CmdID>
<Exec>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/LockAndResetPIN </LocURI>
</Target>
</Item>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/LockAndResetPIN </LocURI>
</Target>
</Item>
</Exec>
<Get>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/NewPINValue </LocURI>
</Target>
</Item>
<CmdID>3</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/RemoteLock/NewPINValue </LocURI>
</Target>
</Item>
</Get>
</Sequence>
```

View File

@ -27,7 +27,7 @@ The following list shows the general server requirements for using OMA DM to man
- The MD5 binary nonce is send over XML B64 encoded format, but the octal form of the binary data should be used when the service calculates the hash.
For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
For more information about Basic or MD5 client authentication, MD5 hash, and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM\_Security-V1\_2\_1-20080617-A), available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
- The server must support HTTPS.
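Review bot: the OMA website link fix is correct and only changes the scheme of the redirector link. The adjacent context line "The MD5 binary nonce is send over XML B64 encoded format" should read "is sent", and because this hunk already modifies the paragraph it is a cheap fix to include; the sentence describes how the service must compute the MD5 hash, so it should read cleanly.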

View File

@ -14,7 +14,7 @@ ms.date: 06/26/2017
OMA DM commands are transmitted between the server and the client device in messages. A message can contain one or more commands. For a list of commands supported, see the table in [OMA DM protocol support](oma-dm-protocol-support.md).
A DM message is an XML document. The structure and content of the document is defined in the OMA DM Representation Protocol (OMA-SyncML-DevInfo-DTD-V1\_1\_2-20030505-D.dtd) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
A DM message is an XML document. The structure and content of the document is defined in the OMA DM Representation Protocol (OMA-SyncML-DevInfo-DTD-V1\_1\_2-20030505-D.dtd) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
Each message is composed of a header, specified by the SyncHdr element, and a message body, specified by the SyncBody element.
@ -49,7 +49,7 @@ The following table shows the OMA DM versions that are supported.
## File format
The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](http://go.microsoft.com/fwlink/p/?LinkId=526902) specification.
The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://go.microsoft.com/fwlink/p/?LinkId=526902) specification.
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
@ -76,7 +76,7 @@ The following example shows the general structure of the XML document sent by th
</Item>
</Get>
<!-- Update device policy -->
<Final />
</SyncBody>
</SyncML>

View File

@ -18,12 +18,12 @@ The following diagram shows the Update configuration service provider in tree fo
![update csp diagram](images/provisioning-csp-update.png)
<a href="" id="update"></a>**Update**
<a href="" id="update"></a>**Update**
<p style="margin-left: 20px">The root node.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
<a href="" id="approvedupdates"></a>**ApprovedUpdates**
<p style="margin-left: 20px">Node for update approvals and EULA acceptance on behalf of the end-user.
> [!NOTE]
@ -38,10 +38,10 @@ The following diagram shows the Update configuration service provider in tree fo
<p style="margin-left: 20px">Supported operations are Get and Add.
<a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/****_Approved Update Guid_**
<a href="" id="approvedupdates-approved-update-guid"></a>**ApprovedUpdates/****_Approved Update Guid_**
<p style="margin-left: 20px">Specifies the update GUID.
<p style="margin-left: 20px">To auto-approve a class of updates, you can specify the [Update Classifications](http://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
<p style="margin-left: 20px">To auto-approve a class of updates, you can specify the [Update Classifications](https://go.microsoft.com/fwlink/p/?LinkId=526723) GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. There are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly.
<p style="margin-left: 20px">Supported operations are Get and Add.
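Review bot: the `[Update Classifications](https://go.microsoft.com/fwlink/p/?LinkId=526723)` fix is correct, and since this line is already modified, the two wording errors on it should be fixed in the same change: "We strongly recommend to always specify" should be "We strongly recommend always specifying", and "There are released periodically" should be "These are released periodically". The recommendation itself, auto-approving the DefinitionsUpdates classification `E0789628-CE08-4437-BE74-2495B842F43B` so that anti-malware signature updates are not held up waiting for approval, is the security-relevant point of the paragraph and deserves to read correctly.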
@ -50,62 +50,62 @@ The following diagram shows the Update configuration service provider in tree fo
<LocURI>./Vendor/MSFT/Update/ApprovedUpdates/%7ba317dafe-baf4-453f-b232-a7075efae36e%7d</LocURI>
</code>
<a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
<a href="" id="approvedupdates-approved-update-guid-approvedtime"></a>**ApprovedUpdates/*Approved Update Guid*/ApprovedTime**
<p style="margin-left: 20px">Specifies the time the update gets approved.
<p style="margin-left: 20px">Supported operations are Get and Add.
<a href="" id="failedupdates"></a>**FailedUpdates**
<a href="" id="failedupdates"></a>**FailedUpdates**
<p style="margin-left: 20px">Specifies the approved updates that failed to install on a device.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/****_Failed Update Guid_**
<a href="" id="failedupdates-failed-update-guid"></a>**FailedUpdates/****_Failed Update Guid_**
<p style="margin-left: 20px">Update identifier field of the UpdateIdentity GUID that represent an update that failed to download or install.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
<a href="" id="failedupdates-failed-update-guid-hresult"></a>**FailedUpdates/*Failed Update Guid*/HResult**
<p style="margin-left: 20px">The update failure error code.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
<a href="" id="failedupdates-failed-update-guid-status"></a>**FailedUpdates/*Failed Update Guid*/Status**
<p style="margin-left: 20px">Specifies the failed update status (for example, download, install).
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="failedupdates-failed-update-guid-revisionnumber"></a>**FailedUpdates/*Failed Update Guid*/RevisionNumber**
<a href="" id="failedupdates-failed-update-guid-revisionnumber"></a>**FailedUpdates/*Failed Update Guid*/RevisionNumber**
<p style="margin-left: 20px">Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="installedupdates"></a>**InstalledUpdates**
<a href="" id="installedupdates"></a>**InstalledUpdates**
<p style="margin-left: 20px">The updates that are installed on the device.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/****_Installed Update Guid_**
<a href="" id="installedupdates-installed-update-guid"></a>**InstalledUpdates/****_Installed Update Guid_**
<p style="margin-left: 20px">UpdateIDs that represent the updates installed on a device.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="installedupdates-installed-update-guid-revisionnumber"></a>**InstalledUpdates/*Installed Update Guid*/RevisionNumber**
<a href="" id="installedupdates-installed-update-guid-revisionnumber"></a>**InstalledUpdates/*Installed Update Guid*/RevisionNumber**
<p style="margin-left: 20px">Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="installableupdates"></a>**InstallableUpdates**
<a href="" id="installableupdates"></a>**InstallableUpdates**
<p style="margin-left: 20px">The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/****_Installable Update Guid_**
<a href="" id="installableupdates-installable-update-guid"></a>**InstallableUpdates/****_Installable Update Guid_**
<p style="margin-left: 20px">Update identifiers that represent the updates applicable and not installed on a device.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
<a href="" id="installableupdates-installable-update-guid-type"></a>**InstallableUpdates/*Installable Update Guid*/Type**
<p style="margin-left: 20px">The UpdateClassification value of the update. Valid values are:
- 0 - None
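Review bot: every line in this hunk is emitted as an identical old/new pair, so the change here is whitespace only (trailing spaces or line endings), not a link fix. Since the PR is scoped to moving Microsoft-property links to https, consider splitting the whitespace normalization into its own commit, or say in the description that the editor rewrote whitespace on every touched file; the 3568/3569 line counts suggest that is the bulk of this diff, and it hides the handful of URL changes a reviewer actually needs to check.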
@ -114,71 +114,71 @@ The following diagram shows the Update configuration service provider in tree fo
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
<a href="" id="installableupdates-installable-update-guid-revisionnumber"></a>**InstallableUpdates/*Installable Update Guid*/RevisionNumber**
<p style="margin-left: 20px">The revision number for the update that must be passed in server to server sync to get the metadata for the update.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
<a href="" id="pendingrebootupdates"></a>**PendingRebootUpdates**
<p style="margin-left: 20px">The updates that require a reboot to complete the update session.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/****_Pending Reboot Update Guid_**
<a href="" id="pendingrebootupdates-pending-reboot-update-guid"></a>**PendingRebootUpdates/****_Pending Reboot Update Guid_**
<p style="margin-left: 20px">Update identifiers for the pending reboot state.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-installedtime"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime**
<p style="margin-left: 20px">The time the update is installed.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-revisionnumber"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber**
<a href="" id="pendingrebootupdates-pending-reboot-update-guid-revisionnumber"></a>**PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber**
<p style="margin-left: 20px">Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
<a href="" id="lastsuccessfulscantime"></a>**LastSuccessfulScanTime**
<p style="margin-left: 20px">The last successful scan time.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="deferupgrade"></a>**DeferUpgrade**
<a href="" id="deferupgrade"></a>**DeferUpgrade**
<p style="margin-left: 20px">Upgrades deferred until the next period.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="rollback"></a>**Rollback**
<a href="" id="rollback"></a>**Rollback**
Added in Windows 10, version 1803. Node for the rollback operations.
<a href="" id="rollback-qualityupdate"></a>**Rollback/QualityUpdate**
Added in Windows 10, version 1803. Roll back latest Quality Update, if the machine meets the following conditions:
<a href="" id="rollback-qualityupdate"></a>**Rollback/QualityUpdate**
Added in Windows 10, version 1803. Roll back latest Quality Update, if the machine meets the following conditions:
- Condition 1: Device must be Windows Update for Business Connected
- Condition 2: Device must be in a Paused State
- Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
If the conditions are not true, the device will not Roll Back the Latest Quality Update.
<a href="" id="rollback-featureupdate"></a>**Rollback/FeatureUpdate**
Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions:
<a href="" id="rollback-featureupdate"></a>**Rollback/FeatureUpdate**
Added in Windows 10, version 1803. Roll Back Latest Feature Update, if the machine meets the following conditions:
- Condition 1: Device must be Windows Update for Business Connnected
- Condition 2: Device must be in Paused State
- Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
- Condition 4: Machine should be within the uninstall period
- Condition 4: Machine should be within the uninstall period
> [!Note]
> [!Note]
> This only works for Semi Annual Channel Targeted devices.
If the conditions are not true, the device will not Roll Back the Latest Feature Update.
<a href="" id="rollback-qualityupdatestatus"></a>**Rollback/QualityUpdateStatus**
Added in Windows 10, version 1803. Returns the result of last RollBack QualityUpdate operation.
<a href="" id="rollback-featureupdatestatus"></a>**Rollback/FeatureUpdateStatus**
<a href="" id="rollback-qualityupdatestatus"></a>**Rollback/QualityUpdateStatus**
Added in Windows 10, version 1803. Returns the result of last RollBack QualityUpdate operation.
<a href="" id="rollback-featureupdatestatus"></a>**Rollback/FeatureUpdateStatus**
Added in Windows 10, version 1803. Returns the result of last RollBack FeatureUpdate operation.
## Related topics
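Review bot: the context line "Device must be Windows Update for Business Connnected" (Rollback/FeatureUpdate, condition 1) carries a typo (Connnected should be Connected), and the two "[!Note]" lines under condition 4 are an old/new pair for a whitespace change only. Since the neighbouring lines are being rewritten anyway, fix the typo in the same pass and consider normalizing the "Roll back" / "Roll Back" capitalization between the QualityUpdate and FeatureUpdate entries.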


@ -13,7 +13,7 @@ ms.date: 04/02/2017
# VPN CSP
The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see [Configure IKEv2-based Remote Access](http://technet.microsoft.com/library/ff687731%28v=ws.10%29.aspx).
The VPN configuration service provider allows the MDM server to configure the VPN profile of the device. Windows 10 supports both IKEv2 VPN and SSL VPN profiles. For information about IKEv2, see [Configure IKEv2-based Remote Access](https://technet.microsoft.com/library/ff687731%28v=ws.10%29.aspx).
> **Note**   The VPN CSP is deprecated in Windows 10 and it only supported in Windows 10 Mobile for backward compatibility. Use [VPNv2 CSP](vpnv2-csp.md) instead.
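Review bot: the http to https swap on the technet.microsoft.com link is correct, but the deprecation note on the following context line reads "it only supported in Windows 10 Mobile"; it should be "it is only supported in Windows 10 Mobile". Worth fixing here since the hunk already touches this paragraph.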
@ -33,29 +33,29 @@ The following diagram shows the VPN configuration service provider in tree forma
![provisioning\-csp\-vpn](images/provisioning-csp-vpn.png)
<a href="" id="profilename"></a>***ProfileName***
<a href="" id="profilename"></a>***ProfileName***
Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/).
Value type is chr. Supported operations include Get, Add, Replace, and Delete.
<a href="" id="server"></a>**Server**
<a href="" id="server"></a>**Server**
Required. Public or routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm.
Supported operations are Get, Add, and Replace.
Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com.
<a href="" id="tunneltype"></a>**TunnelType**
<a href="" id="tunneltype"></a>**TunnelType**
Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release.
Value type is chr. Supported operations are Get and Add.
<a href="" id="thirdparty"></a>**ThirdParty**
<a href="" id="thirdparty"></a>**ThirdParty**
Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning.
Supported operations are Get and Add.
<a href="" id="thirdparty-name"></a>**ThirdParty/Name**
<a href="" id="thirdparty-name"></a>**ThirdParty/Name**
Required when ThirdParty is defined for SSL-VPN profile provisioning.
Value type is chr. Supported operations are Get and Add.
@ -70,32 +70,32 @@ Valid values:
- Checkpoint Mobile VPN
<a href="" id="thirdparty-appid"></a>**ThirdParty/AppID**
<a href="" id="thirdparty-appid"></a>**ThirdParty/AppID**
Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="thirdparty-customstoreurl"></a>**ThirdParty/CustomStoreURL**
<a href="" id="thirdparty-customstoreurl"></a>**ThirdParty/CustomStoreURL**
Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app.
Value type is chr. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="thirdparty-customconfiguration"></a>**ThirdParty/CustomConfiguration**
<a href="" id="thirdparty-customconfiguration"></a>**ThirdParty/CustomConfiguration**
Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins.
Value type is char. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="roleorgroup"></a>**RoleOrGroup**
<a href="" id="roleorgroup"></a>**RoleOrGroup**
Not Implemented. Optional.
Value type is char. Supported operations are Get, Add, Delete, and Replace.
<a href="" id="authentication"></a>**Authentication**
<a href="" id="authentication"></a>**Authentication**
Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a collection of configuration objects to ensure that the correct authentication policy is used on the device based on the chosen TunnelType.
Supported operations are Get and Add.
<a href="" id="authentication-method"></a>**Authentication/Method**
<a href="" id="authentication-method"></a>**Authentication/Method**
Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles.
Supported operations are Get and Add.
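Review bot: the ThirdParty/CustomConfiguration and RoleOrGroup entries state "Value type is char" while every other node in this file uses "chr" (the OMA DM format name); normalize to "chr" so the type strings match the rest of the CSP reference. In the same hunk, "Defines a group of setting applied to SSL-VPN profile provisioning" under ThirdParty should read "settings".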
@ -106,12 +106,12 @@ Value type is chr.
 
<a href="" id="authentication-certificate"></a>**Authentication/Certificate**
<a href="" id="authentication-certificate"></a>**Authentication/Certificate**
Optional node. A collection of nodes that enables simpler authentication experiences for end users when using VPN. This and its subnodes should not be used for IKEv2 profiles.
Supported operations are Get and Add.
<a href="" id="authentication-certificate-issuer"></a>**Authentication/Certificate/Issuer**
<a href="" id="authentication-certificate-issuer"></a>**Authentication/Certificate/Issuer**
Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@ -120,7 +120,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.
 
<a href="" id="authentication-certificate-eku"></a>**Authentication/Certificate/EKU**
<a href="" id="authentication-certificate-eku"></a>**Authentication/Certificate/EKU**
Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering.
Value type is chr. Supported operations are Get, Add, Delete, and Replace.
@ -129,38 +129,38 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace.
 
<a href="" id="authentication-certificate-cachelifetimeforprotectedcert"></a>**Authentication/Certificate/CacheLifeTimeForProtectedCert**
<a href="" id="authentication-certificate-cachelifetimeforprotectedcert"></a>**Authentication/Certificate/CacheLifeTimeForProtectedCert**
Not Implemented. Optional.
Value type is int. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="authentication-eap"></a>**Authentication/EAP**
Required when IKEv2 is selected. Defines the EAP blob to be used for IKEv2 authentication. You can use EAP-MSCHAPv2 or EAP-TLS. EAP blob is HTML encoded XML as defined in EAP Host Config schemas. You can find the schemas in [Microsoft EAP MsChapV2 Schema](http://go.microsoft.com/fwlink/p/?LinkId=523885) and [Microsoft EAP TLS Schema](http://go.microsoft.com/fwlink/p/?LinkId=523884).
<a href="" id="authentication-eap"></a>**Authentication/EAP**
Required when IKEv2 is selected. Defines the EAP blob to be used for IKEv2 authentication. You can use EAP-MSCHAPv2 or EAP-TLS. EAP blob is HTML encoded XML as defined in EAP Host Config schemas. You can find the schemas in [Microsoft EAP MsChapV2 Schema](https://go.microsoft.com/fwlink/p/?LinkId=523885) and [Microsoft EAP TLS Schema](https://go.microsoft.com/fwlink/p/?LinkId=523884).
Supported operations are Get, Add, and Replace.
Value type is chr.
<a href="" id="proxy"></a>**Proxy**
<a href="" id="proxy"></a>**Proxy**
Optional node. A collection of configuration objects to enable a post-connect proxy support for VPN. The proxy defined for this profile will be applied when this profile is active and connected.
Supported operations are Add, Delete, and Replace.
<a href="" id="proxy-manual-server"></a>**Proxy/Manual/Server**
<a href="" id="proxy-manual-server"></a>**Proxy/Manual/Server**
Optional. Set this element together with PORT. The value is the proxy server address as a fully qualified hostname or an IP address, for example, proxy.constoso.com.
Supported operations are Get, Add, Replace, and Delete.
Value type is chr.
<a href="" id="proxy-manual-port"></a>**Proxy/Manual/Port**
<a href="" id="proxy-manual-port"></a>**Proxy/Manual/Port**
Optional. Set this element together with Server. The value is the proxy server port number in the range of 1-65535, for example, 8080.
Supported operations are Get, Add, Replace, and Delete.
Value type is int.
<a href="" id="proxy-bypassforlocal"></a>**Proxy/BypassForLocal**
<a href="" id="proxy-bypassforlocal"></a>**Proxy/BypassForLocal**
Optional. When this setting is enabled, any web requests to resources in the intranet zone will not be sent to the proxy. When this is false, the setting should be disabled and all requests should go to the proxy. When this is true, the setting is enabled and intranet requests will not go to the proxy.
Supported operations are Get, Add, Replace, and Delete.
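Review bot: the EAP schema links are correctly moved to https, but the Proxy/Manual/Server example in the same hunk reads "proxy.constoso.com", a typo for the contoso.com placeholder domain used elsewhere in this file; fix it so the example host is consistent. The Proxy/BypassForLocal paragraph also states the same condition twice ("When this is false ... When this is true ...") and could be collapsed to one sentence.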
@ -169,10 +169,10 @@ Value type is bool.
Default is False.
<a href="" id="securedresources"></a>**SecuredResources**
<a href="" id="securedresources"></a>**SecuredResources**
Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported..
<a href="" id="securedresources-appallowedlist-appallowedlist"></a>**SecuredResources/AppAllowedList/AppAllowedList**
<a href="" id="securedresources-appallowedlist-appallowedlist"></a>**SecuredResources/AppAllowedList/AppAllowedList**
Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps.
Supported operations are Get, Add, Replace and Delete.
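Review bot: the SecuredResources description ends with a doubled period ("VPN exclusions are not supported..") on a line that is already being rewritten for whitespace; drop the extra period while here.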
@ -181,7 +181,7 @@ Value type is chr.
Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u.
<a href="" id="securedresources-networkallowedlist-networkallowedlist"></a>**SecuredResources/NetworkAllowedList/NetworkAllowedList**
<a href="" id="securedresources-networkallowedlist-networkallowedlist"></a>**SecuredResources/NetworkAllowedList/NetworkAllowedList**
Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, theyll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks.
Supported operations are Get, Add, Replace, and Delete.
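Review bot: "theyll" in the NetworkAllowedList description has lost its apostrophe (should be "they'll"), almost certainly a curly quote dropped during conversion; the same loss appears in the NameSpaceAllowedList entry in the next hunk. Since both lines are being rewritten anyway, restore a plain ASCII apostrophe in each.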
@ -190,7 +190,7 @@ Value type is chr.
An example is 172.31.0.0/16.
<a href="" id="securedresources-namespaceallowedlist-namespaceallowedlist"></a>**SecuredResources/NameSpaceAllowedList/NameSpaceAllowedList**
<a href="" id="securedresources-namespaceallowedlist-namespaceallowedlist"></a>**SecuredResources/NameSpaceAllowedList/NameSpaceAllowedList**
Optional. Specifies one or more namespaces that you want secured over VPN. All requests to the specified namespaces are secured over VPN. Applications connecting to namespaces are secured over VPN. Otherwise, theyll continue to connect directly. Namespaces are defined in the format \*.corp.contoso.com. Restrictions such as \* or \*.\* or \*.com.\* are not allowed. NetworkAllowedList is required for IKEv2 profiles for routing the traffic correctly over split tunnel.
Supported operations are Get, Add, Replace, and Delete.
@ -199,7 +199,7 @@ Value type is chr.
An example is \*.corp.contoso.com.
<a href="" id="securedresources-excluddedapplist-excludedapplist"></a>**SecuredResources/ExcluddedAppList/ExcludedAppList**
<a href="" id="securedresources-excluddedapplist-excludedapplist"></a>**SecuredResources/ExcluddedAppList/ExcludedAppList**
Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection.
Supported operations are Get, Add, Replace, and Delete.
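Review bot: the heading and anchor id read "SecuredResources/ExcluddedAppList/ExcludedAppList" while the leaf node is spelled "ExcludedAppList"; verify against the CSP tree diagram whether the parent node really has the doubled "d", and if not, correct both the anchor id and the heading. Readers copy these paths into LocURI values, so a misspelled node name in the reference turns into a silently failing Add on the device.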
@ -208,7 +208,7 @@ Value type is chr.
Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u.
<a href="" id="securedresources-excludednetworklist-excludednetworklist"></a>**SecuredResources/ExcludedNetworkList/ExcludedNetworkList**
<a href="" id="securedresources-excludednetworklist-excludednetworklist"></a>**SecuredResources/ExcludedNetworkList/ExcludedNetworkList**
Optional. Specifies one or more IP addresses that will never use VPN. Any app connecting to the configured excluded IP list will use the internet directly and bypass VPN. Values are defined in the format 10.0.0.0/8.
Supported operations are Get, Add, Replace, and Delete.
@ -217,7 +217,7 @@ Value type is chr.
An example is 172.31.0.0/16.
<a href="" id="securedresources-excludednamespacelist-excludednamespacelist"></a>**SecuredResources/ExcludedNameSpaceList/ExcludedNameSpaceList**
<a href="" id="securedresources-excludednamespacelist-excludednamespacelist"></a>**SecuredResources/ExcludedNameSpaceList/ExcludedNameSpaceList**
Optional. Specifies one or more namespaces of hosts that will never use VPN. Any app connecting to the configured excluded host list will use the internet and bypass VPN. Restrictions such as \* or \*.\* or \*.com.\* are not allowed.
Supported operations are Get, Add, Replace, and Delete.
@ -226,7 +226,7 @@ Value type is chr.
An example is \*.corp.contoso.com.
<a href="" id="securedresources-dnssuffixsearchlist-dnssuffixsearchlist"></a>**SecuredResources/DNSSuffixSearchList/DNSSuffixSearchList**
<a href="" id="securedresources-dnssuffixsearchlist-dnssuffixsearchlist"></a>**SecuredResources/DNSSuffixSearchList/DNSSuffixSearchList**
Optional. Specifies one or many DNS suffixes that will be appended to shortname URLs for DNS resolution and connectivity.
Supported operations are Get, Add, Replace, and Delete.
@ -235,10 +235,10 @@ Value type is chr.
An example is .corp.contoso.com.
<a href="" id="policies"></a>**Policies**
<a href="" id="policies"></a>**Policies**
Optional node. A collection of configuration objects you can use to enforce profile-specific restrictions.
<a href="" id="policies-splittunnel"></a>**Policies/SplitTunnel**
<a href="" id="policies-splittunnel"></a>**Policies/SplitTunnel**
Optional. When this is False, all traffic goes to the VPN gateway in force tunnel mode. When this is True, only the specific traffic to defined secured resources goes to the VPN gateway.
Supported operations are Get, Add, Replace, and Delete.
@ -247,7 +247,7 @@ Value type is bool.
Default value is True.
<a href="" id="policies-bypassforlocal"></a>**Policies/ByPassForLocal**
<a href="" id="policies-bypassforlocal"></a>**Policies/ByPassForLocal**
Optional. When this setting is True, requests to local resources that are available on the same Wi-Fi network as the VPN client can bypass the VPN. For example, if enterprise policy for VPN requires force tunnel for VPN, but enterprise intends to allow the remote user to connect locally to media center in their home, then this option should be set to True. The user can bypass VPN for local subnet traffic. When this is set to False, the setting is disabled and no subnet exceptions are allowed.
Supported operations are Get, Add, Replace, and Delete.
@ -256,7 +256,7 @@ Value type is bool.
Default value is False.
<a href="" id="policies-trustednetworkdetection"></a>**Policies/TrustedNetworkDetection**
<a href="" id="policies-trustednetworkdetection"></a>**Policies/TrustedNetworkDetection**
Optional. When this setting is set to True, the VPN cannot connect when the user is on their corporate wireless network where protected resources are directly accessible to the device. When this is False, the VPN connects over corporate wireless network. This node has a dependency on the DNSSuffix node setting to detect the corporate wireless network.
Supported operations are Get, Add, Replace, and Delete.
@ -265,7 +265,7 @@ Value type is bool.
Default value is False.
<a href="" id="policies-connectiontype"></a>**Policies/ConnectionType**
<a href="" id="policies-connectiontype"></a>**Policies/ConnectionType**
Optional. Valid values are:
- Triggering: A VPN automatically connects as applications require connectivity to protected resources. The life cycle of the VPN is based on applications using the VPN. Recommended setting for optimizing usage of power resources.
@ -278,7 +278,7 @@ Value type is chr.
Default value is Triggering.
<a href="" id="dnssuffix"></a>**DNSSuffix**
<a href="" id="dnssuffix"></a>**DNSSuffix**
Optional, but it is required to set the specific DNS suffix of the primary connection. Supported operations are Get, Add, Delete, and Replace.
Value type is chr.


@ -25,10 +25,10 @@ The following diagram shows the configuration service provider in tree format as
![w4 application csp (cp)](images/provisioning-csp-w4-application-cp.png)
<a href="" id="appid"></a>**APPID**
<a href="" id="appid"></a>**APPID**
Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".
<a href="" id="name"></a>**NAME**
<a href="" id="name"></a>**NAME**
Optional. Specifies a userreadable application identity. This parameter is also used to define part of the registry path for the APPLICATION parameters.
This parameter takes a string value. The possible values to configure the NAME parameter are:
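Review bot: the NAME description reads "userreadable" with the hyphen dropped (should be "user-readable"); this looks like the same non-ASCII hyphen loss as "userselectable" in the Remarks context of a later hunk in this file. Fix the text here rather than leaving the rendered line inconsistent.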
@ -45,15 +45,15 @@ If no value is specified, the registry location will default to &lt;unnamed&gt;.
If `Name` is greater than 40 characters, it will be truncated to 40 characters.
<a href="" id="to-proxy"></a>**TO-PROXY**
<a href="" id="to-proxy"></a>**TO-PROXY**
Required. Specifies one logical proxy with a matching PROXY-ID. It is only possible to refer to proxies defined within the same provisioning file. Only one proxy can be listed.
The TO-PROXY value must be set to the value of the PROXY ID in PXLOGICAL that defines the MMS specific-proxy.
<a href="" id="to-napid"></a>**TO-NAPID**
<a href="" id="to-napid"></a>**TO-NAPID**
Required. Specifies the network access point identification name (NAPID) defined in the provisioning file. This parameter takes a string value. It is only possible to refer to network access points defined within the same provisioning file (except if the INTERNET attribute is set in the NAPDEF characteristic). For more information about the NAPDEF characteristic, see [NAPDEF configuration service provider](napdef-csp.md).
<a href="" id="addr"></a>**ADDR**
<a href="" id="addr"></a>**ADDR**
Required. Specifies the address of the MMS application server, as a string. The possible values to configure the ADDR parameter are:
- A Uniform Resource Identifier (URI)
@ -62,7 +62,7 @@ Required. Specifies the address of the MMS application server, as a string. The
- A fully qualified Internet domain name
<a href="" id="ms"></a>**MS**
<a href="" id="ms"></a>**MS**
Optional. The maximum authorized size, in KB, for multimedia content. This parameter takes a numeric value in string format. If the value is not a number, or is less than or equal to 10, it will be ignored and outgoing MMS will not be resized.
## Remarks
@ -72,7 +72,7 @@ Windows Phone MMS does not support userselectable profiles. While multiple MM
If provisioning XML is received for a profile with an existing name, the values in that profile will be overwritten with the new values.
For more information about the parameters used by the w4 APPLICATION configuration service provider and how they are used, see the OMA MMS Conformance Document (OMA-TS-MMS-CONF-V1\_3-20051027-C) available from the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=526900).
For more information about the parameters used by the w4 APPLICATION configuration service provider and how they are used, see the OMA MMS Conformance Document (OMA-TS-MMS-CONF-V1\_3-20051027-C) available from the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=526900).
## Related topics
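Review bot: the hunk header context "Windows Phone MMS does not support userselectable profiles" shows a dropped non-ASCII hyphen ("user-selectable"); that line sits just outside the visible hunk, so check it in the source file and restore an ASCII hyphen. The OMA link change to https is fine.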


@ -33,23 +33,23 @@ The following image shows the WiFi configuration service provider in tree format
The following list shows the characteristics and parameters.
<a href="" id="wifi"></a>**Device or User profile**
<a href="" id="wifi"></a>**Device or User profile**
For user profile, use ./User/Vendor/MSFT/Wifi path and for device profile, use ./Device/Vendor/MSFT/Wifi path.
<a href="" id="profile"></a>**Profile**
<a href="" id="profile"></a>**Profile**
Identifies the Wi-Fi network configuration. Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the device to connect to that network for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks.
Supported operation is Get.
<a href="" id="-ssid-"></a>***&lt;SSID&gt;***
<a href="" id="-ssid-"></a>***&lt;SSID&gt;***
Specifies the name of the Wi-Fi network (32 bytes maximum) to create, configure, query, or delete. The name is case sensitive and can be represented in ASCII. The SSID is added when the WlanXML node is added. When the SSID node is deleted, then all the subnodes are also deleted.
SSID is the name of network you are connecting to, while Profile name is the name of the Profile which contains the WiFi settings information. If the Profile name is not set right in the MDM SyncML, as per the information in the WiFi settings XML, it could lead to some unexpected errors. For example, &lt;LocURI&gt;./Vendor/MSFT/WiFi/Profile/&lt;*MUST BE NAME OF PROFILE AS PER WIFI XML*&gt;/WlanXml&lt;/LocURI&gt;.
The supported operations are Add, Get, Delete, and Replace.
<a href="" id="wlanxml"></a>**WlanXML**
The XML that describes the network configuration and follows the [WLAN\_profile Schema](http://go.microsoft.com/fwlink/p/?LinkId=325608) on MSDN.
<a href="" id="wlanxml"></a>**WlanXML**
The XML that describes the network configuration and follows the [WLAN\_profile Schema](https://go.microsoft.com/fwlink/p/?LinkId=325608) on MSDN.
Supported operations are Get, Add, Delete, and Replace.
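Review bot: the Profile description runs "connect to that network for example, the SSID ..." with no punctuation before "for example" (a comma or colon is needed), and the SSID entry reads "SSID is the name of network" where "the name of the network" is meant. Minor, but both lines are in the rewritten old/new pairs anyway, so the fix costs nothing extra.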
@ -57,13 +57,13 @@ Value type is chr.
The profile XML must be escaped, as shown in the examples below.
If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](http://go.microsoft.com/fwlink/p/?LinkId=523870).
If it exists in the blob, the **keyType** and **protected** elements must come before **keyMaterial**, as shown in the example in [WPA2-Personal Profile Sample](https://go.microsoft.com/fwlink/p/?LinkId=523870).
> **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](http://go.microsoft.com/fwlink/p/?LinkId=618963).
> **Note**  If you need to specify other advanced conditions, such as specifying criteria for certificates that can be used by the Wi-Fi profile, you can do so by specifying this through the EapHostConfig portion of the WlanXML. For more information, see [EAP configuration](https://go.microsoft.com/fwlink/p/?LinkId=618963).
The supported operations are Add, Get, Delete, and Replace.
<a href="" id="proxy"></a>**Proxy**
<a href="" id="proxy"></a>**Proxy**
Optional. Specifies the configuration of the network proxy. A proxy server host and port can be specified per connection for Windows 10 Mobile. This proxy configuration is only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions will result in failure.
The format is *host:port*, where host can be one of the following:
@ -76,7 +76,7 @@ If it is an IPvFuture address, then it must be specified as an IP literal as "\[
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="disableinternetconnectivitychecks"></a>**DisableInternetConnectivityChecks**
<a href="" id="disableinternetconnectivitychecks"></a>**DisableInternetConnectivityChecks**
Added in Windows 10, version 1511.Optional. Disable the internet connectivity check for the profile.
Value type is chr.
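Review bot: "version 1511.Optional." in the DisableInternetConnectivityChecks description is missing a space after the period; the same joined-sentence defect appears as "lookup.This" in the ProxyWPAD entry in the next hunk.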
@ -86,23 +86,23 @@ Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="proxypacurl"></a>**ProxyPacUrl**
<a href="" id="proxypacurl"></a>**ProxyPacUrl**
Added in Windows 10, version 1607. Optional. Specifies the value of the URL to the Proxy auto-config (PAC) file location. This proxy configuration is only supported in Windows 10 Mobile.
Value type is chr, e.g. http://www.contoso.com/wpad.dat.
<a href="" id="proxywpad"></a>**ProxyWPAD**
<a href="" id="proxywpad"></a>**ProxyWPAD**
Added in Windows 10, version 1607. Optional. When set to true it enables Web Proxy Auto-Discovery Protocol (WPAD) for proxy lookup.This proxy configuration is only supported in Windows 10 Mobile.
Value type is bool.
<a href="" id="wificost"></a>**WiFiCost**
<a href="" id="wificost"></a>**WiFiCost**
Added in Windows 10, next major version. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted.
Supported values:
Supported values:
- 1 - Unrestricted - unlimited connection
- 2 - Fixed - capacity constraints up to a certain data limit
- 2 - Fixed - capacity constraints up to a certain data limit
- 3 - Variable - paid on per byte basic
Supported operations are Add, Get, Replace and Delete. Value type is integer.
@ -156,28 +156,28 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor
The following example shows how to query Wi-Fi profiles installed on an MDM server.
``` syntax
<Get>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/WiFi/Profile</LocURI>
</Target>
</Item>
<Get>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/WiFi/Profile</LocURI>
</Target>
</Item>
</Get>
```
The following example shows the response.
``` syntax
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<Results>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>301</CmdRef>
<Item>
<Source><LocURI>./Vendor/MSFT/WiFi/Profile</LocURI></Source>
<Meta><Format xmlns="syncml:metinf">node</Format></Meta>
<Data>TestWLAN1/TestWLAN2</Data>
</Item>
<Item>
<Source><LocURI>./Vendor/MSFT/WiFi/Profile</LocURI></Source>
<Meta><Format xmlns="syncml:metinf">node</Format></Meta>
<Data>TestWLAN1/TestWLAN2</Data>
</Item>
</Results>
```
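Review bot: none of the changed lines in this hunk (the ProxyPacUrl, ProxyWPAD and WiFiCost anchors, the `Supported values:` list, and both SyncML examples) differ visibly from their old versions, so this 23-line hunk is whitespace-only and contains no link fix. The one http URL in the hunk, the example value `http://www.contoso.com/wpad.dat` on the ProxyPacUrl line, is left untouched; that is consistent with the PR scope, since contoso.com is not a Microsoft property and the string is an illustrative value rather than a link, but confirm the scan mentioned in the PR description does not flag it. While here, `paid on per byte basic` in the WiFiCost list should read `paid on a per-byte basis`.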

View File

@ -15,7 +15,7 @@ ms.date: 06/26/2017
# Enterprise settings, policies, and app management
The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](http://go.microsoft.com/fwlink/p/?LinkId=267526).
The actual management interaction between the device and server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The full description of the OMA DM protocol v1.2 can be found at the [OMA website](https://go.microsoft.com/fwlink/p/?LinkId=267526).
Windows currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client. For the list of available configuration service providers, see [Configuration service provider reference](configuration-service-provider-reference.md).
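Review bot: the `http://` to `https://` change on the OMA website fwlink is the only substantive edit in this hunk and matches the PR description; `go.microsoft.com` is a Microsoft property, so it falls under the policy the PR cites. Nothing else changes, and `ms.date: 06/26/2017` in the hunk header is left as is; decide whether link-only fixes should bump that date or whether it is reserved for content changes.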
