Merged PR 2683: New topic to enable ADMX-backed policies in MDM

windows/client-management/mdm/TOC.md

@@ -6,6 +6,7 @@
 ### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
 ### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
 ## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
+## [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md)
 ## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
 ## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
 ## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)

windows/client-management/mdm/devicemanageability-csp.md

@@ -7,12 +7,15 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 06/19/2017
+ms.date: 08/10/2017
 ---
 
 # DeviceManageability CSP
 
 
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 The DeviceManageability configuration service provider (CSP) is used retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
 
 For performance reasons DeviceManageability CSP directly reads the CSP version from the registry. Specifically, the value csp\_version is used to determine each of the CSP versions. The csp\_version is a value under each of the CSP registration keys. To have consistency on the CSP version, the CSP GetProperty implementation for CFGMGR\_PROPERTY\_SEMANTICTYPE has to be updated to read from the registry as well, so that the both paths return the same information. 
@@ -39,6 +42,8 @@ Added in Windows 10, version 1709. Provider ID of the configuration source.
 <a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/ConfigInfo**  
 Added in Windows 10, version 1709. Configuration information string value set by the configuration source. Recommended to be used during sync session.
 
+The MDM server can query ConfigInfo to determine the settings of the traditional PC management system. The MDM can also configure ConfigInfo with its own device management information.
+
 Data type is string. Supported operations are Add, Get, Delete, and Replace.
 
