Merge remote-tracking branch 'refs/remotes/origin/master' into vs-wip-junerelease

This commit is contained in:
LizRoss 2017-05-31 08:23:22 -07:00
commit 182191eb96
580 changed files with 145475 additions and 1038 deletions


@ -398,8 +398,7 @@
"branches_to_filter": [
""
],
"git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/windows-itpro-docs",
"git_repository_branch_open_to_public_contributors": "master",
"git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/win-cpub-itpro-docs",
"skip_source_output_uploading": false,
"need_preview_pull_request": true,
"dependent_repositories": [
@ -424,7 +423,12 @@
"master": [
"Publish",
"Pdf"
],
"msesdemo": [
"Publish",
"Pdf"
]
},
"need_generate_pdf_url_template": true,
"Targets": {


@ -1,6 +1,11 @@
{
"redirections": [
{
"source_path": "education/windows/windows-10-pro-to-pro-edu-upgrade.md",
"redirect_url": "/education/windows/switch-to-pro-education",
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md",
"redirect_url": "/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune",
"redirect_document_id": false
@ -62,27 +67,27 @@
},
{
"source_path": "devices/surface-hub/i-am-done-finishing-your-surface-hub-meeting.md",
"redirect_url": "/itpro/surface-hub/finishing-your-surface-hub-meeting",
"redirect_url": "/surface-hub/finishing-your-surface-hub-meeting",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/provisioning-packages-for-certificates-surface-hub.md",
"redirect_url": "/itpro/surface-hub/provisioning-packages-for-surface-hub",
"redirect_url": "/surface-hub/provisioning-packages-for-surface-hub",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/manage-settings-with-local-admin-account-surface-hub.md",
"redirect_url": "/itpro/surface-hub/admin-group-management-for-surface-hub",
"redirect_url": "/surface-hub/admin-group-management-for-surface-hub",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/surface-hub-administrators-guide.md",
"redirect_url": "/itpro/surface-hub/index",
"redirect_url": "/surface-hub/index",
"redirect_document_id": true
},
{
"source_path": "devices/surface-hub/intro-to-surface-hub.md",
"redirect_url": "/itpro/surface-hub/index",
"redirect_url": "/surface-hub/index",
"redirect_document_id": false
},
{


@ -20,7 +20,7 @@
###[Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md)
##[Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md)
##[Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md)
###[What is Enterprise Mode?](ie11-deploy-guide/what-is-enterprise-mode.md)
###[Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md)
###[Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md)
###[Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md)
###[Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md)
@ -40,6 +40,18 @@
####[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md)
####[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
####[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md)
###[Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md)
####[Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md)
#####[Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md)
#####[Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md)
####[Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md)
#####[Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md)
#####[Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md)
#####[Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md)
#####[Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md)
#####[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md)
#####[View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md)
#####[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md)
###[Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md)
###[Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md)
###[Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md)


@ -0,0 +1,64 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to add employees to the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Add employees to the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Add employees to the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
After you get the Enterprise Mode Site List Portal up and running, you must add your employees. During this process, you'll also assign roles and groups.
The available roles are:
- **Requester.** The primary role to assign to employees that need to access the Enterprise Mode Site List Portal. The Requester can create change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal change requests, and sign off and close personal change requests.
- **App Manager.** This role is considered part of the Approvers group. The App Manager can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
- **Group Head.** This role is considered part of the Approvers group. The Group Head can approve change requests, validate changes in the pre-production environment, rollback pre-production and production changes in case of failure, send personal approval requests, view personal requests, and sign off and close personal requests.
- **Administrator.** The role with the highest-level rights; we recommend limiting the number of employees you grant this role. The Administrator can perform any task that can be performed by the other roles, in addition to adding employees to the portal, assigning employee roles, approving registrations to the portal, configuring portal settings (for example, determining the freeze schedule, determining the pre-production and production XML paths, and determining the attachment upload location), and using the standalone Enterprise Mode Site List Manager page.
**To add an employee to the Enterprise Mode Site List Portal**
1. Open the Enterprise Mode Site List Portal and click the **Employee Management** icon in the upper-right area of the page.
The **Employee management** page appears.
2. Click **Add a new employee**.
The **Add a new employee** page appears.
3. Fill out the fields for each employee, including:
- **Email.** Add the employee's email address.
- **Name.** This box autofills based on the email address.
- **Role.** Pick a single role for the employee, based on the list above.
- **Group name.** Pick the name of the employee's group. The group association also assigns a group of Approvers.
- **Comments.** Add optional comments about the employee.
- **Active.** Click the check box to make the employee active in the system. If you want to keep the employee in the system, but you want to prevent access, clear this check box.
4. Click **Save**.
**To export all employees to an Excel spreadsheet**
1. On the **Employee management** page, click **Export to Excel**.
2. Save the EnterpriseModeUsersList.xlsx file.
The Excel file includes all employees with access to the Enterprise Mode Site List Portal, including user name, email address, role, and group name.


@ -0,0 +1,58 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how Approvers can approve open change requests in the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Approve a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Approve a change request using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
After a change request is successfully submitted to the pre-defined Approver(s), employees granted the role of **App Manager**, **Group Head**, or **Administrator**, they must approve the changes.
## Approve or reject a change request
The Approvers get an email stating that a Requester successfully opened, tested, and submitted the change request to the Approvers group. The Approvers can accept or reject a change request.
**To approve or reject a change request**
1. The Approver logs onto the Enterprise Mode Site List Portal, **All Approvals** page.
The Approver can also get to the **All Approvals** page by clicking **Approvals Pending** from the left pane.
2. The Approver clicks the expander arrow (**\/**) to the right side of the change request, showing the list of Approvers and the **Approve** and **Reject** buttons.
3. The Approver reviews the change request, making sure it's correct. If the info is correct, the Approver clicks **Approve** to approve the change request. If the info seems incorrect, or if the app shouldn't be added to the site list, the Approver clicks **Reject**.
An email is sent to the Requester, the Approver(s) group, and the Administrator(s) group, with the updated status of the request.
## Send a reminder to the Approver(s) group
If the change request is sitting in the approval queue for too long, the Requester can send a reminder to the group.
- From the **My Approvals** page, click the checkbox next to the name of each Approver to be reminded, and then click **Send reminder**.
An email is sent to the selected Approver(s).
## View rejected change requests
The original Requester, the Approver(s) group, and the Administrator(s) group can all view the rejected change request.
**To view the rejected change request**
- In the Enterprise Mode Site List Portal, click **Rejected** from the left pane.
All rejected change requests appear, with role assignment determining which ones are visible.
## Next steps
After an Approver approves the change request, it must be scheduled for inclusion in the production Enterprise Mode Site List. For the scheduling steps, see the [Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md) topic.


@ -12,6 +12,11 @@ author: eross-msft
# Change history for Internet Explorer 11
This topic lists new and updated topics in the Internet Explorer 11 documentation for both Windows 10 and Windows 10 Mobile.
## April 2017
|New or changed topic | Description |
|----------------------|-------------|
|[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md)|Updates to the Enterprise Mode section to include info about the Enterprise Mode Site List Portal. |
## March 2017
|New or changed topic | Description |
|----------------------|-------------|


@ -0,0 +1,93 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how the Administrator can use the Settings page to set up Groups and roles, the Enterprise Mode Site List Portal environment, and the freeze dates for production changes.
author: eross-msft
ms.prod: ie11
title: Use the Settings page to finish setting up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Use the Settings page to finish setting up the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
The **Settings** page lets anyone with Administrator rights set up groups and roles, set up the Enterprise Mode Site List Portal environment, and choose the freeze dates for production changes.
## Use the Environment settings area
This area lets you specify the location of your production and pre-production environments, where to store your attachments, your settings location, and the website domain for email notifications.
**To add location info**
1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
The **Settings** page appears.
2. In the **Environment settings** area of the page, provide the info for your **Pre-production environment**, your **Production environment**, your **Attachments location**, your **Settings location**, and your **Website domain for email notifications**.
3. Click **Credentials** to add the appropriate domain, user name, and password for each location, and then click **OK**.
## Use the Group and role settings area
After you set up your email credentials, you'll be able to add or edit your Group info, along with picking which roles must be Approvers for the group.
**To add a new group and determine the required change request Approvers**
1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
The **Settings** page appears.
2. In the **Group and role settings** area of the page, click **Group details**.
The **Add or edit group names** box appears.
3. Click the **Add group** tab, and then add the following info:
- **New group name.** Type name of your new group.
- **Group head email.** Type the email address for the primary contact for the group.
- **Group head name.** This box automatically fills, based on the email address.
- **Active.** Click the check box to make the group active in the system. If you want to keep the group in the system, but you want to prevent access, clear this check box.
4. Click **Save**.
**To set a group's required Approvers**
1. In the **Group and role settings** area of the page, choose the group name you want to update with Approvers from the **Group name** box.
2. In the **Required approvers** area, choose which roles are required to approve a change request for the group. You can choose one or many roles.
- **App Manager.** All employees in the selected group must get change request approval by someone assigned this role.
You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
- **Group Head.** All employees in the selected group must get change request approval by someone assigned this role.
You can change the name of this role by clicking the pencil icon and providing a new name in the **Edit role name** box.
- **Administrator.** All employees in the selected group must get change request approval by someone assigned this role.
## Use the Freeze production changes area
This optional area lets you specify a period when your employees must stop adding changes to the current Enterprise Mode Site List. This must include both a start and an end date.
**To add the start and end dates**
1. Open the Enterprise Mode Site List Portal and click the **Settings** icon in the upper-right area of the page.
The **Settings** page appears.
2. In the **Freeze production changes** area of the page, use the calendars to provide the **Freeze start date** and the **Freeze end date**. Your employees can't add apps to the production Enterprise Mode Site List during this span of time.
3. Click **Save**.
## Related topics
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)


@ -0,0 +1,69 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to create a change request within the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Create a change request using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Create a change request using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Employees assigned to the Requester role can create a change request. A change request is used to tell the Approvers and the Administrator that a website needs to be added or removed from the Enterprise Mode Site List. The employee can navigate to each stage of the process by using the workflow links provided at the top of each page of the portal.
>[!Important]
>Each Requester must have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
**To create a new change request**
1. The Requester (an employee that has been assigned the Requester role) signs into the Enterprise Mode Site List Portal, and clicks **Create new request**.
The **Create new request** page appears.
2. Fill out the required fields, based on the group and the app, including:
- **Group name.** Select the name of your group from the dropdown box.
- **App name.** Type the name of the app you want to add, delete, or update in the Enterprise Mode Site List.
- **Search all apps.** If you can't remember the name of your app, you can click **Search all apps** and search the list.
- **Add new app.** If your app isn't listed, you can click **Add new app** to add it to the list.
- **Requested by.** Automatically filled in with your name.
- **Description.** Add descriptive info about the app.
- **Requested change.** Select whether you want to **Add to EMIE**, **Delete from EMIE**, or **Update to EMIE**.
- **Reason for request.** Select the best reason for why you want to update, delete, or add the app.
- **Business impact (optional).** An optional area where you can provide info about the business impact of this app and the change.
- **App location (URL).** The full URL location to the app, starting with http:// or https://.
- **App best viewed in.** Select the best browser experience for the app. This can be Internet Explorer 5 through Internet Explorer 11 or one of the IE7Enterprise or IE8Enterprise modes.
- **Is an x-ua tag used?** Select **Yes** or **No** whether an x-ua-compatible tag is used by the app. For more info about x-ua-compatible tags, see the topics in [Defining document compatibility](https://msdn.microsoft.com/en-us/library/cc288325(v=vs.85).aspx).
4. Click **Save and continue** to save the request and get the app info sent to the pre-production environment site list for testing.
A message appears that the request was successful, including a **Request ID** number, saying that the change is being made to the pre-production environment site list.
5. The Requester gets an email with a batch script, that when run, configures their test machine for the pre-production environment, along with the necessary steps to make sure the changed info is correct.
- **If the change is correct.** The Requester asks the approvers to approve the change request by selecting **Successful** and clicking **Send for approval**.
- **If the change is incorrect.** The Requester can rollback the change in pre-production or ask for help from the Administrator.
## Next steps
After the change request is created, the Requester must make sure the suggested changes work in the pre-production environment. For these steps, see the [Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md) topic.


@ -2,7 +2,7 @@
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company.
description: Use the topics in this section to learn how to set up and use Enterprise Mode, Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal for your company.
author: eross-msft
ms.prod: ie11
ms.assetid: d52ba8ba-b3c7-4314-ba14-0610e1d8456e
@ -26,7 +26,7 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an
## In this section
|Topic |Description |
|---------------------------------------------------------------|-----------------------------------------------------------------------------------|
|[What is Enterprise Mode?](what-is-enterprise-mode.md) |Includes descriptions of the features of Enterprise Mode. |
|[Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)|Includes descriptions of the features of Enterprise Mode. |
|[Set up Enterprise Mode logging and data collection](set-up-enterprise-mode-logging-and-data-collection.md) |Guidance about how to turn on local control of Enterprise Mode and how to use ASP or the GitHub sample to collect data from your local computers. |
|[Turn on Enterprise Mode and use a site list](turn-on-enterprise-mode-and-use-a-site-list.md) |Guidance about how to turn on Enterprise Mode and set up a site list, using Group Policy or the registry. |
|[Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md) |Guidance about how to write the XML for your site list, including what not to include, how to use trailing slashes, and info about how to target specific sites. |
@ -34,6 +34,7 @@ Use the topics in this section to learn how to set up and use Enterprise Mode an
|[Check for a new Enterprise Mode site list xml file](check-for-new-enterprise-mode-site-list-xml-file.md) |Guidance about how the Enterprise Mode functionality looks for your updated site list. |
|[Turn on local control and logging for Enterprise Mode](turn-on-local-control-and-logging-for-enterprise-mode.md) |Guidance about how to turn on local control of Enterprise Mode, using Group Policy or the registry.|
|[Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) |Guidance about how to use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
|[Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) |Guidance about how to set up and use the Enterprise Mode Site List Manager, including how to add and update sites on your site list. |
|[Using Enterprise Mode](using-enterprise-mode.md) |Guidance about how to turn on either IE7 Enterprise Mode or IE8 Enterprise Mode. |
|[Fix web compatibility issues using document modes and the Enterprise Mode Site List](fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) |Guidance about how to decide and test whether to use document modes or Enterprise Mode to help fix compatibility issues. |
|[Remove sites from a local Enterprise Mode site list](remove-sites-from-a-local-enterprise-mode-site-list.md) |Guidance about how to remove websites from a device's local Enterprise Mode site list. |


@ -33,7 +33,7 @@ Because this content isn't intended to be a step-by-step guide, not all of the s
|[List of updated features and tools - Internet Explorer 11 (IE11)](updated-features-and-tools-with-ie11.md) |IE11 includes several new features and tools. This topic includes high-level info about the each of them. |
|[Install and Deploy Internet Explorer 11 (IE11)](install-and-deploy-ie11.md) |Use the topics in this section to learn how to customize your Internet Explorer installation package, how to choose the right method for installation, and how to deploy IE into your environment. You can also find more info about your virtualization options for legacy apps. |
|[Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md) |Use IE to collect data on computers running Windows Internet Explorer 8 through IE11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. |
|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode and the Enterprise Mode Site List Manager in your company. |
|[Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) |Use the topics in this section to learn how to set up and use Enterprise Mode, the Enterprise Mode Site List Manager, and the Enterprise Mode Site List Portal in your company. |
|[Group Policy and Internet Explorer 11 (IE11)](group-policy-and-ie11.md) |Use the topics in this section to learn about Group Policy and how to use it to manage IE. |
|[Manage Internet Explorer 11](manage-ie11-overview.md) |Use the topics in this section to learn about how to auto detect your settings, auto configure your configuration settings, and auto configure your proxy configuration settings for IE. |
|[Troubleshoot Internet Explorer 11 (IE11)](troubleshoot-ie11.md) |Use the topics in this section to learn how to troubleshoot several of the more common problems experienced with IE. |


@ -0,0 +1,49 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how Administrators can schedule approved change requests for production in the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Schedule approved change requests for production using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Schedule approved change requests for production using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
After a change request is approved, the original Requester can schedule the change for the production environment. The change can be immediate or set for a future time.
**To schedule an immediate change**
1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
2. The Requester clicks the **Approved** status for the change request.
The **Schedule changes** page appears.
3. The Requester clicks **Now**, and then clicks **Save**.
The update is scheduled to immediately update the production environment, and an email is sent to the Requester. After the update finishes, the Requester is asked to verify the changes.
**To schedule the change for a different day or time**
1. The Requester logs onto the Enterprise Mode Site List Portal and clicks **In Progress** from the left pane.
2. The Requester clicks the **Approved** status for the change request.
The **Schedule changes** page appears.
3. The Requester clicks **Schedule**, sets the **Preferred day**, **Preferred start time**, and the **Preferred end time**, and then clicks **Save**.
The update is scheduled to update the production environment on that day and time and an email is sent to the Requester. After the update finishes, the Requester will be asked to verify the changes.
## Next steps
After the update to the production environment completes, the Requester must again test the change. If the testing succeeds, the Requester can sign off on the change request. If the testing fails, the Requester can contact the Administrator group for more help. For the production environment testing steps, see the [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md) topic.


@ -0,0 +1,231 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to set up the Enterprise Mode Site List Portal for your organization.
author: eross-msft
ms.prod: ie11
title: Set up the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Set up the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
Before you can begin using the Enterprise Mode Site List Portal, you must set up your environment.
## Step 1 - Copy the deployment folder to the web server
You must download the deployment folder (**EMIEWebPortal/**), which includes all of the source code for the website, from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) site to your web server.
**To download the source code**
1. Download the deployment folder from the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) source code to your web server.
2. Install the Node.js® package manager, [npm](https://www.npmjs.com/).
>[!Note]
>You need to install the npm package manager to replace all the third-party libraries we removed to make the Enterprise Mode Site List Portal open-source.
3. Open File Explorer and then open the **EMIEWebPortal/** folder.
4. Press and hold **Shift**, right-click the window, then click **Open PowerShell window here**.
5. Type _npm i_ into the command prompt, then press **Enter**.
Installs the npm package manager and bulk adds all the third-party libraries back into your codebase.
6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution.
7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
## Step 2 - Create the Application Pool and website, by using IIS
Create a new Application Pool and the website, by using the IIS Manager.
**To create a new Application Pool**
1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Application Pools**, then click **Add Application Pool**.
The **Add Application Pool** box appears.
2. In the **Add Application Pool** box, enter the following info:
- **Name.** Type the name of your new application pool. For example, _EMIEWebAppPool_.
- **.NET CLR version.** Pick the version of .NET CLR used by your application pool from the drop-down box. It must be version 4.0 or higher.
- **Managed pipeline mode.** Pick **Integrated** from the drop-down box. IIS uses the integrated IIS and ASP.NET request-processing pipeline for managed content.
3. Click **OK**.
4. Select your new application pool from the **Application Pool** pane, click **Advanced Settings** from the **Edit Application Pool** area of the **Actions** pane.
The **Advanced Settings** box appears.
5. Make sure your **Identity** value is **ApplicationPoolIdentity**, click **OK**, and then close the box.
6. Open File Explorer and go to your deployment directory, created in Step 1. For example, _D:\EMIEWebApp_.
7. Right-click on the directory, click **Properties**, and then click the **Security** tab.
8. Add your new application pool to the list (for example, _IIS AppPool\EMIEWebAppPool_) with **Full control access**, making sure the location searches the local computer.
9. Add **Everyone** to the list with **Read & execute access**.
**To create the website**
1. In IIS Manager, expand your local computer in the **Connections** pane, right-click **Sites**, then click **Add Website**.
The **Add Website** box appears.
2. In the **Add Website** box, type the name of your website into the **Site name** box. For example, _EMIEWebApp_, and then click **Select**.
The **Select Application Pool** box appears.
4. Pick the name of the application pool created earlier in this step, and then click **OK**. For example, _EMIEWebAppPool_.
5. In the **Physical path** box, browse to your folder that contains your deployment directory. For example, _D:\EMIEWebApp_.
6. Set up your **Binding**, including your **Binding Type**, **IP address**, and **Port**, as appropriate for your organization.
7. Clear the **Start Website immediately** check box, and then click **OK**.
8. In IIS Manager, expand your local computer, and then double-click your new website. For example, _EMIEWebApp_.
The **<<i>website_name</i>> Home** pane appears.
9. Double-click the **Authentication** icon, right-click on **Windows Authentication**, and then click **Enable**.
>[!Note]
>You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
10. Return to the **<<i>website_name</i>> Home** pane, and double-click the **Connection Strings** icon.
11. Open the **LOBMergedEntities Connection String** to edit:
- **Data source.** Type the name of your local computer.
- **Initial catalog.** The name of your database.
>[!Note]
>Step 3 of this topic provides the steps to create your database.
## Step 3 - Create and prep your database
Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
**To create and prep your database**
1. Start SQL Server Management Studio.
2. Open **Object Explorer** and then connect to an instance of the SQL Server Database Engine.
3. Expand the instance, right-click on **Databases**, and then click **New Database**.
4. Type a database name. For example, _EMIEDatabase_.
5. Leave all default values for the database files, and then click **OK**.
6. Open the **DatabaseScripts/Create DB Tables/1_CreateEMIETables.sql** query file, located in the deployment directory.
7. Replace the database name placeholder with the database name you created earlier. For example, _EMIEDatabase_.
8. Run the query.
## Step 4 - Map your Application Pool to a SQL Server role
Map your ApplicationPoolIdentity to your database, adding the db_owner role.
**To map your ApplicationPoolIdentity to a SQL Server role**
1. Start SQL Server Management Studio and connect to your database.
2. Expand the database instance and then open the server-level **Security** folder.
> [!IMPORTANT]
> Make sure you open the **Security** folder at the server level and not for the database.
3. Right-click **Logins**, and then click **New Login**.
The **Login-New** dialog box appears.
4. Type the following into the **Login name** box, based on your server instance type:
- **Local SQL Server instance.** If you have a local SQL Server instance, where IIS and SQL Server are on the same server, type the name of your Application Pool. For example, _IIS AppPool\EMIEWebAppPool_.
- **Remote SQL Server instance.** If you have a remote SQL Server instance, where IIS and SQL Server are on different servers, type `Domain\ServerName$`.
> [!IMPORTANT]
> Don't click **Search** in the **Login name** box. Login name searches will resolve to a ServerName\AppPool Name account and SQL Server Management Studio won't be able to resolve the account's virtual Security ID (SID).
5. Click **User Mapping** from the **Select a page** pane, click the checkbox for your database (for example, _EMIEDatabase_) from the **Users mapped to this login** pane, and then click **db_owner** from the list of available roles in the **Database role membership** pane.
6. Click **OK**.
## Step 5 - Restart the Application Pool and website
Using the IIS Manager, you must restart both your Application Pool and your website.
**To restart your Application Pool and website**
1. In IIS Manager, expand your local computer in the **Connections** pane, select your website, then click **Restart** from the **Manage Website** pane.
2. In the **Connections** pane, select your Application Pool, and then click **Recycle** from the **Application Pool Tasks** pane.
## Step 6 - Registering as an administrator
After you've created your database and website, you'll need to register yourself (or another employee) as an administrator for the Enterprise Mode Site List Portal.
**To register as an administrator**
1. Open Microsoft Edge and type your website URL into the Address bar. For example, http://emieportal:8085.
2. Click **Register now**.
3. Type your name or alias into the **Email** box, making sure it matches the info in the drop-down box.
4. Click **Administrator** from the **Role** box, and then click **Save**.
5. Append your website URL with `/#/EMIEAdminConsole` in the Address bar to go to your administrator console. For example, http://emieportal:8085/#/EMIEAdminConsole.
A dialog box appears, prompting you for the system user name and password. The default user name is EMIEAdmin and the default password is Admin123. We strongly recommend that you change the password by using the **Change password** link as soon as you're done with your first visit.
6. Select your name from the available list, and then click **Activate**.
7. Go to the Enterprise Mode Site List Portal Home page and sign in.
## Step 7 - Configure the SMTP server and port for email notification
After you've set up the portal, you need to configure your SMTP server and port for email notifications from the system.
**To set up your SMTP server and port for emails**
1. Open Visual Studio, and then open the web.config file from your deployment directory.
2. Update the SMTP server and port info with your info, using this format:
```
<add key="host" value="SMTPHOST.corp.contoso.com"/>
<add key="port" value="2500"/>
```
3. Open the **Settings** page in the Enterprise Mode Site List Portal, and then update the email account and password info.
## Step 8 - Register the scheduler service
Register the EMIEScheduler tool and service for production site list changes.
**To register the scheduler service**
1. Open File Explorer and go to EMIEWebPortal.SchedulerService\EMIEWebPortal.SchedulerService in your deployment directory, and then copy the **App_Data**, **bin**, and **Logs** folders to a separate folder. For example, C:\EMIEService\.
>[!Important]
>If you can't find the **bin** and **Logs** folders, you probably haven't built the Visual Studio solution. Building the solution creates the folders and files.
2. In Visual Studio start the Developer Command Prompt as an administrator, and then change the directory to the location of the InstallUtil.exe file. For example, _C:\Windows\Microsoft.NET\Framework\v4.0.30319_.
3. Run the command, `InstallUtil "<path_to_service>"`. For example, _InstallUtil "C:\EMIEService\bin\Debug\EMIEWebPortal.SchedulerService.exe"._
You'll be asked for your user name and password for the service.
4. Open the **Run** command, type `Services.msc`, and then start the EMIEScheduler service.
## Related topics
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)


@ -0,0 +1,79 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Use the topics in this section to learn about how to use the Enterprise Mode Site List Portal.
ms.prod: ie11
title: Use the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Use the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Enterprise Mode is a compatibility mode that runs on Internet Explorer 11, letting websites render using a modified browser configuration thats designed to emulate either Windows Internet Explorer 8 or Windows Internet Explorer 7, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
The Enterprise Mode Site List Portal is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management. Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
You can use IE11 and the Enterprise Mode Site List Portal to manage your Enterprise Mode Site List, hosted by the app, with multiple users.
## Minimum system requirements for portal and test machines
Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
|Item |Description |
|-----|------------|
|Operating system |Windows 7 or later |
|Memory |16 GB RAM |
|Hard drive space |At least 8 GB of free space, formatted using the NTFS file system for better security |
|Active Directory (AD) |Devices must be domain-joined |
|SQL Server |Microsoft SQL Server Enterprise Edition 2012 or later |
|Visual Studio |Visual Studio 2015 or later |
|Node.js® package manager |npm Developer version or higher |
|Additional server infrastructure |Internet Information Service (IIS) 6.0 or later |
## Role assignments and available actions
Admins can assign roles to employees for the Enterprise Mode Site List Portal, allowing the employees to perform specific actions, as described in this table.
|Role assignment |Available actions |
|----------------|------------------|
|Requester |<ul><li>Create a change request</li><br><br><li>Validate changes in the pre-production environment</li><br><br><li>Rollback pre-production and production changes in case of failure</li><br><br><li>Send approval requests</li><br><br><li>View own requests</li><br><br><li>Sign off and close own requests</li></ul> |
|Approver<br><br>(includes the App Manager and Group Head roles) |<ul><li>All of the Requester actions, plus:</li><br><br><li>Approve requests</li></ul> |
|Administrator |<ul><li>All of the Requester and Approver actions, plus:</li><br><br><li>Add employees to the portal</li><br><br><li>Assign employee roles</li><br><br><li>Approve registrations to the portal</li><br><br><li>Configure portal settings (for example, determine the freeze schedule, determine the pre-production and production XML paths, and determine the attachment upload location)</li><br><br><li>Use the standalone Enterprise Mode Site List Manager page</li><br><br><li>View reports</li></ul> |
## Enterprise Mode Site List Portal workflow by employee role
The following workflow describes how to use the Enterprise Mode Site List Portal.
1. [The Requester submits a change request for an app](create-change-request-enterprise-mode-portal.md)
2. [The Requester tests the change request info, verifying its accuracy](verify-changes-preprod-enterprise-mode-portal.md)
3. [The Approver(s) group accepts the change request](approve-change-request-enterprise-mode-portal.md)
4. [The Requester schedules the change for the production environment](schedule-production-change-enterprise-mode-portal.md)
5. [The change is verified against the production site list and signed off](verify-changes-production-enterprise-mode-portal.md)
## Related topics
- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
- [Workflow-based processes for employees using the Enterprise Mode Site List Portal](workflow-processes-enterprise-mode-portal.md)
- [How to use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
 
 


@ -0,0 +1,66 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to make sure your change request info is accurate within the pre-production environment of the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Verify your changes using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Verify your changes using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
>[!Important]
>This step requires that each Requester have access to a test machine with Administrator rights, letting him or her get to the pre-production environment to make sure that the requested change is correct.
The Requester successfully submits a change request to the Enterprise Mode Site List Portal and then gets an email, including:
- **EMIE_RegKey**. A batch file that when run, sets the registry key to point to the local pre-production Enterprise Mode Site List.
- **Test steps**. The suggested steps about how to test the change request details to make sure they're accurate in the pre-production environment.
- **EMIE_Reset**. A batch file that when run, reverts the changes made to the pre-production registry.
## Verify and send the change request to Approvers
The Requester tests the changes and then goes back into the Enterprise Mode Site List Portal, **Pre-production verification** page to verify whether the testing was successful.
**To verify changes and send to the Approver(s)**
1. On the **Pre-production verification** page, the Requester clicks **Successful** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
2. The Requester reviews the pre-defined Approver(s), and then clicks **Send for approval**.
The Requester, the Approver group, and the Administrator group all get an email, stating that the change request is waiting for approval.
**To rollback your pre-production changes**
1. On the **Pre-production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the change request and testing results.
2. Add a description about the issue into the **Issue description** box, and then click **Send failure details**.
The change request and issue info are sent to the Administrators.
3. The Requester clicks **Roll back** to roll back the changes in the pre-production environment.
After the Requester rolls back the changes, the request can be updated and re-submitted.
## View rolled back change requests
The original Requester and the Administrator(s) group can view the rolled back change requests.
**To view the rolled back change request**
- In the Enterprise Mode Site List Portal, click **Rolled back** from the left pane.
All rolled back change requests appear, with role assignment determining which ones are visible.
## Next steps
If the change request is certified as successful, the Requester must next send it to the Approvers for approval. For the Approver-related steps, see the [Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md) topic.


@ -0,0 +1,41 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how the Requester makes sure that the change request update is accurate within the production environment using the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Verify the change request update in the production environment using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Verify the change request update in the production environment using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
## Verify and sign off on the update in the production environment
The Requester tests the changes in the production environment and then goes back into the Enterprise Mode Site List Portal, **Production verification** page to verify whether the testing was successful.
**To verify the changes and sign off**
- On the **Production verification** page, the Requester clicks **Successful**, optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results, optionally includes a description of the change, and then clicks **Sign off**.
The Requester, Approver group, and Administrator group all get an email, stating that the change request has been signed off.
**To rollback production changes**
1. On the **Production verification** page, the Requester clicks **Failed** and optionally includes any attachments (only .jpeg, .png, .jpg and .txt files are allowed) to support the testing results.
2. Add a description about the issue into the **Change description** box, and then click **Send failure details**.
The info is sent to the Administrators.
3. The Requester clicks **Roll back** to roll back the changes in the production environment.
After the Requester rolls back the changes, the request is automatically handled in the production and pre-production environment site lists.


@ -0,0 +1,37 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how to view the active Enterprise Mode Site List from the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# View the apps included in the active Enterprise Mode Site List from the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Any employee with access to the Enterprise Mode Site List Portal can view the apps included in the current Enterprise Mode Site List.
**To view the active Enterprise Mode Site List**
1. Open the Enterprise Mode Site List Portal and click the **Production sites list** icon in the upper-right area of the page.
The **Production sites list** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
2. Click any URL to view the actual site, using the compatibility mode and opening in the correct browser.
**To export the active Enterprise Mode Site List**
1. On the **Production sites list** page, click **Export**.
2. Save the ProductionSiteList.xlsx file.
The Excel file includes all apps in the current Enterprise Mode Site List, including URL, compatibility mode, and assigned browser.


@ -0,0 +1,49 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Details about how an Administrator can view the available Enterprise Mode reports from the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: View the available Enterprise Mode reports from the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# View the available Enterprise Mode reports from the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Administrators can view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal.
**To view the reports**
1. Open the Enterprise Mode Site List Portal and click the **Enterprise Mode reports** icon in the upper-right area of the page.
The **Enterprise Mode reports** page appears, with each app showing its URL, the compatibility mode to use, and the assigned browser to open the site.
2. Use the calendars to provide the **From date** and **To date**, determining the span of time the report covers.
3. Click **Apply**.
The reports all change to reflect the appropriate timeframe and group, including:
- **Total number of websites in the site list.** A box at the top of the reports page that tells you the total number of websites included in the Enterprise Mode Sit List.
- **All websites by docmode.** Shows how many change requests exist, based on the different doc modes included in the **App best viewed in** field.
- **All websites by browser.** Shows how many apps require which browser, including **IE11**, **MSEdge**, or **None**.
- **All requests by status.** Shows how many change requests exist, based on each status.
- **All requests by change type.** Shows how many change requests exist, based on the **Requested change** field.
- **Request status by group.** Shows how many change requests exist, based on both group and status.
- **Reasons for request.** Shows how many change request reasons exist, based on the **Reason for request** field.
- **Requested changes by app name.** Shows what specific apps were **Added to site list**, **Deleted from site list**, or **Updated from site list**.


@ -6,12 +6,12 @@ description: Info about the features included in Enterprise Mode with Internet E
author: eross-msft
ms.prod: ie11
ms.assetid: 3c77e9f3-eb21-46d9-b5aa-f9b2341cfefa
title: What is Enterprise Mode (Internet Explorer 11 for IT Pros)
title: Enterprise Mode and the Enterprise Mode Site List (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# What is Enterprise Mode?
# Enterprise Mode and the Enterprise Mode Site List
**Applies to:**
@ -21,28 +21,146 @@ ms.sitesec: library
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 8.1 Update and Windows 7 devices, lets websites render using a modified browser configuration thats designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
Internet Explorer and Microsoft Edge can work together to support your legacy web apps, while still defaulting to the higher bar for security and modern experiences enabled by Microsoft Edge. Working with multiple browsers can be difficult, particularly if you have a substantial number of internal sites. To help manage this dual-browser experience, we are introducing a new web tool specifically targeted towards larger organizations: the [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal).
Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to the latest version of IE. In particular, IE11 lets customers benefit from modern web standards, increased performance, improved security, and better reliability.
## Available dual-browser experiences
Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment:
## Enterprise Mode features
- Use Microsoft Edge as your primary browser.
- Use Microsoft Edge as your primary browser and use Enterprise Mode to open sites in Internet Explorer 11 (IE11) that use IE proprietary technologies.
- Use Microsoft Edge as your primary browser and open all intranet sites in IE11.
- Use IE11 as your primary browser and use Enterprise Mode to open sites in Microsoft Edge that use modern web technologies.
For more info about when to use which option, and which option is best for you, see the [Continuing to make it easier for Enterprise customers to upgrade to Internet Explorer 11 — and Windows 10](https://blogs.windows.com/msedgedev/2015/11/23/windows-10-1511-enterprise-improvements) blog.
## What is Enterprise Mode?
Enterprise Mode, a compatibility mode that runs on Internet Explorer 11 on Windows 10 devices, lets websites render using a modified browser configuration thats designed to emulate either Windows Internet Explorer 7 or Windows Internet Explorer 8, avoiding the common compatibility problems associated with web apps written and tested on older versions of Internet Explorer.
Many customers identify web app compatibility as a significant cost to upgrading because web apps need to be tested and upgraded before adopting a new browser. The improved compatibility provided by Enterprise Mode can help give customers confidence to upgrade to IE11, letting customers benefit from modern web standards, increased performance, improved security, and better reliability.
### Enterprise Mode features
Enterprise Mode includes the following features:
- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting a number of site patterns that arent currently supported by existing document modes.
- **Improved web app and website compatibility.** Through improved emulation, Enterprise Mode lets many legacy web apps run unmodified on IE11, supporting several site patterns that arent currently supported by existing document modes.
- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode. <p>
- **Tool-based management for website lists.** Use the Enterprise Mode Site List Manager to add website domains and domain paths and to specify whether a site renders using Enterprise Mode.
Download the [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853) or the [Enterprise Mode Site List Manager (schema v.1)](https://go.microsoft.com/fwlink/p/?LinkID=394378), based on your operating system and schema.
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the **Tools** menu and to decide whether the Enterprise browser profile appears on the **Emulation** tab of the F12 developer tools.<p>**Important**<br>All centrally-made decisions override any locally-made choices. 
- **Centralized control.** You can specify the websites or web apps to interpret using Enterprise Mode, through an XML file on a website or stored locally. Domains and paths within those domains can be treated differently, allowing granular control. Use Group Policy to let users turn Enterprise Mode on or off from the Tools menu and to decide whether the Enterprise browser profile appears on the Emulation tab of the F12 developer tools.
>[!Important]
>All centrally-made decisions override any locally-made choices.
- **Integrated browsing.** When Enterprise Mode is set up, users can browse the web normally, letting the browser change modes automatically to accommodate Enterprise Mode sites.
- **Data gathering.** You can configure Enterprise Mode to collect local override data, posting back to a named server. This lets you "crowd source" compatibility testing from key users; gathering their findings to add to your central site list.
 
## Enterprise Mode and the Enterprise Mode Site List XML file
The Enterprise Mode Site List is an XML document that specifies a list of sites, their compat mode, and their intended browser. Using [Enterprise Mode Site List Manager (schema v.2)](https://go.microsoft.com/fwlink/p/?LinkId=716853), you can automatically start a webpage using a specific browser. In the case of IE11, the webpage can also be launched in a specific compat mode, so it always renders correctly. Your employees can easily view this site list by typing _about:compat_ in either Microsoft Edge or IE11.
 
Starting with Windows 10, version 1511 (also known as the Anniversary Update), you can also [restrict IE11 to only the legacy web apps that need it](https://blogs.windows.com/msedgedev/2016/05/19/edge14-ie11-better-together/), automatically sending sites not included in the Enterprise Mode Site List to Microsoft Edge.
### Site list xml file
This is a view of the [raw EMIE v2 schema.xml file](https://gist.github.com/kypflug/9e9961de771d2fcbd86b#file-emie-v2-schema-xml). There are equivalent Enterprise Mode Site List policies for both [Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility) and [Internet Explorer 11](turn-on-enterprise-mode-and-use-a-site-list.md). The Microsoft Edge list is used to determine which sites should open in IE11; while the IE11 list is used to determine the compat mode for a site, and which sites should open in Microsoft Edge. We recommend using one list for both browsers, where each policy points to the same XML file location.
```xml
<site-list version="205">
<!--- File creation header --->
<created-by>
<tool>EnterpriseSiteListManager</tool>
<version>10586</version>
<date-created>20150728.135021</date-created>
</created-by>
<!--- Begin Site List --->
<site url="www.cpandl.com">
<compat-mode>IE8Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="www.woodgrovebank.com">
<compat-mode>default</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="adatum.com">
<compat-mode>IE7Enterprise</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="relecloud.com"/>
<!-- default for self-closing XML tag is
<compat-mode>default</compat-mode>
<open-in>none</open-in>
-->
<site url="relecloud.com/products">
<compat-mode>IE8Enterprise"</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="contoso.com/travel">
<compat-mode>IE7</compat-mode>
<open-in>IE11</open-in>
</site>
<site url="fabrikam.com">
<compat-mode>IE7</compat-mode>
<open-in>IE11</open-in>
</site>
</site-list>
```
## Enterprise Mode Site List Manager and the Enterprise Mode Site List Portal tools
You can build and manage your Enterprise Mode Site List is by using any generic text editor. However, weve also provided a couple tools that can make that process even easier.
### Enterprise Mode Site List Manager
This tool helps you create error-free XML documents with simple n+1 versioning and URL verification. We recommend using this tool if your site list is relatively small. For more info about this tool, see the Use the [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
There are 2 versions of this tool, both supported on Windows 7, Windows 8.1, and Windows 10:
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501). This is an older version of the schema that you must use if you want to create and update your Enterprise Mode Site List for devices running the v.1 version of the schema.
We strongly recommend moving to the new schema, v.2. For more info, see [Enterprise Mode schema v.2 guidance](enterprise-mode-schema-version-2-guidance.md).
- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974). The updated version of the schema, including new functionality. You can use this version of the schema to create and update your Enterprise Mode Site List for devices running the v.2 version of the schema.
If you open a v.1 version of your Enterprise Mode Site List using this version, it will update the schema to v.2, automatically. For more info, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md).
If your list is too large to add individual sites, or if you have more than one person managing the site list, we recommend using the Enterprise Site List Portal.
### Enterprise Mode Site List Portal
The [Enterprise Mode Site List Portal](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) is an open-source web tool on GitHub that allows you to manage your Enterprise Mode Site List, hosted by the app, with multiple users. The portal is designed to use IIS and a SQL Server backend, leveraging Active Directory (AD) for employee management.
In addition to all the functionality of the Enterprise Mode Site List Manager tool, the Enterprise Mode Site List Portal helps you:
- Manage site lists from any device supporting Windows 7 or greater.
- Submit change requests.
- Operate offline through an on-premise solution.
- Provide role-based governance.
- Test configuration settings before releasing to a live environment.
Updates to your site list are made by submitting new change requests, which are then approved by a designated group of people, put into a pre-production environment for testing, and then deployed immediately, or scheduled for deployment later.
Because the tool is open-source, the source code is readily available for examination and experimentation. We encourage you to [fork the code, submit pull requests, and send us your feedback](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)! For more info about the Enterprise Mode Site List Portal, see the [Use the Enterprise Mode Site List Portal](use-the-enterprise-mode-portal.md) topics.
## Related topics
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Technical guidance, tools, and resources on Enterprise browsing](https://technet.microsoft.com/ie)
- [Enterprise Mode Site List Manager (schema v.1)](https://www.microsoft.com/download/details.aspx?id=42501)
- [Enterprise Mode Site List Manager (schema v.2)](https://www.microsoft.com/download/details.aspx?id=49974)
- [Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md)
- [Collect data using Enterprise Site Discovery](collect-data-using-enterprise-site-discovery.md)
- [Web Application Compatibility Lab Kit](https://technet.microsoft.com/microsoft-edge/mt612809.aspx)
- [Microsoft Services Support](https://www.microsoft.com/en-us/microsoftservices/support.aspx)
- [Find a Microsoft partner on Pinpoint](https://partnercenter.microsoft.com/pcv/search)


@ -0,0 +1,42 @@
---
localizationpriority: low
ms.mktglfcycl: deploy
ms.pagetype: appcompat
description: Use the topics in this section to learn how to perform all of the workflow-related processes in the Enterprise Mode Site List Portal.
author: eross-msft
ms.prod: ie11
title: Workflow-based processes for employees using the Enterprise Mode Site List Portal (Internet Explorer 11 for IT Pros)
ms.sitesec: library
---
# Workflow-based processes for employees using the Enterprise Mode Site List Portal
**Applies to:**
- Windows 10
- Windows 8.1
- Windows 7
- Windows Server 2012 R2
- Windows Server 2008 R2 with Service Pack 1 (SP1)
Use the topics in this section to learn how to perform the available Enterprise Mode Site List Portal processes, based on workflow.
## In this section
|Topic |Description |
|---------------------------------------------------------------|-----------------------------------------------------------------------------------|
|[Create a change request using the Enterprise Mode Site List Portal](create-change-request-enterprise-mode-portal.md)|Details about how the Requester creates a change request in the Enterprise Mode Site List Portal.|
|[Verify your changes using the Enterprise Mode Site List Portal](verify-changes-preprod-enterprise-mode-portal.md)|Details about how the Requester tests a change request in the pre-production environment of the Enterprise Mode Site List Portal.|
|[Approve a change request using the Enterprise Mode Site List Portal](approve-change-request-enterprise-mode-portal.md)|Details about how the Approver(s) approve a change request in the Enterprise Mode Site List Portal.|
|[Schedule approved change requests for production using the Enterprise Mode Site List Portal](schedule-production-change-enterprise-mode-portal.md)|Details about how the Requester schedules the approved change request update in the Enterprise Mode Site List Portal.|
|[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](verify-changes-production-enterprise-mode-portal.md)|Details about how the Requester tests an update in the production environment of the Enterprise Mode Site List Portal.|
|[View the apps currently on the Enterprise Mode Site List](view-apps-enterprise-mode-site-list.md)|Details about how anyone with access to the portal can review the apps already on the active Enterprise Mode Site List.|
|[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](view-enterprise-mode-reports-for-portal.md) |Details about how the Administrator can view the view the Microsoft-provided Enterprise Mode reports from the Enterprise Mode Site List Portal. |
## Related topics
- [Set up the Enterprise Mode Site List Portal](set-up-enterprise-mode-portal.md)
- [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal)
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)


@ -174,20 +174,22 @@ To learn more about the CSV files that are required and the info you need to inc
**<a name="assignclassroom"></a>Assign Classroom license**
The Classroom application is retired, but you will need to assign the Classroom Preview license to yourself and other global admins so that you can access the services. The single license will allow global admins to access both Classroom Preview and School Data Sync.
The Classroom application is retired, but you will need to assign the Classroom Preview license to global admin accounts that will be used to administer SDS. The single license allows global admins to access both Classroom Preview and School Data Sync.
1. In the <a href="https://portal.office.com/adminportal" target="_blank">Office 365 admin center</a>, select **Users > Active users**.
2. Select the checkbox for your global admin account.
3. In the account details window, under **Product licenses**, click **Edit**.
4. In the **Product licenses** page, turn on **Microsoft Classroom** and then click **Save**.
5. Confirm that you can access SDS. To do this, log in to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
5. Confirm that you can access SDS. To do this:
- Navigate to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a> and click **Sign in**. When prompted, enter your global admin username and password to access the SDS portal. Or,
- From the Office 365 admin portal, go to **Admin centers** and click on **School Data Sync** to go to the SDS portal.
> [!NOTE]
> Only global admins can access SDS.
**<a name="usesdstoimportdata"></a>Use SDS to import student data**
1. If you haven't done so already, To do this, go to <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
1. If you haven't done so already, go to the SDS portal, <a href="http://sds.microsoft.com" target="_blank">https://sds.microsoft.com</a>.
2. Click **Sign in**. You will see the **Settings** option for **Manage School Data Sync**.
**Figure 6** - Settings for managing SDS
@ -211,7 +213,7 @@ The Classroom application is retired, but you will need to assign the Classroom
![New SDS profile setup wizard](images/sds_updated_addnewprofile.png)
6. For the new profile, in the **Before you begin...** screen:
1. Enter a name for your profile, such as *ContosoElementarySchool*.
1. Enter a name for your profile, such as *Contoso_Profile_1*.
2. Select a sync method for your profile. For this walkthrough, select **CSV Files**.
Note that for any sync method that you choose, you can click the **View steps** link to get more information about the steps you need to take depending on the sync method of your choosing.
@ -219,11 +221,8 @@ The Classroom application is retired, but you will need to assign the Classroom
3. Click **Start**.
7. In the **Sync options** screen:
1. Select the domain for the schools/sections. If you have more than one domain, make sure you select the domain that corresponds to the profile you're creating.
2. In the **Select school and section properties** section, select the properties you want to sync. If you select additional properties, make sure you have these properties and values added in the CSV files. For the walkthrough, we're not changing the default values. These are:
- **School properties:** SIS ID, Name
- **Section properties:** SIS ID, School SIS ID, Section Name
3. In the **Select new or existing users** section, select either **New users** or **Existing users** based on the scenaro that applies to you.
1. In the **Select new or existing users** section, you can select either **New users** or **Existing users** based on the scenaro that applies to you. For this walkthrough, select **New users**.
<!--
- Choose **New users** if this is a brand new tenant and this is the first time that you're adding users.
Choose the **New users** option if you are using an unaltered version of the sample CSV files from [Download sample school data](#downloadcsvsamples) or if you created your own CSV files with new users.
@ -231,36 +230,45 @@ The Classroom application is retired, but you will need to assign the Classroom
- Choose **Existing users** if you already have a live production tenant, with teachers and students that already have active accounts in Office 365 (cloud only or synced from on-premise Active Directory).
Using the **Existing users** option, SDS will not attempt to create new users. Instead, it uses the identity matching options in the next section of the setup wizard to match the students and teachers in your CSV files to the user accounts that already exist in Azure. All additiional details for the students and teachers contained within the CSV files will be written as extension attributes on top of the already existing user objects. You can find more information about these settings on the main SDS deployment page for CSV-based deployments in <a href="http://aka.ms/sdscsv" target="_blank">How to deploy School Data Sync by using CSV files</a>.
4. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names.
5. In the **License Options** section, check the box to select the option.
6. Click **Next**.
-->
2. In the **Import data** section:
1. Click **Upload Files** to bring up the **Select data files to be uploaded** window.
2. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
3. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
4. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
4. After all the files are successfully uploaded, click **OK**.
3. Select the domain for the schools/sections. This domain will be used for the Section email addresses created during setup. If you have more than one domain, make sure you select the appropriate domain for the sync profile and subsequent sections being created.
4. In the **Select school and section properties** section, ensure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties, or deselect any properties, make sure you have the properties and values contained within the CSV files. For the walkthrough, you don't have to change the default.
5. In the **Sync option for Section Group Display Name**, check the box if you want to allow teachers to overwrite the section names. Otherwise, SDS will always reset the display name value for sections to the value contained within the CSV files.
6. In the **License Options** section, check the box to allow users being created to receive an Office 365 license.
7. Check the **Intune for Education** checkbox to allow users to receive the Intune for Education license and to create the SDS dynamic groups and security groups, which be used within Intune for Education.
8. Click **Next**.
**Figure 9** - Sync options for the new profile
![Specify sync options for the new SDS profile](images/sds_addnewprofile_syncoptions.png)
![Specify sync options for the new SDS profile](images/sds_profile_syncoptions.png)
8. In the **Teacher options** screen:
1. Select the domain for the teachers. SDS uses this to match teachers from your source data to their existing accounts in Office 365/Azure Active Directory. In the walkthrough, the CSV files are our source data.
2. In the **Select teacher properties** section, you can add optional teacher properties to sync. For this walkthrough, you don't have to change the default.
1. Select the domain for the teachers. SDS appends the selected domain suffix to the teacher's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The teacher will log in to Office 365 with the UserPrincipalName once the account is created.
2. In the **Select teacher properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
3. In the **Teacher licenses** section, choose the SKU to assign licenses for teachers. For this walkthrough, choose **STANDARDWOFFPACK_FACULTY**.
4. Click **Next**.
**Figure 10** - Specify options for teacher mapping
![Specify options for teacher mapping](images/sds_addnewprofile_teacheroptions.png)
![Specify options for teacher mapping](images/sds_profile_teacheroptions.png)
9. In the **Student options** screen:
1. Select the domain for the students. SDS uses this to match students from your source data to their existing accounts in Office 365/Azure Active Directory. In the walkthrough, the CSV files are our source data.
2. In the **Select student properties** section, you can add optional student properties to sync. For this walkthrough, you don't have to change the default.
1. Select the domain for the students. SDS appends the selected domain suffix to the student's username attribute contained in the CSV file, to build the UserPrincipalName for each user in Office 365/Azure Active Directory during the account creation process. The student will log in to Office 365 with the UserPrincipalName once the account is created.
2. In the **Select student properties** section, make sure the attributes that have been automatically selected for you align to your CSV files. If you select additional properties or deselect any properties, make sure you have the corresponding properties and values contained within the CSV files. For this walkthrough, you don't have to change the default.
3. In the **Student licenses** section, choose the SKU to assign licenses for students. For this walkthrough, choose **STANDARDWOFFPACK_STUDENT**.
4. Click **Next**.
**Figure 11** - Specify options for student mapping
![Specify options for student mapping](images/sds_addnewprofile_studentoptions.png)
![Specify options for student mapping](images/sds_profile_studentoptions.png)
10. In the profile **Review** page, review the summary and confirm that the values matches with the data you entered. Click **Create profile**.
10. In the profile **Review** page, review the summary and confirm that the options selected are correct. Click **Create profile**.
You will see a notification that your profile is being created.
@ -268,29 +276,22 @@ The Classroom application is retired, but you will need to assign the Classroom
**Figure 12** - SDS profile page
![SDS profile page](images/sds_profilepage.png)
![SDS profile page](images/sds_profile_profilepage.png)
12. After the profile name at the top, confirm that the status for your profile now says **Ready to sync**.
12. After the profile is created and finished **Setting up**, confirm that the status for your profile now says **Sync enabled**.
If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Ready to sync**.
If the status still indicates that the profile is being set up, try refreshing the page until you see the status change to **Sync enabled**.
**Figure 13** - New profile is ready to sync
**Figure 13** - New profile is sync enabled
![Confirm that the new profile is ready](images/sds_profile_readytosync.png)
![Confirm that the new profile is sync enabled](images/sds_profile_syncenabled.png)
11. On the profile page, below the profile name and profile status, there are four options: **Upload Files**, **Start Sync**, **Edit**, and **Delete**. Click **Upload Files** and then follow these steps:
1. In the **Select data files to be uploaded** window, click **+ Add Files** and navigate to the directory where you saved the six CSV files required for data import.
2. In the File Explorer window, you will see a folder for the sample CSV files for the UK and six sample CSV files for the US. Select the CSV files that match your region/locale, and then click **Open**.
3. In the **Select data files to be uploaded** window, confirm that all six CSV files (School.csv, Section.csv, Student.csv, StudentEnrollment.csv, Teacher.csv, and TeacherRoster.csv) are listed and then click **Upload**.
4. After all the files are successfully uploaded, click **OK**.
12. On the profile page, click **Start Sync** and then follow these steps:
1. In the **Would you like to start sync for *Profile_Name?*** window, click **Start Sync**. *Profile_Name* should match the name you entered for your profile in the **Before you begin...** screen.
2. Confirm that sync successfully started for the file and then click **OK**.
> [!TIP]
> If you get errors during the pre-sync validation process, your profile status will change to **x Error**. To continue, review or resolve any pre-sync validation errors, and then click **Resume Sync** to start the synchronization cycle.
> [!NOTE]
> Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time.
>
> You can refresh the page to confirm that your profile synced successfully.
Sync times, like file download times, can vary widely depending on when you start the sync, how much data you are syncing, the complexity of your data (such as the number of users, schools, and class enrollments), overall system/network load, and other factors. Two people who start a sync at the same time may not have their syncs complete at the same time.
You can refresh the page to confirm that your profile synced successfully.
That's it for importing sample school data using SDS.
@ -401,15 +402,15 @@ Intune for Education provides an **Express configuration** option so you can get
**Figure 22** - Expand the settings group to get more details
![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped.png)
![Expand the settings group to get more info](images/i4e_expressconfiguration_choosesettings_expandcollapse_cropped_052217.png)
9. For this walkthrough, set the following settings:
- In the **Internet browser settings** group, change the **Send Do Not Track requests to help protect users' privacy** setting to **Block**.
- In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Private Microsoft Store for Business apps** to **Allow**.
- In the **Microsoft Edge settings** group, change the **Do-Not-Track headers** setting to **Require**.
- In the **App settings** group, change the **Microsoft Store for Business apps** setting to **Block**, and then set the **Require Microsoft Store for Business apps to be installed from private store** to **Require**.
**Figure 23** - Set some additional settings
![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettingsconfigured_cropped.png)
![Set some additional settings](images/i4e_expressconfiguration_choosesettings_additionalsettings_cropped.png)
10. Click **Next**. In the **Review** screen, you will see a summary of the apps and settings you selected to apply.
@ -517,6 +518,30 @@ We recommend using the latest build of Windows 10, version 1703 on your educatio
**<a name="usesetupschoolpcs"></a>Option 1: Set up a device using the Set up School PCs app**
IT administrators and technical teachers can use the Set up School PCs app to quickly set up PCs for students. A student PC set up using the app is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
![Set up School PCs app](images/suspc_getstarted_050817.png)
Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recommended education settings, using a quick USB setup. This app guides you through the creation of a student PC provisioning package and helps you save it to a USB drive. From there, just plug the USB drive into student PCs running Windows 10 Creators Update (version 1703). It automatically:
- Joins each student PC to your organization's Office 365 and Azure Active Directory tenant
- Enrolls each student PC into a mobile device management (MDM) provider, like Intune for Education, if licensed in your tenant. You can manage all the settings Set up School PCs sets later through MDM.
- Removes OEM preinstalled software from each student PC
- Auto-configures and saves a wireless network profile on each student PC
- Gives a friendly and unique name to each student device for future management
- Sets Microsoft-recommended school PC settings, including shared PC mode which provides faster sign-in and automatic account cleanup
- Enables optional guest account for younger students, lost passwords, or visitors
- Enables optional secure testing account
- Locks down the student PC to prevent mischievous activity:
* Prevents students from removing the PC from the school's device management system
* Prevents students from removing the Set up School PCs settings
- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours
- Customizes the Start layout with Office
- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more
- Uninstalls apps not specific to education, such as Solitaire
- Prevents students from adding personal Microsoft accounts to the PC
**To set up a device using the Set up School PCs app**
1. Follow the steps in <a href="https://docs.microsoft.com/en-us/education/windows/use-set-up-school-pcs-app" target="_blank">Use the Set up School PCs app</a> to quickly set up one or more student PCs.
2. Follow the steps in [5.2 Verify correct device setup](#52-verify-correct-device-setup).
@ -606,8 +631,8 @@ When a device is owned by the school, you may need to have a single persion addi
Follow the steps in this section to enable a single person to add many devices to your cloud infrastructure.
1. Sign in to the <a href="https://portal.office.com" target="_blank">Office 365 admin center</a>.
2. Click **Admin centers** and select **Azure AD** to go to the Azure portal.
3. Configure the device settings for the school's Active Directory. From the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>, select **Azure Active Directory > Users and groups > Device settings**.
2. Configure the device settings for the school's Active Directory. To do this, go to the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>.
3. Select **Azure Active Directory > Users and groups > Device settings**.
**Figure 40** - Device settings in the new Azure portal
@ -622,8 +647,8 @@ When students move from using one device to another, they may need to have their
Follow the steps in this section to ensure that settings for the each user follow them when they move from one device to another.
1. Sign in to the <a href="https://portal.office.com" target="_blank">Office 365 admin center</a>.
2. Click **Admin centers** and select **Azure AD** to go to the Azure portal.
3. Configure the device settings for the school's Active Directory. From the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>, select **Azure Active Directory > Users and groups > Device settings**.
3. Go to the new Azure portal, <a href="https://portal.azure.com" target="_blank">https://portal.azure.com</a>.
3. Select **Azure Active Directory > Users and groups > Device settings**.
4. Find the setting **Users may sync settings and enterprise app data** and change the value to **All**.
**Figure 41** - Enable settings to roam with users
@ -17,6 +17,6 @@
### [For IT administrators: get Minecraft Education Edition](school-get-minecraft.md)
## [Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
## [Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
## [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md)
## [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)
## [Chromebook migration guide](chromebook-migration-guide.md)
## [Change history for Windows 10 for Education](change-history-edu.md)
@ -12,6 +12,12 @@ author: CelesteDG
This topic lists new and updated topics in the [Windows 10 for Education](index.md) documentation.
## May 2017
| New or changed topic | Description |
| --- | ---- |
| [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md) | New. If you have an education tenant and use devices Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education. |
## RELEASE: Windows 10, version 1703 (Creators Update)
| New or changed topic | Description|
@ -35,7 +41,7 @@ This topic lists new and updated topics in the [Windows 10 for Education](index.
| New or changed topic | Description |
| --- | --- |
| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business](windows-10-pro-to-pro-edu-upgrade.md) | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. |
| [Upgrade Windows 10 Pro to Pro Education from Windows Store for Business] | New. Learn how to opt-in to a free upgrade to Windows 10 Pro Education. As of May 2017, this topic has been replaced with [Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md). |
## November 2016
@ -37,16 +37,17 @@ author: CelesteDG
<div class="side-by-side-content-right"><p><b>[Take tests in Windows 10](take-tests-in-windows-10.md)</b><br />Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.</p>
<p><b>[Chromebook migration guide](chromebook-migration-guide.md)</b><br />Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.</p>
## ![Deploy Windows 10 for education](images/PCicon.png) Deploy
## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy
<p><b>[Set up Windows devices for education](set-up-windows-10.md)</b><br />Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.</p><p>
<p><b>[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)</b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p>
<p><b>[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)</b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
<p><b><a href="https://technet.microsoft.com/en-us/windows/mt574244" target="_blank">Try it out: Windows 10 deployment (for education)</a></b><br />Learn how to upgrade devices running the Windows 7 operating system to Windows 10 Anniversary Update, and how to manage devices, apps, and users in Windows 10 Anniversary Update.<br /><br />For the best experience, use this guide in tandem with the <a href="https://vlabs.holsystems.com/vlabs/technet?eng=VLabs&auth=none&src=vlabs&altadd=true&labid=20949&lod=true" target="_blank">TechNet Virtual Lab: IT Pro Try-It-Out</a>.</p>
## ![Upgrade to Windows 10 for education](images/windows.png) Upgrade
### ![Switch to Windows 10 for Education](images/windows.png) Switch
<p><b>[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](switch-to-pro-education.md)</b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
<p><b>[Switch Windows 10 Pro to Pro Education from Microsoft Store for Education](windows-10-pro-to-pro-edu-upgrade.md)</b><br />If you have an education tenant and use Windows 10 Pro in your schools now, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
## Windows 8.1
@ -0,0 +1,378 @@
---
title: Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S
description: Learn how IT Pros can opt into switching to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S.
keywords: switch, free switch, Windows 10 Pro to Windows 10 Pro Education, Windows 10 S to Windows 10 Pro Education, education customers, Windows 10 Pro Education, Windows 10 Pro, Windows 10 S
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: edu
localizationpriority: high
author: CelesteDG
---
# Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S
Windows 10 Pro Education is a new offering in Windows 10, version 1607. This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings.
If you have an education tenant and use devices with Windows 10 Pro or Windows 10 S, global administrators can opt-in to a free switch to Windows 10 Pro Education depending on your scenario.
- [Switch from Windows 10 S to Windows 10 Pro Education](#switch-from-windows-10-s-to-windows-10-pro-education)
- [Switch from Windows 10 Pro to Windows 10 Pro Education](#switch-from-windows-10-pro-to-windows-10-pro-education)
To take advantage of this offering, make sure you meet the [requirements for switching](#requirements-for-switching). For academic customers who are eligible to switch to Windows 10 Pro Education, but are unable to use the above methods, contact Microsoft Support for assistance.
## Requirements for switching
Before you switch to Windows 10 Pro Education, make sure you meet these requirements:
- Devices must be running Windows 10 Pro, version 1607 or higher; or running Windows 10 S, version 1703
- Devices must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices).
If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses).
- The Azure AD tenant must be recognized as an education approved tenant.
- You must have a Microsoft Store for Education account.
- The user making the changes must be a member of the Azure AD global administrator group.
## Compare Windows 10 Pro and Pro Education editions
You can [compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10.
For more info about Windows 10 default settings and recommendations for education customers, see [Windows 10 configuration recommendations for education customers](configure-windows-for-education.md).
## Switch from Windows 10 S to Windows 10 Pro Education
There are two ways to switch from Windows 10 S to Windows 10 Pro Education, outlined below. Regardless of how you switch to Windows 10 Pro Education, note that you can only switch devices back to Windows 10 S through reimaging.
1. **Bulk switch through Microsoft Store for Education**
In this scenario, the global admin for the Azure AD education tenant can use Microsoft Store to switch all Windows 10 S devices on the tenant to Windows 10 Pro Education. See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this.
2. **Asynchronous switch**
In this scenario, the global admin must acquire the necessary keys and then select a method for key distribution.
**Key acquisition options:**
- Volume Licensing customers - For schools with active Microsoft Volume Licensing agreements, global admins can obtain free MAK keys for Windows 10 Pro Education.
> [!NOTE]
> Windows 10 S is a Qualified OS (QOS) for Academic Volume Licensing only.
- Non-Volume Licensing customers - For schools without an active Microsoft Volume Licensing agreement, the global admin can contact CSS, fill out a form and provide a proof of purchase to receive MAK keys for Windows 10 Pro Education.
**Key distribution options:**
- Bulk key distribution - You can apply MAK keys to switch the operating system on select devices or groups of devices using one of these methods:
- Use Microsoft Intune for Education. See [Switch using Intune for Education](#switch-using-intune-for-education) for details on how to do this.
- Use Windows Configuration Designer to create a provisioning package that will provision the switch on the device(s). See [Switch using Windows Configuration Designer](#switch-using-windows-configuration-designer) for details on how to do this.
- Use the mobile device management (MDM) policy, **UpgradeEditionWithProductKey**. See [Switch using MDM](#switch-using-mdm) for details on how to do this.
- Use scripting. See [Switch using scripting](#switch-using-scripting) for details on how to do this.
- Manual key entry - You can also manually apply the MAK key using one of these methods:
- Enter the MAK key in the Windows **Settings > Activation** page. See [Switch using the Activation page](#switch-using-the-activation-page) for details on how to do this.
- Install with a media and key through Windows setup. We don't recommend this option due to the potential for multi-reboot requirements.
## Switch from Windows 10 Pro to Windows 10 Pro Education
For schools that want to standardize all their Windows 10 Pro devices to Windows 10 Pro Education, a global admin for the school can opt-in to a free switch through the Microsoft Store for Education.
In this scenario:
- The IT admin of the tenant chooses to turn on the switch for all Azure AD joined devices.
- Any device that joins the Azure AD will switch automatically to Windows 10 Pro Education.
- The IT admin has the option to automatically roll back to Windows 10 Pro, if desired. See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).
See [Switch using Microsoft Store for Education](#switch-using-microsoft-store-for-education) for details on how to do this.
## Switch options from Windows 10 S to Windows 10 Pro Education
If you want to switch only a few or a select group of Windows 10 S devices to Windows 10 Pro Education, you can use one of the following key distribution options once you've obtained the MAK keys for Windows 10 Pro Education. See [Switch from Windows 10 S to Windows 10 Pro Education](#switch-from-windows-10-s-to-windows-10-pro-education) for more info.
### Switch using Intune for Education
1. In Intune for Education, select **Groups** and then choose the group that you want to apply the MAK license key to.
For example, to apply the switch for all teachers, select **All Teachers** and then select **Settings**.
2. In the settings page, find **Edition upgrade** and then:
1. Select the edition in the **Edition to upgrade to** field
2. Enter the MAK license key in the **Product key** field
**Figure 1** - Enter the details for the Windows edition switch
![Enter the details for the Windows edition switch](images/i4e_editionupgrade.png)
3. The switch will automatically be applied to the group you selected.
### Switch using Windows Configuration Designer
You can use Windows Configuration Designer to create a provisioning package that you can use to switch the Windows edition for your device(s). [Install Windows Configuration Designer from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) to create a provisioning package.
1. In Windows Configuration Designer, select **Provision desktop devices** to open the simple editor and create a provisioning package for Windows desktop editions.
2. In the **Set up device** page, enter the MAK license key in the **Enter product key** field to switch to Windows 10 Pro Education.
**Figure 2** - Enter the license key
![Enter the license key to switch to Windows 10 Pro Education](images/wcd_productkey.png)
3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to switch to Windows 10 Pro Education.
For more information about using Windows Configuration Designer, see [Set up student PCs to join domain](https://technet.microsoft.com/en-us/edu/windows/set-up-students-pcs-to-join-domain).
### Switch using MDM
To switch Windows 10 S to Windows 10 Pro Education, enter the product key for the Windows 10 Pro Education edition in the **UpgradeEditionWithProductKey** policy setting of the [WindowsLicensing CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/windowslicensing-csp).
### Switch using scripting
You can switch from Windows 10 S to Windows 10 Pro Education by running the changepk.exe command-line tool. To do this, run the following command:
```
changepk.exe /ProductKey MAK_key_or_product_key
```
Replace *MAK_key_or_product_key* with the MAK key that you obtained for the Windows 10 edition switch.
### Switch using the Activation page
1. On the Windows device that you want to switch, open the **Settings** app.
2. Select **Update & security** > **Activation**, and then click **Change product key**.
3. In the **Enter a product key** window, enter the MAK key for Windows 10 Pro Education and click **Next**.
## Education customers with Azure AD joined devices
Academic institutions can easily move from Windows 10 S or Windows 10 Pro to Windows 10 Pro Education without using activation keys or reboots. When one of your users enters their Azure AD credentials associated with a Windows 10 Pro Education license, the operating system switches to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have an Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features.
When you switch to Windows 10 Pro Education, you get the following benefits:
- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703, can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB).
- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have.
- **Roll back options to Windows 10 Pro**
- When a user leaves the domain or you turn off the setting to automatically switch to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days).
- For devices that originally had Windows 10 Pro edition installed, when a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro.
See [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro) for more info.
For devices that originally had Windows 10 S installed, Windows 10 Pro Education cannot step back down to Windows 10 S. You will need to reimage these devices with Windows 10 S if you need to step down from Windows 10 Pro Education to Windows 10 S.
### Switch using Microsoft Store for Education
Once you enable the setting to switch to Windows 10 Pro Education, the switch will begin only after a user signs in to their device. The setting applies to the entire organization or tenant, so you cannot select which users will receive the switch. The switch will only apply to Windows 10 S and Windows 10 Pro devices.
**To turn on the automatic switch to Windows 10 Pro Education**
1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/) with your work or school account.
If this is the first time you're signing into the Microsoft Store for Education, you'll be prompted to accept the Microsoft Store for Education Terms of Use.
2. Click **Manage** from the top menu and then select the **Benefits tile**.
3. In the **Benefits** tile, look for the **Switch to Windows 10 Pro Education for free** link and then click it.
You will see the following page informing you that your school is eligible to switch free to Windows 10 Pro Education from Windows 10 S or Windows 10 Pro.
**Figure 3** - Switch Windows 10 Pro to Windows 10 Pro Education
![Eligible for free Windows 10 Pro to Windows 10 Pro Education switch](images/msfe_manage_benefits_switchtoproedu.png)
4. In the **Switch all your devices to Windows 10 Pro Education for free** page, check box next to **I understand enabling this setting will switch all domain-joined devices running Windows 10 Pro or Windows 10 S in my organization**.
**Figure 4** - Check the box to confirm
![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png)
5. Click **Switch all my devices**.
A confirmation window pops up to let you know that an email has been sent to you to enable the switch.
6. Close the confirmation window and check the email to proceed to the next step.
7. In the email, click the link to **Switch to Windows 10 Pro Education**. Once you click the link, this will take you back to the Microsoft Store for Education portal.
**Figure 5** - Click the link in the email to switch to Windows 10 Pro Education
![Click the email link to switch to Windows 10 Pro Education](images/msfe_clickemaillink_switchtoproedu.png)
8. Click **Switch now** in the **Switching your device to Windows 10 Pro Education for free** page in the Microsoft Store.
You will see a window that confirms you've successfully switched all the devices in your organization to Windows 10 Pro Education, and each Azure AD joined device running Windows 10 Pro or Windows 10 S will automatically switch the next time someone in your organization signs in to the device.
9. Click **Close** in the **Success** window.
Enabling the automatic switch also triggers an email message notifying all global administrators in your organization about the switch. It also contains a link that enables any global administrators to cancel the switch if they choose. For more info about rolling back or canceling the switch, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).\
**Figure 6** - Email notifying all global admins about the switch
![Email notifying all global admins about the switch](images/msfe_switchtoproedu_globaladminsemail_cancelswitch.png)
## Explore the switch experience
So what will users experience? How will they switch their devices?
### For existing Azure AD joined devices
Existing Azure AD domain joined devices will be switched to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed.
### For new devices that are not Azure AD joined
Now that you've turned on the setting to automatically switch to Windows 10 Pro Education, the users are ready to switch their devices running Windows 10 Pro, version 1607 or higher or Windows 10 S, version 1703 to Windows 10 Pro Education edition.
#### Step 1: Join users devices to Azure AD
Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703.
**To join a device to Azure AD the first time the device is started**
There are different methods you can use to join a device to Azure AD:
- For multiple devices, we recommend using the [Set up School PCs app](use-set-up-school-pcs-app.md) to create a provisioning package to quickly provision and set up Windows 10 devices for education.
- For individual devices, you can use the Set up School PCs app or go through the Windows 10 device setup experience. If you choose this option, see the following steps.
**To join a device to Azure AD using Windows device setup**
If the Windows device is running Windows 10, version 1703, follow these steps.
1. During initial device setup, on the **How would you like to set up?** page, select **Set up for an organization**, and then click **Next**.
**Figure 7** - Select how you'd like to set up the device
![Select how you'd like to set up the device](images/1_howtosetup.png)
2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**.
**Figure 8** - Enter the account details
![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png)
3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription.
**To join a device to Azure AD when the device already has Windows 10 Pro, version 1703 or Windows 10 S, version 1703 installed and set up**
If the Windows device is running Windows 10, version 1703, follow these steps.
1. Go to **Settings > Accounts > Access work or school**.
**Figure 9** - Go to **Access work or school** in Settings
![Go to Access work or school in Settings](images/settings_workorschool_1.png)
2. In **Access work or school**, click **Connect**.
3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom.
**Figure 10** - Select the option to join the device to Azure Active Directory
![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png)
4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD.
5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD.
**Figure 11** - Verify the device connected to Azure AD
![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png)
#### Step 2: Sign in using Azure AD account
Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device.
#### Step 3: Verify that Pro Education edition is enabled
You can verify the Windows 10 Pro Education in **Settings &gt; Update & Security &gt; Activation**.
**Figure 12** - Windows 10 Pro Education in Settings
<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" />
If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
### Troubleshoot the user experience
In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows:
- The existing operating system (Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703) is not activated.
- The Windows 10 Pro Education switch has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
**Figure 13** - Illustrates a device in a healthy state, where the existing operating system is activated, and the Windows 10 Pro Education switch is active.
<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" /></br></br>
**Figure 14** - Illustrates a device on which the existing operating system is not activated, but the Windows 10 Pro Education switch is active.
<img src="images/win-10-pro-edu-not-activated-subscription-active.png" alt="Windows 10 not activated and subscription active" /></br></br>
### Review requirements on devices
Devices must be running Windows 10 Pro, version 1607 or higher, or Windows 10 S, version 1703 and be Azure AD joined, or domain joined with Azure AD Connect. Customers who are federated with Azure AD are also eligible. You can use the following procedures to review whether a particular device meets requirements.
**To determine if a device is Azure AD joined**
1. Open a command prompt and type the following:
```
dsregcmd /status
```
2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
**To determine the version of Windows 10**
- At a command prompt, type:
```
winver
```
A popup window will display the Windows 10 version number and detailed OS build information.
> [!NOTE]
> If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
### Roll back Windows 10 Pro Education to Windows 10 Pro
If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by:
- Logging into Microsoft Store for Education page and turning off the automatic switch.
- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators.
Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that a switch was enabled and then turned off will never see their device change from Windows 10 Pro.
> [!NOTE]
> Devices that were switched from Windows 10 S to Windows 10 Pro Education cannot roll back to Windows 10 S.
**To roll back Windows 10 Pro Education to Windows 10 Pro**
1. Log in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
2. Select **Manage > Benefits** and locate the section **Windows 10 Pro Education** and follow the link.
3. In the **Revert to Windows 10 Pro** page, click **Revert to Windows 10 Pro**.
**Figure 15** - Revert to Windows 10 Pro
![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png)
4. You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**.
5. Click **Close** in the **Success** page.
All global admins get a confirmation email that a request was made to roll back your organization to Windows 10 Pro. If you, or another global admin, decide later that you want to turn on automatic switches again, you can do this by selecting **Switch to Windows 10 Pro Education for free** from the **Manage > Benefits** in the Microsoft Store for Education.
## Preparing for deployment of Windows 10 Pro Education licenses
If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD.
You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
Figure 11 illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
**Figure 16** - On-premises AD DS integrated with Azure AD
![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png)
For more information about integrating on-premises AD DS domains with Azure AD, see these resources:
- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/)
- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
## Related topics
[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)


@ -34,13 +34,10 @@ Set up School PCs makes it easy to set up Windows 10 PCs with Microsoft's recomm
* Prevents students from removing the PC from the school's device management system
* Prevents students from removing the Set up School PCs settings
- Keeps student PCs up-to-date without interfering with class time using Windows Update and maintenance hours
A student PC that's set up using the Set up School PCs provisioning package is tailored to provide students with the tools they need for learning while removing apps and features that they don't need.
* Customizes the Start layout with Office
* Installs OneDrive for cloud-based documents and places it on the Start menu and taskbar
* Uninstalls apps not specific to education, such as Solitaire
* [Gets the student PC ready for use in an education environment](configure-windows-for-education.md)
* Prevents students from adding personal Microsoft accounts to the PC
- Customizes the Start layout with Office
- Installs OneDrive for storing cloud-based documents and Sway for creating interactive reports, presentations, and more
- Uninstalls apps not specific to education, such as Solitaire
- Prevents students from adding personal Microsoft accounts to the PC
## Tips for success
@ -132,13 +129,21 @@ The **Set up School PCs** app guides you through the configuration choices for t
**Figure 2** - Verify that the account you selected shows up
![Verify that the account you selected shows up](images/suspc_choosesettings_signin_final.png)
![Verify that the account you selected shows up](images/suspc_createpackage_signin.png)
5. Click **Next**.
4. To allow the student PCs to automatically connect to your school's wireless network, in the **Select the school's wireless network** page:
1. Select the school's Wi-Fi network from the list of available wireless networks or manually add a wireless network.
2. Click **Next**.
2. Click **Next** if you added or selected a wireless network, or **Skip** to skip configuring a wireless network.
If you click **Skip**, you will see the following dialog.
* If you select **Got it**, you will go to the next page without Wi-Fi set up.
* If you select **Add Wi-Fi**, you will go back to the Wi-Fi page to add a wireless network.
**Figure 3** - Only skip Wi-Fi if you have a wired Ethernet connection
![Only skip Wi-Fi if you have a wired Ethernet connection](images/suspc_createpackage_skipwifi_modaldialog.png)
5. To assign a name to the student PCs, in the **Assign a name to these student PCs** page:
1. Add a short name that Set up School PCs will use as a prefix to identify and easily manage the group of devices, apps, and other settings through your device management client.
@ -168,9 +173,9 @@ The **Set up School PCs** app guides you through the configuration choices for t
- To change the default lock screen background or to use your school's custom lock screen background, click **Browse** to select a new lock screen background.
**Figure 3** - Configure student PC settings
**Figure 4** - Configure student PC settings
![Configure student PC settings](images/suspc_createpackage_settingspage.png)
![Configure student PC settings](images/suspc_createpackage_configurestudentpcsettings.png)
When you're doing configuring the student PC settings, click **Next**.
@ -180,50 +185,49 @@ The **Set up School PCs** app guides you through the configuration choices for t
If you set up Take a Test, this adds a **Take a Test** button on the student PC's sign-in screen. Windows will also lock down the student PC so that students can't access anything else while taking the test.
**Figure 4** - Configure the Take a Test app
**Figure 5** - Configure the Take a Test app
![Configure the Take a Test app](images/suspc_createpackage_takeatestpage.png)
![Configure the Take a Test app](images/suspc_createpackage_takeatest.png)
3. Click **Next** or **Skip** depending on whether you want to set up Take a Test.
<!-- comment out
7. If you want to add Microsoft Store for Education apps to the student PCs, you can select from the list of recommended apps in the **Add STEM and Makerspace apps to Student PCs** page.
1. Select the apps that you want to add. You'll see a checkmark on apps that you select.
2. Click **Next**.
8. In the **Add recommended apps** page, you can choose from a set of recommended Microsoft Store apps to provision. The recommended apps include Minecraft: Education Edition and several STEM and Makerspace apps.
1. Select the apps that you would like to provision and then click **Next** when you're done.
2. Click **Skip** if you don't want to provision any apps.
**Figure 4** - Select Microsoft Store apps to add to student PCs
**Figure 6** - Select from a set of recommended Microsoft Store apps
![Select Microsoft Store apps to add to student PCs](images/suspc_choosesettings_apps.png)
![Select from a set of recommended Microsoft Store apps](images/suspc_createpackage_recommendedapps.png)
-->
The set of recommended Microsoft Store for Education apps may vary from what we show here.
8. In the **Review package summary** page, make sure that all the settings you configured appear correctly.
9. In the **Review package summary** page, make sure that all the settings you configured appear correctly.
1. If you need to change any of the settings, you can on the sections to go back to that page and make your changes.
**Figure 5** - Review your settings and change them as needed
**Figure 7** - Review your settings and change them as needed
![Review your settings and change them as needed](images/suspc_createpackage_summary.png)
2. Click **Accept**.
9. In the **Insert a USB drive now** page:
10. In the **Insert a USB drive now** page:
1. Insert a USB drive to save your settings and create a provisioning package on the USB drive.
2. Set up School PCs will automatically detect the USB drive after it's inserted. Choose the USB drive from the list.
3. Click **Save** to save the provisioning package to the USB drive.
**Figure 6** - Select the USB drive and save the provisioning package
**Figure 8** - Select the USB drive and save the provisioning package
![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb_050817.png)
![Select the USB drive and save the provisioning package](images/suspc_savepackage_insertusb.png)
10. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
11. When the provisioning package is ready, you will see the name of the file and you can remove the USB drive. Click **Next** if you're done, or click **Add a USB** to save the same provisioning package to another USB drive.
**Figure 7** - Provisioning package is ready
**Figure 9** - Provisioning package is ready
![Provisioning package is ready](images/suspc_ppkgisready_050817.png)
![Provisioning package is ready](images/suspc_savepackage_ppkgisready.png)
12. Follow the instructions in the **Get the student PCs ready** page to start setting up the student PCs.
**Figure 8** - Line up the student PCs and get them ready for setup
**Figure 10** - Line up the student PCs and get them ready for setup
![Line up the student PCs and get them ready for setup](images/suspc_runpackage_getpcsready.png)
@ -232,7 +236,7 @@ The **Set up School PCs** app guides you through the configuration choices for t
Select **Create new package** if you need to create a new provisioning package. Otherwise, you can remove the USB drive if you're completely done creating the package.
**Figure 9** - Install the provisioning package on the student PCs
**Figure 11** - Install the provisioning package on the student PCs
![Install the provisioning package on the student PCs](images/suspc_runpackage_installpackage.png)
@ -250,19 +254,19 @@ The provisioning package on your USB drive is named `Set up School PCs.ppkg`. A
If the PC has gone past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
**Figure 10** - The first screen during first-run setup in Windows 10 Creators Update (version 1703)
**Figure 12** - The first screen during first-run setup in Windows 10 Creators Update (version 1703)
![The first screen to set up a new PC in Windows 10 Creators Update](images/win10_1703_oobe_firstscreen.png)
2. Insert the USB drive. Windows will recognize the drive and automatically install the provisioning package.
**Figure 11** - Windows automatically detects the provisioning package and installs it
**Figure 13** - Windows automatically detects the provisioning package and installs it
![Windows automatically detects the provisioning package and installs it](images/suspc_studentpcsetup_installingsetupfile.png)
3. You can remove the USB drive when you see the message that you can remove the removable media. You can then use the USB drive to start provisioning another student PC.
**Figure 12** - Remove the USB drive when you see the message that the media can be removed
**Figure 14** - Remove the USB drive when you see the message that the media can be removed
![You can remove the USB drive when you see the message that the media can be removed](images/suspc_setup_removemediamessage.png)


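--- a/<deleted-file-path-not-shown-on-page>
+++ /dev/null
@@ -1,263 +0,0 @@
----
-title: Switch Windows 10 Pro to Pro Education
-description: Describes how IT Pros can opt into switching from Windows 10 Pro to Windows 10 Pro Education from the Microsoft Store for Education.
-keywords: switch, Pro to Pro Education, education customers
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: edu
-localizationpriority: high
-author: CelesteDG
----
-# Switch Windows 10 Pro to Pro Education from Microsoft Store for Education
-Windows 10 Pro Education is a new offering in Windows 10 Anniversary Update (Windows 10, version 1607). This edition builds on the commercial version of Windows 10 Pro and provides important management controls needed in schools by providing education-specific default settings.
-If you have an education tenant and use Windows 10 Pro in your schools now, global administrators can opt-in to a free switch to Windows 10 Pro Education through the Microsoft Store for Education. To take advantage of this offering, make sure you meet the [requirements for switching](#requirements-for-switching).
-Starting with Windows 10, version 1607, academic institutions can easily move from Windows 10 Pro to Windows 10 Pro Education—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Pro Education license, the operating system turns from Windows 10 Pro to Windows 10 Pro Education and all the appropriate Windows 10 Pro Education features are unlocked. When a license expires or is transferred to another user, the Windows 10 Pro Education device seamlessly steps back down to Windows 10 Pro.
-Previously, only schools or organizations purchasing devices as part of the Shape the Future K-12 program or with a Microsoft Volume Licensing Agreement could deploy Windows 10 Pro Education to their users. Now, if you have a Azure AD for your organization, you can take advantage of the Windows 10 Pro Education features.
-When you switch to Windows 10 Pro Education, you get the following benefits:
-- **Windows 10 Pro Education edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Pro Education Current Branch (CB). This benefit does not include Long Term Service Branch (LTSB).
-- **Support from one to hundreds of users**. The Windows 10 Pro Education program does not have a limitation on the number of licenses an organization can have.
-- **Roll back to Windows 10 Pro at any time**. When a user leaves the domain or you turn off the setting to automatic switch to Windows 10 Pro Education, the device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 30 days).
-In summary, the Windows 10 Pro Education free switch through the Microsoft Store for Education is an offering that provides organizations easier, more flexible access to the benefits of Windows 10 Pro Education edition.
-## Compare Windows 10 Pro and Pro Education editions
-In Windows 10, version 1607, the Windows 10 Pro Education edition contains the same features as the Windows 10 Pro edition except for the following differences:
-- Cortana is removed from Windows 10 Pro Education
-- Options to manage Windows 10 tips and tricks and Windows Store suggestions
-See [Windows 10 editions for education customers](windows-editions-for-education-customers.md) for more info about Windows 10 Pro Education and you can also [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare) to find out more about the features we support in other editions of Windows 10.
-## Requirements for switching
-Before you switch from Windows 10 Pro to Windows 10 Pro Education, make sure you meet these requirements:
-- Devices must be:
-- Running Windows 10 Pro, version 1607
-- Must be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. For more information, see [Review requirements on devices](#review-requirements-on-devices).
-If you haven't domain joined your devices already, [prepare for deployment of Windows 10 Pro Education licenses](#preparing-for-deployment-of-windows-10-pro-education-licenses).
-- The user making the changes must be a member of the Azure AD global administrator group.
-- The Azure AD tenant must be recognized as an education approved tenant.
-- You must have a Microsoft Store for Education account.
-## Switch from Windows 10 Pro to Windows 10 Pro Education
-Once you enable the setting to switch Windows 10 Pro to Windows 10 Pro Education, the switch will begin only after a user signs in to their device. The setting applies to the entire organization so you cannot select which users will receive the switch.
-**To turn on the automatic switch from Windows 10 Pro to Windows 10 Pro Education**
-1. Sign in to [Microsoft Store for Education](https://businessstore.microsoft.com/en-us/Store/Apps) with your work or school account.
-If this is the first time you're signing into the Microsoft Store, you'll be prompted to accept the Microsoft Store for Business and Education License Agreement.
-2. Go to **Manage > Account information**.
-3. In the **Account information** page, look for the **Automatic Windows 10 Pro Education upgrade** section and follow the link.
-You will see the following page informing you that your school is eligible for a free automatic switch from Windows 10 Pro to Windows 10 Pro Education.
-![Eligible for free Windows 10 Pro to Windows 10 Pro Education switch](images/wsfb_win10_pro_to proedu_upgrade_eligibility_page.png)
-**Figure 1** - Switch Windows 10 Pro to Windows 10 Pro Education
-4. Select **I understand enabling this setting will impact all devices running Windows 10 Pro in my organization**.
-5. Click **Send me email with a link to enable this upgrade** to receive an email with a link to the switch.
-![Email with Windows 10 Pro to Pro Education switch link](images/wsfb_win10_pro_to_proedu_email_upgrade_link.png)
-**Figure 2** - Email notification with a link to enable the switch
-6. Click **Enable the automatic upgrade now** to turn on automatic switches.
-![Enable the automatic switch](images/wsfb_win10_pro_to proedu_upgrade_enable.png).
-**Figure 3** - Enable the automatic switch
-Enabling the automatic switch also triggers an email message notifying all global administrators in your organization about the switch. It also contains a link that enables any global administrators to cancel the switch, if they choose. For more info about rolling back or canceling the switch, see [Roll back Windows 10 Pro Education to Windows 10 Pro](#roll-back-windows-10-pro-education-to-windows-10-pro).
-![Email informing other global admins about the switch](images/wsfb_win10_pro_to proedu_upgrade_email_global_admins.png).
-**Figure 4** - Notification email sent to all global administrators
-7. Click **Close** in the **Success** page.
-In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see a message informing you when the switch was enabled and the name of the admin who enabled the switch.
-![Summary page about the switch](images/wsfb_win10_pro_to proedu_upgrade_summary.png)
-**Figure 5** - Details about the automatic switch
-## Explore the switch experience
-So what will the users experience? How will they switch their devices?
-### For existing Azure AD domain joined devices
-Existing Azure AD domain joined devices will be switched from Windows 10 Pro to Windows 10 Pro Education the next time the user logs in. That's it! No additional steps are needed.
-### For new devices that are not Azure AD domain joined
-Now that you've turned on the setting to automatically switch Windows 10 Pro to Windows 10 Pro Education, the users are ready to switch their devices running Windows 10 Pro, version 1607 edition to Windows 10 Pro Education edition.
-#### Step 1: Join users devices to Azure AD
-Users can join a device to Azure AD the first time they start the device (during setup), or they can join a device that they already use running Windows 10 Pro, version 1607.
-**To join a device to Azure AD the first time the device is started**
-1. During the initial setup, on the **Who owns this PC?** page, select **My organization**, and then click **Next**, as illustrated in **Figure 6**.
-<img src="images/windows-who-owns.png" alt="Who owns this PC? page in Windows 10 setup" width="624" height="351" />
-**Figure 6** - The “Who owns this PC?” page in initial Windows 10 setup
-2. On the **Choose how youll connect** page, select **Join Azure AD**, and then click **Next**, as illustrated in **Figure 7**.
-<img src="images/windows-choose-how.png" alt="Choose how you'll connect - page in Windows 10 setup" width="624" height="351" />
-**Figure 7** - The “Choose how youll connect” page in initial Windows 10 setup
-3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 8**.
-<img src="images/windows-lets-get.png" alt="Let's get you signed in - page in Windows 10 setup" width="624" height="351" />
-**Figure 8** - The “Lets get you signed in” page in initial Windows 10 setup
-Now the device is Azure AD joined to the companys subscription.
-**To join a device to Azure AD when the device already has Windows 10 Pro, version 1607 installed and set up**
-1. Go to **Settings &gt; Accounts &gt; Access work or school**, as illustrated in **Figure 9**.
-<img src="images/win10-connect-to-work-or-school.png" alt="Connect to work or school configuration" />
-**Figure 9** - Connect to work or school configuration in Settings
-2. In **Set up a work or school account**, click **Join this device to Azure Active Directory**, as illustrated in **Figure 10**.
-<img src="images/win10-set-up-work-or-school.png" alt="Set up a work or school account" />
-**Figure 10** - Set up a work or school account
-3. On the **Lets get you signed in** page, enter the Azure AD credentials, and then click **Sign in**, as illustrated in **Figure 11**.
-<img src="images/win10-lets-get-2.png" alt="Let's get you signed in - dialog box" />
-**Figure 11** - The “Lets get you signed in” dialog box
-Now the device is Azure AD joined to the companys subscription.
-#### Step 2: Sign in using Azure AD account
-Once the device is joined to your Azure AD subscription, the user will sign in by using his or her Azure AD account, as illustrated in **Figure 12**. The Windows 10 Pro Education license associated with the user will enable Windows 10 Pro Education edition capabilities on the device.
-<img src="images/windows-sign-in.png" alt="Sign in, Windows 10" width="624" height="351" />
-**Figure 12** - Sign in by using Azure AD account
-#### Step 3: Verify that Pro Education edition is enabled
-You can verify the Windows 10 Pro Education in **Settings &gt; Update & Security &gt; Activation**, as illustrated in **Figure 13**.
-<span id="win-10-activated-subscription-active"/>
-**Figure 13** - Windows 10 Pro Education in Settings
-<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" />
-If there are any problems with the Windows 10 Pro Education license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
-## Troubleshoot the user experience
-In some instances, users may experience problems with the Windows 10 Pro Education switch. The most common problems that users may experience are as follows:
-- The existing Windows 10 Pro, version 1607 operating system is not activated.
-- The Windows 10 Pro Education switch has lapsed or has been removed.
-Use the following figures to help you troubleshoot when users experience these common problems:
-<span id="win-10-activated-subscription-active"/>
-**Figure 13** - Illustrates a device in a healthy state, where Windows 10 Pro, version 1607 is activated and the Windows 10 Pro Education switch is active.
-<img src="images/win-10-pro-edu-activated-subscription-active.png" alt="Windows 10 activated and subscription active" />
-<span id="win-10-not-activated"/>
-**Figure 14** - Illustrates a device on which Windows 10 Pro, version 1607 is not activated, but the Windows 10 Pro Education switch is active.
-<img src="images/win-10-pro-edu-not-activated-subscription-active.png" alt="Windows 10 not activated and subscription active" /><br><br>
-### Review requirements on devices
-Devices must be running Windows 10 Pro, version 1607, and be Azure Active Directory joined, or domain joined with Azure AD Connect. Customers who are federated with Azure Active Directory are also eligible. You can use the following procedures to review whether a particular device meets requirements.
-**To determine if a device is Azure Active Directory joined**
-1. Open a command prompt and type **dsregcmd /status**.
-2. Review the output under Device State. If the **AzureAdJoined** status is YES, the device is Azure Active Directory joined.
-**To determine the version of Windows 10**
-- At a command prompt, type:
-**winver**
-A popup window will display the Windows 10 version number and detailed OS build information.
-If a device is running a previous version of Windows 10 Pro (for example, version 1511), it will not be switched to Windows 10 Pro Education when a user signs in, even if the user has been assigned a license.
-## Roll back Windows 10 Pro Education to Windows 10 Pro
-If your organization has the Windows 10 Pro to Windows 10 Pro Education switch enabled, and you decide to roll back to Windows 10 Pro or to cancel the switch, you can do this by:
-- Logging into Microsoft Store for Education page and turning off the automatic switch.
-- Selecting the link to turn off the automatic switch from the notification email sent to all global administrators.
-Once the automatic switch to Windows 10 Pro Education is turned off, the change is effective immediately. Devices that were switched will revert to Windows 10 Pro only after the license has been refreshed (every 30 days) and the next time the user signs in. This means that a user whose device was switched may not immediately see Windows 10 Pro Education rolled back to Windows 10 Pro for up to 30 days. However, users who haven't signed in during the time that an switch was enabled and then turned off will never see their device change from Windows 10 Pro.
-**To roll back Windows 10 Pro Education to Windows 10 Pro**
-1. Log in to [Microsoft Store for Education](https://businessstore.microsoft.com/en-us/Store/Apps) with your school or work account, or follow the link from the notification email to turn off the automatic switch.
-2. Select **Manage > Account information** and locate the section **Automatic Windows 10 Pro Education upgrade** and follow the link.
-3. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, select **Turn off the automatic upgrade to Windows 10 Pro Education**.
-![Turn off automatic switch to Windows 10 Pro Education](images/wsfb_win10_pro_to proedu_upgrade_disable.png)
-**Figure 15** - Link to turn off the automatic switch
-4. You will be asked if you're sure that you want to turn off automatic switches to Windows 10 Pro Education. Click **Yes**.
-5. Click **Close** in the **Success** page.
-6. In the **Upgrade Windows 10 Pro to Windows 10 Pro Education** page, you will see information on when the switch was disabled.
-If you decide later that you want to turn on automatic switches again, you can do this from the **Upgrade Windows 10 Pro to Windows 10 Pro Education**.
-## Preparing for deployment of Windows 10 Pro Education licenses
-If you have on-premises Active Directory Domain Services (AD DS) domains, users will use their domain-based credentials to sign in to the AD DS domain. Before you start deploying Windows 10 Pro Education to users, you need to synchronize the identities in the on-premises AD DS domain with Azure AD.
-You need to synchronize these identities so that users will have a *single identity* that they can use to access their on-premises apps and cloud services that use Azure AD (such as Windows 10 Pro Education). This means that users can use their existing credentials to sign in to Azure AD and access the cloud services that you provide and manage for them.
-**Figure 16** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](http://www.microsoft.com/en-us/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
-![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png)
-**Figure 16** - On-premises AD DS integrated with Azure AD
-For more information about integrating on-premises AD DS domains with Azure AD, see these resources:
-- [Integrating your on-premises identities with Azure Active Directory](http://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/)
-- [Azure AD + Domain Join + Windows 10](https://blogs.technet.microsoft.com/enterprisemobility/2016/02/17/azure-ad-domain-join-windows-10/)
-## Related topics
-[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)
-[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)
-[Compare Windows 10 editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare)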


@ -39,7 +39,7 @@ Existing devices running Windows 10 Pro, currently activated with the original O
Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
Customers who deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](https://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](https://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
## Windows 10 Education


@ -28,9 +28,9 @@ in the Deep Dive into Credential Guard video series.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
## NTLM and CHAP Considerations
## Wi-fi and VPN Considerations
When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for WiFi and VPN connections.
## Kerberos Considerations
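Review bot: The rewritten recommendation on the new side drops the concrete protocol names that an administrator needs in order to know what to migrate away from and to, and it also carries a typo ("certificated-based"). The old text named PEAP-MSCHAPv2/EAP-MSCHAPv2 as the weak methods and PEAP-TLS/EAP-TLS as the targets; the new sentence only says "certificated-based authentication", which is not actionable on its own. Suggested replacement for the last sentence: `We recommend that organizations move from MS-CHAPv2-based methods such as PEAP-MSCHAPv2 and EAP-MSCHAPv2 to certificate-based authentication such as PEAP-TLS or EAP-TLS for Wi-Fi and VPN connections.` The heading also changes from "NTLM and CHAP Considerations" to "Wi-fi and VPN Considerations" while the paragraph still opens with the NTLMv1 statement, so any existing in-page anchors or cross-links to the old heading will presumably break unless a redirect or anchor alias is added.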


@ -97,7 +97,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot
```
### Credential Guard deployment in virtual machines
@ -126,7 +126,7 @@ You can view System Information to check that Credential Guard is running on a P
You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.0.ps1 -Ready
DG_Readiness_Tool_v3.2.ps1 -Ready
```
> [!NOTE]
@ -194,7 +194,7 @@ For more info on virtualization-based security and Device Guard, see [Device Gua
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
DG_Readiness_Tool_v3.2.ps1 -Disable -AutoReboot
```
#### Disable Credential Guard for a virtual machine


@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
},
"fileMetadata": {},
"template": [],


@ -6,7 +6,7 @@ author: MikeStephens-MS
description: Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
manager: alanth
ms.prod: w10
ms.technology: security
ms.technology: windows
ms.sitesec: library
ms.pagetype: security
localizationpriority: high
@ -71,141 +71,41 @@ Each PinRule element contains a sequence of one or more Site elements and a sequ
The PinRules element can have the following attributes.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml).
- **Duration** or **NextUpdate**
Specifies when the Pin Rules will expire.
Either is required.
**NextUpdate** takes precedence if both are specified.
**Duration**, represented as an XML TimeSpan data type, does not allow years and months.
You represent the **NextUpdate** attribute as a XML DateTime data type in UTC.
**Required?** Yes. At least one is required.
- **LogDuration** or **LogEndDate**
Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months.
If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes.
**Required?** No.
- **ListIdentifier**
Provides a friendly name for the list of pin rules.
Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL).
**Required?** No.
| Attribute | Description | Required |
|-----------|-------------|----------|
| **Duration** or **NextUpdate** | Specifies when the Pin Rules will expire. Either is required. **NextUpdate** takes precedence if both are specified. <br> **Duration**, represented as an XML TimeSpan data type, does not allow years and months. You represent the **NextUpdate** attribute as a XML DateTime data type in UTC. | **Required?** Yes. At least one is required. |
| **LogDuration** or **LogEndDate** | Configures auditing only to extend beyond the expiration of enforcing the Pin Rules. <br> **LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified. <br> You represent **LogDuration** as an XML TimeSpan data type, which does not allow years and months. <br> If neither attribute is specified, auditing expiration uses **Duration** or **NextUpdate** attributes. | No. |
| **ListIdentifier** | Provides a friendly name for the list of pin rules. Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL). | No. |
#### PinRule Element
The **PinRule** element can have the following attributes:
The **PinRule** element can have the following attributes.
- **Name**
Uniquely identifies the **PinRule**.
Windows uses this attribute to identify the element for a parsing error or for verbose output.
The attribute is not included in the generated certificate trust list (CTL).
**Required?** Yes.
- **Error**
Describes the action Windows performs when it encounters a PIN mismatch.
You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site.
- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction.
**Required?** No.
- **Log**
A Boolean value represent as string that equals **true** or **false**.
By default, logging is enabled (**true**).
**Required?** No.
| Attribute | Description | Required |
|-----------|-------------|----------|
| **Name** | Uniquely identifies the **PinRule**. Windows uses this attribute to identify the element for a parsing error or for verbose output. The attribute is not included in the generated certificate trust list (CTL). | Yes.|
| **Error** | Describes the action Windows performs when it encounters a PIN mismatch. You can choose from the following string values: <br>- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site. <br>- **InvalidName** - Windows reports the certificate protecting the site as if the name on the certificate does not match the name of the site. This typically results in prompting the user before accessing the site. <br>- **None** - The default value. No error is returned. You can use this setting to audit the pin rules without introducing any user friction. | No. |
| **Log** | A Boolean value represent as string that equals **true** or **false**. By default, logging is enabled (**true**). | No. |
#### Certificate element
The **Certificate** element can have the following attributes:
The **Certificate** element can have the following attributes.
- **File**
Path to a file containing one or more certificates.
Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst.
These files can also be Base64 formatted.
All **Site** elements included in the same **PinRule** element can match any of these certificates.
**Required?** Yes (File, Directory or Base64 must be present).
- **Directory**
Path to a directory containing one or more of the above certificate files.
Skips any files not containing any certificates.
**Required?** Yes (File, Directory or Base64 must be present).
- **Base64**
Base64 encoded certificate(s).
Where the certificate(s) can be encoded as:
- single certificate
- p7b
- sst.
This allows the certificates to be included in the XML file without a file directory dependency.
> [!Note]
> You can use **certutil -encode** to a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule.
**Required?** Yes (File, Directory or Base64 must be present).
- **EndDate**
Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this elements certificates.
If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).
**Required?** No.
| Attribute | Description | Required |
|-----------|-------------|----------|
| **File** | Path to a file containing one or more certificates. Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br>- sst <br> These files can also be Base64 formatted. All **Site** elements included in the same **PinRule** element can match any of these certificates. | Yes (File, Directory or Base64 must be present). |
| **Directory** | Path to a directory containing one or more of the above certificate files. Skips any files not containing any certificates. | Yes (File, Directory or Base64 must be present). |
| **Base64** | Base64 encoded certificate(s). Where the certificate(s) can be encoded as: <br>- single certificate <br>- p7b <br> - sst <br> This allows the certificates to be included in the XML file without a file directory dependency. <br> Note: <br> You can use **certutil -encode** to convert a .cer file into base64. You can then use Notepad to copy and paste the base64 encoded certificate into the pin rule. | Yes (File, Directory or Base64 must be present). |
| **EndDate** | Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule. <br>If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this elements certificates.<br> If the current time is past the **EndDate**, then, when creating the certificate trust list (CTL), the parser outputs a warning message and exclude the certificate(s) from the Pin Rule in the generated CTL.<br> For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml).| No.|
#### Site element
The **Site** element can have the following attributes:
The **Site** element can have the following attributes.
- **Domain**
Contains the DNS name to be matched for this pin rule.
When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*" it is removed.
- Non-ASCII DNS name are converted to ASCII Puny Code.
- Upper case ASCII characters are converted to lower case.
If the normalized name has a leading ".", then, wildcard left hand label matching is enabled.
For example, ".xyz.com" would match "abc.xyz.com".
**Required?** Yes.
- **AllSubdomains**
By default, wildcard left hand label matching is restricted to a single left hand label.
This attribute can be set to "true" to enable wildcard matching of all of the left hand labels.
For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.
**Required?** No.
| Attribute | Description | Required |
|-----------|-------------|----------|
| **Domain** | Contains the DNS name to be matched for this pin rule. When creating the certificate trust list, the parser normalizes the input name string value as follows: <br>- If the DNS name has a leading "*" it is removed. <br>- Non-ASCII DNS name are converted to ASCII Puny Code. <br>- Upper case ASCII characters are converted to lower case. <br>If the normalized name has a leading ".", then, wildcard left hand label matching is enabled. For example, ".xyz.com" would match "abc.xyz.com". | Yes.|
| **AllSubdomains** | By default, wildcard left hand label matching is restricted to a single left hand label. This attribute can be set to "true" to enable wildcard matching of all of the left-hand labels.<br>For example, setting this attribute would also match "123.abc.xyz.com" for the ".xyz.com" domain value.| No.|
### Create a Pin Rules Certificate Trust List
@ -302,10 +202,6 @@ Sign-in to the reference computer using domain administrator equivalent credenti
To assist in constructing certificate pinning rules, you can configure the **PinRulesLogDir** setting under the certificate chain configuration registry key to include a parent directory to log pin rules.
```code
HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config
```
| Name | Value |
|------|-------|
| Key | HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CertDllCreateCertificateChainEngine\Config |
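Review bot: The new **Error** row in the PinRule attribute table states that **None** is the default and returns no error, but the table does not make explicit the practical consequence that a PinRule with no **Error** attribute is audit-only and does not enforce the pin; a reader copying a rule from the examples could believe they have deployed enforcement when they have not. Suggest appending to the **Error** description: `Because **None** is the default, a **PinRule** without an explicit **Error** value only audits pin mismatches; set **Revoked** or **InvalidName** to enforce the rule.` Two wording defects were carried over into the new tables as well: the **Log** row reads "A Boolean value represent as string" (should be "represented as a string"), and the **Domain** row reads "Non-ASCII DNS name are converted to ASCII Puny Code" (should be "Non-ASCII DNS names are converted to ASCII Punycode"). The EndDate row's "the parser outputs a warning message and exclude the certificate(s)" should be "excludes".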


@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
},
"fileMetadata": {},
"template": [],


@ -9,4 +9,5 @@
## [Reset a Windows 10 Mobile device](reset-a-windows-10-mobile-device.md)
## [Windows 10 Mobile deployment and management guide](windows-10-mobile-and-mdm.md)
## [Windows libraries](windows-libraries.md)
## [Mobile Device Management](mdm/index.md)
## [Change history for Client management](change-history-for-client-management.md)


@ -32,7 +32,8 @@
"externalReference": [],
"globalMetadata": {
"uhfHeaderId": "MSDocsHeader-WindowsIT",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json"
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows"
},
"fileMetadata": {},
"template": [],


@ -0,0 +1,221 @@
# [Mobile device management](index.md)
## [What's new in MDM enrollment and management](new-in-windows-mdm-enrollment-management.md)
## [Mobile device enrollment](mobile-device-enrollment.md)
### [MDM enrollment of Windows devices](mdm-enrollment-of-windows-devices.md)
### [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
### [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
### [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
## [Understanding ADMX-backed policies](understanding-admx-backed-policies.md)
## [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md)
## [Implement server-side support for mobile application management on Windows](implement-server-side-mobile-application-management.md)
## [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)
## [Deploy and configure App-V apps using MDM](appv-deploy-and-config.md)
## [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
### [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md)
### [Register your free Azure Active Directory subscription](register-your-free-azure-active-directory-subscription.md)
## [Enterprise app management](enterprise-app-management.md)
## [Device update management](device-update-management.md)
## [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md)
## [Management tool for the Windows Store for Business](management-tool-for-windows-store-for-business.md)
### [REST API reference for Windows Store for Business](rest-api-reference-windows-store-for-business.md)
#### [Data structures for Windows Store for Business](data-structures-windows-store-for-business.md)
#### [Get Inventory](get-inventory.md)
#### [Get product details](get-product-details.md)
#### [Get localized product details](get-localized-product-details.md)
#### [Get offline license](get-offline-license.md)
#### [Get product packages](get-product-packages.md)
#### [Get product package](get-product-package.md)
#### [Get seats](get-seats.md)
#### [Get seat](get-seat.md)
#### [Assign seats](assign-seats.md)
#### [Reclaim seat from user](reclaim-seat-from-user.md)
#### [Bulk assign and reclaim seats from users](bulk-assign-and-reclaim-seats-from-user.md)
#### [Get seats assigned to a user](get-seats-assigned-to-a-user.md)
## [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
## [Certificate renewal](certificate-renewal-windows-mdm.md)
## [Disconnecting from the management infrastructure (unenrollment)](disconnecting-from-mdm-unenrollment.md)
## [Enterprise settings, policies, and app management](windows-mdm-enterprise-settings.md)
## [Push notification support for device management](push-notification-windows-mdm.md)
## [OMA DM protocol support](oma-dm-protocol-support.md)
## [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
## [Server requirements for OMA DM](server-requirements-windows-mdm.md)
## [DMProcessConfigXMLFiltered](dmprocessconfigxmlfiltered.md)
## [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
## [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
## [Create a custom configuration service provider](create-a-custom-configuration-service-provider.md)
### [Design a custom configuration service provider](design-a-custom-windows-csp.md)
### [IConfigServiceProvider2](iconfigserviceprovider2.md)
#### [IConfigServiceProvider2::ConfigManagerNotification](iconfigserviceprovider2configmanagernotification.md)
#### [IConfigServiceProvider2::GetNode](iconfigserviceprovider2getnode.md)
### [ICSPNode](icspnode.md)
#### [ICSPNode::Add](icspnodeadd.md)
#### [ICSPNode::Clear](icspnodeclear.md)
#### [ICSPNode::Copy](icspnodecopy.md)
#### [ICSPNode::DeleteChild](icspnodedeletechild.md)
#### [ICSPNode::DeleteProperty](icspnodedeleteproperty.md)
#### [ICSPNode::Execute](icspnodeexecute.md)
#### [ICSPNode::GetChildNodeNames](icspnodegetchildnodenames.md)
#### [ICSPNode::GetProperty](icspnodegetproperty.md)
#### [ICSPNode::GetPropertyIdentifiers](icspnodegetpropertyidentifiers.md)
#### [ICSPNode::GetValue](icspnodegetvalue.md)
#### [ICSPNode::Move](icspnodemove.md)
#### [ICSPNode::SetProperty](icspnodesetproperty.md)
#### [ICSPNode::SetValue](icspnodesetvalue.md)
### [ICSPNodeTransactioning](icspnodetransactioning.md)
### [ICSPValidate](icspvalidate.md)
### [Samples for writing a custom configuration service provider](samples-for-writing-a-custom-configuration-service-provider.md)
## [Configuration service provider reference](configuration-service-provider-reference.md)
### [ActiveSync CSP](activesync-csp.md)
#### [ActiveSync DDF file](activesync-ddf-file.md)
### [AllJoynManagement CSP](alljoynmanagement-csp.md)
#### [AllJoynManagement DDF](alljoynmanagement-ddf.md)
### [APPLICATION CSP](application-csp.md)
### [AppLocker CSP](applocker-csp.md)
#### [AppLocker DDF file](applocker-ddf-file.md)
#### [AppLocker XSD](applocker-xsd.md)
### [AssignedAccess CSP](assignedaccess-csp.md)
#### [AssignedAccess DDF file](assignedaccess-ddf.md)
### [BitLocker CSP](bitlocker-csp.md)
#### [BitLocker DDF file](bitlocker-ddf-file.md)
### [BOOTSTRAP CSP](bootstrap-csp.md)
### [BrowserFavorite CSP](browserfavorite-csp.md)
### [CellularSettings CSP](cellularsettings-csp.md)
### [CertificateStore CSP](certificatestore-csp.md)
#### [CertificateStore DDF file](certificatestore-ddf-file.md)
### [CleanPC CSP](cleanpc-csp.md)
#### [CleanPC DDF](cleanpc-ddf.md)
### [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
#### [ClientCertificateInstall DDF file](clientcertificateinstall-ddf-file.md)
### [CM_CellularEntries CSP](cm-cellularentries-csp.md)
### [CM_ProxyEntries CSP](cm-proxyentries-csp.md)
### [CMPolicy CSP](cmpolicy-csp.md)
### [CMPolicyEnterprise CSP](cmpolicyenterprise-csp.md)
#### [CMPolicyEnterprise DDF file](cmpolicyenterprise-ddf-file.md)
### [CustomDeviceUI CSP](customdeviceui-csp.md)
#### [CustomDeviceUI DDF file](customdeviceui-ddf.md)
### [Defender CSP](defender-csp.md)
#### [Defender DDF file](defender-ddf.md)
### [DevDetail CSP](devdetail-csp.md)
#### [DevDetail DDF file](devdetail-ddf-file.md)
### [DeveloperSetup CSP](developersetup-csp.md)
#### [DeveloperSetup DDF](developersetup-ddf.md)
### [DeviceInstanceService CSP](deviceinstanceservice-csp.md)
### [DeviceLock CSP](devicelock-csp.md)
#### [DeviceLock DDF file](devicelock-ddf-file.md)
### [DeviceManageability CSP](devicemanageability-csp.md)
#### [DeviceManageability DDF](devicemanageability-ddf.md)
### [DeviceStatus CSP](devicestatus-csp.md)
#### [DeviceStatus DDF](devicestatus-ddf.md)
### [DevInfo CSP](devinfo-csp.md)
#### [DevInfo DDF file](devinfo-ddf-file.md)
### [DiagnosticLog CSP](diagnosticlog-csp.md)
#### [DiagnosticLog DDF file](diagnosticlog-ddf.md)
### [DMAcc CSP](dmacc-csp.md)
#### [DMAcc DDF file](dmacc-ddf-file.md)
### [DMClient CSP](dmclient-csp.md)
#### [DMClient DDF file](dmclient-ddf-file.md)
### [DMSessionActions CSP](dmsessionactions-csp.md)
#### [DMSessionActions DDF file](dmsessionactions-ddf.md)
### [DynamicManagement CSP](dynamicmanagement-csp.md)
#### [DynamicManagement DDF file](dynamicmanagement-ddf.md)
### [EMAIL2 CSP](email2-csp.md)
#### [EMAIL2 DDF file](email2-ddf-file.md)
### [EnterpriseAPN CSP](enterpriseapn-csp.md)
#### [EnterpriseAPN DDF](enterpriseapn-ddf.md)
### [EnterpriseAppManagement CSP](enterpriseappmanagement-csp.md)
### [EnterpriseAppVManagement CSP](enterpriseappvmanagement-csp.md)
#### [EnterpriseAppVManagement DDF file](enterpriseappvmanagement-ddf.md)
### [EnterpriseAssignedAccess CSP](enterpriseassignedaccess-csp.md)
#### [EnterpriseAssignedAccess DDF file](enterpriseassignedaccess-ddf.md)
#### [EnterpriseAssignedAccess XSD](enterpriseassignedaccess-xsd.md)
### [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
#### [EnterpriseDataProtection DDF file](enterprisedataprotection-ddf-file.md)
### [EnterpriseDesktopAppManagement CSP](enterprisedesktopappmanagement-csp.md)
#### [EnterpriseDesktopAppManagement DDF](enterprisedesktopappmanagement-ddf-file.md)
#### [EnterpriseDesktopAppManagement XSD](enterprisedesktopappmanagement2-xsd.md)
### [EnterpriseExt CSP](enterpriseext-csp.md)
#### [EnterpriseExt DDF file](enterpriseext-ddf.md)
### [EnterpriseExtFileSystem CSP](enterpriseextfilessystem-csp.md)
#### [EnterpriseExtFileSystem DDF file](enterpriseextfilesystem-ddf.md)
### [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)
#### [EnterpriseModernAppManagement DDF](enterprisemodernappmanagement-ddf.md)
#### [EnterpriseModernAppManagement XSD](enterprisemodernappmanagement-xsd.md)
### [FileSystem CSP](filesystem-csp.md)
### [HealthAttestation CSP](healthattestation-csp.md)
#### [HealthAttestation DDF](healthattestation-ddf.md)
### [HotSpot CSP](hotspot-csp.md)
### [Maps CSP](maps-csp.md)
#### [Maps DDF](maps-ddf-file.md)
### [Messaging CSP](messaging-csp.md)
#### [Messaging DDF file](messaging-ddf.md)
### [NAP CSP](nap-csp.md)
### [NAPDEF CSP](napdef-csp.md)
### [NetworkProxy CSP](networkproxy-csp.md)
#### [NetworkProxy DDF file](networkproxy-ddf.md)
### [NetworkQoSPolicy CSP](networkqospolicy-csp.md)
#### [NetworkQoSPolicy DDF file](networkqospolicy-ddf.md)
### [NodeCache CSP](nodecache-csp.md)
#### [NodeCache DDF file](nodecache-ddf-file.md)
### [Office CSP](office-csp.md)
#### [Office DDF](office-ddf.md)
### [PassportForWork CSP](passportforwork-csp.md)
#### [PassportForWork DDF file](passportforwork-ddf.md)
### [Personalization CSP](personalization-csp.md)
#### [Personalization DDF file](personalization-ddf.md)
### [Policy CSP](policy-configuration-service-provider.md)
#### [Policy DDF file](policy-ddf-file.md)
#### [ApplicationRestrictions XSD](applicationrestrictions-xsd.md)
### [PolicyManager CSP](policymanager-csp.md)
### [Provisioning CSP](provisioning-csp.md)
### [PROXY CSP](proxy-csp.md)
### [PXLOGICAL CSP](pxlogical-csp.md)
### [Reboot CSP](reboot-csp.md)
#### [Reboot DDF file](reboot-ddf-file.md)
### [Registry CSP](registry-csp.md)
#### [Registry DDF file](registry-ddf-file.md)
### [RemoteFind CSP](remotefind-csp.md)
#### [RemoteFind DDF file](remotefind-ddf-file.md)
### [RemoteLock CSP](remotelock-csp.md)
#### [RemoteLock DDF file](remotelock-ddf-file.md)
### [RemoteRing CSP](remotering-csp.md)
#### [RemoteRing DDF file](remotering-ddf-file.md)
### [RemoteWipe CSP](remotewipe-csp.md)
#### [RemoteWipe DDF file](remotewipe-ddf-file.md)
### [Reporting CSP](reporting-csp.md)
#### [Reporting DDF file](reporting-ddf-file.md)
### [RootCATrustedCertificates CSP](rootcacertificates-csp.md)
#### [RootCATrustedCertificates DDF file](rootcacertificates-ddf-file.md)
### [SecureAssessment CSP](secureassessment-csp.md)
#### [SecureAssessment DDF file](secureassessment-ddf-file.md)
### [SecurityPolicy CSP](securitypolicy-csp.md)
### [SharedPC CSP](sharedpc-csp.md)
#### [SharedPC DDF file](sharedpc-ddf-file.md)
### [Storage CSP](storage-csp.md)
#### [Storage DDF file](storage-ddf-file.md)
### [SUPL CSP](supl-csp.md)
#### [SUPL DDF file](supl-ddf-file.md)
### [SurfaceHub CSP](surfacehub-csp.md)
#### [SurfaceHub DDF file](surfacehub-ddf-file.md)
### [UnifiedWriteFilter CSP](unifiedwritefilter-csp.md)
#### [UnifiedWriteFilter DDF file](unifiedwritefilter-ddf.md)
### [Update CSP](update-csp.md)
#### [Update DDF file](update-ddf-file.md)
### [VPN CSP](vpn-csp.md)
#### [VPN DDF file](vpn-ddf-file.md)
### [VPNv2 CSP](vpnv2-csp.md)
#### [VPNv2 DDF file](vpnv2-ddf-file.md)
#### [ProfileXML XSD](vpnv2-profile-xsd.md)
#### [EAP configuration](eap-configuration.md)
### [w4 APPLICATION CSP](w4-application-csp.md)
### [w7 APPLICATION CSP](w7-application-csp.md)
### [WiFi CSP](wifi-csp.md)
#### [WiFi DDF file](wifi-ddf-file.md)
### [Win32AppInventory CSP](win32appinventory-csp.md)
#### [Win32AppInventory DDF file](win32appinventory-ddf-file.md)
### [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
#### [WindowsAdvancedThreatProtection DDF file](windowsadvancedthreatprotection-ddf.md)
### [WindowsLicensing CSP](windowslicensing-csp.md)
#### [WindowsLicensing DDF file](windowslicensing-ddf-file.md)
### [WindowsSecurityAuditing CSP](windowssecurityauditing-csp.md)
#### [WindowsSecurityAuditing DDF file](windowssecurityauditing-ddf-file.md)


@ -0,0 +1,265 @@
---
title: ActiveSync CSP
description: ActiveSync CSP
ms.assetid: c65093ef-bd36-4f32-9dab-edb7bcfb3188
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# ActiveSync CSP
The ActiveSync configuration service provider is used to set up and change settings for Exchange ActiveSync. After an Exchange account has been updated over-the-air by the ActiveSync configuration service provider, the device must be powered off and then powered back on to see sync status.
Configuring Windows Live ActiveSync accounts through this configuration service provider is not supported.
> **Note**  
The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync path will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
 
The following diagram shows the ActiveSync configuration service provider management objects in tree format as used by Open Mobile Alliance Device Management (OMA DM), OMA Client Provisioning, and Enterprise DM.
![activesync csp (cp)](images/provisioning-csp-activesync-cp.png)
<a href="" id="--user-vendor-msft-activesync"></a>**./User/Vendor/MSFT/ActiveSync**
The root node for the ActiveSync configuration service provider.
> **Note**  
The target user must be logged in for the CSP to succeed. The correct way to configure an account is to use the ./User/Vendor/MSFT/ActiveSync path.
On the desktop, only per user configuration (./User/Vendor/MSFT/ActiveSync) is supported. However, the ./Vendor/MSFT/ActiveSync will work if the user is logged in. The CSP fails when no user is logged in.
The ./Vendor/MSFT/ActiveSync path is deprecated, but will continue to work in the short term.
 
The supported operation is Get.
<a href="" id="accounts"></a>**Accounts**
The root node for all ActiveSync accounts.
The supported operation is Get.
<a href="" id="account-guid"></a>***Account GUID***
Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device.
Supported operations are Get, Add, and Delete.
When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account.
Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example:
``` syntax
<characteristic type="{C556E16F-56C4-4EDB-9C64-D9469EE1FBE0}"/>
```
For OMA DM, you must use the ASCII values of %7B and %7D for the opening and closing braces, respectively. For example, if the GUID is "C556E16F-56C4-4EDB-9C64-D9469EE1FBE0", type:
``` syntax
<Target>
<LocURI>
./Vendor/MSFT/ActiveSync/Accounts/%7BC556E16F-56C4-4EDB-9C64-D9469EE1FBE0%7D
</LocURI>
</Target>
```
<a href="" id="account-guid-emailaddress"></a>***Account GUID*/EmailAddress**
Required. A character string that specifies the email address associated with the Exchange ActiveSync account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
This email address is entered by the user during setup and must be in the fully qualified email address format, for example, "someone@example.com".
<a href="" id="account-guid-domain"></a>***Account GUID*/Domain**
Optional for Exchange. Specifies the domain name of the Exchange server.
Supported operations are Get, Replace, Add, and Delete.
<a href="" id="account-guid-accounticon"></a>***Account GUID*/AccountIcon**
Required. A character string that specifies the location of the icon associated with the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
The account icon can be used as a tile in the **Start** list or an icon in the applications list under **Settings &gt; email & accounts**. Some icons are already provided on the device. The suggested icon for POP/IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.genericmail.png. The suggested icon for Exchange Accounts is at res://AccountSettingsSharedRes{*ScreenResolution*}!%s.office.outlook.png. Custom icons can be added if desired.
<a href="" id="account-guid-accounttype"></a>***Account GUID*/AccountType**
Required. A character string that specifies the account type.
Supported operations are Get and Add (cannot Add after the account is created).
This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange".
<a href="" id="account-guid-accountname"></a>***Account GUID*/AccountName**
Required. A character string that specifies the name that refers to the account on the device.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
<a href="" id="account-guid-password"></a>***Account GUID*/Password**
Required. A character string that specifies the password for the account.
Supported operations are Get, Replace, Add, and Delete.
For the Get command, only asterisks are returned.
<a href="" id="account-guid-servername"></a>***Account GUID*/ServerName**
Required. A character string that specifies the server name used by the account.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
<a href="" id="account-guid-username"></a>***Account GUID*/UserName**
Required. A character string that specifies the user name for the account.
Supported operations are Get, and Add (cannot Add after the account is created).
The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format "someone@example.com", or just "username", depending on the type of account created. For most Exchange accounts, the user name format is just "username", whereas for Microsoft, Google, Yahoo, and most POP/IMAP accounts, the user name format is "someone@example.com".
<a href="" id="options"></a>**Options**
Node for other parameters.
<a href="" id="options-calendaragefilter"></a>**Options/CalendarAgeFilter**
Specifies the time window used for syncing calendar items to the device. Value type is chr.
<a href="" id="options-logging"></a>**Options/Logging**
Required. A character string that specifies whether diagnostic logging is enabled and at what level. The default is 0 (disabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Valid values are one of the following:
- 0 (default) - Logging is off.
- 1 - Basic logging is enabled.
- 2 - Advanced logging is enabled.
Logging is set to off by default. The user might be asked to set this to Basic or Advanced when having a sync issue that customer support is investigating. Setting the logging level to Advanced has more of a performance impact than Basic.
<a href="" id="options-mailbodytype"></a>**Options/MailBodyType**
Indicates the email format. Valid values:
- 0 - none
- 1 - text
- 2 - HTML
- 3 - RTF
- 4 - MIME
<a href="" id="options-mailhtmltruncation"></a>**Options/MailHTMLTruncation**
Specifies the size beyond which HTML-formatted email messages are truncated when they are synchronized to the mobile device. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-mailplaintexttruncation"></a>**Options/MailPlainTextTruncation**
This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.
<a href="" id="options-usessl"></a>**Options/UseSSL**
Optional. A character string that specifies whether SSL is used.
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Valid values are:
- 0 - SSL is not used.
- 1 (default) - SSL is used.
<a href="" id="options-schedule"></a>**Options/Schedule**
Required. A character string that specifies the time until the next sync is performed, in minutes. The default value is -1.
Supported operations are Get and Replace.
Valid values are one of the following:
- -1 (default) - A sync will occur as items are received
- 0 - All syncs must be performed manually
- 15 - Sync every 15 minutes
- 30 - Sync every 30 minutes
- 60 - Sync every 60 minutes
<a href="" id="options-mailagefilter"></a>**Options/MailAgeFilter**
Required. A character string that specifies the time window used for syncing email items to the device. The default value is 3.
Supported operations are Get and Replace.
Valid values are one of the following:
- 0 No age filter is used, and all email items are synced to the device.
- 2 Only email up to three days old is synced to the device.
- 3 (default) Email up to a week old is synced to the device.
- 4 Email up to two weeks old is synced to the device.
- 5 Email up to a month old is synced to the device.
<a href="" id="options-contenttypes-content-type-guid"></a>**Options/ContentTypes/****_Content Type GUID_**
Defines the type of content to be individually enabled/disabled for sync.
The *GUID* values allowed are one of the following:
- Email: "{c6d47067-6e92-480e-b0fc-4ba82182fac7}"
- Contacts: "{0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}"
- Calendar: "{4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}"
- Tasks: "{783ae4f6-4c12-4423-8270-66361260d4f1}"
<a href="" id="options-contenttypes-content-type-guid-enabled"></a>**Options/ContentTypes/*Content Type GUID*/Enabled**
Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default is "1" (enabled).
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
Valid values are one of the following:
- 0 - Sync for email, contacts, calendar, or tasks is disabled.
- 1 (default) - Sync is enabled.
<a href="" id="options-contenttypes-content-type-guid-name"></a>**Options/ContentTypes/*Content Type GUID*/Name**
Required. A character string that specifies the name of the content type.
> **Note**  In Windows 10, this node is currently not working.
 
Supported operations are Get, Replace, and Add (cannot Add after the account is created).
When you use Add or Replace inside an atomic block in the SyncML, the CSP returns an error and provisioning fails. When you use Add or Replace outside of the atomic block, the error is ignored and the account is provisioned as expected.
<a href="" id="policies"></a>**Policies**
Node for mail body type and email age filter.
<a href="" id="policies-mailbodytype"></a>**Policies/MailBodyType**
Required. Specifies the email body type: HTML or plain.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
<a href="" id="policies-maxmailagefilter"></a>**Policies/MaxMailAgeFilter**
Required. Specifies the time window used for syncing mail items to the device.
Value type is string. Supported operations are Add, Get, Replace, and Delete.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -0,0 +1,693 @@
---
title: ActiveSync DDF file
description: ActiveSync DDF file
ms.assetid: c4cd4816-ad8f-45b2-9b81-8abb18254096
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# ActiveSync DDF file
This topic shows the OMA DM device description framework (DDF) for the **ActiveSync** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[
<?oma-dm-ddf-ver supported-versions="1.2"?>
]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>ActiveSync</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The root node for ActiveSync configuration.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/ActiveSync</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>Accounts</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The parent node group all active sync accounts.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the device.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Account GUID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EmailAddress</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The email address the user entered during setup. This is the email address that is associated with the Exchange ActiveSync account and it is required.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Domain</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Domain name of the Exchange server</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AccountIcon</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specify the location of the icon associated with the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AccountType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specify the account type.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>AccountName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The name that refers to the account on the phone.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Password</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>A character string that specifies the password for the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ServerName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the server name used by the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UserName</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the user name for the account.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Options</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies whether email, contacts, and calendar need to synchronize by default, and sets preference such as sync schedule, truncation sizes, and logging.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CalendarAgeFilter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time window used for syncing calendar items to the phone.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Logging</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies whether diagnostic logging is enabled and at what level.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailBodyType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Indicates format type of the Email. Supported values are 0 (none), 1 (text), 2 (HTML), 3 (RTF), and 4 (MIME).</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailHTMLTruncation</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This setting specifies the size beyond which HTML-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailPlainTextTruncation</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>This setting specifies the size beyond which text-formatted e-mail messages are truncated when they are synchronized to the mobile phone. The value is specified in KB. A value of -1 disables truncation.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Schedule</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time until the next sync is performed in minutes.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>UseSSL</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies whether SSL is used.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MailAgeFilter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time window used for syncing email items to the phone.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ContentTypes</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Enables or disables syncing email, contacts, task, and calendar.Each is represented by a GUID.Email: {c6d47067-6e92-480e-b0fc-4ba82182fac7}. Contacts: {0dd8685c-e272-4fcb-9ecf-2ead7ea2497b}.Calendar: {4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad}. Tasks:{783ae4f6-4c12-4423-8270-66361260d4f1}</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<OneOrN>1</OneOrN>
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Content Type GUID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Enables or disables Sync for Email, contacts, calendar, and Tasks.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Name</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>The name of the content type.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Policies</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the mail body type and email age filter.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>MailBodyType</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the email body type. HTML or plain</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>MaxMailAgeFilter</NodeName>
<DFProperties>
<AccessType>
<Get />
<Add />
<Replace />
<Delete />
</AccessType>
<Description>Specifies the time window used for syncing mail items to the device.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[ActiveSync configuration service provider](activesync-csp.md)
 
 


@ -0,0 +1,97 @@
---
title: Add an Azure AD tenant and Azure AD subscription
description: Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
ms.assetid: 36D94BEC-A6D8-47D2-A547-EBD7B7D163FA
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Add an Azure AD tenant and Azure AD subscription
Here's a step-by-step guide to adding an Azure Active Directory tenant, adding an Azure AD subscription, and registering your subscription.
> **Note**  If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. For step-by-step guide to register this free subscription, see [Register your free Azure Active Directory subscription.](#register-your-free-azure-active-directory-subscription)
1. Sign-up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
![sign up for azure ad tenant](images/azure-ad-add-tenant1.png)
2. Enter the information for your organization. Click **check availability** to verify that domain name that you selected is available.
![sign up for azure ad](images/azure-ad-add-tenant2.png)
3. Complete the login and country information. You must provide a valid phone number, then click **Send text message** or **Call me**.
![create azure account](images/azure-ad-add-tenant3.png)
4. Enter the code that you receive and then click **Verify code**. After the code is verified and the continue button turns green, click **continue**.
![add aad tenant](images/azure-ad-add-tenant3-b.png)
5. After you finish creating your Azure account, you are ready to add an Azure AD subscription.
If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to Office 356 portal, <https://portal.office.com/> and then sign in using the admin account that you just created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
![login to office 365](images/azure-ad-add-tenant4.png)
6. Click **Install software**.
![login to office 365](images/azure-ad-add-tenant5.png)
7. In the Office 365 portal, select **Purchase Services** from the left nagivation.
![purchase service option in admin center menu](images/azure-ad-add-tenant6.png)
8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then click to purchase.
![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png)
9. Continue with your purchase.
![azure active directory premium payment page](images/azure-ad-add-tenant8.png)
10. After the purchase is completed, you can login to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc...).
![admin center left navigation menu](images/azure-ad-add-tenant9.png)
When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
## Register your free Azure Active Directory subscription
If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Enterprise Mobility Suite, or other Microsoft services, you have a free subscription to Azure AD. Here's a step-by-step guide to register your free Azure AD subscription using an Office 365 Premium Business subscription.
1. Sign in to the Office 365 portal at <https://portal.office.com> using your organization's account.
![register azuread](images/azure-ad-add-tenant10.png)
2. On the **Home** page, click on the Admin tools icon.
![register azuread](images/azure-ad-add-tenant11.png)
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
![register azuread](images/azure-ad-add-tenant12.png)
4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
![register azuread](images/azure-ad-add-tenant13.png)
5. It may take a few minutes to process the request.
![register azuread](images/azure-ad-add-tenant14.png)
6. You will see a welcome page when the process completes.
![register azuread](images/azure-ad-add-tenant15.png)
 


@ -0,0 +1,147 @@
---
title: AllJoynManagement CSP
description: The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus.
ms.assetid: 468E0EE5-EED3-48FF-91C0-89F9D159AA8C
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# AllJoynManagement CSP
The AllJoynManagement configuration service provider (CSP) allows an IT administrator to enumerate the AllJoyn devices that are connected to the AllJoyn bus. The devices must support the Microsoft AllJoyn configuration interface (com.microsoft.alljoynmanagement.config). You can also push configuration files to the same devices. To populate the various nodes when setting new configuration, we recommend that you do a query first, to get the actual values for all the nodes in all the attached devices. You can then use the information from the query to set the node values when pushing the new configuration.
> **Note**  
The AllJoynManagement configuration service provider (CSP) is only supported in Windows 10 IoT Core (IoT Core).
This CSP was added in Windows 10, version 1511.
 
For the firewall settings, note that PublicProfile and PrivateProfile are mutually exclusive. The Private Profile must be set on the directly on the device itself, and the only supported operation is Get. For PublicProfile, both Add and Get are supported. This CSP is intended to be used in conjunction with the AllJoyn Device System Bridge, and an understanding of the bridge will help when determining when and how to use this CSP. For more information, see [Device System Bridge (DSB) Project](http://go.microsoft.com/fwlink/p/?LinkId=615876) and [AllJoyn Device System Bridge](http://go.microsoft.com/fwlink/p/?LinkId=615877).
The following diagram shows the AllJoynManagement configuration service provider in tree format
![alljoynmanagement csp diagram](images/provisioning-csp-alljoynmanagement.png)
The following list describes the characteristics and parameters.
<a href="" id="--vendor-msft-alljoynmanagement"></a>**./Vendor/MSFT/AllJoynManagement**
The root node for the AllJoynManagement configuration service provider.
<a href="" id="services"></a>**Services**
List of all AllJoyn objects that are discovered on the AllJoyn bus. All AllJoyn objects that expose the "com.microsoft.alljoynmanagement.config" are included.
<a href="" id="services-node-name"></a>**Services/****_Node name_**
The unique AllJoyn device ID (a GUID) that hosts one or more configurable objects.
<a href="" id="services-node-name-port"></a>**Services/*Node name*/Port**
The set of ports that the AllJoyn object uses to communicate configuration settings. Typically only one port is used for communication, but it is possible to specify additional ports.
<a href="" id="services-node-name-port-node-name"></a>**Services/*Node name*/Port/****_Node name_**
Port number used for communication. This is specified by the configurable AllJoyn object and reflected here.
<a href="" id="services-node-name-port-node-name-cfgobject"></a>**Services/*Node name*/Port/*Node name*/CfgObject**
The set of configurable interfaces that are available on the port of the AllJoyn object.
<a href="" id="services-node-name-port-node-name-cfgobject-node-name"></a>**Services/*Node name*/Port/*Node name*/CfgObject/****_Node name_**
The remainder of this URI is an escaped path to the configurable AllJoyn object hosted by the parent ServiceID and accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn configuration interface "\\FabrikamService\\BridgeConfig" would be specified in the URI as: %2FFabrikamService%2FBridgeConfig.
<a href="" id="credentials"></a>**Credentials**
This is the credential store. An administrator can set credentials for each AllJoyn device that requires authentication at this node.
When a SyncML request arrives in the CSP to replace or query a configuration item on an AllJoyn object that requires authentication, then the CSP uses the credentials stored here during the authentication phase.
<a href="" id="credentials-node-name"></a>**Credentials/****_Node name_**
This is the same service ID specified in \\AllJoynManagement\\Services\\ServiceID URI. It is typically implemented as a GUID.
<a href="" id="credentials-node-name-key"></a>**Credentials/*Node name*/Key**
An alphanumeric key value that conforms to the AllJoyn SRP KEYX authentication standard.
<a href="" id="firewall"></a>**Firewall**
Firewall setting for the AllJoyn service.
<a href="" id="firewall-publicprofile"></a>**Firewall/PublicProfile**
Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for public network profile.
<a href="" id="firewall-privateprofile"></a>**Firewall/PrivateProfile**
Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for private network profile.
## Examples
Set adapter configuration
``` syntax
<?xml version="1.0" encoding="utf-8"?>
SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AllJoynManagement/Services/_ALLJOYN_DEVICE_ID_/Port/27/Configuration/%2FDSBService%2FAdapterConfig</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta> <Data>PAA/AHgAbQBsACAAdgBlAHIAcwBpAG8AbgA9ACIAMQAuADAAIgA/AD4ADQAKADwAQgBhAGMATgBlAHQAQwBmAGcAPgANAAoACQA8AEIAQgBNAEQAUwBlAHIAdgBlAHIAPgANAAoACQAJADwASQBQAEEAZABkAHIAZQBzAHMAPgAxADIANwAuADAALgAwAC4AMQA8AC8ASQBQAEEAZABkAHIAZQBzAHMAPgANAAoACQAJADwAUABvAHIAdAA+ADQANwA4ADAAOAA8AC8AUABvAHIAdAA+AA0ACgAJADwALwBCAEIATQBEAFMAZQByAHYAZQByAD4ADQAKADwALwBCAGEAYwBOAGUAdABDAGYAZwA+AA0ACgAAAA==</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
You should replace \_ALLJOYN\_DEVICE\_ID\_ with an actual device ID. Note that the data is base-64 encoded representation of the configuration file that you are setting.
Get PIN data
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AllJoynManagement/Credentials?list=StructData</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
Get the firewall PrivateProfile
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/AllJoynManagement/Firewall/PrivateProfile</LocURI>
</Target>
</Item>
</Get>
<Final/>
</SyncBody>
</SyncML>
```
 
 


@ -0,0 +1,339 @@
---
title: AllJoynManagement DDF
description: AllJoynManagement DDF
ms.assetid: 540C2E60-A041-4749-A027-BBAF0BB046E4
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# AllJoynManagement DDF
This topic shows the OMA DM device description framework (DDF) for the **AllJoynManagement** configuration service provider. This CSP was added in Windows 10, version 1511.
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AllJoynManagement</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Services</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This is the list of AllJoyn Objects that are discovered on the AllJoyn bus. Only AllJoyn Objects that expose the "com.microsoft.alljoynmanagement.config" will be shown here.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The Unique AllJoyn About Device ID, a GUID, that Hosts one or more configurable objects
.
</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>ServiceID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Port</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The set of Ports that this AllJoyn Object uses to communicate configuration settings through.
Typically, only one port is used for communication, but it is possible that additional ports may be specified.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The AllJoyn Port Number to communicate on. This is specified by the Configurable AllJoyn Object and is reflected here.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>PortNum</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>CfgObject</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The set of configurable interfaces that are available on the Port of the AllJoyn Object</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The remainder of this URI is an escaped path to the Configurable AllJoyn Object Hosted by the parent ServiceID and Accessible by the parent PortNum.
For example an AllJoyn Bridge with the Microsoft specific AllJoyn Configuration Interface "\ASBService\BridgeConfig" would be specified in the URI as: %2FASBService%2FBridgeConfig
</Description>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<OneOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>CfgObjectPath</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>Credentials</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This is the Credential Store. An Administrator can set credentials for each AllJoyn device that requires authentication at this node.
If a SYNCML request arrives in the CSP to replace or query a configuration item on an AllJoyn Object that requires authentication, then the CSP will use the Credentials stored here during the authentication phase.
</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>This is the same ServiceID as specified in the \AllJoynManagement\Services\ServiceID URI.
It is typically implemented as a GUID.</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ServiceID</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Key</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>An Alphanumeric KEY value that conforms to the AllJoyn SRP KEYX Authentication Standard</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
<NodeName>Firewall</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Firewall setting for the AllJoyn service (AJRouter.dll).</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>PublicProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<Description>Boolean value to enable or disable the AllJoyn router service (AJRouter.dll) for Public network profile.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>PrivateProfile</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Boolean value indicating whether AllJoyn router service (AJRouter.dll) is enabled for Private network profile.</Description>
<DFFormat>
<bool />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[AllJoynManagement configuration service provider](alljoynmanagement-csp.md)
 
 


@ -0,0 +1,40 @@
---
title: APPLICATION configuration service provider
description: APPLICATION configuration service provider
ms.assetid: 0705b5e9-a1e7-4d70-a73d-7f758ffd8099
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# APPLICATION configuration service provider
The APPLICATION configuration service provider is used to configure an application transport using Open Mobile Alliance (OMA) Client Provisioning.
OMA considers each transport to be an application and requires a corresponding APPLICATION configuration service provider. The following list shows the supported transports.
- w7, for bootstrapping a device with an OMA Device Management (OMA DM) account. For more information, see [w7 APPLICATION configuration service provider](w7-application-csp.md)
- w4, for configuring Multimedia Messaging Service (MMS). For more information, see [w4 APPLICATION configuration service provider](w4-application-csp.md)
The APPID parameter differentiates these application transports. Each APPID must be registered with OMA, and any APPLICATION configuration service provider must be in the root of the provisioning document.
For the device to decode correctly, provisioning XML that contains the APPLICATION characteristic must support OMA Client Provisioning version 1.1.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -0,0 +1,126 @@
---
title: ApplicationRestrictions XSD
description: Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy.
ms.assetid: A5AA2B59-3736-473E-8F70-A90FD61EE426
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# ApplicationRestrictions XSD
Here's the XSD for the ApplicationManagement/ApplicationRestrictions policy.
``` syntax
<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="AppPolicy_xsd"
attributeFormDefault="unqualified"
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
targetNamespace="http://schemas.microsoft.com/phone/2013/policy"
xmlns="http://schemas.microsoft.com/phone/2013/policy"
xmlns:m="http://schemas.microsoft.com/phone/2013/policy"
>
<!-- Non-empty string must have a non-whitespace character at the beginning and end -->
<xs:simpleType name="ST_NonEmptyString">
<xs:restriction base="xs:string">
<xs:minLength value="1"/>
<xs:maxLength value="32767"/>
<xs:pattern value="[^\s]|([^\s].*[^\s])"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="ST_Publisher">
<xs:restriction base="xs:string">
<xs:maxLength value="256"/>
</xs:restriction>
</xs:simpleType>
<xs:simpleType name="CT_LowerCaseGuid">
<xs:annotation>
<xs:documentation>GUID must use lowercase letters</xs:documentation>
</xs:annotation>
<xs:restriction base="ST_NonEmptyString">
<xs:pattern value="\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"/>
</xs:restriction>
</xs:simpleType>
<xs:complexType name="CT_Application">
<xs:attribute name="ProductId" type="CT_LowerCaseGuid" />
</xs:complexType>
<xs:complexType name="CT_ApplicationWithPublisher">
<xs:attribute name="ProductId" type="CT_LowerCaseGuid" />
<xs:attribute name="PublisherName" type="ST_Publisher" use="optional" />
</xs:complexType>
<xs:complexType name="CT_AllowedPublisher">
<xs:sequence>
<xs:element name="DenyApp" type="CT_Application" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="PublisherName" type="ST_Publisher" use="required" />
</xs:complexType>
<xs:complexType name="CT_DeniedPublisher">
<xs:sequence>
<xs:element name="AllowApp" type="CT_Application" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
<xs:attribute name="PublisherName" type="ST_Publisher" use="required" />
</xs:complexType>
<xs:element name="Deny">
<xs:complexType>
<xs:sequence>
<xs:element name="App" type="CT_Application" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Publisher" type="CT_DeniedPublisher" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="Allow">
<xs:complexType>
<xs:sequence>
<xs:element name="App" type="CT_ApplicationWithPublisher" minOccurs="0" maxOccurs="unbounded" />
<xs:element name="Publisher" type="CT_AllowedPublisher" minOccurs="0" maxOccurs="unbounded" />
</xs:sequence>
</xs:complexType>
</xs:element>
<xs:element name="AppPolicy">
<xs:complexType>
<xs:choice minOccurs="0" maxOccurs="1">
<xs:element ref="Deny" />
<xs:element ref="Allow" />
</xs:choice>
<xs:attribute name="Version" use="required" type="xs:unsignedLong" />
</xs:complexType>
<!-- Uniqueness Checks -->
<xs:unique name="NoDuplicateProductIDs">
<xs:selector xpath=".//*"/>
<xs:field xpath="@ProductId"/>
</xs:unique>
<!-- Uniqueness Checks -->
<xs:unique name="NoDuplicatePublisherNames">
<xs:selector xpath=".//*"/>
<xs:field xpath="@PublisherName"/>
</xs:unique>
</xs:element>
</xs:schema>
```
 
 


@ -0,0 +1,683 @@
---
title: AppLocker DDF file
description: AppLocker DDF file
ms.assetid: 79E199E0-5454-413A-A57A-B536BDA22496
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# AppLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **AppLocker** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AppLocker</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ApplicationLaunchRestrictions</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Grouping</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EXE</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NonInteractiveProcessEnforcement</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>MSI</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>Script</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>StoreApps</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>DLL</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EnforcementMode</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>NonInteractiveProcessEnforcement</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CodeIntegrity</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<b64 />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
<Node>
<NodeName>EnterpriseDataProtection</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFTitle>Grouping</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>EXE</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>StoreApps</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>Policy</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[AppLocker configuration service provider](applocker-csp.md)
 
 


@ -0,0 +1,453 @@
---
title: Deploy and configure App-V apps using MDM
description: Deploy and configure App-V apps using MDM
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Deploy and configure App-V apps using MDM
## Executive summary
<p>Microsoft Application Virtualization (App-V) apps have typically been configured, deployed, and managed through on-premise group policies using System Center Configuration Manager (SCCM) or App-V server. In Windows 10, version 1703, App-V apps can be configured, deployed, and managed using mobile device management (MDM), matching their on-premise counterparts.</p>
<p>MDM services can be used to publish App-V packages to clients running Windows 10, version 1703 (or later). All capabilities such as App-V enablement, configuration, and publishing can be completed using the EnterpriseAppVManagement CSP.</p>
### EnterpriseAppVManagement CSP node structure
[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp)
![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)
<p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>
<p><b>AppVPublishing</b> - An exec action node that contains the App-V publishing configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- **AppVPublishing**
- LastSync
- LastError
- LastErrorDescription
- SyncStatusDescription
- SyncProgress
- Sync
- PublishXML
- AppVDynamicPolicy
<p>Sync command:</p>
[App-V Sync protocol reference]( https://msdn.microsoft.com/enus/library/mt739986.aspx)
<p><b>AppVDynamicPolicy</b> - A read/write node that contains the App-V dynamic configuration for an MDM device (applied globally to all users for that device) or a specific MDM user.</p>
- EnterpriseAppVManagement
- AppVPackageManagement
- AppVPublishing
- **AppVDynamicPolicy**
- [ConfigurationId]
- Policy
<p>Dynamic policy examples:</p>
[Dynamic configuration processing](https://technet.microsoft.com/en-us/itpro/windows/manage/appv-application-publishing-and-client-interaction#bkmk-dynamic-config">Dynamic configuration processing)
<p><b>AppVPackageManagement</b> - Primarily read-only App-V package inventory data for MDM servers to query current packages.</p>
- EnterpriseAppVManagement
- **AppVPackageManagement**
- [EnterpriseID]
- [PackageFamilyName]
- [PackageFullName]
- Name
- Version
- Publisher
- InstallLocation
- InstallDate
- Users
- AppVPackageID
- AppVVersionId
- AppVPackageUri
- AppVPublishing
- AppVDynamicPolicy
<p>The examples in the scenarios section demonstrate how the publishing document should be created to successfully publish packages, dynamic policies, and connection groups.</p>
## Scenarios addressed in App-V MDM functionality
<p>All App-V group policies will be reflected by having a corresponding CSP that can be set using the Policy CSP. The CSPs match all on-premise App-V configuration capabilities. In addition, new App-V package management capability has been added to closely match the App-V PowerShell functionality.</p>
<p>A complete list of App-V policies can be found here:</p>
[ADMX-backed policy reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-admx-backed)
[EnterpriseAppVManagement CSP reference](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp)
### SyncML examples
<p>The following SyncML examples address specific App-V client scenarios.</p>
#### Enable App-V client
<p>This example shows how to enable App-V on the device.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowAppvClient</LocURI>
</Target>
<Data>&lt;enabled/&gt;</Data>
</Item>
</Replace>
```
#### Configure App-V client
<p>This example shows how to allow package scripts to run during package operations (publish, run, and unpublish). Allowing package scripts assists in package deployments (add and publish of App-V apps).</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Meta>
<Format>chr</Format>
<Type>text/plain</Type>
</Meta>
<Target>
<LocURI>./Device/Vendor/MSFT/Policy/Config/AppVirtualization/AllowPackageScripts</LocURI>
</Target>
<Data>&lt;enabled/&gt;</Data>
</Item>
</Replace>
```
<p>Complete list of App-V policies can be found here:</p>
[Policy CSP](https://msdn.microsoft.com/en-us/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider)
#### SyncML with package published for a device (global to all users for that device)
<p>This SyncML example shows how to publish a package globally on an MDM enrolled device for all device users.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (with dynamic configuration policy) published for a device (global to all users on that device)
<p>This SyncML example shows how to publish a package globally, with a policy that adds two shortcuts for the package, on an MDM enrolled device.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVDynamicPolicy/38/Policy</ LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<DeploymentConfiguration PackageId="57650ac1-1731-4b4c-899ca25548374dab" DisplayName="Skype_RS2Win10_X64" xmlns="http://schemas.microsoft.com/appv/2010/deploymentconfiguration">
<MachineConfiguration></MachineConfiguration>
<UserConfiguration>
<Subsystems>
<Shortcuts Enabled="true">
<Extensions>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{ThisPCDesktopFolder}]\Skype_FromMDM.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
<Extension Category="AppV.Shortcut">
<Shortcut>
<File>[{Common Desktop}]\Skype_FromMDMAlso.lnk</File>
<Target>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</Target>
<Icon>[{Windows}]\Installer\{FC965A47-4839-40CA-B61818F486F042C6}\SkypeIcon.exe.0.ico</Icon>
<Arguments/>
<WorkingDirectory>[{ProgramFilesX86}]\Skype\</WorkingDirectory>
<AppUserModelId>Skype.Desktop.Application</AppUserModelId>
<Description>Launch Skype</Description>
<ShowCommand>1</ShowCommand>
<ApplicationId>[{ProgramFilesX86}]\Skype\Phone\Skype.exe</ApplicationId>
</Shortcut>
</Extension>
</Extensions>
</Shortcuts>
</Subsystems>
</UserConfiguration>
</DeploymentConfiguration>
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab">
<DeploymentConfiguration ConfigurationId="38" Path="38" Timestamp="2012-08-27T16:14:30.87" /></Package>
</Packages>
<NoGroup>
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
<p>*PackageUrl can be a UNC or HTTP/HTTPS endpoint.</p>
#### SyncML with package (using user config deployment) published for a specific user
<p>This SyncML example shows how to publish a package for a specific MDM user.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
</Packages>
<NoGroup>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4"/>
</NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### SyncML for publishing mixed-mode connection group containing global and user-published packages
<p>This SyncML example shows how to publish a connection group, and group applications and plugins together.</p>
> [!NOTE]
> The user connection group has the user-only package as optional in this example, which implies users without the optional package can continue to launch the global package within the same connection group.
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXM L</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" PackageId="57650ac11731-4b4c-899c-a25548374dab"></Package>
</Packages>
</Publishing>
</Data>
</Item>
</Exec>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML< /LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="c68b054c-ff5f-45a6-9b41-788f2194e3c1" PackageId="e9a51aaf-5d9a48df-96e2-3372a278bca4"></Package>
<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" VersionId="fd6b51c7-959e-4d04-ac36-a8244a5693d0" PackageId="565d8479-394d-439c-824d0e09b7ee732c"></Package>
</Packages>
<NoGroup>
<Package PackageId="565d8479-394d-439c-824d0e09b7ee732c"/>
</NoGroup>
<Groups>
<Group GroupId="98d5cebd-165f-403b-a426-7a1f6ae9c399" VersionId="AE76602B-5613-4BAD-9EE5-1728FA55B699" Priority="46" Name="Try7">
<Package PackageId="57650ac1-1731-4b4c-899ca25548374dab" VersionId="05fcf098-c949-4ea4-9aee-757abd33e0e4" VersionOptional="false" PackageOptional="false"/>
<Package PackageId="e9a51aaf-5d9a-48df-96e23372a278bca4" VersionOptional="true" PackageOptional="true"/>
</Group>
</Groups>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Unpublish example SyncML for all global packages
<p>This SyncML example shows how to unpublish all global packages on the device by sending an empty package and connection group list in the SyncML.</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Replace>
<Exec>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPublishing/Sync/PublishXML</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">xml</Format>
<Type xmlns="syncml:metinf">text/plain</Type>
</Meta>
<Data>
<Publishing Protocol="2.0">
<Packages></Packages>
<NoGroup></NoGroup>
</Publishing>
</Data>
</Item>
</Exec>
```
#### Query packages on a device
<p>These SyncML examples return all global, and user-published packages on the device.</p>
``` syntax
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
``` syntax
<Get>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/EnterpriseAppVManagement/AppVPackageManagement?list=StructData</LocURI>
</Target>
</Item>
</Get>
```
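Review bot: Every publish example in this file fetches the package over cleartext HTTP (`<Package PackageUrl="http://hostname/serverpackages/apppackage.appv" ...>`), and the footnote "PackageUrl can be a UNC or HTTP/HTTPS endpoint" gives no preference between them, even though the preceding "Configure App-V client" example enables `AllowPackageScripts` so that package scripts execute during publish/unpublish. Because the client installs and runs whatever it retrieves from that URL, an on-path attacker who can substitute the response body would plausibly gain code execution on every device the Sync targets. I would switch the examples to `https://` and extend the footnote: `*PackageUrl can be a UNC or HTTP/HTTPS endpoint. Use HTTPS or an access-controlled UNC share in production; the package is installed as trusted code, and with AllowPackageScripts enabled a tampered package can run arbitrary scripts during publishing.` Whether the App-V client independently validates package integrity or signatures is not stated anywhere in this page, so that sentence should be confirmed against the App-V client documentation before it is published.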


@ -0,0 +1,135 @@
---
title: Assign seat
description: The Assign seat operation assigns seat for a specified user in the Windows Store for Business.
ms.assetid: B42BF490-35C9-405C-B5D6-0D9F0E377552
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Assign seat
The **Assign seat** operation assigns seat for a specified user in the Windows Store for Business.
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>POST</p></td>
<td><p>https://bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats/{username}</p></td>
</tr>
</tbody>
</table>
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>username</p></td>
<td><p>string</p></td>
<td><p>Requires UserPrincipalName (UPN). User name of the target user account.</p></td>
</tr>
</tbody>
</table>
## Response
### Response body
The response body contains [SeatDetails](data-structures-windows-store-for-business.md#seatdetails).
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
<th>Details</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>400</p></td>
<td><p>Invalid parameters</p></td>
<td><p>No</p></td>
<td><p>Parameter name</p>
<p>Reason: Invalid parameter</p>
<p>Details: String</p></td>
<td><p>Invalid can include productId, skuId or userName</p></td>
</tr>
<tr class="even">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td><p>Item type: Inventory, User, Seat</p>
<p>Values: ProductId/SkuId, UserName, ProductId/SkuId/UserName</p></td>
<td><p>ItemType: Inventory User Seat</p>
<p>Values: ProductId/SkuId UserName ProductId/SkuId/UserName</p></td>
</tr>
<tr class="odd">
<td><p>409</p></td>
<td><p>Conflict</p></td>
<td></td>
<td><p>Reason: Not online</p></td>
<td></td>
</tr>
</tbody>
</table>
 
 


@ -0,0 +1,141 @@
---
title: AssignedAccess CSP
description: The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode.
ms.assetid: 421CC07D-6000-48D9-B6A3-C638AAF83984
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# AssignedAccess CSP
The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
For step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
> **Note**  The AssignedAccess CSP is only supported in Windows 10 Enterprise and Windows 10 Education.
 
The following diagram shows the AssignedAccess configuration service provider in tree format
![assignedaccess csp diagram](images/provisioning-csp-assignedaccess.png)
<a href="" id="--vendor-msft-assignedaccess"></a>**./Vendor/MSFT/AssignedAccess**
Root node for the CSP.
<a href="" id="assignedaccess-kioskmodeapp"></a>**AssignedAccess/KioskModeApp**
A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
Here's an example:
``` syntax
{"Account":"redmond\\kioskuser","AUMID":"Microsoft.Windows.Contoso_cw5n1h2txyewy!Microsoft.ContosoApp.ContosoApp"}
```
When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
> **Note**  The domain name can be optional if the user name is unique across the system.
 
For a local account, the domain name should be the device name. When Get is executed on this node, the domain name is always returned in the output.
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
## Examples
KioskModeApp Add
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Add>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}</Data>
</Item>
</Add>
<Final />
</SyncBody>
</SyncML>
```
KioskModeApp Delete
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Delete>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
</Item>
</Delete>
<Final />
</SyncBody>
</SyncML>
```
KioskModeApp Get
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Get>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
</Item>
</Get>
<Final />
</SyncBody>
</SyncML>
```
KioskModeApp Replace
``` syntax
<SyncML xmlns='SYNCML:SYNCML1.2'>
<SyncBody>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/AssignedAccess/KioskModeApp</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>{"Account":"Domain\\AccountName","AUMID":"Microsoft.WindowsAlarms_8wekyb3d8bbwe!App"}</Data>
</Item>
</Replace>
<Final />
</SyncBody>
</SyncML>
```
 
 


@ -0,0 +1,101 @@
---
title: AssignedAccess DDF
description: AssignedAccess DDF
ms.assetid: 224FADDB-0EFD-4E5A-AE20-1BD4ABE24306
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# AssignedAccess DDF
This topic shows the OMA DM device description framework (DDF) for the **AssignedAccess** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>AssignedAccess</NodeName>
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>KioskModeApp</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This node can accept and return json string which comprises of account name and AUMID for Kiosk mode app.
Example: {"User":"domain\\user", "AUMID":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"}.
When configuring kiosk mode app, account name will be used to find the target user. Account name includes domain name and user name. Domain name can be optional if user name is unique across the system. For a local account, domain name should be machine name. When "Get" is executed on this node, domain name is always returned in the output.
This node supports Add, Delete, Replace and Get methods. When there's no configuration, "Get" and "Delete" methods fail. When there's already a configuration for kiosk mode app, "Add" method fails. The data pattern for "Add" and "Replace" is the same. </Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[AssignedAccess configuration service provider](assignedaccess-csp.md)
 
 


@ -0,0 +1,925 @@
---
title: Azure Active Directory integration with MDM
description: Azure Active Directory is the world largest enterprise cloud identity management service.
ms.assetid: D03B0765-5B5F-4C7B-9E2B-18E747D504EE
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
<head>
<style type='text/css'> table.topalign td { vertical-align: top } </style>
</head>
# Azure Active Directory integration with MDM
Azure Active Directory is the world largest enterprise cloud identity management service. Its used by millions of organizations to access Office 365 and thousands of business applications from Microsoft and third party software as a service (SaaS) vendors. Many of the rich Windows 10 experiences for organizational users (such as store access or OS state roaming) use Azure AD as the underlying identity infrastructure. Windows 10 provides an integrated configuration experience with Azure AD, allowing devices to be registered in Azure AD and enrolled into MDM in a smooth integrated flow.
Once a device is enrolled in MDM, the MDM can enforce compliance with corporate policies, add or remove apps, and more. Additionally, the MDM can report a devices compliance Azure AD. This enables Azure AD to allow access to corporate resources or applications secured by Azure AD only to devices that comply with policies. To support these rich experiences with their MDM product, MDM vendors can integrate with Azure AD. This topic describes the steps involved.
## Connect to Azure AD
Several ways to connect your devices:
For company-owned devices:
- Join Windows to a traditional Active Directory domain
- Join Windows to Azure AD
For personal devices (BYOD):
- Add a Microsoft work account to Windows
### Azure AD Join
Company owned devices are traditionally joined to the on-premises Active Directory domain of the organization. These devices can be managed using Group Policy or computer management software such as System Center Configuration Manager. In Windows 10, its also possible to manage domain joined devices with an MDM.
Windows 10 introduces a new way to configure and deploy corporate owned Windows devices. This mechanism is called Azure AD Join. Like traditional domain join, Azure AD Join allows devices to become known and managed by an organization. However, with Azure AD Join, Windows authenticates to Azure AD instead of authenticating to a domain controller.
Azure AD Join also enables company owned devices to be automatically enrolled in, and managed by an MDM. Furthermore, Azure AD Join can be performed on a store-bought PC, in the out-of-box experience (OOBE), which helps organizations streamline their device deployment. An administrator can require that users belonging to one or more groups enroll their devices for management with an MDM. If a user is configured to require automatic enrollment during Azure AD Join, this enrollment becomes a mandatory step to configure Windows. If the MDM enrollment fails, then the device will not be joined to Azure AD.
> **Important**  Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](https://msdn.microsoft.com/library/azure/dn499825.aspx) license.
 
### BYOD scenario
Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If thats the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. Its important to note that in the BYOD case, users can reject the MDM Terms of Use—in which case the device is not enrolled in MDM and access to corporate resources is typically restricted.
## Integrated MDM enrollment and UX
Two Azure AD MDM enrollment scenarios:
- Joining a device to Azure AD for company-owned devices
- Adding a work account to a personal device (BYOD)
In both scenarios, Azure AD is responsible for authenticating the user and the device, which provides a verified unique device identifier that can be used fo MDM enrollment.
In both scenarios, the enrollment flow provides an opportunity for the MDM service to render it's own UI, using a web view. MDM vendors should use this to render the Terms of Use (TOU), which can be different for company-owned and BYOD devices. MDM vendors can also use the web view to render additional UI elements, such as asking for a one-time PIN, if this is part of the business process of the organization.
In the out-of-the-box scenario, the web view is 100% full screen, which gives the MDM vendor the ability to paint an edge-to-edge experience. With great power comes great responsibility! It is important that MDM vendors who chose to integrate with Azure AD to respect the Windows 10 design guidelines to the letter. This includes using a responsive web design and respecting the Windows accessibility guidelines, which includes the forward and back buttons that are properly wired to the navigation logic. Additional details are provided later in this topic.
For Azure AD enrollment to work for an Active Directory Federated Services (AD FS) backed Azure AD account, you must enable password authentication for the intranet on the ADFS service as described in solution \#2 in [this article](http://go.microsoft.com/fwlink/?LinkId=690246).
Once a user has an Azure AD account added to Windows 10 and enrolled in MDM, the enrollment can be manages through **Settings** &gt; **Accounts** &gt; **Work access**. Device management of either Azure AD Join for corporate scenarios or BYOD scenarios are similar.
> **Note**  Users cannot remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account.
 
### MDM endpoints involved in Azure AD integrated enrollment
Azure AD MDM enrollment is a two-step process:
1. Display the Terms of Use and gather user consent.
This is a passive flow where the user is redirected in a browser control (webview) to the URL of the Terms of Use of the MDM.
2. Enroll the device.
This is an active flow where Windows OMA DM agent calls the MDM service to enroll the device.
To support Azure AD enrollment, MDM vendors must host and expose a Terms of Use endpoint and an MDM enrollment endpoint.
<a href="" id="terms-of-use-endpoint-"></a>**Terms of Use endpoint**
Use this endpoint to inform users of the ways in which their device can be controlled by their organization. The Terms of Use page is responsible for collecting users consent before the actual enrollment phase begins.
Its important to understand that the Terms of Use flow is a "black box" to Windows and Azure AD. The whole web view is redirected to the Terms of Use URL, and the user is expected to be redirected back after approving (or in some cases rejecting) the Terms. This design allows the MDM vendor to customize their Terms of Use for different scenarios (e.g., different levels of control are applied on BYOD vs. company-owned devices) or implement user/group based targeting (e.g. users in certain geographies may be subject to stricter device management policies).
The Terms of Use endpoint can be used to implement additional business logic, such as collecting a one-time PIN provided by IT to control device enrollment. However, MDM vendors must not use the Terms of Use flow to collect user credentials, which could lead to a highly degraded user experience. Its not needed, since part of the MDM integration ensures that the MDM service can understand tokens issued by Azure AD.
<a href="" id="mdm-enrollment-endpoint"></a>**MDM enrollment endpoint**
After the users accepts the Terms of Use, the device is registered in Azure AD and the automatic MDM enrollment begins.
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654). A sample for reporting device compliance is provided later in this topic.
## Make the MDM a reliable party of Azure AD
To participate in the integrated enrollment flow outlined in the previous section, the MDM must be able to consume access tokens issued by Azure AD. To report compliance to Azure AD, the MDM must be able to authenticate itself to Azure AD and obtain authorization in the form of an access token that allows it to invoke the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654).
### Add a cloud-based MDM
A cloud-based MDM is a SaaS application that provides device management capabilities in the cloud. It is a multi-tenant application. This application is registered with Azure AD in the home tenant of the MDM vendor. When an IT admin decides to use this MDM solution, an instance of this application is made visible in the tenant of the customer.
The MDM vendor must first register the application in their home tenant and mark it as a multi-tenant application. Here a code sample from GitHub that explains how to add multi-tenant applications to Azure AD, [WepApp-WebAPI-MultiTenant-OpenIdConnect-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613661).
> **Note**  For the MDM provider, if you don't have an existing Azure AD tentant with an Azure AD subscription that you manage, follow the step-by-step guide in [Add an Azure AD tenant and Azure AD subscription](add-an-azure-ad-tenant-and-azure-ad-subscription.md) to set up a tenant, add a subscription, and manage it via the Azure Portal.
 
The keys used by the MDM application to request access tokens from Azure AD are managed within the tenant of the MDM vendor and not visible to individual customers. The same key is used by the multi-tenant MDM application to authenticate itself with Azure AD, regardless of the customer tenent to which the device being managed belongs.
Use the following steps to register a cloud-based MDM application with Azure AD. At this time, you need to work with the Azure AD engineering team to expose this application through the Azure AD app gallery.
1. Login to the Azure Management Portal using an admin account in your home tenant.
2. In the left navigation, click on the **Active Directory**.
3. Click the directory tenant where you want to register the application.
Ensure that you are logged into your home tenant.
4. Click the **Applications** tab.
5. In the drawer, click **Add**.
6. Click **Add an application my organization is developing**.
7. Enter a friendly name for the application, such as ContosoMDM, select **Web Application and or Web API**, then click **Next**.
8. Enter the login URL for your MDM service.
9. For the App ID, enter **https://&lt;your\_tenant\_name&gt;/ContosoMDM**, then click OK.
10. While still in the Azure portal, click the **Configure** tab of your application.
11. Mark your application as **multi-tenant**.
12. Find the client ID value and copy it.
You will need this later when configuring your application. This client ID is used when obtaining access tokens and adding applications to the Azure AD app gallery.
13. Generate a key for your application and copy it.
You will need this to call the Azure AD Graph API to report device compliance. This is covered in the subsequent section.
For more information about how to register a sample application with Azure AD, see the steps to register the **TodoListService Web API** in [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667)
### Add an on-premises MDM
An on-premises MDM application is inherently different that a cloud MDM. It is a single-tenant application that is present uniquely within the tenant of the customer. Therefore, customers must add the application directly within their own tenant. Additionally, each instance of an on-premises MDM application must be registered separately and has a separate key for authentication with Azure AD.
The customer experience for adding an on-premises MDM to their tenant is similar to that as the cloud-based MDM. There is an entry in the Azure AD app gallery to add an on-premises MDN to the tenant and administrators can configure the required URLs for enrollment and Terms of Use.
Your on-premises MDM product must expose a configuration experience where administrators can provide the client ID, app ID, and the key configured in their directory for that MDM application. You can use this client ID and key to request tokens from Azure AD when reporting device compliance.
For more information about registering applications with Azure AD, see [Basics of Registering an Application in Azure AD](http://go.microsoft.com/fwlink/p/?LinkId=613671).
### Key management and security guidelines
The application keys used by your MDM service are a sensitive resource. They should be protected and rolled over periodically for greater security. Access tokens obtained by your MDM service to call the Azure AD Graph API are bearer tokens and should be protected to avoid unauthorized disclosure.
For security best practices, see [Windows Azure Security Essentials](http://go.microsoft.com/fwlink/p/?LinkId=613715).
You can rollover the application keys used by a cloud-based MDM service without requiring a customer interaction. There is a single set of keys across all customer tenants that are managed by the MDM vendor in their Azure AD tenant.
For the on-premises MDM, the keys used to authenticate with Azure AD are within the tenant of the customer and must be rolled over by the customer's administrator. In this case, you should provide guidance to the customers about rolling over and protecting the keys to improved security.
## Publish your MDM app to Azure AD app gallery
IT administrators use the Azure AD app gallery to add an MDM for their organization to use. The app gallery is a rich store with over 2400 SaaS applications that are integrated with Azure AD.
The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software.
![azure ad add an app for mdm](images/azure-ad-app-gallery.png)
### Add cloud-based MDM to the app gallery
You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p><strong>Application ID</strong></p></td>
<td style="vertical-align:top"><p>The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p><strong>Publisher</strong></p></td>
<td style="vertical-align:top"><p>A string that identifies the publisher of the app.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p><strong>Application URL</strong></p></td>
<td style="vertical-align:top"><p>A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p><strong>Description</strong></p></td>
<td style="vertical-align:top"><p>A brief description of your MDM app, which must be under 255 characters.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p><strong>Icons</strong></p></td>
<td style="vertical-align:top"><p>A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215</p></td>
</tr>
</tbody>
</table>
 
### Add on-premises MDM to the app gallery
There are no special requirements for adding on-premises MDM to the app gallery.There is a generic entry for administrator to add an app to their tenant.
However, key management is different for on-premises MDM. You must obtain the client ID (app ID) and key assigned to the MDM app within the customer's tenant. These are used to obtain authorization to access the Azure AD Graph API and for reporting device compliance.
## Themes
The pages rendered by the MDM as part of the integrated enrollment process must use Windows 10 templates ([Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip)). This is important for enrollment during the Azure AD Join experience in OOBE where all of the pages are edge-to-edge HTML pages. Don't try to copy the templates because you'll never get the button placement right. Using the shared Windows 10 templates ensure a seamless experience for the customers.
There are 3 distinct scenarios:
1. MDM enrollment as part of Azure AD Join in Windows OOBE.
2. MDM enrollment as part of Azure AD Join, after Windows OOBE from **Settings**.
3. MDM enrollment as part of adding a Microsoft work account on a personal device (BYOD).
Scenarios 1, 2, and 3 are available in Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. Scenarios 1 and 3 are available in Windows 10 Mobile. Support for scenario 1 was added in Windows 10 Mobile, version 1511.
The CSS files provided by Microsoft contains version information and we recommend that you use the latest version. There are separate CSS files for desktop and mobile devices, OOBE, and post-OOBE experiences. [Download the Windows 10 templates and CSS files](http://download.microsoft.com/download/3/E/5/3E535D52-6432-47F6-B460-4E685C5D543A/MDM-ISV_1.1.3.zip).
### Using themes
An MDM page must adhere to a predefined theme depending on the scenario that is displayed. For example, if the CXH-HOSTHTTP header is FRX, which is the OOBE scenario, the page must support a dark theme with blue background color, which uses WinJS file Ui-dark.css ver 4.0 and oobe-desktop.css ver 1.0.4.
<table>
<colgroup>
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
<col width="20%" />
</colgroup>
<thead>
<tr class="header">
<th>CXH-HOST (HTTP HEADER)</th>
<th>Senario</th>
<th>Background Theme</th>
<th>WinJS</th>
<th>Scenario CSS</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">FRX</td>
<td style="vertical-align:top">OOBE</td>
<td style="vertical-align:top">Dark theme + blue background color</td>
<td style="vertical-align:top">Filename: Ui-dark.css</td>
<td style="vertical-align:top">Filename: oobe-dekstop.css</td>
</tr>
<tr class="even">
<td style="vertical-align:top">MOSET</td>
<td style="vertical-align:top">Settings/
<p>Post OOBE</p></td>
<td style="vertical-align:top">Light theme</td>
<td style="vertical-align:top">Filename: Ui-light.css</td>
<td style="vertical-align:top">Filename: settings-desktop.css</td>
</tr>
</tbody>
</table>
 
## Terms of Use protocol semantics
The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows performs a full-page redirect to this endpoint. This enables the MDM to display the terms and conditions that apply and allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue.
### Redirect to the Terms of Use endpoint
This is a full page redirect to the Terms of User endpoint hosted by the MDM. Here is an example URL, https:<span></span>//fabrikam.contosomdm.com/TermsOfUse.
The following parameters are passed in the query string:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>redirect_uri</p></td>
<td style="vertical-align:top"><p>After the user accepts or rejects the Terms of Use, the user is redirected to this URL.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>client-request-id</p></td>
<td style="vertical-align:top"><p>A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>api-version</p></td>
<td style="vertical-align:top"><p>Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>mode</p></td>
<td style="vertical-align:top"><p>Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices.</p></td>
</tr>
</tbody>
</table>
 
### Access token
A bearer access token is issued by Azure AD is passed in the authorization header of the HTTP request. Here is a typical format:
**Authorization: Bearer** CI6MTQxmCF5xgu6yYcmV9ng6vhQfaJYw…
The following claims are expected in the access token passed by Windows to the Terms of Use endpoint:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Item</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>Object ID</p></td>
<td style="vertical-align:top"><p>Identifier of the user object corresponding to the authenticated user.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>UPN</p></td>
<td style="vertical-align:top"><p>A claim containing the user principal name (UPN) of the authenticated user.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>TID</p></td>
<td style="vertical-align:top"><p>A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Resource</p></td>
<td style="vertical-align:top"><p>A sanitized URL representing the MDM application. Example, https:<span></span>//fabrikam.contosomdm.com.</p></td>
</tr>
</tbody>
</table>
 
> **Note**  There is no device ID claim in the access token because the device may not yet be enrolled at this time.
 
To retrieve the list of group memberships for the user, you can use the [Azure AD Graph API](http://go.microsoft.com/fwlink/p/?LinkID=613654).
Here's an example URL.
``` syntax
https://fabrikam.contosomdm.com/TermsOfUse?redirect_uri=ms-appx-web://ContosoMdm/ToUResponse&client-request-id=34be581c-6ebd-49d6-a4e1-150eff4b7213&api-version=1.0
Authorization: Bearer eyJ0eXAiOi
```
The MDM is expected to validate the signature of the access token to ensure it was issued by Azure AD and ensure that recipient is appropriate.
### Terms of Use content
The MDM may perform other additional redirects as necessary before displaying the Terms of Use content to the user. The appropriate Terms of Use content should be returned to the caller (Windows) so it can be displayed to the end user in the browser control.
The Terms of Use content should contain the following buttons:
- **Accept** - the user accepts the Terms of Use and proceeds with enrollment.
- **Decline** - the user declines and stops the enrollment process.
The Terms of Use content must be consistent with the theme used for the other pages rendered during this process.
### Terms of Use endpoint processing logic
At this point, the user is on the Terms of Use page shown during the OOBE or from the Setting experiences. The user has the following options on the page:
- **User clicks on the Accept button** - The MDM must redirect to the URI specified by the redirect\_uri parameter in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to true.
- **OpaqueBlob** - Required parameter if the user accepts. The MDM may use this make some information available to the enrollment endpoint. The value persisted here is made available unchanged at the enrollment endpoint. The MDM may use this parameter for correlation purposes.
- Here is an example redirect - ms-appx-web://MyApp1/ToUResponse?OpaqueBlob=value&IsAccepted=true
- **User clicks on the Decline button** - The MDM must redirect to the URI specified in redirect\_uri in the incoming request. The following query string parameters are expected:
- **IsAccepted** - This mandatory Boolean must be set to false. This also applies if the user skipped the Terms of Use.
- **OpaqueBlob** - This parameter is not expected to be used because the enrollment is stopped with an error message displayed to the user.
Users skip the Terms of Use when they are adding a Microsoft work account to their device. However, then cannot skip it during the Azure AD Join process. The decline button must not be shown in the Azure AD Join process because MDM enrollment cannot be declined by the user if configured by the administrator for the Azure AD Join.
We recommend that you send the client-request-id parameters in the query string as part of this redirect response.
### Terms Of Use Error handling
If an error was encountered during the terms of use processing, the MDM can return two parameters an error and error\_description parameter in its redirect request back to Windows. Note that the URL should be encoded and the contents of the error\_description should be in English plain text. This text is not visible to the end-user and therefore localization of the error description text is not a concern.
Here is the URL format:
``` syntax
HTTP/1.1 302
Location:
<redirect_uri>?error=access_denied&error_description=Access%20is%20denied%2E
Example:
HTTP/1.1 302
Location: ms-appx-web://App1/ToUResponse?error=access_denied&error_description=Acess%20is%20denied%2E
```
The following table shows the error codes.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Cause</th>
<th>HTTP status</th>
<th>Error</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>api-version</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>invalid_request</p></td>
<td style="vertical-align:top"><p>unsupported version</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Tenant or user data are missingor other required prerequisites for device enrollment are not met</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
<td style="vertical-align:top"><p>unauthorized user or tenant</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Azure AD token validation failed</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
<td style="vertical-align:top"><p>unauthorized_client</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>internal service error</p></td>
<td style="vertical-align:top"><p>302</p></td>
<td style="vertical-align:top"><p>server_error</p></td>
<td style="vertical-align:top"><p>internal service error</p></td>
</tr>
</tbody>
</table>
 
## Enrollment protocol with Azure AD
With Azure integrated MDM enrollment, there is no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments.
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Detail</th>
<th>Traditional MDM enrollment</th>
<th>Azure AD Join (corporate-owned device)</th>
<th>Azure AD add a work account (user-owned device)</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top"><p>MDM auto-discovery using email address to retrieve MDM discovery URL</p></td>
<td style="vertical-align:top"><p>Enrollment</p></td>
<td style="vertical-align:top"><p>Not applicable</p>
<p>Discovery URL provisioned in Azure</p></td>
<td style="vertical-align:top"><p></p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Uses MDM discovery URL</p></td>
<td style="vertical-align:top"><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
<td style="vertical-align:top"><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
<td style="vertical-align:top"><p>Enrollment</p>
<p>Enrollment renewal</p>
<p>ROBO</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Is MDM enrollment required?</p></td>
<td style="vertical-align:top"><p>Yes</p></td>
<td style="vertical-align:top"><p>Yes</p></td>
<td style="vertical-align:top"><p>No</p>
<p>User can decline.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Authentication type</p></td>
<td style="vertical-align:top"><p>OnPremise</p>
<p>Federated</p>
<p>Certificate</p></td>
<td style="vertical-align:top"><p>Federated</p></td>
<td style="vertical-align:top"><p>Federated</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>EnrollmentPolicyServiceURL</p></td>
<td style="vertical-align:top"><p>Optional (all auth)</p></td>
<td style="vertical-align:top"><p>Optional (all auth)</p>
<p></p></td>
<td style="vertical-align:top"><p>Optional (all auth)</p>
<p></p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>EnrollmentServiceURL</p></td>
<td style="vertical-align:top"><p>Required (all auth)</p></td>
<td style="vertical-align:top"><p>Used (all auth)</p></td>
<td style="vertical-align:top"><p>Used (all auth)</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL</p></td>
<td style="vertical-align:top"><p>Highly recommended</p></td>
<td style="vertical-align:top"><p>Highly recommended</p></td>
<td style="vertical-align:top"><p>Highly recommended</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>AuthenticationServiceURL used</p></td>
<td style="vertical-align:top"><p>Used (Federated auth)</p></td>
<td style="vertical-align:top"><p>Skipped</p></td>
<td style="vertical-align:top"><p>Skipped</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>BinarySecurityToken</p></td>
<td style="vertical-align:top"><p>Custom per MDM</p></td>
<td style="vertical-align:top"><p>Azure AD issued token</p></td>
<td style="vertical-align:top"><p>Azure AD issued token</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>EnrollmentType</p></td>
<td style="vertical-align:top"><p>Full</p></td>
<td style="vertical-align:top"><p>Device</p></td>
<td style="vertical-align:top"><p>Full</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>Enrolled certificate type</p></td>
<td style="vertical-align:top"><p>User certificate</p></td>
<td style="vertical-align:top"><p>Device certificate</p></td>
<td style="vertical-align:top"><p>User certificate</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>Enrolled certificate store</p></td>
<td style="vertical-align:top"><p>My/User</p></td>
<td style="vertical-align:top"><p>My/System</p></td>
<td style="vertical-align:top"><p>My/User</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>CSR subject name</p></td>
<td style="vertical-align:top"><p>User Principal Name</p></td>
<td style="vertical-align:top"><p>Device ID</p></td>
<td style="vertical-align:top"><p>User Principal Name</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top"><p>EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL</p></td>
<td style="vertical-align:top"><p>Not supported</p></td>
<td style="vertical-align:top"><p>Supported</p></td>
<td style="vertical-align:top"><p>Supported</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top"><p>CSPs accessible during enrollment</p></td>
<td style="vertical-align:top"><p>Windows 10 support:</p>
<ul>
<li>DMClient</li>
<li>CertificateStore</li>
<li>RootCATrustedCertificates</li>
<li>ClientCertificateInstall</li>
<li>EnterpriseModernAppManagement</li>
<li>PassportForWork</li>
<li>Policy</li>
<li>w7 APPLICATION</li>
</ul>
<p>Legacy support:</p>
<ul>
<li>EnterpriseAppManagement (Windows Phone 8.1)</li>
</ul></td>
<td style="vertical-align:top"><p>same as traditional MDM enrollment</p></td>
<td style="vertical-align:top"><p>same as traditional MDM enrollment</p></td>
</tr>
</tbody>
</table>
 
## Management protocol with Azure AD
There are two different MDM enrollment types that take advantage of integration with Azure AD and therefore make use of Azure AD user and device identities. Depending on the enrollment type, the MDM service may need to manage a single user or multiple users.
<a href="" id="multiple-user-management-for-azure-ad-joined-devices"></a>**Multiple user management for Azure AD joined devices**
In this scenario the MDM enrollment applies to every Azure AD user who logs on to the Azure AD joined device - call this enrollment type a device enrollment or a multi-user enrollment. The management server can determine the user identity, conclude what policies are targeted for this user, and send corresponding policies to the device. To allow management server to identify current user that is logged on to the device, the OMA DM client uses the Azure AD user tokens. Each management session contains an additional HTTP header that contains an Azure AD user token. This information is provided in the DM package sent to the management server. However, in some circumstances Azure AD user token is not sent over to the management server. One such scenario happens immediately after MDM enrollments completes during Azure AD join process. Until Azure AD join process is finished and Azure AD user logs on to the machine, Azure AD user token is not available to OMA-DM process. Typically MDM enrollment completes before Azure AD user logs on to machine and the initial management session does not contain an Azure AD user token. The management server should check if the token is missing and only send device policies in such case. Another possible reason for a missing Azure AD token in the OMA-DM payload is when a guest user is logged on to the device.
<a href="" id="adding-a-work-account-and-mdm-enrollment-to-a-device"></a>**Adding a work account and MDM enrollment to a device**
In this scenario, the MDM enrollment applies to a single user who initially added his work account and enrolled the device. In this enrollment type the management server can ignore Azure AD tokens that may be sent over during management session. Whether Azure AD token is present or missing, the management server sends both user and device policies to the device.
<a href="" id="evaluating-azure-ad-user-tokens"></a>**Evaluating Azure AD user tokens**
The Azure AD token is in the HTTP Authorization header in the following format:
``` syntax
Authorization:Bearer <Azure AD User Token Inserted here>
```
Additional claims may be present in the Azure AD token, such as:
- User - user currently logged in
- Device compliance - value set the the MDM service into Azure
- Device ID - identifies the device that is checking in
- Tenant ID
Access token issued by Azure AD are JSON web tokens (JWTs). A valid JWT token is presented by Windows at the MDM enrollment endpoint to initiate the enrollment process. There are a couple of options to evaluate the tokens:
- Use the JWT Token Handler extension for WIF to validate the contents of the access token and extract claims required for use. For more information, see [JSON Web Token Handler](http://go.microsoft.com/fwlink/p/?LinkId=613820).
- Refer to the Azure AD authentication code samples to get a sample for working with access tokens. For an example, see [NativeClient-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613667).
## Device Alert 1224 for Azure AD user token
An alert is sent when the DM session starts and there is an Azure AD user logged in. The alert is sent in OMA DM pkg\#1. Here's an example:
``` syntax
Alert Type: com.microsoft/MDM/AADUserToken
Alert sample:
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/AADUserToken</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>UserToken inserted here</Data>
</Item>
</Alert>
… other xml tags …
</SyncBody>
```
## Determine when a user is logged in through polling
An alert is send to the MDM server in DM package\#1.
- Alert type - com.microsoft/MDM/LoginStatus
- Alert format - chr
- Alert data - provide login status information for the current active logged in user.
- Logged in user who has an Azure AD account - predefined text: user.
- Logged in user without an Azure AD account- predefined text: others.
- No active user - predefined text:none
Here's an example.
``` syntax
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1224</Data>
<Item>
<Meta>
<Type xmlns=”syncml:metinf”>com.microsoft/MDM/LoginStatus</Type>
<Format xmlns=”syncml:metinf”>chr</Format>
</Meta>
<Data>user</Data>
</Item>
</Alert>
… other xml tags …
</SyncBody>
```
## Report device compliance to Azure AD
Once a device is enrolled with the MDM for management, corporate policies configured by the IT administrator are enforced on the device. The device compliance with configured policies is evaluated by the MDM and then reported to Azure AD. This section covers the Graph API call you can use to report a device compliance status to Azure AD.
For a sample that illustrates how an MDM can obtain an access token using OAuth 2.0 client\_credentials grant type, see [Daemon\_CertificateCredential-DotNet](http://go.microsoft.com/fwlink/p/?LinkId=613822).
- **Cloud-based MDM** - If your product is a cloud-based multi-tenant MDM service, you have a single key configured for your service within your tenant. Use this key to authenticate the MDM service with Azure AD, in order to obtain authorization.
- **On-premises MDM** - If your product is an on-premises MDM, customers must configure your product with the key used to authenticate with Azure AD. This is because each on-premises instance of your MDM product has a different tenant-specific key. For this purpose, you may need to expose a configuration experience in your MDM product that enables administrators to specify the key to be used to authenticate with Azure AD.
### Use Azure AD Graph API
The following sample REST API call illustrates how an MDM can use the Azure AD Graph API to report compliance status of a device currently being managed by it.
``` syntax
Sample Graph API Request:
PATCH https://graph.windows.net/contoso.com/devices/db7ab579-3759-4492-a03f-655ca7f52ae1?api-version=beta HTTP/1.1
Authorization: Bearer eyJ0eXAiO………
Accept: application/json
Content-Type: application/json
{ “isManaged”:true,
“isCompliant”:true
}
```
Where:
- **contoso.com** This is the name of the Azure AD tenant to whose directory the device has been joined.
- **db7ab579-3759-4492-a03f-655ca7f52ae1** This is the device identifier for the device whose compliance information is being reported to Azure AD.
- **eyJ0eXAiO**……… This is the bearer access token issued by Azure AD to the MDM that authorizes the MDM to call the Azure AD Graph API. The access token is placed in the HTTP authorization header of the request.
- **isManaged** and **isCompliant** - These Boolean attributes indicates compliance status.
- **api-version** - Use this parameter to specify which version of the graph API is being requested.
Response:
- Success - HTTP 204 with No Content.
- Failure/Error - HTTP 404 Not Found. This error may be returned if the specified device or tenant cannot be found.
## Data loss during unenrollment from Azure Active Directory Join
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
![aadj unenerollment](images/azure-ad-unenrollment.png)
## Error codes
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Code</th>
<th>ID</th>
<th>Error message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td style="vertical-align:top">0x80180001</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180002</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_AUTHENTICATION_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180003</td>
<td style="vertical-align:top">&quot;idErrorAuthorizationFailure&quot;, // MENROLL_E_DEVICE_AUTHORIZATION_ERROR</td>
<td style="vertical-align:top"><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180004</td>
<td style="vertical-align:top">&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR</td>
<td style="vertical-align:top"><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180005</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180006</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180007</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180008</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_DEVICE_UNKNOWN_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180009</td>
<td style="vertical-align:top">&quot;idErrorAlreadyInProgress&quot;, // MENROLL_E_ENROLLMENT_IN_PROGRESS</td>
<td style="vertical-align:top"><p>Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x8018000A</td>
<td style="vertical-align:top">&quot;idErrorMDMAlreadyEnrolled&quot;, // MENROLL_E_DEVICE_ALREADY_ENROLLED</td>
<td style="vertical-align:top"><p>This device is already enrolled. You can contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x8018000D</td>
<td style="vertical-align:top">&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID</td>
<td style="vertical-align:top"><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x8018000E</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_PASSWORD_NEEDED</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x8018000F</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // MENROLL_E_WAB_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180010</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // MENROLL_E_CONNECTIVITY</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180012</td>
<td style="vertical-align:top">&quot;idErrorMDMCertificateError&quot;, // MENROLL_E_INVALIDSSLCERT</td>
<td style="vertical-align:top"><p>There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180013</td>
<td style="vertical-align:top">&quot;idErrorDeviceLimit&quot;, // MENROLL_E_DEVICECAPREACHED</td>
<td style="vertical-align:top"><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180014</td>
<td style="vertical-align:top">&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_DEVICENOTSUPPORTED</td>
<td style="vertical-align:top"><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180015</td>
<td style="vertical-align:top">&quot;idErrorMDMNotSupported&quot;, // MENROLL_E_NOTSUPPORTED</td>
<td style="vertical-align:top"><p>This feature is not supported. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180016</td>
<td style="vertical-align:top">&quot;idErrorMDMRenewalRejected&quot;, // MENROLL_E_NOTELIGIBLETORENEW</td>
<td style="vertical-align:top"><p>The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180017</td>
<td style="vertical-align:top">&quot;idErrorMDMAccountMaintenance&quot;, // MENROLL_E_INMAINTENANCE</td>
<td style="vertical-align:top"><p>The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x80180018</td>
<td style="vertical-align:top">&quot;idErrorMDMLicenseError&quot;, // MENROLL_E_USERLICENSE</td>
<td style="vertical-align:top"><p>There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x80180019</td>
<td style="vertical-align:top">&quot;idErrorInvalidServerConfig&quot;, // MENROLL_E_ENROLLMENTDATAINVALID</td>
<td style="vertical-align:top"><p>Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">&quot;rejectedTermsOfUse&quot;</td>
<td style="vertical-align:top">&quot;idErrorRejectedTermsOfUse&quot;</td>
<td style="vertical-align:top"><p>Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0001</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0002</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_AUTHENTICATION_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0003</td>
<td style="vertical-align:top">&quot;idErrorAuthorizationFailure&quot;, // DSREG_E_DEVICE_AUTHORIZATION_ERROR</td>
<td style="vertical-align:top"><p>This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0006</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DEVICE_INTERNALSERVICE_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c000B</td>
<td style="vertical-align:top">&quot;idErrorUntrustedServer&quot;, // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED</td>
<td style="vertical-align:top">The server being contacted is not trusted. Contact your system administrator with the error code {0}.</td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c000C</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_FAILED</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c000E</td>
<td style="vertical-align:top">&quot;idErrorDeviceLimit&quot;, // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED</td>
<td style="vertical-align:top"><p>Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c000F</td>
<td style="vertical-align:top">&quot;idErrorDeviceRequiresReboot&quot;, // DSREG_E_DEVICE_REQUIRES_REBOOT</td>
<td style="vertical-align:top"><p>A reboot is required to complete device registration.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0010</td>
<td style="vertical-align:top">&quot;idErrorInvalidCertificate&quot;, // DSREG_E_DEVICE_AIK_VALIDATION_ERROR</td>
<td style="vertical-align:top"><p>Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0011</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_DEVICE_ATTESTATION_ERROR</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0012</td>
<td style="vertical-align:top">&quot;idErrorServerConnectivity&quot;, // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR</td>
<td style="vertical-align:top"><p>There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}</p></td>
</tr>
<tr class="odd">
<td style="vertical-align:top">0x801c0013</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_TENANTID_NOT_FOUND</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
<tr class="even">
<td style="vertical-align:top">0x801c0014</td>
<td style="vertical-align:top">&quot;idErrorAuthenticationFailure&quot;, // DSREG_E_USERSID_NOT_FOUND</td>
<td style="vertical-align:top"><p>There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.</p></td>
</tr>
</tbody>
</table>
 
 


@ -0,0 +1,682 @@
---
title: BitLocker CSP
description: BitLocker CSP
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# BitLocker CSP
The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703.
> [!Note]
> Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes.
> You must send all the settings together in a single SyncML to be effective.
A Get operation on any of the settings, except for RequireDeviceEncryption and RequireStorageCardEncryption, returns
the setting configured by the admin.
For RequireDeviceEncryption and RequireStorageCardEncryption, the Get operation returns the actual status of enforcement to the admin, such as if TPM protection is required and if encryption is required. And if the device has BitLocker enabled but with password protector, the status reported is 0. A Get operation on RequireDeviceEncryption does not verify that the a minimum PIN length is enforced (SystemDrivesMinimumPINLength).
The following diagram shows the BitLocker configuration service provider in tree format.
![bitlocker csp](images/provisioning-csp-bitlocker.png)
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
<p style="margin-left: 20px">Defines the root node for the BitLocker configuration service provider.</p>
<a href="" id="requirestoragecardencryption"></a>**RequireStorageCardEncryption**
<p style="margin-left: 20px">Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.</p>
<p style="margin-left: 20px">Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.</p>
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="requiredeviceencryption"></a>**RequireDeviceEncryption**
<p style="margin-left: 20px">Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.</p>
<p style="margin-left: 20px">Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.</p>
<p style="margin-left: 20px">If you want to disable this policy use the following SyncML:</p>
``` syntax
<SyncML>
<SyncBody>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</SyncBody>
</SyncML>
```
<p style="margin-left: 20px">Data type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
<p style="margin-left: 20px">Allows you to set the default encrytion method for each of the different drive types. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)" (Policy EncryptionMethodWithXts_Name).</p>
<p style="margin-left: 20px">This setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.</p>
<p style="margin-left: 20px">If you enable this setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511.</p>
<p style="margin-left: 20px">If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.</p>
<p style="margin-left: 20px"> Sample value for this node to enable this policy and set the encryption methods is:</p>
``` syntax
<enabled/><data id="EncryptionMethodWithXtsOsDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsFdvDropDown_Name" value="xx"/><data id="EncryptionMethodWithXtsRdvDropDown_Name" value="xx"/>
```
<p style="margin-left: 20px">EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives</p>
<p style="margin-left: 20px">EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.</p>
<p style="margin-left: 20px">EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.</p>
<p style="margin-left: 20px"> The possible values for 'xx' are:</p>
<ul>
<li>3 = AES-CBC 128</li>
<li>4 = AES-CBC 256</li>
<li>6 = XTS-AES 128</li>
<li>7 = XTS-AES 256</li>
</ul>
<p style="margin-left: 20px"> If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup" (ConfigureAdvancedStartup_Name ).</p>
<p style="margin-left: 20px">This setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This setting is applied when you turn on BitLocker.</p>
> [!Note]
> Only one of the additional authentication options can be required at startup, otherwise an error occurs.
<p style="margin-left: 20px">If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.</p>
<p style="margin-left: 20px">On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.</p>
<p style="margin-left: 20px">If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.</p>
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure only basic options on computers with a TPM.</p>
> [!Note]
> If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="ConfigureNonTPMStartupKeyUsage_Name" value="xx"/><data id="ConfigureTPMStartupKeyUsageDropDown_Name" value="yy"/><data id="ConfigurePINUsageDropDown_Name" value="yy"/><data id="ConfigureTPMPINKeyUsageDropDown_Name" value="yy"/><data id="ConfigureTPMUsageDropDown_Name" value="yy"/>
```
<p style="margin-left: 20px">Data id:</p>
<ul>
<li>ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive).</li>
<li>ConfigureTPMStartupKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key.</li>
<li>ConfigurePINUsageDropDown_Name = (for computer with TPM) Configure TPM startup PIN.</li>
<li>ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.</li>
<li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
</ul>
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">The possible values for 'yy' are:</p>
<ul>
<li>2 = Optional</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup" (GP MinimumPINLength_Name).</p>
<p style="margin-left: 20px">This setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.</p>
<p style="margin-left: 20px">If you enable this setting, you can require a minimum number of digits to be used when setting the startup PIN.</p>
<p style="margin-left: 20px">If you disable or do not configure this setting, users can configure a startup PIN of any length between 6 and 20 digits.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="MinPINLength" value="xx"/>
```
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name).</p>
<p style="margin-left: 20px">This setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
</p>
<p style="margin-left: 20px">If you set the value to "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).</o>
<p style="margin-left: 20px">If you set the value to "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.</p>
<p style="margin-left: 20px">If you set the the value to "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>0 = Empty</li>
<li>1 = Use default recovery message and URL.</li>
<li>2 = Custom recovery message is set.</li>
<li>3 = Custom recovery URL is set.</li>
<li>'yy' = string of max length 900.</li>
<li>'zz' = string of max length 500.</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
> [!Note]
> Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).</p>
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This setting is applied when you turn on BitLocker.</p>
<p style="margin-left: 20px">The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.</p>
<p style="margin-left: 20px">In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.</p>
<p style="margin-left: 20px">Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.</p>
<p style="margin-left: 20px">Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.</p>
<p style="margin-left: 20px">Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.</p>
> [!Note]
> If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
<p style="margin-left: 20px">If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.</p>
<p style="margin-left: 20px">If this setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
<li></li>
</ul>
<p style="margin-left: 20px">The possible values for 'yy' are:</p>
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">The possible values for 'zz' are:</p>
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
<li></li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (FDVRecoveryUsage_Name).</p>
<p style="margin-left: 20px">This setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This setting is applied when you turn on BitLocker.</p>
<p style="margin-left: 20px">The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.</p>
<p style="margin-left: 20px">In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.</p>
<p style="margin-left: 20px">Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.</p>
<p style="margin-left: 20px">Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.</p>
<p style="margin-left: 20px">Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.</p>
<p style="margin-left: 20px">Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.</p>
> [!Note]
> If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field is set, a recovery password is automatically generated.
<p style="margin-left: 20px">If you enable this setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.</p>
<p style="margin-left: 20px">If this setting is not configured or disabled, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">The possible values for 'yy' are:</p>
<ul>
<li>2 = Allowed</li>
<li>1 = Required</li>
<li>0 = Disallowed</li>
</ul>
<p style="margin-left: 20px">The possible values for 'zz' are:</p>
<ul>
<li>2 = Store recovery passwords only</li>
<li>1 = Store recovery passwords and key packages</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).</p>
<p style="margin-left: 20px">This setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.</p>
<p style="margin-left: 20px">If you enable this setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.</p>
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/>
```
<p style="margin-left: 20px">If you disable or do not configure this setting, all fixed data drives on the computer will be mounted with read and write access. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
<p style="margin-left: 20px">Data type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**
<p style="margin-left: 20px">This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).</p>
<p style="margin-left: 20px">This setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.</p>
<p style="margin-left: 20px">If you enable this setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.</p>
<p style="margin-left: 20px">If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.</p>
<p style="margin-left: 20px">If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.</p>
> [!Note]
> This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
<p style="margin-left: 20px">Sample value for this node to enable this policy is:</p>
``` syntax
<enabled/><data id="RDVCrossOrg" value="xx"/>
```
<p style="margin-left: 20px">The possible values for 'xx' are:</p>
<ul>
<li>true = Explicitly allow</li>
<li>false = Policy not set</li>
</ul>
<p style="margin-left: 20px">Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
```
### SyncML example
The following example is provided to show proper format and should not be taken as a recommendation.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<!-- Phone only policy -->
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Replace>
<!-- All of the following policies are only supported on desktop SKU -->
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;4&quot;/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;7&quot;/&gt;
&lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;4&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;MinPINLength&quot; value=&quot;6&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;blablablabla&quot;/&gt;
&lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;blablabla&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
&lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;2&quot;/&gt;
&lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;true&quot;/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
</Data>
</Item>
</Replace>
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Data>
&lt;enabled/&gt;
&lt;data id=&quot;RDVCrossOrg&quot; value=&quot;true&quot;/&gt;
</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>
```
<a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**
<p style="margin-left: 20px">Allows the Admin to disable the warning prompt for other disk encryption on the user machines.</p>
<p style="margin-left: 20px">The following list shows the supported values:</p>
- 0 Disables the warning prompt.
- 1 (default) Warning prompt allowed.
<p style="margin-left: 20px">Admin should set the value to 0 to disable the warning. If you want to disable this policy use the following SyncML:</p>
``` syntax
<Replace>
<CmdID>110</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/DisableWarningForOtherDiskEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
```


@ -0,0 +1,598 @@
---
title: BitLocker DDF file
description: BitLocker DDF file
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# BitLocker DDF file
This topic shows the OMA DM device description framework (DDF) for the **BitLocker** configuration service provider.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>BitLocker</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/BitLocker</MIME>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>RequireStorageCardEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to require storage card encryption on the device.
The format is integer.
This policy is only valid for mobile SKU.
Sample value for this node to enable this policy:
1
Disabling the policy will not turn off the encryption on the storage card. But will stop prompting the user to turn it on.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireStorageCardEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RequireDeviceEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Allows the Admin to require encryption to be turned on using BitLocker\Device Encryption.
The format is integer.
Sample value for this node to enable this policy:
1
Disabling the policy will not turn off the encryption on the system drive. But will stop prompting the user to turn it on.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RequireDeviceEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>0</Data>
</Item>
</Replace>
</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EncryptionMethodByDriveType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted, or if encryption is in progress.
If you enable this policy setting you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10 (Version 1511).
If you disable or do not configure this policy setting, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by any setup script.”
The format is string.
Sample value for this node to enable this policy and set the encryption methods is:
&lt;enabled/&gt;&lt;data id=&quot;EncryptionMethodWithXtsOsDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;EncryptionMethodWithXtsFdvDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;EncryptionMethodWithXtsRdvDropDown_Name&quot; value=&quot;xx&quot;/&gt;
EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives.
EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
The possible values for 'xx' are:
3 = AES-CBC 128
4 = AES-CBC 256
6 = XTS-AES 128
7 = XTS-AES 256
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/EncryptionMethodByDriveType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP EncryptionMethodWithXts_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesRequireStartupAuthentication</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you turn on BitLocker.
Note: Only one of the additional authentication options can be required at startup, otherwise a policy error occurs.
If you want to use BitLocker on a computer without a TPM, set the "ConfigureNonTPMStartupKeyUsage_Name" data. In this mode either a password or a USB drive is required for start-up. When using a startup key, the key information used to encrypt the drive is stored on the USB drive, creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to use one of the BitLocker recovery options to access the drive.
On a computer with a compatible TPM, four types of authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts, it can use only the TPM for authentication, or it can also require insertion of a USB flash drive containing a startup key, the entry of a 6-digit to 20-digit personal identification number (PIN), or both.
If you enable this policy setting, users can configure advanced startup options in the BitLocker setup wizard.
If you disable or do not configure this policy setting, users can configure only basic options on computers with a TPM.
Note: If you want to require the use of a startup PIN and a USB flash drive, you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizard.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;ConfigureNonTPMStartupKeyUsage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;ConfigureTPMStartupKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigurePINUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigureTPMPINKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;ConfigureTPMUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;
ConfigureNonTPMStartupKeyUsage_Name = Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
All of the below settings are for computers with a TPM.
ConfigureTPMStartupKeyUsageDropDown_Name = Configure TPM startup key.
ConfigurePINUsageDropDown_Name = Configure TPM startup PIN.
ConfigureTPMPINKeyUsageDropDown_Name = Configure TPM startup key and PIN.
ConfigureTPMUsageDropDown_Name = Configure TPM startup.
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
The possible values for 'yy' are:
2 = Optional
1 = Required
0 = Disallowed
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRequireStartupAuthentication</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP ConfigureAdvancedStartup_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesMinimumPINLength</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 6 digits and can have a maximum length of 20 digits.
If you enable this policy setting, you can require a minimum number of digits to be used when setting the startup PIN.
If you disable or do not configure this policy setting, users can configure a startup PIN of any length between 6 and 20 digits.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;MinPINLength&quot; value=&quot;xx&quot;/&gt;
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesMinimumPINLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP MinimumPINLength_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesRecoveryMessage</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key recovery screen when the OS drive is locked.
If you set the "1" (Use default recovery message and URL), the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message, you must keep the policy enabled and set the value "1" (Use default recovery message and URL).
If you set the "2" (Use custom recovery message), the message you set in the "RecoveryMessage_Input" data field will be displayed in the pre-boot key recovery screen. If a recovery URL is available, include it in the message.
If you set the "3" (Use custom recovery URL), the URL you type in the "RecoveryUrl_Input" data field will replace the default URL in the default recovery message, which will be displayed in the pre-boot key recovery screen.
Note: Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;PrebootRecoveryInfoDropDown_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;RecoveryMessage_Input&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;RecoveryUrl_Input&quot; value=&quot;zz&quot;/&gt;
The possible values for 'xx' are:
0 = Empty
1 = Use default recovery message and URL.
2 = Custom recovery message is set.
3 = Custom recovery URL is set.
'yy' = string of max length 900.
'zz' = string of max length 500.
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP PrebootRecoveryInfo_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>SystemDrivesRecoveryOptions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.
The "OSAllowDRA_Name" (Allow certificate-based data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In "OSRecoveryPasswordUsageDropDown_Name" and "OSRecoveryKeyUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set "OSHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "OSActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services), to choose which BitLocker recovery information to store in AD DS for operating system drives (OSActiveDirectoryBackupDropDown_Name). If you set "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you set "2" (Backup recovery password only), only the recovery password is stored in AD DS.
Set the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Note: If the "OSRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for operating system drives) data field is set, a recovery password is automatically generated.
If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected operating system drives.
If this policy setting is disabled or not configured, the default recovery options are supported for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified by the user including the recovery password and recovery key, and recovery information is not backed up to AD DS.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;OSAllowDRA_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSRecoveryPasswordUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;OSRecoveryKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;OSHideRecoveryPage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;OSActiveDirectoryBackupDropDown_Name&quot; value=&quot;zz&quot;/&gt;&lt;data id=&quot;OSRequireActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
The possible values for 'yy' are:
2 = Allowed
1 = Required
0 = Disallowed
The possible values for 'zz' are:
2 = Store recovery passwords only
1 = Store recovery passwords and key packages
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP OSRecoveryUsage_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FixedDrivesRecoveryOptions</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.
The "FDVAllowDRA_Name" (Allow data recovery agent) data field is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
In "FDVRecoveryPasswordUsageDropDown_Name" (Configure user storage of BitLocker recovery information) set whether users are allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.
Set "FDVHideRecoveryPage_Name" (Omit recovery options from the BitLocker setup wizard) to prevent users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker, instead BitLocker recovery options for the drive are determined by the policy setting.
Set "FDVActiveDirectoryBackup_Name" (Save BitLocker recovery information to Active Directory Domain Services) to enable saving the recovery key to AD.
Set the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives) data field if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
Set the "FDVActiveDirectoryBackupDropDown_Name" (Configure storage of BitLocker recovery information to AD DS) to choose which BitLocker recovery information to store in AD DS for fixed data drives. If you select "1" (Backup recovery password and key package), both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you select "2" (Backup recovery password only) only the recovery password is stored in AD DS.
Note: If the "FDVRequireActiveDirectoryBackup_Name" (Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" data field is set, a recovery password is automatically generated.
If you enable this policy setting, you can control the methods available to users to recover data from BitLocker-protected fixed data drives.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;FDVAllowDRA_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVRecoveryPasswordUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;FDVRecoveryKeyUsageDropDown_Name&quot; value=&quot;yy&quot;/&gt;&lt;data id=&quot;FDVHideRecoveryPage_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;&lt;data id=&quot;FDVActiveDirectoryBackupDropDown_Name&quot; value=&quot;zz&quot;/&gt;&lt;data id=&quot;FDVRequireActiveDirectoryBackup_Name&quot; value=&quot;xx&quot;/&gt;
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
The possible values for 'yy' are:
2 = Allowed
1 = Required
0 = Disallowed
The possible values for 'zz' are:
2 = Store recovery passwords only
1 = Store recovery passwords and key packages
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRecoveryOptions</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP FDVRecoveryUsage_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FixedDrivesRequireEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.
If you enable this policy setting, all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If you disable or do not configure this policy setting, all fixed data drives on the computer will be mounted with read and write access.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/FixedDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP FDVDenyWriteAccess_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>RemovableDrivesRequireEncryption</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access.
If the "RDVCrossOrg" (Deny write access to devices configured in another organization) option is set, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" group policy setting.
If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access.
Note: This policy setting can be overridden by the group policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" group policy setting is enabled this policy setting will be ignored.
The format is string.
Sample value for this node to enable this policy is:
&lt;enabled/&gt;&lt;data id=&quot;RDVCrossOrg&quot; value=&quot;xx&quot;/&gt;
The possible values for 'xx' are:
true = Explicitly allow
false = Policy not set
Disabling the policy will let the system choose the default behaviors.
If you want to disable this policy use the following SyncML:
<Replace>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/BitLocker/RemovableDrivesRequireEncryption</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>&lt;disabled/&gt;</Data>
</Item>
</Replace>
Note: Maps to GP RDVDenyWriteAccess_Name policy.
</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```


@ -0,0 +1,48 @@
---
title: BOOTSTRAP CSP
description: BOOTSTRAP CSP
ms.assetid: b8acbddc-347f-4543-a45b-ad2ffae3ffd0
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# BOOTSTRAP CSP
The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device.
> **Note**  BOOTSTRAP CSP is only supported in Windows 10 Mobile.
 
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![bootstrap csp (cp)](images/provisioning-csp-bootstrap-cp.png)
<a href="" id="context-allow"></a>**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
<a href="" id="provurl"></a>**PROVURL**
Required. Specifies the location of a Trusted Provisioning Server (TPS). The PROVURL value must be a complete URL string with a maximum length of 256 characters.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -0,0 +1,113 @@
---
title: BrowserFavorite CSP
description: BrowserFavorite CSP
ms.assetid: 5d2351ff-2d6a-4273-9b09-224623723cbf
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# BrowserFavorite CSP
The BrowserFavorite configuration service provider is used to add and remove URLs from the favorites list on a device.
> **Note**  BrowserFavorite CSP is only supported in Windows Phone 8.1.
 
The BrowserFavorite configuration service provider manages only the favorites at the root favorite folder level. It does not manage subfolders under the root favorite folder nor does it manage favorites under a subfolder.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_INTERNET\_EXPLORER\_FAVORITES capabilities to be accessed from a network configuration application.
 
The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
![browserfavorite csp (cp)](images/provisioning-csp-browserfavorite-cp.png)
<a href="" id="favorite-name-------------"></a>***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
> **Note**  The *favorite name* should contain only characters that are valid in the Windows file system. The invalid characters are: \\ / : \* ? " &lt; &gt; |
 
Adding the same favorite twice adds only one occurrence to the Favorites list. If a favorite is added when another favorite with the same name but a different URL is already in the Favorites list, the existing favorite is replaced with the new favorite.
<a href="" id="url"></a>**URL**
Optional. Specifies the complete URL for the favorite.
## OMA client provisioning examples
Adding a new browser favorite.
``` syntax
<?xml version="1.0" encoding="UTF-8" ?>
<wap-provisioningdoc>
<characteristic type="BrowserFavorite">
<characteristic type="Help and how-to">
<parm name="URL" value="http://www.microsoft.com/windowsphone/en-US/howto/wp7/default.aspx"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Elements</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>noparm</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top-level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -0,0 +1,119 @@
---
title: Bulk assign and reclaim seats from users
description: The Bulk assign and reclaim seats from users operation returns reclaimed or assigned seats in the Windows Store for Business.
ms.assetid: 99E2F37D-1FF3-4511-8969-19571656780A
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Bulk assign and reclaim seats from users
The **Bulk assign and reclaim seats from users** operation returns reclaimed or assigned seats in the Windows Store for Business.
## Request
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Method</th>
<th>Request URI</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>POST</p></td>
<td><p>https:<span></span>//bspmts.mp.microsoft.com/V1/Inventory/{productId}/{skuId}/Seats</p></td>
</tr>
</tbody>
</table>
 
### URI parameters
The following parameters may be specified in the request URI.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th>Parameter</th>
<th>Type</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>productId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier for an application that is used by the Store for Business.</p></td>
</tr>
<tr class="even">
<td><p>skuId</p></td>
<td><p>string</p></td>
<td><p>Required. Product identifier that specifies a specific SKU of an application.</p></td>
</tr>
<tr class="odd">
<td><p>username</p></td>
<td><p>string</p></td>
<td><p>Requires UserPrincipalName (UPN). User name of the target user account.</p></td>
</tr>
<tr class="even">
<td><p>seatAction</p></td>
<td><p>[SeatAction](data-structures-windows-store-for-business.md#seataction)</p></td>
<td></td>
</tr>
</tbody>
</table>
 
## Response
### Response body
The response body contains [BulkSeatOperationResultSet](data-structures-windows-store-for-business.md#bulkseatoperationresultset).
<table>
<colgroup>
<col width="25%" />
<col width="25%" />
<col width="25%" />
<col width="25%" />
</colgroup>
<thead>
<tr class="header">
<th>Error code</th>
<th>Description</th>
<th>Retry</th>
<th>Data field</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>404</p></td>
<td><p>Not found</p></td>
<td></td>
<td><p>Item type: Inventory</p>
<p>Values: ProductId/SkuId</p></td>
</tr>
</tbody>
</table>
 
 


@ -0,0 +1,169 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
ms.assetid: DEB98FF3-CC5C-47A1-9277-9EF939716C87
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Bulk enrollment
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
- Set up devices in bulk for large organizations to be managed by MDM.
- Set up kiosks, such as ATMs or point-of-sale (POS) terminals.
- Set up school computers.
- Set up industrial machinery.
- Set handheld POS devices.
On the desktop, you can create an Active Directory account, such as "enrollment@contoso.com" and give it only the ability to join the domain. Once the desktop is joined with that admin account, then standard users in the domain can log in to use it. This is especially useful in getting a large number of desktop ready to use within a domain.
On the desktop and mobile devices, you can use an enrollment certificate or enrollment username and password, such as "enroll@contoso.com" and "enrollmentpassword." These credentials are used in the provisioning package, which you can use to enroll multiple devices to the MDM service. Once the devices are joined, many users can use them.
> **Note**  
> - Bulk-join is not supported in Azure Active Directory Join.
> - Bulk enrollment does not work in Intune standalone enviroment.
> - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console.
 
## What you need
- Windows 10 devices
- Windows Imaging and Configuration Designer (ICD) tool
To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](https://msdn.microsoft.com/library/windows/hardware/dn916113) and [Getting started with Windows ICD](https://msdn.microsoft.com/library/windows/hardware/dn916112).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
## Create and apply a provisioning package for on-premise authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Click **Advanced Provisioning**.
![icd start page](images/bulk-enrollment7.png)
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Expand **Runtime settings** &gt; **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
8. On the left navigation pane, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here is the list of available settings:
- **AuthPolicy** - Select **OnPremise**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the ICD at this point.
![bulk enrollment screenshot](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu click **Export** &gt; **Provisioning package**.
![icd menu for export](images/bulk-enrollment2.png)
12. Enter the values for your package and specify the package output location.
![enter package information](images/bulk-enrollment3.png)
![enter additonal information for package information](images/bulk-enrollment4.png)
![specify file location](images/bulk-enrollment6.png)
13. Click **Build**.
![icb build window](images/bulk-enrollment5.png)
14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
15. Apply the package to your devices.
## Create and apply a provisioning package for certificate authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
2. Enter a **CertificateName** and then click **Add**.
3. Enter the **CertificatePasword**.
4. For **CertificatePath**, browse and select the certificate to be used.
5. Set **ExportCertificate** to False.
6. For **KeyLocation**, select **Software only**.
![icd certificates section](images/bulk-enrollment8.png)
7. Specify the workplace settings.
1. Got to **Workplace** &gt; **Enrollments**.
2. Enter the **UPN** for the enrollment and then click **Add**.
The UPN is a unique identifier for the enrollment. For bulk enrollment, this must be a service account that is allowed to enroll multiple users, such as "enrollment@contoso.com".
3. On the left column, expand the **UPN** and then enter the information for the rest of the settings for enrollment process.
Here is the list of available settings:
- **AuthPolicy** - Select **Certificate**.
- **DiscoveryServiceFullUrl** - specify the full URL for the discovery service.
- **EnrollmentServiceFullUrl** - Optional and in most cases, it should be left blank.
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - the certificate thumbprint.
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
8. Configure the other settings, such as the Wi-Fi connection so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
9. When you are done adding all the settings, on the **File** menu, click **Save**.
10. Export and build the package (steps 10-13 in the procedure above).
11. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
12. Apply the package to your devices.
## Apply a provisioning package
Here's the list of topics about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
- [Apply a package to a Windows 10 desktop edition image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package to a Windows 10 Mobile image](https://msdn.microsoft.com/library/windows/hardware/dn916107.aspx#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN.
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
## Apply a package from the Settings menu
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
3. Click **Add a package**.
## <a href="" id="validate-that-the-provisioning-package-was-applied-"></a>Validate that the provisioning package was applied
1. Go to **Settings** &gt; **Accounts** &gt; **Access work or school**.
2. Click **Add or remove a provisioning package**.
You should see the your package listed.
## Retry logic in case of a failure
If the provisioning engine receives a failure from a CSP it will retry to provision 3 times in a row.
If all immediate attempts fail, a delayed task is launched to try provisioning again later. It will retry 4 times at a decaying rate of 15 minutes -&gt; 1 hr -&gt; 4 hr -&gt; "Next System Start". These attempts will be run from a SYSTEM context.
It will also retry to apply the provisioning each time it is launched, if started from somewhere else as well.
In addition, provisioning will be restarted in a SYSTEM context after a login and the system has been idle ([details on idle conditions](https://msdn.microsoft.com/library/windows/desktop/aa383561.aspx)).
## Other provisioning topics
Here are links to step-by-step provisioning topics in Technet.
- [Provision PCs with apps and certificates for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-with-apps-and-certificates)
- [Provision PCs with common settings for initial deployment](https://technet.microsoft.com/itpro/windows/deploy/provision-pcs-for-initial-deployment)
 


@ -0,0 +1,68 @@
---
title: CellularSettings CSP
description: CellularSettings CSP
ms.assetid: ce8b6f16-37ca-4aaf-98b0-306d12e326df
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# CellularSettings CSP
The CellularSettings configuration service provider is used to configure cellular settings on a mobile device.
> [!Note]
> Starting in Windows 10, version 1703 the CellularSettings CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![provisioning\-csp\-cellularsettings](images/provisioning-csp-cellularsettings.png)
<a href="" id="dataroam"></a>**DataRoam**
<p style="margin-left: 20px"> Optional. Integer. Specifies the default roaming value. Valid values are:</p>
<table style="margin-left: 20px"><table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Value</th>
<th>Setting</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>0</p></td>
<td><p>Dont roam</p></td>
</tr>
<tr class="even">
<td><p>1</p></td>
<td><p>Dont roam (or Domestic roaming if applicable)</p></td>
</tr>
<tr class="odd">
<td><p>2</p></td>
<td><p>Roam</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 
@ -0,0 +1,513 @@
---
title: Certificate authentication device enrollment
description: This section provides an example of the mobile device enrollment protocol using certificate authentication policy.
ms.assetid: 57DB3C9E-E4C9-4275-AAB5-01315F9D3910
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Certificate authentication device enrollment
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
> **Note**  To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
## In this topic
- [Discovery service](#discovery-service)
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
For the list of enrollment scenarios not supported in Windows 10, see [Enrollment scenarios not supported](mobile-device-enrollment.md#enrollment-scenarios-not-supported).
## Discovery Service
The following example shows the discovery service request.
``` syntax
POST /EnrollmentServer/Discovery.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: EnterpriseEnrollment.Contoso.com
Content-Length: xxx
Cache-Control: no-cache
<?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:s="http://www.w3.org/2003/05/soap-envelope">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover
</a:Action>
<a:MessageID>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc
</a:To>
</s:Header>
<s:Body>
<Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment/">
<request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
<EmailAddress>user@contoso.com</EmailAddress>
<OSEdition>101</OSEdition> <!--New in Windows 10-->
<OSVersion>10.0.0.0</OSVersion> <!--New in Windows 10-->
<RequestVersion>3.0</RequestVersion> <!--Updated in Windows 10-->
<DeviceType>WindowsPhone</DeviceType> <!--Legacy in Windows 10 for Windows Phone/Handheld-->
<ApplicationVersion>10.0.0.0</ApplicationVersion>
<AuthPolicies>Certificate</AuthPolicies> <!--New in Windows 10-->
</request>
</Discover>
</s:Body>
</s:Envelope>
```
The following example shows the discovery service response.
```
HTTP/1.1 200 OK
Content-Length: 865
Content-Type: application/soap+xml; charset=utf-8
Server: EnterpriseEnrollment.Contoso.com
Date: Tue, 02 Aug 2012 00:32:56 GMT
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse
</a:Action>
<ActivityId>
d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8
</ActivityId>
<a:RelatesTo>urn:uuid: 748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<DiscoverResponse
xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
<DiscoverResult>
<AuthPolicy>Certificate</AuthPolicy>
<EnrollmentVersion>3.0</EnrollmentVersion>
<EnrollmentPolicyServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentPolicyServiceUrl>
<EnrollmentServiceUrl>
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</EnrollmentServiceUrl>
</DiscoverResult>
</DiscoverResponse>
</s:Body>
</s:Envelope>
```
## Enrollment policy web service
The following example shows the policy web service request.
```
POST /ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: enrolltest.contoso.com
Content-Length: xxxx
Cache-Control: no-cache
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies
</a:Action>
<a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsse:BinarySecurityToken wsse:ValueType="X509v3” wsse:Id="mytoken wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken>
</wsse:Security>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPolicies
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<client>
<lastUpdate xsi:nil="true"/>
<preferredLanguage xsi:nil="true"/>
</client>
<requestFilter xsi:nil="true"/>
</GetPolicies>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSPlatform">
<ac:Value>WindowsMobile</ac:Value>
<ac:ContextItem Name="OSEdition">
<ac:Value>Core</ac:Value>
<ac:ContextItem Name="OSVersion">
<ac:Value>9.0.9999.0</ac:Value>
<ac:ContextItem Name="DeviceName">
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
<ac:ContextItem Name="MACAddress">
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
<ac:ContextItem Name="IMEI">
<ac:Value>49015420323756</ac:Value>
<ac:ContextItem Name="EnrollmentType">
<ac:Value>Lite</ac:Value>
<ac:ContextItem Name="DeviceType">
<ac:Value>WindowsPhone</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion">
<ac:Value>10.0.0.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID">
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
</ac:AdditionalContext>
</s:Body>
</s:Envelope>
```
The following snippet shows the policy web service response.
```
HTTP/1.1 200 OK
Date: Fri, 03 Aug 2012 20:00:00 GMT
Server: <sever name here>
Content-Type: application/soap+xml
Content-Length: xxxx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<s:Envelope
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
</a:Action>
<ActivityId CorrelationId="08d2997e-e8ac-4c97-a4ce-d263e62186ab"
xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">
d4335d7c-e192-402d-b0e7-f5d550467e3c</ActivityId>
<a:RelatesTo>urn:uuid: 69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
</s:Header>
<s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema">
<GetPoliciesResponse
xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
<response>
<policyFriendlyName xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<nextUpdateHours xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policiesNotChanged xsi:nil="true"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
<policies>
<policy>
<policyOIDReference>0</policyOIDReference>
<cAs xsi:nil="true" />
<attributes>
<policySchema>3</policySchema>
<privateKeyAttributes>
<minimalKeyLength>2048</minimalKeyLength>
<keySpec xsi:nil="true" />
<keyUsageProperty xsi:nil="true" />
<permissions xsi:nil="true" />
<algorithmOIDReference xsi:nil="true" />
<cryptoProviders xsi:nil="true" />
</privateKeyAttributes>
<supersededPolicies xsi:nil="true" />
<privateKeyFlags xsi:nil="true" />
<subjectNameFlags xsi:nil="true" />
<enrollmentFlags xsi:nil="true" />
<generalFlags xsi:nil="true" />
<hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
<rARequirements xsi:nil="true" />
<keyArchivalAttributes xsi:nil="true" />
<extensions xsi:nil="true" />
</attributes>
</policy>
</policies>
</response>
<cAs xsi:nil="true" />
<oIDs>
<oID>
<value>1.3.14.3.2.29</value>
<group>1</group>
<oIDReferenceID>0</oIDReferenceID>
<defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
</oID>
</oIDs>
</GetPoliciesResponse>
</s:Body>
</s:Envelope>
```
## Enrollment web service
The following example shows the enrollment web service request.
```
POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Enrollment Client
Host: enrolltest.contoso.com
Content-Length: 3242
Cache-Control: no-cache
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep
</a:Action>
<a:MessageID>urn:uuid:0d5a1441-5891-453b-becf-a2e5f6ea3749</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC
</a:To>
<wsse:Security s:mustUnderstand="1">
<wsu:Timestamp>
<wsu:Created>2014-10-16T17:55:13Z</wsu:Created> <!-- Start time in UTC -->
<wsu:Expires>2014-10-16T17:57:13Z </wsu:Expires> <!-- Expiration time in UTC -->
</wsu:Timestamp>
<wsse:BinarySecurityToken wsse:ValueType=
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken
wsse:EncodingType=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
wsu:Id=”29801C2F-F26B-46AD-984B-AFAEFB545FF8”>
B64EncodedSampleBinarySecurityToken
</wsse:BinarySecurityToken> <!—X509v3 Exported Public Cert, B64 Encoded, includes ID reference value to reference -->
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-
1.0.xsd”>
<ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1/>
<ds:Reference URI="#envelop">
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>
<ds:DigestValue>MessageDigestValue</ds:DigestValue>
<!-- Digest value of message using digest method -->
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SignedMessageBlob/ds:SignatureValue>
<!-- Digest value of message signed with the users private key using RSA-SHA256 -->
<ds:KeyInfo>
<wsse:SecurityTokenReference>
<wsse:Reference URI="29801C2F-F26B-46AD-984B-AFAEFB545FF8"
ValueType="http://docs.oasis-open.org/wss/2004/01/
oasis-200401-wss-x509-token-profile-1.0#X509"/>
<!-— References BinarySecurityToken that contains public key to verify signature -->
</wsse:SecurityTokenReference>
</ds:KeyInfo>
</ds:Signature>
</wsse:Security>
</s:Header>
<s:Body>
<wst:RequestSecurityToken>
<wst:TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</wst:TokenType>
<wst:RequestType>
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType>
<wsse:BinarySecurityToken
ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">
DER format PKCS#10 certificate request in Base64 encoding Insterted Here
</wsse:BinarySecurityToken>
<ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ac:ContextItem Name="OSEdition"> <!--New in Windows 10-->
<ac:Value></ac:Value>
<ac:ContextItem Name="OSVersion"> <!--New in Windows 10-->
<ac:Value>10.0.0.0</ac:Value>
<ac:ContextItem Name="DeviceName"> <!--New in Windows 10-->
<ac:Value>MY_WINDOWS_DEVICE</ac:Value>
<ac:ContextItem Name="MAC"> <!--New in Windows 10 -->
<ac:Value>FF:FF:FF:FF:FF:FF</ac:Value>
<ac:ContextItem Name="MAC"> <!--New in Windows 10 -->
<ac:Value>CC:CC:CC:CC:CC:CC</ac:Value>
<ac:ContextItem Name="IMEI"> <!--New in Windows 10-->
<ac:Value>49015420323756</ac:Value>
<ac:ContextItem Name="EnrollmentType"> <!--New in Windows 10-->
<ac:Value>Full</ac:Value>
<ac:ContextItem Name="DeviceType"> <!—From Windows Phone 8.1-->
<ac:Value>WindowsPhone</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="ApplicationVersion"> <!—From Windows Phone 8.1-->
<ac:Value>10.0.0.0</ac:Value>
</ac:ContextItem>
<ac:ContextItem Name="DeviceID"> <!--From Handheld 8.1 -->
<ac:Value>7BA748C8-703E-4DF2-A74A-92984117346A</ac:Value>
<ac:ContextItem Name="EnrollmentData">
<ac:Value>3J4KLJ9SDJFAL93JLAKHJSDFJHAO83HAKSHFLAHSKFNHNPA2934342</ac:Value>
<ac:ContextItem Name="TargetedUserLoggedIn">
<ac:Value>True</ac:Value>
</ac:AdditionalContext>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>
```
The following example shows the enrollment web service response.
```
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10231
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Fri, 03 Aug 2012 00:32:59 GMT
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:a="http://www.w3.org/2005/08/addressing"
xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<Action s:mustUnderstand="1" >
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep
</Action>
<a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2012-08-02T00:32:59.420Z</u:Created>
<u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
</u:Timestamp>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityTokenResponseCollection
xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<RequestSecurityTokenResponse>
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<RequestedSecurityToken>
<BinarySecurityToken
ValueType=
"http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc"
EncodingType=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
B64EncodedSampleBinarySecurityToken
</BinarySecurityToken>
</RequestedSecurityToken>
<RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0
</RequestID>
</RequestSecurityTokenResponse>
</RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>
```
The following example shows the encoded provisioning XML.
```
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<characteristic type="Root">
<characteristic type="System">
<characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
<parm name="EncodedCertificate" value="B64 encoded cert insert here" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="CertificateStore">
<characteristic type="My" >
<characteristic type="User">
<characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
<parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
</characteristic>
<characteristic type="PrivateKeyContainer"/>
<!-- This tag must be present for XML syntax correctness. -->
</characteristic>
<characteristic type="WSTEP">
<characteristic type="Renew">
<!—If the datatype for ROBOSupport, RenewPeriod, and RetryInterval tags exist, they must be set explicitly. -->
<parm name="ROBOSupport" value="true" datatype="boolean"/>
<parm name="RenewPeriod" value="60" datatype="integer"/>
<parm name="RetryInterval" value="4" datatype="integer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="APPID" value="w7"/>
<parm name="PROVIDER-ID" value="TestMDMServer"/>
<parm name="NAME" value="Microsoft"/>
<parm name="ADDR" value="https://DM.contoso.com:443/omadm/Windows.ashx"/>
<parm name="CONNRETRYFREQ" value="6" />
<parm name="INITIALBACKOFFTIME" value="30000" />
<parm name="MAXBACKOFFTIME" value="120000" />
<parm name="BACKCOMPATRETRYDISABLED" />
<parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
<parm name="SSLCLIENTCERTSEARCHCRITERIA" value=
"Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;amp;Stores=My%5CUser"/>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="CLIENT"/>
<parm name="AAUTHTYPE" value="DIGEST"/>
<parm name="AAUTHSECRET" value="password1"/>
<parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
</characteristic>
<characteristic type="APPAUTH">
<parm name="AAUTHLEVEL" value="APPSRV"/>
<parm name="AAUTHTYPE" value="BASIC"/>
<parm name="AAUTHNAME" value="testclient"/>
<parm name="AAUTHSECRET" value="password2"/>
</characteristic>
</characteristic>
<characteristic type="DMClient"> <!-- In Windows 10, an enrollment server should use DMClient CSP XML to configure DM polling schedules. -->
<characteristic type="Provider">
<!-- ProviderID in DMClient CSP must match to PROVIDER-ID in w7 APPLICATION characteristics -->
<characteristic type="TestMDMServer">
<parm name="UPN" value="UserPrincipalName" datatype="string" />
<characteristic type="Poll">
<parm name="NumberOfFirstRetries" value="8" datatype="integer" />
<parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
<parm name="NumberOfSecondRetries" value="5" datatype="integer" />
<parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
<parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
<!-- Windows 10 supports MDM push for real-time communication. The DM client long term polling schedules retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters.-->
<parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
<parm name="PollOnLogin" value="true" datatype="boolean" />
</characteristic>
<parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
</characteristic>
</characteristic>
</characteristic>
<!-- For Windows 10, we have removed EnterpriseAppManagement from the enrollment
protocol. This configuration service provider is being deprecated for Windows 10. -->
</wap-provisioningdoc>
```
 
@ -0,0 +1,184 @@
---
title: Certificate Renewal
description: The enrolled client certificate expires after a period of use.
MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
ms.assetid: F910C50C-FF67-40B0-AAB0-CA7CE02A9619
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# Certificate Renewal
The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported.
> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered.
 
## In this topic
- [Automatic certificate renewal request](#automatic-certificate-renewal-request)
- [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration)
- [Certificate renewal response](#certificate-renewal-response)
- [Configuration service providers supported during MDM enrollment and certificate renewal](#configuration-service-providers-supported-during-mdm-enrollment-and-certificate-renewal)
<a href="" id="automatic-certificate-renewal"></a>
## Automatic certificate renewal request
In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal.
> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI.
 
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.
For the device that is enrolled with the OnPremise authentication method, for backward compatibility, the default renewal method is user manual certificate renewal. However, for Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal via CertificateStore CSPs ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. For more information about Renew related configuration settings, refer to the CertificateStore configuration service provider.
Unlike manual certificate renewal where there is an additional b64 encoding for PKCS\#7 message content, with automatic renewal, the PKCS\#7 message content isnt b64 encoded separately.
During the automatic certificate renewal process, if the root certificate isnt trusted by the device, the authentication will fail. Make sure using one of device pre-installed root certificates or provision the root cert over a DM session via CertificateStore Configuration Service Provider.
During the automatic certificate renew process, the device will deny HTTP redirect request from the server unless it is the same redirect URL that the user explicitly accepted during the initial MDM enrollment process.
The following example shows the details of an automatic renewal request.
```
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
<s:Header>
<a:Action s:mustUnderstand="1">
http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
<a:MessageID>urn:uuid:61a17f2c-42e9-4a45-9c85-f15c1c8baee8</a:MessageID>
<a:ReplyTo>
<a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
</a:ReplyTo>
<a:To s:mustUnderstand="1">
https://dm.contoso.com/EnrollmentService/DeviceEnrollmentService.svc</a:To>
<o:Security s:mustUnderstand="1" xmlns:o=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<u:Timestamp u:Id="_0">
<u:Created>2011-07-11T19:49:08.579Z</u:Created>
<u:Expires>2011-07-11T19:54:08.579Z</u:Expires>
</u:Timestamp>
<o:UsernameToken u:Id="uuid-2a734df6-b227-4e60-82a8-ed53c574b718-5">
<o:Username>user@contoso.com</o:Username>
<o:Password o:Type=
"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
</o:Password>
</o:UsernameToken>
</o:Security>
</s:Header>
<s:Body>
<RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
<TokenType>
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
</TokenType>
<RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</RequestType>
<BinarySecurityToken
ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7"
EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
BinarySecurityTokenInsertedHere
</BinarySecurityToken>
<AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
<ContextItem Name="DeviceType">
<Value>WindowsPhone</Value>
</ContextItem>
<ContextItem Name="ApplicationVersion">
<Value>5.0.7616.0</Value>
</ContextItem>
</AdditionalContext>
</RequestSecurityToken>
</s:Body>
</s:Envelope>
```
<a href="" id="certificate-renewal-schedule"></a>
## Certificate renewal schedule configuration
In Windows, the renewal period can only be set during the MDM enrollment phase. Windows supports a certificate renewal period and renewal failure retry to be configurable by both MDM enrollment server and later by the MDM management server using CertificateStore CSPs RenewPeriod and RenewInterval nodes. The device could retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, instead of only reminding the user once, the Windows device will remind the user with a prompt dialog at every renewal retry time until the certificate is expired.
For more information about the parameters, see the CertificateStore configuration service provider.
Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week.
> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval.
> For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design.
 
## Certificate renewal response
When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment):
- The signature of the PKCS\#7 BinarySecurityToken is correct
- The clients certificate is in the renewal period
- The certificate was issued by the enrollment service
- The requester is the same as the requester for initial enrollment
- For standard clients request, the client hasnt been blocked
After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA.
> **Note**  The HTTP server response must not be chunked; it must be sent as one message.
The following example shows the details of an certificate renewal response.
```
<wap-provisioningdoc version="1.1">
<characteristic type="CertificateStore">
<!-- Root certificate provision is only needed here if it is not in the device already --> <characteristic type="Root">
<characteristic type="System">
<characteristic type="EncodedRootCertHashInsertedHere ">
<parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
</characteristic>
</characteristic>
</characteristic>
<characteristic type="My" >
<characteristic type="User">
<characteristic type="EncodedClientCertHashInsertedHere">
<parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
<characteristic type="PrivateKeyContainer"/>
</characteristic>
</characteristic>
</characteristic>
</characteristic>
<characteristic type="APPLICATION">
<parm name="PROVIDER-ID" value="TestMDMServer"/>
</characteristic>
</wap-provisioningdoc>
```
> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time.
 
<a href="" id="csp-support-during-enrollment-and-renewal"></a>
## Configuration service providers supported during MDM enrollment and certificate renewal
The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore
- w7 APPLICATION
- DMClient
- EnterpriseAppManagement
 
@ -0,0 +1,637 @@
---
title: CertificateStore CSP
description: CertificateStore CSP
ms.assetid: 0fe28629-3cc3-42a0-91b3-3624c8462fd3
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# CertificateStore CSP
The CertificateStore configuration service provider is used to add secure socket layers (SSL), intermediate, and self-signed certificates.
> **Note**   The CertificateStore configuration service provider does not support installing client certificates.
 
For the CertificateStore CSP, you cannot use the Replace command unless the node already exists.
The following diagram shows the CertificateStore configuration service provider management object in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
![provisioning\-csp\-certificatestore](images/provisioning-csp-certificatestore.png)
<a href="" id="root-system"></a>**Root/System**
Defines the certificate store that contains root, or self-signed, certificates.
Supported operation is Get.
> **Note**  Root/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing root certificates.
 
<a href="" id="ca-system"></a>**CA/System**
Defines the certificate store that contains cryptographic information, including intermediary certification authorities.
Supported operation is Get.
> **Note**  CA/System is case sensitive. Please use the RootCATrustedCertificates CSP moving forward for installing CA certificates.
 
<a href="" id="my-user"></a>**My/User**
Defines the certificate store that contains public keys for client certificates. This is only used by enterprise servers to push down the public key of a client certificate. The client certificate is used by the device client to authenticate itself to the enterprise server for device management and downloading enterprise applications.
Supported operation is Get.
> **Note**  My/User is case sensitive.
 
<a href="" id="my-system"></a>**My/System**
Defines the certificate store that contains public key for client certificate. This is only used by enterprise server to push down the public key of the client cert. The client cert is used by the device to authenticate itself to the enterprise server for device management and enterprise app downloading.
Supported operation is Get.
> **Note**  My/System is case sensitive.
 
<a href="" id="certhash"></a>***CertHash***
Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
Supported operations are Get, Delete, and Replace.
<a href="" id="certhash-encodedcertificate"></a>***CertHash*/EncodedCertificate**
Required. Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="certhash-issuedby"></a>***CertHash*/IssuedBy**
Required. Returns the name of the certificate issuer. This is equivalent to the *Issuer* member in the CERT\_INFO data structure.
Supported operation is Get.
<a href="" id="certhash-issuedto"></a>***CertHash*/IssuedTo**
Required. Returns the name of the certificate subject. This is equivalent to the *Subject* member in the CERT\_INFO data structure.
Supported operation is Get.
<a href="" id="certhash-validfrom"></a>***CertHash*/ValidFrom**
Required. Returns the starting date of the certificate's validity. This is equivalent to the *NotBefore* member in the CERT\_INFO structure.
Supported operation is Get.
<a href="" id="certhash-validto"></a>***CertHash*/ValidTo**
Required. Returns the expiration date of the certificate. This is equivalent to the *NotAfter* member in the CERT\_INFO structure.
Supported operation is Get.
<a href="" id="certhash-templatename"></a>***CertHash*/TemplateName**
Required. Returns the certificate template name.
Supported operation is Get.
<a href="" id="my-scep"></a>**My/SCEP**
Required for Simple Certificate Enrollment Protocol (SCEP) certificate enrollment. The parent node grouping the SCEP certificate related settings.
Supported operation is Get.
> **Note**  Please use the ClientCertificateInstall CSP to install SCEP certificates moving forward. All enhancements to SCEP will happen in that CSP.
 
<a href="" id="my-scep-uniqueid"></a>**My/SCEP/****_UniqueID_**
Required for SCEP certificate enrollment. A unique ID to differentiate certificate enrollment requests. Format is node.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="my-scep-uniqueid-install"></a>**My/SCEP/*UniqueID*/Install**
Required for SCEP certificate enrollment. Parent node to group SCEP certificate install related request. Format is node.
Supported operations are Add, Replace, and Delete.
> **Note**   Though the children nodes under Install support Replace commands, after the Exec command is sent to the device, the device takes the values that are set when the Exec command is accepted. You should not expect the node value change that occurs after the Exec command is accepted to impact the current undergoing enrollment. You should check the Status node value and make sure that the device is not at an unknown stage before changing the children node values.
 
<a href="" id="my-scep-uniqueid-install-serverurl"></a>**My/SCEP/*UniqueID*/Install/ServerURL**
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by a semicolon. Value type is string.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-challenge"></a>**My/SCEP/*UniqueID*/Install/Challenge**
Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Value type is chr.
Supported operations are Get, Add, Replace, and Delete.
Challenge will be deleted shortly after the Exec command is accepted.
<a href="" id="my-scep-uniqueid-install-ekumapping"></a>**My/SCEP/*UniqueID*/Install/EKUMapping**
Required. Specifies the extended key usages and subject to SCEP server configuration. The list of OIDs are separated by a plus sign **+**, such as OID1+OID2+OID3. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-keyusage"></a>**My/SCEP/*UniqueID*/Install/KeyUsage**
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or fourth (0x80) or both bits set. If the value does not have those bits set, configuration will fail. Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-subjectname"></a>**My/SCEP/*UniqueID*/Install/SubjectName**
Required. Specifies the subject name. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-keyprotection"></a>**My/SCEP/*UniqueID*/Install/KeyProtection**
Optional. Specifies the location of the private key. Although the private key is protected by TPM, it is not protected with TPM PIN. SCEP enrolled certificate does not support TPM PIN protection.
Supported values are one of the following:
- 1 Private key is protected by device TPM.
- 2 Private key is protected by device TPM if the device supports TPM.
- 3 (default) Private key is only saved in the software KSP.
Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-retrydelay"></a>**My/SCEP/*UniqueID*/Install/RetryDelay**
Optional. Specifies the device retry waiting time in minutes when the SCEP server sends the pending status. Default value is 5 and the minimum value is 1. Value type is an integer.
Supported operations are Get, Add, and Delete.
<a href="" id="my-scep-uniqueid-install-retrycount"></a>**My/SCEP/*UniqueID*/Install/RetryCount**
Optional. Special to SCEP. Specifies the device retry times when the SCEP server sends pending status. Value type is an integer. Default value is 3. Max value cannot be larger than 30. If it is larger than 30, the device will use 30. The min value is 0, which means no retry.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-templatename"></a>**My/SCEP/*UniqueID*/Install/TemplateName**
Optional. OID of certificate template name. Note that this name is typically ignored by the SCEP server; therefore, the MDM server typically does not need to provide it. Value type is chr.
Supported operations are Get, Add, and Delete.
<a href="" id="my-scep-uniqueid-install-keylength"></a>**My/SCEP/*UniqueID*/Install/KeyLength**
Required for enrollment. Specify private key length (RSA). Value type is an integer. Valid values are 1024, 2048, 4096. NGC key lengths supported should be specified.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-hashalgorithm"></a>**My/SCEP/*UniqueID*/Install/HashAlgorithm**
Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated with +.
Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-cathumbprint"></a>**My/SCEP/*UniqueID*/Install/CAThumbprint**
Required. Specifies the root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks CA certificate from SCEP server for a match with this certificate. If it does not match, the authentication fails. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-subjectalternativenames"></a>**My/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
Optional. Specifies the subject alternative name. Multiple alternative names can be specified. Each name is the combination of name format+actual name. Refer to the name type definition in MSDN. Each pair is separated by semicolon. For example, multiple subject alternative names are presented in the format *&lt;nameformat1&gt;*+*&lt;actual name1&gt;*;*&lt;name format 2&gt;*+*&lt;actual name2&gt;*. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
<a href="" id="my-scep-uniqueid-install-validperiod"></a>**My/SCEP/*UniqueID*/Install/ValidPeriod**
Optional. Specifies the units for the valid period. Value type is chr.
Supported operations are Get, Add, Delete, and Replace.
Valid values are one of the following:
- Days (default)
- Months
- Years
> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
 
<a href="" id="my-scep-uniqueid-install-validperiodunits"></a>**My/SCEP/*UniqueID*/Install/ValidPeriodUnits**
Optional. Specifies desired number of units used in validity period and subject to SCEP server configuration. Default is 0. The units are defined in ValidPeriod node. The valid period specified by MDM overwrites the valid period specified in the certificate template. For example, if ValidPeriod is days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Value type is an integer.
Supported operations are Get, Add, Delete, and Replace.
> **Note**   The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) of the SCEP server as part of certificate enrollment request. How this valid period is used to create the certificate depends on the MDM server.
 
<a href="" id="my-scep-uniqueid-install-enroll"></a>**My/SCEP/*UniqueID*/Install/Enroll**
Required. Triggers the device to start the certificate enrollment. The MDM server can later query the device to find out whether the new certificate is added. Value type is null, which means that this node does not contain a value.
Supported operation is Exec.
<a href="" id="my-wstep-certthumbprint"></a>**My/WSTEP/CertThumbprint**
Optional. Returns the current MDM client certificate thumbprint. If renewal succeeds, it shows the renewed certificate thumbprint. If renewal fails or is in progress, it shows the thumbprint of the cert that needs to be renewed. Value type is chr.
Supported operation is Get.
<a href="" id="my-scep-uniqueid-status"></a>**My/SCEP/*UniqueID*/Status**
Required. Specifies the latest status for the certificate due to enrollment request. Value type is chr.
Supported operation is Get.
Valid values are one of the following:
- 1 Finished successfully.
- 2 Pending. The device has not finished the action, but has received the SCEP server pending response.
- 16 - Action failed.
- 32 Unknown.
<a href="" id="my-scep-uniqueid-errorcode"></a>**My/SCEP/*UniqueID*/ErrorCode**
Optional. The integer value that indicates the HRESULT of the last enrollment error code.
Supported operation is Get.
<a href="" id="my-scep-uniqueid-certthumbprint"></a>**My/SCEP/*UniqueID*/CertThumbprint**
Optional. Specifies the current certificate thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Value type is chr.
Supported operation is Get.
<a href="" id="my-scep-uniqueid-respondentserverurl"></a>**My/SCEP/*UniqueID*/RespondentServerUrl**
Required. Returns the URL of the SCEP server that responded to the enrollment request. Value type is string.
Supported operation is Get.
<a href="" id="my-wstep"></a>**My/WSTEP**
Required for MDM enrolled device. The parent node that hosts the MDM enrollment client certificate related settings that is enrolled via WSTEP. The nodes under WSTEP are mostly for MDM client certificate renew requests. Value type is node.
Supported operation is Get.
<a href="" id="my-wstep-renew"></a>**My/WSTEP/Renew**
Optional. The parent node to group renewal related settings.
Supported operation is Get.
<a href="" id="my-wstep-renew-serverurl"></a>**My/WSTEP/Renew/ServerURL**
Optional. Specifies the URL of certificate renewal server. If this node does not exist, the client uses the initial certificate enrollment URL.
> **Note**  The renewal process follows the same steps as device enrollment, which means that it starts with Discovery service, followed by Enrollment policy service, and then Enrollment web service.
 
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="my-wstep-renew-renewalperiod"></a>**My/WSTEP/Renew/RenewalPeriod**
Optional. The time (in days) to trigger the client to initiate the MDM client certificate renew process before the MDM certificate expires. The MDM server cannot set and update the renewal period. This parameter applies to both manual certificate renewal and request on behalf of (ROBO) certificate renewal. It is recommended that the renew period is set a couple of months before the certificate expires to ensure that the certificate gets renewed successfully with data connectivity.
The default value is 42 and the valid values are 1 1000. Value type is an integer.
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
 
<a href="" id="my-wstep-renew-retryinterval"></a>**My/WSTEP/Renew/RetryInterval**
Optional. Specifies the retry interval (in days) when the previous renewal failed. It applies to both manual certificate renewal and ROBO automatic certificate renewal. The retry schedule stops at the certificate expiration date.
For ROBO renewal failure, the client retries the renewal periodically until the device reaches the certificate expiration date. This parameter specifies the waiting period for ROBO renewal retries.
For manual retry failure, there are no built-in retries. The user can retry later. At the next scheduled certificate renewal retry period, the device prompts the credential dialog again.
The default value is 7 and the valid values are 1 1000 AND =&lt; RenewalPeriod, otherwise it will result in errors. Value type is an integer.
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
 
<a href="" id="my-wstep-renew-robosupport"></a>**My/WSTEP/Renew/ROBOSupport**
Optional. Notifies the client if the MDM enrollment server supports ROBO auto certificate renewal. Value type is bool.
ROBO is the only supported renewal method for Windows 10. This value is ignored and always considered to be true.
Supported operations are Add, Get, Delete, and Replace.
> **Note**   When you set the renewal schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, you must wrap them in Atomic commands.
 
<a href="" id="my-wstep-renew-status"></a>**My/WSTEP/Renew/Status**
Required. Shows the latest action status for this certificate. Value type is an integer.
Supported operation is Get.
Supported values are one of the following:
- 0 Not started.
- 1 Renewal in progress.
- 2 Renewal succeeded.
- 3 Renewal failed.
<a href="" id="my-wstep-renew-errorcode"></a>**My/WSTEP/Renew/ErrorCode**
Optional. If certificate renewal fails, this integer value indicates the HRESULT of the last error code during the renewal process. Value type is an integer.
Supported operation is Get.
<a href="" id="my-wstep-renew-lastrenewalattempttime"></a>**My/WSTEP/Renew/LastRenewalAttemptTime**
Added in Windows 10, version 1607. Time of the last attempted renewal.
Supported operation is Get.
<a href="" id="my-wstep-renew-renewnow"></a>**My/WSTEP/Renew/RenewNow**
Added in Windows 10, version 1607. Initiates a renewal now.
Supported operation is Execute.
<a href="" id="my-wstep-renew-retryafterexpiryinterval"></a>**My/WSTEP/Renew/RetryAfterExpiryInterval**
Added in Windows 10, version 1703. How long after the enrollment certificate has expired before trying to renew.
Supported operations are Add, Get, and Replace.
## Examples
Add a root certificate to the MDM server.
``` syntax
<Add>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedhere>/EncodedCertificate
</LocURI>
</Target>
<Data>B64EncodedCertInsertedHere</Data>
<Meta>
<Format xmlns="syncml:metinf">b64</Format>
</Meta>
</Item>
</Add>
```
Get all installed client certificates.
``` syntax
<Get>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/My/User?list=StructData
</LocURI>
</Target>
</Item>
</Get>
```
Delete a root certificate.
``` syntax
<Delete>
<CmdID>1</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedHere>
</LocURI>
</Target>
</Item>
</Delete>
```
Configure the device to enroll a client certificate through SCEP.
``` syntax
<Atomic>
<CmdID>100</CmdID>
<Add>
<CmdID>1</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Add>
<CmdID>2</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryCount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>3</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>4</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyUsage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>160</Data>
</Item>
</Add>
<Add>
<CmdID>5</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1024</Data>
</Item>
</Add>
<Add>
<CmdID>6</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/HashAlgorithm</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SHA-1</Data>
</Item>
</Add>
<Add>
<CmdID>7</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CN=AnnaLee</Data>
</Item>
</Add>
<Add>
<CmdID>8</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectAlternativeNames</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>11+tom@MyDomain.Contoso.com;3+MyDomain.Contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>9</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriod</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Years</Data>
</Item>
</Add>
<Add>
<CmdID>10</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriodUnits</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>11</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/EKUMapping</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2</Data>
</Item>
</Add>
<Add>
<CmdID>12</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyProtection</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Add>
<CmdID>13</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ServerURL</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>https://contoso.com/certsrv/ctcep.dll</Data>
</Item>
</Add>
<Add>
<CmdID>14</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Challenge</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>ChallengeInsertedHere</Data>
</Item>
</Add>
<Add>
<CmdID>15</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/CAThumbprint</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CAThumbprintInsertedHere</Data>
</Item>
</Add>
<Exec>
<CmdID>16</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/Enroll</LocURI>
</Target>
</Item>
</Exec>
</Atomic>
```
Configure the device to automatically renew an MDM client certificate with the specified renew period and retry interval.
``` syntax
<Atomic>
<CmdID>1</CmdID>
<Replace>
<CmdID>2</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/ROBOSupport</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Replace>
<Replace>
<CmdID>3</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RenewPeriod</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>60</Data>
</Item>
</Replace>
<Replace>
<CmdID>4</CmdID>
<Item>
<Target><LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RetryInterval</LocURI></Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>4</Data>
</Item>
</Replace>
</Atomic>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -0,0 +1,30 @@
---
title: CleanPC CSP
description: The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# CleanPC CSP
The CleanPC configuration service provider (CSP) allows removal of user-installed and pre-installed applications, with the option to persist user data. This CSP was added in Windows 10, version 1703.
The following diagram shows the CleanPC configuration service provider in tree format.
![CleanPC csp diagram](images/provisioning-csp-cleanpc.png)
<a href="" id="--device-vendor-msft-cleanpc"></a>**./Device/Vendor/MSFT/CleanPC**
<p style="margin-left: 20px">The root node for the CleanPC configuration service provider.</p>
<a href="" id="cleanpcwithoutretaininguserdata"></a>**CleanPCWithoutRetainingUserData**
<p style="margin-left: 20px">An integer specifying a CleanPC operation without any retention of user data.
<p style="margin-left: 20px">The only supported operation is Execute.
<a href="" id="cleanpcwithoutretaininguserdata"></a>**CleanPCRetainingUserData**
<p style="margin-left: 20px">An integer specifying a CleanPC operation with retention of user data.
<p style="margin-left: 20px">The only supported operation is Execute.


@ -0,0 +1,105 @@
---
title: CleanPC DDF
description: This topic shows the OMA DM device description framework (DDF) for the CleanPC configuration service provider. DDF files are used only with OMA DM provisioning XML.
ms.assetid: A2182898-1577-4675-BAE5-2A3A9C2AAC9B
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# CleanPC DDF
This topic shows the OMA DM device description framework (DDF) for the **CleanPC** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>CleanPC</NodeName>
<Path>./Device/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Allow removal of user installed and pre-installed applications, with option to persist user data</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/CleanPC</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName>CleanPCWithoutRetainingUserData</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation without any retention of User data</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>CleanPCRetainingUserData</NodeName>
<DFProperties>
<AccessType>
<Exec />
</AccessType>
<Description>CleanPC operation with retention of User data</Description>
<DFFormat>
<int />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</MgmtTree>
```
 
 


@ -0,0 +1,672 @@
---
title: ClientCertificateInstall CSP
description: ClientCertificateInstall CSP
ms.assetid: B624EB73-2972-47F2-9D7E-826D641BF8A7
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# ClientCertificateInstall CSP
The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates.
For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block.
> **Note**  
Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue.
You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
The following image shows the ClientCertificateInstall configuration service provider in tree format.
![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png)
<a href="" id="device-or-user"></a>**Device or User**
<p style="margin-left: 20px">For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path.
<a href="" id="clientcertificateinstall"></a>**ClientCertificateInstall**
<p style="margin-left: 20px">The root node for the ClientCertificateInstaller configuration service provider.
<a href="" id="clientcertificateinstall-pfxcertinstall"></a>**ClientCertificateInstall/PFXCertInstall**
<p style="margin-left: 20px">Required for PFX certificate installation. The parent node grouping the PFX certificate related settings.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid"></a>**ClientCertificateInstall/PFXCertInstall/****_UniqueID_**
<p style="margin-left: 20px">Required for PFX certificate installation. A unique ID to differentiate different certificate install requests.
<p style="margin-left: 20px">The data type format is node.
<p style="margin-left: 20px">Supported operations are Get, Add, and Delete .
<p style="margin-left: 20px">Calling Delete on this node should delete the certificates and the keys that were installed by the corresponding PFX blob.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-keylocation"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/KeyLocation**
<p style="margin-left: 20px">Required for PFX certificate installation. Indicates the KeyStorage provider to target the private key installation to.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------------------|
| 1 | Install to TPM if present, fail if not present. |
| 2 | Install to TPM if present. If not present, fallback to software. |
| 3 | Install to software. |
| 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified |
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-containername"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName**
<p style="margin-left: 20px">ptional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail.
<p style="margin-left: 20px">Date type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertblob"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertBlob**
<p style="margin-left: 20px">CRYPT\_DATA\_BLOB structure that contains a PFX packet with the exported and encrypted certificates and keys. The Add operation triggers the addition to the PFX certificate. This requires that all the other nodes under UniqueID that are parameters for PFX installation (Container Name, KeyLocation, CertPassword, KeyExportable) are present before this is called. This also sets the Status node to the current Status of the operation.
<p style="margin-left: 20px">The data type format is binary.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<p style="margin-left: 20px">If a blob already exists, the Add operation will fail. If Replace is called on this node, the existing certificates are overwritten.
<p style="margin-left: 20px">If Add is called on this node for a new PFX, the certificate will be added. When a certificate does not exist, Replace operation on this node will fail.
<p style="margin-left: 20px">In other words, using Replace or Add will result in the effect of either overwriting the old certificate or adding a new certificate CRYPT\_DATA\_BLOB, which can be found in [CRYPT\_INTEGER\_BLOB](http://go.microsoft.com/fwlink/p/?LinkId=523871).
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpassword"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPassword**
<p style="margin-left: 20px">Password that protects the PFX blob. This is required if the PFX is password protected.
<p style="margin-left: 20px">Data Type is a string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptiontype"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionType**
<p style="margin-left: 20px">Optional. Used to specify whtether the PFX certificate password is encrypted with the MDM certificate by the MDM sever.
<p style="margin-left: 20px">The data type is int. Valid values:
- 0 - Password is not encrypted.
- 1 - Password is encrypted with the MDM certificate.
- 2 - Password is encrypted with custom certificate.
<p style="margin-left: 20px">When PFXCertPasswordEncryptionType =2, you must specify the store name in PFXCertPasswordEncryptionStore setting.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxkeyexportable"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable**
<p style="margin-left: 20px">Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM.
> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail.
 
<p style="margin-left: 20px">The data type bool.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-thumbprint"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Thumbprint**
<p style="margin-left: 20px">Returns the thumbprint of the installed PFX certificate.
<p style="margin-left: 20px">The datatype is a string.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-status"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Returns the error code of the PFX installation from the GetLastError command called after the PfxImportCertStore.
<p style="margin-left: 20px">Data type is an integer.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="clientcertificateinstall-pfxcertinstall-uniqueid-pfxcertpasswordencryptionstore"></a>**ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXCertPasswordEncryptionStore**
<p style="margin-left: 20px">Added in Windows 10, version 1511. When PFXCertPasswordEncryptionType = 2, it specifies the store name of the certificate used for decrypting the PFXCertPassword.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep"></a>**ClientCertificateInstall/SCEP**
<p style="margin-left: 20px">Node for SCEP.
> **Note**  An alert is sent after the SCEP certificate is installed.
 
<a href="" id="clientcertificateinstall-scep-uniqueid"></a>**ClientCertificateInstall/SCEP/****_UniqueID_**
<p style="margin-left: 20px">A unique ID to differentiate different certificate installation requests.
<p style="margin-left: 20px">Supported operations are Get, Add, Replace, and Delete.
<a href="" id="clientcertificateinstall-scep-uniqueid-install"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install**
<p style="margin-left: 20px">A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests.
<p style="margin-left: 20px">Supported operations are Get, Add, Replace, and Delete.
> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values.
 
<a href="" id="clientcertificateinstall-scep-uniqueid-install-serverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Get, Add, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-challenge"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Challenge**
<p style="margin-left: 20px">Required for SCEP certificate enrollment. B64 encoded SCEP enrollment challenge. Challenge is deleted shortly after the Exec command is accepted.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-ekumapping"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/EKUMapping**
<p style="margin-left: 20px">Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus **+**. For example, *OID1*+*OID2*+*OID3*.
Data type is string.
<p style="margin-left: 20px">Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesnt have those bits set, the configuration will fail.
<p style="margin-left: 20px">Data type is int.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
<p style="margin-left: 20px">Required. Specifies the subject name.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyprotection"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection**
<p style="margin-left: 20px">Optional. Specifies where to keep the private key.
> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN.
 
<p style="margin-left: 20px">The data type is an integer corresponding to one of the following values:
| Value | Description |
|-------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 1 | Private key protected by TPM. |
| 2 | Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. |
| 3 | (Default) Private key saved in software KSP. |
| 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specifed, otherwise enrollment will fail. |
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
<p style="margin-left: 20px">Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
<p style="margin-left: 20px">Data type format is an integer.
<p style="margin-left: 20px">The default value is 5.
<p style="margin-left: 20px">The minimum value is 1.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrycount"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryCount**
<p style="margin-left: 20px">Optional. Unique to SCEP. Specifies the device retry times when the SCEP server sends a pending status.
<p style="margin-left: 20px">Data type is integer.
<p style="margin-left: 20px">Default value is 3.
<p style="margin-left: 20px">Maximum value is 30. If the value is larger than 30, the device will use 30.
<p style="margin-left: 20px">Minimum value is 0, which indicates no retry.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-templatename"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName**
<p style="margin-left: 20px">Optional. OID of certificate template name.
> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesnt need to provide it.
 
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keylength"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyLength**
<p style="margin-left: 20px">Required for enrollment. Specify private key length (RSA).
<p style="margin-left: 20px">Data type is integer.
<p style="margin-left: 20px">Valid values are 1024, 2048, and 4096.
<p style="margin-left: 20px">For Windows Hello for Business (formerly known as Microsoft Passport for Work) , only 2048 is the supported key length.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-hashalgorithm"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/HashAlgorithm**
<p style="margin-left: 20px">Required. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by MDM server. If multiple hash algorithm families are specified, they must be separated with **+**.
<p style="margin-left: 20px">For Windows Hello for Business, only SHA256 is the supported algorithm.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-cathumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CAThumbprint**
<p style="margin-left: 20px">Required. Specifies Root CA thumbprint. This is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When client authenticates the SCEP server, it checks the CA certificate from the SCEP server to verify a match with this certificate. If it is not a match, the authentication will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectalternativenames"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectAlternativeNames**
<p style="margin-left: 20px">Optional. Specifies subject alternative names (SAN). Multiple alternative names can be specified by this node. Each name is the combination of name format+actual name. Refer to the name type definitions in MSDN for more information.
<p style="margin-left: 20px">Each pair is separated by semicolon. For example, multiple SANs are presented in the format of *\[name format1\]*+*\[actual name1\]*;*\[name format 2\]*+*\[actual name2\]*.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiod"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriod**
<p style="margin-left: 20px">Optional. Specifies the units for the valid certificate period.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Valid values are:
- Days (Default)
- Months
- Years
> **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-validperiodunits"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits**
<p style="margin-left: 20px">Optional. Specifies the desired number of units used in the validity period. This is subject to SCEP server configuration. Default value is 0. The unit type (days, months, or years) are defined in the ValidPeriod node. Note the valid period specified by MDM will overwrite the valid period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days.
<p style="margin-left: 20px">Data type is string.
>**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate.
 
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-containername"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName**
<p style="margin-left: 20px">Optional. Specifies the Windows Hello for Business container name (if Windows Hello for Business KSP is chosen for the node). If this node is not specified when Windows Hello for Business KSP is chosen, the enrollment will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-customtexttoshowinprompt"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/CustomTextToShowInPrompt**
<p style="margin-left: 20px">Optional. Specifies the custom text to show on the Windows Hello for Business PIN prompt during certificate enrollment. The admin can choose to provide more contextual information in this field for why the user needs to enter the PIN and what the certificate will be used for.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-enroll"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/Enroll**
<p style="margin-left: 20px">Required. Triggers the device to start the certificate enrollment. The device will not notify MDM server after certificate enrollment is done. The MDM server could later query the device to find out whether new certificate is added.
<p style="margin-left: 20px">The date type format is Null, meaning this node doesnt contain a value.
<p style="margin-left: 20px">The only supported operation is Execute.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-aadkeyidentifierlist"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/AADKeyIdentifierList**
<p style="margin-left: 20px">Optional. Specify the AAD Key Identifier List as a list of semicolon separated values. On Enroll, the values in this list are validated against the AAD Key present on the device. If no match is found, enrollment will fail.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-certthumbprint"></a>**ClientCertificateInstall/SCEP/*UniqueID*/CertThumbprint**
<p style="margin-left: 20px">Optional. Specifies the current certificates thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value.
<p style="margin-left: 20px">If the certificate on the device becomes invalid (Cert expired, Cert chain is not valid, private key deleted) then it will return an empty string.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-status"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Status**
<p style="margin-left: 20px">Required. Specifies latest status of the certificated during the enrollment request.
<p style="margin-left: 20px">Data type is string. Valid values:
<p style="margin-left: 20px">The only supported operation is Get.
| Value | Description |
|-------|---------------------------------------------------------------------------------------------------|
| 1 | Finished successfully |
| 2 | Pending (the device hasnt finished the action but has received the SCEP server pending response) |
| 16 | Action failed |
| 32 | Unknown |
 
<a href="" id="clientcertificateinstall-scep-uniqueid-errorcode"></a>**ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode**
<p style="margin-left: 20px">Optional. An integer value that indicates the HRESULT of the last enrollment error code.
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="clientcertificateinstall-scep-uniqueid-respondentserverurl"></a>**ClientCertificateInstall/SCEP/*UniqueID*/RespondentServerUrl**
<p style="margin-left: 20px">Required. Returns the URL of the SCEP server that responded to the enrollment request.
<p style="margin-left: 20px">Data type is string.
<p style="margin-left: 20px">The only supported operation is Get.
## Example
Enroll a client certificate through SCEP.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Atomic>
<Add>
<CmdID>301</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere></LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">node</Format>
</Meta>
</Item>
</Add>
<Add>
<CmdID>302</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/RetryCount</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>303</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/RetryDelay</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>304</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyUsage</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>160</Data>
</Item>
</Add>
<Add>
<CmdID>305</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyLength</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1024</Data>
</Item>
</Add>
<Add>
<CmdID>306</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/HashAlgorithm</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>SHA-1</Data>
</Item>
</Add>
<Add>
<CmdID>307</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/SubjectName</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>CN=ContosoCSP</Data>
</Item>
</Add>
<Add>
<CmdID>308</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/SubjectAlternativeNames</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data></Data>
</Item>
</Add>
<Add>
<CmdID>309</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ValidPeriod</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Years</Data>
</Item>
</Add>
<Add>
<CmdID>310</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ValidPeriodUnits</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>311</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/EKUMapping</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1.3.6.1.4.1.311.10.3.12+1.3.6.1.4.1.311.10.3.4+1.3.6.1.4.1.311.20.2.2+1.3.6.1.5.5.7.3.2</Data>
</Item>
</Add>
<Add>
<CmdID>312</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/KeyProtection</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>3</Data>
</Item>
</Add>
<Add>
<CmdID>313$</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/ServerURL</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>http://constoso.com/certsrv/mscep/mscep.dll</Data>
</Item>
</Add>
<Add>
<CmdID>314</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/Challenge</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>1234CB055B7EBF384A9486A22B7559A5</Data>
</Item>
</Add>
<Add>
<CmdID>315</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/CAThumbprint</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>12345087E648875D1DF5D9F9FF89DD10</Data>
</Item>
</Add>
<Exec>
<CmdID>316</CmdID>
<Item>
<Target>
<LocURI>./Device/Vendor/MSFT/ClientCertificateInstall/SCEP/<InsertUniqueIDHere>/Install/Enroll</LocURI>
</Target>
</Item>
</Exec>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store.
``` syntax
<SyncML>
<SyncBody>
<Delete>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C</LocURI>
</Target>
</Item>
</Delete>
<Atomic>
<CmdID>$CmdID$</CmdID>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/KeyLocation</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertBlob</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Base64_Encode_Cert_Blob</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPassword</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>Base64Encoded_Encrypted_Password_Blog</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionType</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
</Meta>
<Data>2</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXCertPasswordEncryptionStore</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">chr</Format>
</Meta>
<Data>My</Data>
</Item>
</Add>
<Add>
<CmdID>$CmdID$</CmdID>
<Item>
<Target>
<LocURI>./User/Vendor/MSFT/ClientCertificateInstall/PFXCertInstall/813A171D7341E1DA90D4A01878DD5328D351900C/PFXKeyExportable</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">bool</Format>
</Meta>
<Data>true</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 
@ -0,0 +1,314 @@
---
title: CM\_CellularEntries CSP
description: CM\_CellularEntries CSP
ms.assetid: f8dac9ef-b709-4b76-b6f5-34c2e6a3c847
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# CM\_CellularEntries CSP
The CM\_CellularEntries configuration service provider is used to configure the General Packet Radio Service (GPRS) entries on the device. It defines each GSM data access point.
> [!Note]
> Starting in the next major update to Windows 10, the CM\_CellularEntries CSP is supported in Windows 10 Home, Pro, Enterprise, and Education editions.
This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application.
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png)
<a href="" id="entryname"></a>**_entryname_**
<p style="margin-left: 20px">Defines the name of the connection.</p>
<p style="margin-left: 20px">The [CMPolicy configuration service provider](cmpolicy-csp.md) uses the value of *entryname* to identify the connection that is associated with a policy and [CM\_ProxyEntries configuration service provider](cm-proxyentries-csp.md) uses the value of *entryname* to identify the connection that is associated with a proxy.</p>
<a href="" id="alwayson"></a>**AlwaysOn**
<p style="margin-left: 20px">Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available.
<p style="margin-left: 20px">A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS.
<p style="margin-left: 20px">A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs.
<p style="margin-left: 20px">There must be at least one AlwaysOn Internet connection provisioned for the mobile operator.
<a href="" id="authtype"></a>**AuthType**
<p style="margin-left: 20px">Optional. Type: String. Specifies the method of authentication used for a connection.
<p style="margin-left: 20px">A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None".
<a href="" id="connectiontype"></a>**ConnectionType**
<p style="margin-left: 20px">Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
<table style="margin-left: 20px"><table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<tbody>
<tr class="odd">
<td><p>gprs</p></td>
<td><p>Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).</p></td>
</tr>
<tr class="even">
<td><p>cdma</p></td>
<td><p>Used for CDMA type connections (1XRTT + EVDO).</p></td>
</tr>
<tr class="odd">
<td><p>lte</p></td>
<td><p>Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.</p></td>
</tr>
<tr class="even">
<td><p>legacy</p></td>
<td><p>Used for GPRS + GSM + EDGE + UMTS connections.</p></td>
</tr>
<tr class="odd">
<td><p>lte_iwlan</p></td>
<td><p>Used for GPRS type connections that may be offloaded over WiFi</p></td>
</tr>
<tr class="even">
<td><p>iwlan</p></td>
<td><p>Used for connections that are implemented over WiFi offload only</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="desc-langid"></a>**Desc.langid**
<p style="margin-left: 20px">Optional. Specifies the UI display string used by the defined language ID.
<p style="margin-left: 20px"> A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as `Desc.0409` with a value of `"GPRS Connection"` will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no **Desc** parameter is provisioned for a given language, the system will default to the name used to create the entry.
<a href="" id="enabled"></a>**Enabled**
<p style="margin-left: 20px"> Specifies if the connection is enabled.
<p style="margin-left: 20px"> A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled.
<a href="" id="ipheadercompression"></a>**IpHeaderCompression**
<p style="margin-left: 20px"> Optional. Specifies if IP header compression is enabled.
<p style="margin-left: 20px"> A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled.
<a href="" id="password"></a>**Password**
<p style="margin-left: 20px"> Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN.
<a href="" id="swcompression"></a>**SwCompression**
<p style="margin-left: 20px"> Optional. Specifies if software compression is enabled.
<p style="margin-left: 20px"> A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled.
<a href="" id="username"></a>**UserName**
<p style="margin-left: 20px"> Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN.
<a href="" id="userequiresmappingspolicy"></a>**UseRequiresMappingsPolicy**
<p style="margin-left: 20px"> Optional. Specifies if the connection requires a corresponding mappings policy.
<p style="margin-left: 20px"> A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present.
<p style="margin-left: 20px"> For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
<a href="" id="version"></a>**Version**
<p style="margin-left: 20px"> Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider.
<p style="margin-left: 20px"> This value must be "1" if included.
<a href="" id="gprsinfoaccesspointname"></a>**GPRSInfoAccessPointName**
<p style="margin-left: 20px"> Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT".
<a href="" id="roaming"></a>**Roaming**
<p style="margin-left: 20px"> Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available:
- 0 - Home network only.
- 1 (default)- All roaming conditions (home and roaming).
- 2 - Home and domestic roaming only.
- 3 - Domestic roaming only.
- 4 - Non-domestic roaming only.
- 5 - Roaming only.
<a href="" id="oemconnectionid"></a>**OEMConnectionID**
<p style="margin-left: 20px"> Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
<a href="" id="apnid"></a>**ApnId**
<p style="margin-left: 20px"> Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices.
<a href="" id="iptype"></a>**IPType**
<p style="margin-left: 20px"> Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4".
> [!Warning]  
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
 
<a href="" id="exemptfromdisablepolicy"></a>**ExemptFromDisablePolicy**
<p style="margin-left: 20px"> Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt).
<p style="margin-left: 20px"> To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
> [!Important]  
> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections.
<p style="margin-left: 20px"> To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
- Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1)
- Set AllowMMSIfDataIsOff to 1 (default is 0)
 
<a href="" id="exemptfromroaming"></a>**ExemptFromRoaming**
<p style="margin-left: 20px"> Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt).
<a href="" id="tetheringnai"></a>**TetheringNAI**
<p style="margin-left: 20px"> Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0".
<a href="" id="idledisconnecttimeout"></a>**IdleDisconnectTimeout**
<p style="margin-left: 20px"> Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
> [!Important]  
<p style="margin-left: 20px"> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
 
> [!Note]  
> If tear-down/activation requests occur too frequently, this value should be set to greater than 5 seconds.
 
<a href="" id="simiccid"></a>**SimIccId**
<p style="margin-left: 20px"> For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
<a href="" id="purposegroups"></a>**PurposeGroups**
<p style="margin-left: 20px"> Optional. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
- MMS - 53E2C5D3-D13C-4068-AA38-9C48FF2E55A8
- IMS - 474D66ED-0E4B-476B-A455-19BB1239ED13
- SUPL - 6D42669F-52A9-408E-9493-1071DCC437BD
- Purchase - 95522B2B-A6D1-4E40-960B-05E6D3F962AB (added in the next version of Windows 10)
- Administrative - 2FFD9261-C23C-4D27-8DCF-CDE4E14A3364 (added in the next version of Windows 10)
## Additional information
To delete a connection, you must first delete any associated proxies and then delete the connection. The following example shows how to delete the proxy and then the connection.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_ProxyEntries">
<nocharacteristic type="GPRS_Proxy"/>
</characteristic>
<characteristic type="CM_CellularEntries">
<nocharacteristic type="GPRS1"/>
</characteristic>
</wap-provisioningdoc>
```
## OMA client provisioning examples
Configuring a GPRS connection:
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Configuring an LTE connection:
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="LteConn">
<parm name="ConnectionType" value="lte" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="INTERNET_LTE" />
</characteristic>
<parm name="ApnId" value="0" />
<parm name="IPType" value="IPv4v6" />
<parm name="Enabled" value="1" />
<parm name="OemConnectionId" value="01234567-89AB-CDEF-0123-456789ABCDEF" />
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Configuring a CDMA connection:
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="CDMAConn">
<parm name="Version" value="1"/>
<parm name="AuthType" value="chap" />
<parm name="ConnectionType" value="cdma"/>
<parm name="Enabled" value="1"/>
<parm name="AlwaysOn" value="0"/>
<parm name="UseRequiresMappingsPolicy" value="0"/>
<parm name="UserName" value="user@adatum.com"/>
<parm name="Password" value="fakeuserpassword"/>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>characteristic-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -0,0 +1,150 @@
---
title: CM\_ProxyEntries CSP
description: CM\_ProxyEntries CSP
ms.assetid: f4c3dc71-c85a-4c68-9ce9-19f408ff7a0a
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# CM\_ProxyEntries CSP
The CM\_ProxyEntries configuration service provider is used to configure proxy connections on the mobile device.
> **Note**  CM\_ProxyEntries CSP is only supported in Windows 10 Mobile.
 
> **Note**   This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
The following diagram shows the CM\_ProxyEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP) and OMA Device Management(OMA DM). Support for OMA DM was added in Windows 10, version 1607.
![cm\-proxyentries csp (cp)](images/provisioning-csp-cm-proxyentries-cp.png)
<a href="" id="entryname"></a>**entryname**
Defines the name of the connection proxy.
Each cellular entry can have only one proxy entry. For example, an Internet connection can have no more than one HTTP proxy specified but it might also have a WAP proxy. If two applications need access to the same APN but one application needs a proxy and the other application cannot have a proxy, two entries can be created with different names for the same APN.
<a href="" id="connectionname"></a>**ConnectionName**
Specifies the name of the connection the proxy is associated with. This is the APN name of a connection configured using the [CM\_CellularEntries configuration service provider](cm-cellularentries-csp.md).
<a href="" id="bypasslocal"></a>**BypassLocal**
Specifies if the proxy should be bypassed when local hosts are accessed by the device.
A value of "0" specifies that the proxy bypass for local hosts is disabled. A value of "1" specifies that the proxy bypass for local hosts is enabled.
<a href="" id="enable"></a>**Enable**
Specifies if the proxy is enabled.
A value of "0" specifies that the proxy is disabled. A value of "1" specifies that the proxy is enabled.
<a href="" id="exception"></a>**Exception**
Specifies a list of external hosts which should bypass the proxy when accessed.
The exception list is a semi-colon delimited list of host names. For example, to bypass the proxy when either MSN or Yahoo is accessed, the value for the Exception list would be "www.msn.com;www.yahoo.com".
<a href="" id="password"></a>**Password**
Specifies the password used to connect to the proxy.
Passwords are only required for WAP and SOCKS proxies and are not used for HTTP proxies. Queries of this parameter return a string composed of asterisks (\*).
When setting the password, passing in the same string causes the new password to be ignored and does not change the existing password.
<a href="" id="port"></a>**Port**
Specifies the port number of the proxy server.
<a href="" id="server"></a>**Server**
Specifies the name of the proxy server.
<a href="" id="type"></a>**Type**
Specifies the type of proxy connection for this entry.
The following list enumerates the values allowed for the Type parameter.
- "0" = Null proxy
- "1" = HTTP proxy
- "2" = WAP proxy
- "4" = SOCKS4 proxy
- "5" = SOCKS5 proxy
The Null proxy can be used to allow Connection Manager to treat one network as a super set of another network by creating a null proxy from one network to the other.
<a href="" id="username"></a>**UserName**
Specifies the username used to connect to the proxy.
## Additional information
To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_ProxyEntries">
<nocharacteristic type="GPRS_Proxy"/>
</characteristic>
<characteristic type="CM_CellularEntries">
<nocharacteristic type="GPRS1"/>
</characteristic>
</wap-provisioningdoc>
```
## Microsoft Custom Elements
The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -0,0 +1,513 @@
---
title: CMPolicy CSP
description: CMPolicy CSP
ms.assetid: 62623915-9747-4eb1-8027-449827b85e6b
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# CMPolicy CSP
The CMPolicy configuration service provider defines rules that the Connection Manager uses to identify the correct connection for a connection request.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicy configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following diagram shows the CMPolicy configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicy.png)
<a href="" id="policyname"></a>***policyName***
Defines the name of the policy.
<a href="" id="sid"></a>**SID**
The value of SID depends on the ClientType.
For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application.
For non-UWP application-based mapping policies, SID is the application product ID in GUID format. The curly brackets {} around the GUID are required.
For host-based mapping policies, SID must be set to `*`.
<a href="" id="clienttype"></a>**ClientType**
Specifies the mapping policy type.
The following list describes the available mapping policy types:
- Application-based mapping policies are applied to applications. To specify this mapping type, use the value `app`.
- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`.
<a href="" id="host"></a>**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn****_XXX_**
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”.
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Connection type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GSM</p></td>
<td><p>{A05DC613-E393-40ad-AA89-CCCE04277CD9}</p></td>
</tr>
<tr class="even">
<td><p>CDMA</p></td>
<td><p>{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}</p></td>
</tr>
<tr class="odd">
<td><p>Legacy 3GPP</p></td>
<td><p>{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{2378E547-8312-46A5-905E-5C581E92693B}</p></td>
</tr>
<tr class="odd">
<td><p>Wi-Fi</p></td>
<td><p>{8568B401-858E-4B7B-B3DF-0FD4927F131B}</p></td>
</tr>
<tr class="even">
<td><p>Wi-Fi hotspot</p></td>
<td><p>{072FC7DC-1D93-40D1-9BB0-2114D7D73434}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Network type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GPRS</p></td>
<td><p>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</p></td>
</tr>
<tr class="even">
<td><p>1XRTT</p></td>
<td><p>{B1E700AE-A62F-49FF-9BBE-B880C995F27D}</p></td>
</tr>
<tr class="odd">
<td><p>EDGE</p></td>
<td><p>{C347F8EC-7095-423D-B838-7C7A7F38CD03}</p></td>
</tr>
<tr class="even">
<td><p>WCDMA UMTS</p></td>
<td><p>{A72F04C6-9BE6-4151-B5EF-15A53E12C482}</p></td>
</tr>
<tr class="odd">
<td><p>WCDMA FOMA</p></td>
<td><p>{B8326098-F845-42F3-804E-8CC3FF7B50B4}</p></td>
</tr>
<tr class="even">
<td><p>1XEVDO</p></td>
<td><p>{DD42DF39-EBDF-407C-8146-1685416401B2}</p></td>
</tr>
<tr class="odd">
<td><p>1XEVDV</p></td>
<td><p>{61BF1BFD-5218-4CD4-949C-241CA3F326F6}</p></td>
</tr>
<tr class="even">
<td><p>HSPA HSDPA</p></td>
<td><p>{047F7282-BABD-4893-AA77-B8B312657F8C}</p></td>
</tr>
<tr class="odd">
<td><p>HSPA HSUPA</p></td>
<td><p>{1536A1C6-A4AF-423C-8884-6BDDA3656F84}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}</p></td>
</tr>
<tr class="odd">
<td><p>EHRPD</p></td>
<td><p>{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet 10Mbps</p></td>
<td><p>{97D3D1B3-854A-4C32-BD1C-C13069078370}</p></td>
</tr>
<tr class="odd">
<td><p>Ethernet 100Mbps</p></td>
<td><p>{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet Gbps</p></td>
<td><p>{556C1E6B-B8D4-448E-836D-9451BA4CCE75}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
<table>
<colgroup>
<col width="20%" />
<col width="80%" />
</colgroup>
<thead>
<tr class="header">
<th>Device type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Cellular device</p></td>
<td><p>{F9A53167-4016-4198-9B41-86D9522DC019}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet</p></td>
<td><p>{97844272-00C7-4572-B20A-D8D861C095F2}</p></td>
</tr>
<tr class="odd">
<td><p>Bluetooth</p></td>
<td><p>{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}</p></td>
</tr>
<tr class="even">
<td><p>Virtual</p></td>
<td><p>{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="type"></a>**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
- `CMST_CONNECTION_NAME` A connection specified by name.
- `CMST_CONNECTION_TYPE` Any connection of a specified type.
- `CMST_CONNECTION_NETWORK_TYPE` Any connection of a specified network type.
- `CMST_CONNECTION_DEVICE_TYPE` Any connection of the specified device type.
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicy">
<characteristic type="Policy1">
<parm name="SID" value="{A05D1234-F393-9385-AA89-CD3E049367D2}" />
<parm name="ClientType" value="app" />
<parm name="Host" value="*.+" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicy">
<characteristic type="Policy3">
<parm name="SID" value="*" />
<parm name="ClientType" value="*" />
<parm name="Host" value="*.contoso.com" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## OMA DM examples
Adding an application-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/SID</LocURI>
</Target>
<Data>{A05D1234-F393-9385-AA89-CD3E049367D2}</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/ClientType</LocURI>
</Target>
<Data>app</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/Host</LocURI>
</Target>
<Data>*.+</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8055</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{A05DC613-E393-40AD-AA89-CCCE04277CD9}</Data>
</Item>
</Add>
<Add>
<CmdID>8056</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy4/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_DEVICE_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
Adding a host-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8049</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/SID</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8050</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/ClientType</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/Host</LocURI>
</Target>
<Data>*.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicy/BTHPolicy6/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_NETWORK_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
## Microsoft Custom Elements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -0,0 +1,513 @@
---
title: CMPolicyEnterprise CSP
description: CMPolicyEnterprise CSP
ms.assetid: A0BE3458-ABED-4F80-B467-F842157B94BF
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# CMPolicyEnterprise CSP
The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request.
> **Note**  
This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application.
 
Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies
**Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence.
**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phones default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN.
The following diagram shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management.
![cmpolicy csp (dm,cp)](images/provisioning-csp-cmpolicyenterprise.png)
<a href="" id="policyname"></a>***policyName***
Defines the name of the policy.
<a href="" id="sid"></a>**SID**
The value of SID depends on the ClientType.
For Universal Windows Platform (UWP) app-based mapping policies, SID is the Package family name without curly brackets {}, not the application.
For non-UWP application-based mapping policies, SID is the application product ID in GUID format. The curly brackets {} around the GUID are required.
For host-based mapping policies, SID must be set to `*`.
<a href="" id="clienttype"></a>**ClientType**
Specifies the mapping policy type.
The following list describes the available mapping policy types:
- Application-based mapping policies are applied to applications. To specify this mapping type, use the value `app`.
- Host-based mapping policies are applied to all types of clients requesting connections to specified host(s). To specify this mapping type, use the value `*`.
<a href="" id="host"></a>**Host**
Specifies the name of a host pattern. The host name is matched to the connection request to select the right policy to use.
The host pattern can have two wild cards, "\*" and "+". The host pattern is not a URL pattern and there is no concept of transport or paths on the specific host. For example, the host pattern might be "\*.host\_name.com" to match any prefix to the host\_name.com domains. The host pattern will match "www.host\_name.com" and "mail.host\_name.com", but it will not match "host\_name.com".
<a href="" id="orderedconnections"></a>**OrderedConnections**
Specifies whether the list of connections is in preference order.
A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference.
<a href="" id="connxxx"></a>**Conn****_XXX_**
Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004".
<a href="" id="connectionid"></a>**ConnectionID**
Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter.
For `CMST_CONNECTION_NAME`, specify the connection name. For example, if you have a connection configured by using the CM\_CellularEntries configuration service provider, the connection name could be the name of the connection. If you have a NAP configured with the NAPID set to “GPRS1”, the connection name could be “GPRS1@WAP”.
For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. The curly brackets {} around the GUID are required. The following connection types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Connection type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GSM</p></td>
<td><p>{A05DC613-E393-40ad-AA89-CCCE04277CD9}</p></td>
</tr>
<tr class="even">
<td><p>CDMA</p></td>
<td><p>{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}</p></td>
</tr>
<tr class="odd">
<td><p>Legacy 3GPP</p></td>
<td><p>{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{2378E547-8312-46A5-905E-5C581E92693B}</p></td>
</tr>
<tr class="odd">
<td><p>Wi-Fi</p></td>
<td><p>{8568B401-858E-4B7B-B3DF-0FD4927F131B}</p></td>
</tr>
<tr class="even">
<td><p>Wi-Fi hotspot</p></td>
<td><p>{072FC7DC-1D93-40D1-9BB0-2114D7D73434}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Network type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>GPRS</p></td>
<td><p>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</p></td>
</tr>
<tr class="even">
<td><p>1XRTT</p></td>
<td><p>{B1E700AE-A62F-49FF-9BBE-B880C995F27D}</p></td>
</tr>
<tr class="odd">
<td><p>EDGE</p></td>
<td><p>{C347F8EC-7095-423D-B838-7C7A7F38CD03}</p></td>
</tr>
<tr class="even">
<td><p>WCDMA UMTS</p></td>
<td><p>{A72F04C6-9BE6-4151-B5EF-15A53E12C482}</p></td>
</tr>
<tr class="odd">
<td><p>WCDMA FOMA</p></td>
<td><p>{B8326098-F845-42F3-804E-8CC3FF7B50B4}</p></td>
</tr>
<tr class="even">
<td><p>1XEVDO</p></td>
<td><p>{DD42DF39-EBDF-407C-8146-1685416401B2}</p></td>
</tr>
<tr class="odd">
<td><p>1XEVDV</p></td>
<td><p>{61BF1BFD-5218-4CD4-949C-241CA3F326F6}</p></td>
</tr>
<tr class="even">
<td><p>HSPA HSDPA</p></td>
<td><p>{047F7282-BABD-4893-AA77-B8B312657F8C}</p></td>
</tr>
<tr class="odd">
<td><p>HSPA HSUPA</p></td>
<td><p>{1536A1C6-A4AF-423C-8884-6BDDA3656F84}</p></td>
</tr>
<tr class="even">
<td><p>LTE</p></td>
<td><p>{B41CBF43-6994-46FF-9C2F-D6CA6D45889B}</p></td>
</tr>
<tr class="odd">
<td><p>EHRPD</p></td>
<td><p>{7CFA04A5-0F3F-445C-88A4-C86ED2AD94EA}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet 10Mbps</p></td>
<td><p>{97D3D1B3-854A-4C32-BD1C-C13069078370}</p></td>
</tr>
<tr class="odd">
<td><p>Ethernet 100Mbps</p></td>
<td><p>{A8F4FE66-8D04-43F5-9DD2-2A85BD21029B}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet Gbps</p></td>
<td><p>{556C1E6B-B8D4-448E-836D-9451BA4CCE75}</p></td>
</tr>
</tbody>
</table>
 
For `CMST_CONNECTION_DEVICE_TYPE`, specify the GUID for the desired device type. The curly brackets {} around the GUID are required. The following device types are available:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Device type</th>
<th>GUID</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Cellular device</p></td>
<td><p>{F9A53167-4016-4198-9B41-86D9522DC019}</p></td>
</tr>
<tr class="even">
<td><p>Ethernet</p></td>
<td><p>{97844272-00C7-4572-B20A-D8D861C095F2}</p></td>
</tr>
<tr class="odd">
<td><p>Bluetooth</p></td>
<td><p>{1D793123-701A-4fd0-B6AE-9C3C57E99C2C}</p></td>
</tr>
<tr class="even">
<td><p>Virtual</p></td>
<td><p>{EAA02CE5-9C70-4E87-97FE-55C9DEC847D4}</p></td>
</tr>
</tbody>
</table>
 
<a href="" id="type"></a>**Type**
Specifies the type of connection being referenced. The following list describes the available connection types:
- `CMST_CONNECTION_NAME` A connection specified by name.
- `CMST_CONNECTION_TYPE` Any connection of a specified type.
- `CMST_CONNECTION_NETWORK_TYPE` Any connection of a specified device type.
- `CMST_CONNECTION_DEVICE_TYPE` Any connection of the specified network type.
## OMA client provisioning examples
Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicyEnterprise">
<characteristic type="Policy1">
<parm name="SID" value="{A05D1234-F393-9385-AA89-CD3E049367D2}" />
<parm name="ClientType" value="app" />
<parm name="Host" value="*.+" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider.
``` syntax
<wap-provisioningdoc>
<characteristic type="CM_CellularEntries">
<characteristic type="GPRSConn1">
<parm name="ConnectionType" value="gprs" />
<characteristic type="DevSpecificCellular">
<parm name="GPRSInfoAccessPointName" value="apn.adatum.com" />
</characteristic>
<parm name="AlwaysOn" value="0" />
<parm name="Enabled" value="1" />
</characteristic>
</characteristic>
<characteristic type="CMPolicyEnterprise">
<characteristic type="Policy3">
<parm name="SID" value="*" />
<parm name="ClientType" value="*" />
<parm name="Host" value="*.contoso.com" />
<parm name="OrderedConnections" value="1" />
<characteristic type="Connections">
<characteristic type="Conn000">
<parm name="Type" value="CMST_CONNECTION_DEVICE_TYPE" />
<parm name="ConnectionId" value="{F9A53167-4016-4198-9B41-86D9522DC019}" />
</characteristic>
<characteristic type="Conn001">
<parm name="Type" value="CMST_CONNECTION_NETWORK_TYPE" />
<parm name="ConnectionId" value="{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}" />
</characteristic>
<characteristic type="Conn002">
<parm name="Type" value="CMST_CONNECTION_NAME" />
<parm name="ConnectionId" value="GPRSConn1" />
</characteristic>
<characteristic type="Conn003">
<parm name="Type" value="CMST_CONNECTION_TYPE" />
<parm name="ConnectionId" value="{072FC7DC-1D93-40d1-9BB0-2114D7D73434}" />
</characteristic>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
```
## OMA DM examples
Adding an application-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/SID</LocURI>
</Target>
<Data>{A05D1234-F393-9385-AA89-CD3E049367D2}</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/ClientType</LocURI>
</Target>
<Data>app</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Host</LocURI>
</Target>
<Data>*.+</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8055</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{A05DC613-E393-40AD-AA89-CCCE04277CD9}</Data>
</Item>
</Add>
<Add>
<CmdID>8056</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy4/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_DEVICE_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
Adding a host-based mapping policy:
``` syntax
<SyncML>
<SyncBody>
<Atomic>
<CmdID>8000</CmdID>
<Add>
<CmdID>8049</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/SID</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8050</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/ClientType</LocURI>
</Target>
<Data>*</Data>
</Item>
</Add>
<Add>
<CmdID>8051</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Host</LocURI>
</Target>
<Data>*.contoso.com</Data>
</Item>
</Add>
<Add>
<CmdID>8052</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/OrderedConnections</LocURI>
</Target>
<Data>1</Data>
</Item>
</Add>
<Add>
<CmdID>8053</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Connections/Conn000/ConnectionId</LocURI>
</Target>
<Data>{AFB7D659-FC1F-4EA5-BDD0-0FDA62676D96}</Data>
</Item>
</Add>
<Add>
<CmdID>8054</CmdID>
<Item>
<Target>
<LocURI>./Vendor/MSFT/CMPolicyEnterprise/BTHPolicy6/Connections/Conn000/Type</LocURI>
</Target>
<Data>CMST_CONNECTION_NETWORK_TYPE</Data>
</Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>
```
## Microsoft Custom Elements
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Element</th>
<th>Available</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>parm-query</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="even">
<td><p>nocharacteristic</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>characteristic-query</p></td>
<td><p>Yes</p>
<p>Recursive query: Yes</p>
<p>Top level query: Yes</p></td>
</tr>
</tbody>
</table>
 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 


@ -0,0 +1,315 @@
---
title: CMPolicyEnterprise DDF file
description: CMPolicyEnterprise DDF file
ms.assetid: 065EF07A-0CF3-4EE5-B620-3464A75B7EED
ms.author: maricia
ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
---
# CMPolicyEnterprise DDF file
This topic shows the OMA DM device description framework (DDF) for the **CMPolicyEnterprise** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
"http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
[<?oma-dm-ddf-ver supported-versions="1.2"?>]>
<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>CMPolicyEnterprise</NodeName>
<!-- NOTE: from here below, CMPolicy and CMPolicyEnterprise should be identical -->
<Path>./Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/CMPolicyEnterprise</MIME>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>The name of the policy</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>PolicyName</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>SID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The value of SID depends on the ClienType</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>SID</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>ClientType</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the mapping policy type</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ClientType</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Host</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the name of a host pattern</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Host</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>OrderedConnections</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies whether the list of connections is in preference order</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>OrderedConnection</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Connections</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<CaseSense>
<CS />
</CaseSense>
<DFTitle>Connections</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName></NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
</AccessType>
<Description>Connection associated with the policy</Description>
<DFFormat>
<node />
</DFFormat>
<Occurrence>
<ZeroOrMore />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ConnXXX</DFTitle>
<DFType>
<DDFName></DDFName>
</DFType>
</DFProperties>
<Node>
<NodeName>ConnectionID</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>A unique identifier for a connection within a group of connections</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>ConnectionID</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Type</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The type of connection being referenced</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<CaseSense>
<CIS />
</CaseSense>
<DFTitle>Type</DFTitle>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</Node>
</Node>
</MgmtTree>
```
## Related topics
[CMPolicyEnterprise configuration service provider](cmpolicyenterprise-csp.md)
 
 