 <a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**  

windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md

@@ -0,0 +1,300 @@
+---
+title: Enable ADMX-backed policies in MDM
+description: Guide to configuring ADMX-backed policies in MDM
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 08/11/2017
+---
+
+# Enable ADMX-backed policies in MDM
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This is a step-by-step guide to configuring ADMX-backed policies in MDM.
+
+Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. 
+
+Summary of steps to enable a policy:
+-	Find the policy from the list ADMX-backed policies. 
+-	Find the Group Policy related information from the MDM policy description.
+-	Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy.
+-	Create the data payload for the SyncML.
+
+## Enable a policy
+
+1.  Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description.  
+	- GP English name
+    - GP name
+    - GP ADMX file name
+    - GP path
+
+2.  Use the Group Policy Editor to determine whether you need additional information to enable the policy. Run GPEdit.msc
+
+    1. Click **Start**, then in the text box type **gpedit**. 
+
+    2. Under **Best match**, click **Edit group policy** to launch it.  
+       
+       ![GPEdit search](images/admx-gpedit-search.png)
+
+    3. In **Local Computer Policy** navigate to the policy you want to configure.  
+    
+       In this example, navigate to **Administrative Templates >  System > App-V**.
+
+       ![App-V policies](images/admx-appv.png)
+
+    4. Double-click **Enable App-V Client**.  
+
+       The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
+
+       ![Enable App-V client](images/admx-appv-enableapp-vclient.png)
+
+3.  Create the SyncML  to enable the policy that does not require any parameter.  
+
+    In this example you configure **Enable App-V Client** to **Enabled**.
+
+> [!Note]  
+> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
+     
+``` syntax
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Replace>
+      <CmdID>2</CmdID>
+      <Item>
+        <Meta>
+          <Format>chr</Format>
+          <Type>text/plain</Type>
+        </Meta>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppVClient </LocURI>
+        </Target>
+        <Data>&lt;Enabled/&gt;</Data>
+      </Item>
+    </Replace>
+    <Final/>
+  </SyncBody>
+</SyncML>
+```
+
+
+## Enable a policy that requires parameters  
+
+
+1. Create the SyncML  to enable the policy that requires parameters.
+
+    In this example, the policy is in **Administrative Templates >  System > App-V > Publishing**.
+
+    1.  Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
+
+        ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png)
+
+        ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png)
+
+    2.  Find the variable names of the parameters in the ADMX file.
+
+        You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
+
+          ![Publishing server 2 policy description](images/admx-appv-policy-description.png)
+
+    3.  Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
+
+    4.	Search for GP name **Publishing_Server2_policy**.
+
+
+    5.	Under **policy name="Publishing_Server2_Policy"** you can see the \<elements> listed. The text id and enum id represents the data id you need to include in the SyncML data payload. They correspond to the fields you see in GP Editor.
+    
+        Here is the snippet from appv.admx:
+
+    ``` syntax
+    <!--  Publishing Server 2  -->
+    <policy name="Publishing_Server2_Policy" class="Machine" displayName="$(string.PublishingServer2)" 
+            explainText="$(string.Publishing_Server_Help)" presentation="$(presentation.Publishing_Server2)" 
+            key="SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\2">
+      <parentCategory ref="CAT_Publishing" />
+      <supportedOn ref="windows:SUPPORTED_Windows7" />
+      <elements>
+        <text id="Publishing_Server2_Name_Prompt" valueName="Name" required="true"/>
+        <text id="Publishing_Server_URL_Prompt" valueName="URL" required="true"/>
+        <enum id="Global_Publishing_Refresh_Options" valueName="GlobalEnabled">
+          <item displayName="$(string.False)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.True)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>  
+        <enum id="Global_Refresh_OnLogon_Options" valueName="GlobalLogonRefresh">
+          <item displayName="$(string.False)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.True)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>      
+        <decimal id="Global_Refresh_Interval_Prompt" valueName="GlobalPeriodicRefreshInterval" minValue="0" maxValue="31"/>
+        <enum id="Global_Refresh_Unit_Options" valueName="GlobalPeriodicRefreshIntervalUnit">
+          <item displayName="$(string.Hour)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.Day)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>        
+        <enum id="User_Publishing_Refresh_Options" valueName="UserEnabled">
+          <item displayName="$(string.False)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.True)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>
+        <enum id="User_Refresh_OnLogon_Options" valueName="UserLogonRefresh">
+          <item displayName="$(string.False)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.True)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>      
+        <decimal id="User_Refresh_Interval_Prompt" valueName="UserPeriodicRefreshInterval" minValue="0" maxValue="31"/>
+        <enum id="User_Refresh_Unit_Options" valueName="UserPeriodicRefreshIntervalUnit">
+          <item displayName="$(string.Hour)">
+            <value>
+              <decimal value="0"/>
+            </value>
+          </item>
+          <item displayName="$(string.Day)">
+            <value>
+              <decimal value="1"/>
+            </value>
+          </item>
+        </enum>        
+      </elements>
+    </policy>
+    ```
+
+    6.  From the \<elements>  tag, copy all the text id and enum id and create an XML with data id and value fields. The value field contains the configuration settings you would enter in the GP Editor.
+
+        Here is the example XML for Publishing_Server2_Policy :
+        
+    ``` syntax
+    <data id="Publishing_Server2_Name_Prompt" value="Name"/>
+    <data id="Publishing_Server_URL_Prompt" value="http://someuri"/>
+    <data id="Global_Publishing_Refresh_Options" value="1"/>
+    <data id="Global_Refresh_OnLogon_Options" value="0"/>
+    <data id="Global_Refresh_Interval_Prompt" value="15"/>
+    <data id="Global_Refresh_Unit_Options" value="0"/>
+    <data id="User_Publishing_Refresh_Options" value="0"/>
+    <data id="User_Refresh_OnLogon_Options" value="0"/>
+    <data id="User_Refresh_Interval_Prompt" value="15"/>
+    <data id="User_Refresh_Unit_Options" value="1"/>
+    ```    
+
+    7.  Create the SyncML to enable the policy. Payload contains \<enabled/> and name/value pairs.  
+
+        Here is the example for **AppVirtualization/PublishingAllowServer2**:
+        
+> [!Note]  
+> The \<Data> payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type.
+    
+    ``` syntax
+    <?xml version="1.0" encoding="utf-8"?>
+       <SyncML xmlns="SYNCML:SYNCML1.2">
+         <SyncBody>
+           <Replace>
+             <CmdID>2</CmdID>
+             <Item>
+               <Meta>
+                 <Format>chr</Format>
+                 <Type>text/plain</Type>
+               </Meta>
+               <Target>
+                <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
+               </Target>
+               <![CDATA[<enabled/><data id="Publishing_Server2_Name_Prompt" value="name prompt"/><data 
+                 id="Publishing_Server_URL_Prompt" value="URL prompt"/><data 
+                 id="Global_Publishing_Refresh_Options" value="1"/><data 
+                 id="Global_Refresh_OnLogon_Options" value="0"/><data 
+                 id="Global_Refresh_Interval_Prompt" value="15"/><data 
+                 id="Global_Refresh_Unit_Options" value="0"/><data 
+                 id="User_Publishing_Refresh_Options" value="0"/><data 
+                 id="User_Refresh_OnLogon_Options" value="0"/><data 
+                 id="User_Refresh_Interval_Prompt" value="15"/><data 
+                 id="User_Refresh_Unit_Options" value="1"/>]]>
+             </Item>
+           </Replace>
+           <Final/>
+         </SyncBody>
+       </SyncML>
+    ```
+
+
+## Disable a policy
+
+The \<Data> payload is \<disabled/>. Here is an example to disable AppVirtualization/PublishingAllowServer2.
+
+``` syntax
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Replace>
+      <CmdID>2</CmdID>
+      <Item>
+        <Meta>
+          <Format>chr</Format>
+          <Type>text/plain</Type>
+        </Meta>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
+        </Target>
+        <Data>&lt;disabled/&gt;</Data>
+      </Item>
+    </Replace>
+    <Final/>
+  </SyncBody>
+</SyncML>
+```
+
+## Setting a policy to not configured
+
+The \<Data> payload is empty. Here an example to set AppVirtualization/PublishingAllowServer2 to "Not Configured."
+
+``` syntax
+<?xml version="1.0" encoding="utf-8"?>
+<SyncML xmlns="SYNCML:SYNCML1.2">
+  <SyncBody>
+    <Delete>
+      <CmdID>1</CmdID>
+      <Item>
+        <Target>
+          <LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2</LocURI>
+        </Target>
+      </Item>
+    </Delete>
+    <Final/>
+  </SyncBody>
+</SyncML>
+```

windows/client-management/mdm/policy-csp-appvirtualization.md

@@ -702,7 +702,7 @@ User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23, D
 
 <!--StartADMX-->
 ADMX Info:  
--   GP english name: *Publishing Server 2 Settings*
+-   GP English name: *Publishing Server 2 Settings*
 -   GP name: *Publishing_Server2_Policy*
 -   GP path: *Administrative Templates/System/App-V/Publishing*
 -   GP ADMX file name: *appv.admx*

windows/client-management/mdm/understanding-admx-backed-policies.md

@@ -97,7 +97,7 @@ Appv.admx file:
 
 ## <a href="" id="admx-backed-policy-examples"></a>ADMX-backed policy examples
 
-The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use the [Coder’s Toolbox](http://coderstoolbox.net/string/#!encoding=xml&action=encode&charset=us_ascii) online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+The following SyncML examples describe how to set a MDM policy that is defined by an ADMX template, specifically the Publishing_Server2_Policy Group Policy description in the application virtualization ADMX file, appv.admx. Note that the functionality that this Group Policy manages is not important; it is used to illustrate only how an MDM ISV can set an ADMX-backed policy. These SyncML examples illustrate common options and the corresponding SyncML code that can be used for testing your policies. Note that the payload of the SyncML must be XML-encoded; for this XML encoding, you can use favorite online tool. To avoid encoding the payload, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 
 
 ### <a href="" id="enabling-a-policy"></a>Enabling a policy