From 1705a32acc833fed818efb1ca25c036fcdf6edf1 Mon Sep 17 00:00:00 2001 From: itsrlyAria <82474610+itsrlyAria@users.noreply.github.com> Date: Tue, 13 Apr 2021 13:32:55 -0700 Subject: [PATCH 01/59] Update policy-csp-update.md This is correcting the description of AU Options. --- windows/client-management/mdm/policy-csp-update.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index fd7d92d8dd..877a9da96c 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -461,7 +461,7 @@ Enables the IT admin to manage automatic update behavior to scan, download, and Supported operations are Get and Replace. -If the policy is not configured, end-users get the default behavior (Auto install and restart). +If the policy is not configured, end-users get the default behavior (Auto download and install). 
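Review bot: In PATCH 01/59, the first hunk of policy-csp-update.md changes the unconfigured-policy parenthetical to "(Auto download and install)", but the supported-values hunk later in the same patch labels the new default as option 6 with different wording ("Updates automatically download and install at a time that is deemed optimal by the device"); cite the option number here (for example "the default behavior, option 6") so a reader can match the two statements, since the old text "(Auto install and restart)" was the literal name of option 2 and the new text is the name of no option.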
@@ -477,11 +477,12 @@ ADMX Info: The following list shows the supported values: - 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. -- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. -- 2 (default) – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. +- 1 – Auto install the update and then notify the user to schedule a device restart. 
Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. +- 2 – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. - 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4 – Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. 
If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This setting option also sets the end-user control panel to read-only. +- 4 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. Note, this option is the same as 3, but restricts end user controls on the settings page. - 5 – Turn off automatic updates. +- 6 (default) - Updates automatically download and install at a time that is deemed optimal by the device. Restart will occur outside of active hours until the deadline is reached, if configured. > [!IMPORTANT] @@ -4607,4 +4608,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From 23ea01415fe4d8071a74d45fc221fa9e405be1c0 Mon Sep 17 00:00:00 2001 From: itsrlyAria <82474610+itsrlyAria@users.noreply.github.com> Date: Tue, 13 Apr 2021 15:42:04 -0700 Subject: [PATCH 02/59] Update windows/client-management/mdm/policy-csp-update.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 877a9da96c..ddd91e3e65 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
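Review bot: In PATCH 01/59, the supported-values hunk rewrites option 4 as a copy of option 3 plus "Note, this option is the same as 3, but restricts end user controls on the settings page", and in doing so drops the removed line's concrete statement that the option "sets the end-user control panel to read-only"; keep the distinguishing behaviour explicit (which controls are locked) rather than defining 4 by reference to 3. The new entry "- 6 (default) - Updates automatically download ..." also uses a hyphen as separator where every other entry uses an en dash ("- 5 – Turn off automatic updates."), and "Restart will occur outside of active hours until the deadline is reached, if configured" should name the policy that configures that deadline, because this is now the behaviour every unmanaged device gets.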
@@ -479,7 +479,7 @@ The following list shows the supported values: - 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. - 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart. - 2 – Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device is not actively being used. This is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that does not shutdown properly on restart. -- 3 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. 
Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 3 – Auto install and restart at a specified time. The IT Admin specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. - 4 – Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. Note, this option is the same as 3, but restricts end user controls on the settings page. - 5 – Turn off automatic updates. - 6 (default) - Updates automatically download and install at a time that is deemed optimal by the device. Restart will occur outside of active hours until the deadline is reached, if configured. From fdf76f6155a97a4a01ff45bfd7875705f80087cf Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 11 Nov 2021 19:01:29 +0530 Subject: [PATCH 03/59] Update policy-csp-accounts.md --- .../mdm/policy-csp-accounts.md | 67 +++++++++++++++++++ 1 file changed, 67 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index ed466fe64a..3f4dada5e5 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -31,6 +31,9 @@ manager: dansimp
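Review bot: In PATCH 02/59, the hunk changes option 3 from "The IT specifies the installation day and time" to "The IT Admin specifies ...", but option 4 in the same list still reads "- 4 – Auto install and restart at a specified time. The IT specifies the installation day and time."; apply the same wording to option 4 so the two entries stay consistent.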
Accounts/AllowMicrosoftAccountSignInAssistant
+
+ Accounts/DomainNamesForEmailSync +
@@ -266,5 +269,69 @@ The following list shows the supported values:
+ +**Accounts/DomainNamesForEmailSync** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
EnterpriseYesYes
EducationYesYes
MobileYesYes
Mobile EnterpriseYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + + +The following list shows the supported values: + + + + +
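Review bot: In PATCH 03/59, the new **Accounts/DomainNamesForEmailSync** section of policy-csp-accounts.md ends with "The following list shows the supported values:" followed by no values, and has no description of what the policy does, what value it takes (the name suggests a list of domain names, whose format and delimiter would then need to be documented), which operations are supported, or ADMX Info, unlike the other sections in this file; fill these in before merging or mark the section as a placeholder. The edition table also includes Mobile and Mobile Enterprise rows, which PATCH 08/59 later in this series removes from the other tables in the same file.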
\ No newline at end of file From 3f0b1172c9684b1213ee3c97412168b1f0ff34d8 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 11 Nov 2021 19:04:29 +0530 Subject: [PATCH 04/59] Update policy-csp-accounts.md --- windows/client-management/mdm/policy-csp-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 3f4dada5e5..a82877322d 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -270,7 +270,7 @@ The following list shows the supported values: -**Accounts/DomainNamesForEmailSync** +**Accounts/DomainNamesForEmailSync** From 51624a1a63aa14a8f377e58e27a7ff9c7444fc02 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 11 Nov 2021 22:00:08 +0530 Subject: [PATCH 05/59] removed long title sentences This is my own PR; we were not able to identify whether the adjustment is correct or not before creating the PR and before publishing, so we have to take a test drive. --- .../advanced-security-auditing-faq.yml | 24 +------------------ 1 file changed, 1 insertion(+), 23 deletions(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index a3f1fdac56..740c758d98 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml 
@@ -18,32 +18,10 @@ metadata: ms.date: 09/06/2021 ms.technology: windows-sec -title: Advanced security auditing FAQ +title: Advanced security auditing FAQ - This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - - - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - - [What is the difference between audit policies located in Local Policies\\Audit Policy and audit policies located in Advanced Audit Policy Configuration?](#what-is-the-difference-between-audit-policies-located-in-local-policies--audit-policy-and-audit-policies-located-in-advanced-audit-policy-configuration-) - - [What is the interaction between basic audit policy settings and advanced audit policy settings?](#what-is-the-interaction-between-basic-audit-policy-settings-and-advanced-audit-policy-settings-) - - [How are audit settings merged by Group Policy?](#how-are-audit-settings-merged-by-group-policy-) - - [What is the difference between an object DACL and an object SACL?](#what-is-the-difference-between-an-object-dacl-and-an-object-sacl-) - - [Why are audit policies applied on a per-computer basis rather than per user?](#why-are-audit-policies-applied-on-a-per-computer-basis-rather-than-per-user-) - - [What are the differences in auditing functionality between versions of Windows?](#what-are-the-differences-in-auditing-functionality-between-versions-of-windows-) - - [Can I use advanced audit policy from a domain controller running Windows Server 2003 or Windows 2000 Server?](#can-i-use-advanced-audit-policies-from-a-domain-controller-running-windows-server-2003-or-windows-2000-server-) - - [What is the difference between success and failure events? 
Is something wrong if I get a failure audit?](#what-is-the-difference-between-success-and-failure-events--is-something-wrong-if-i-get-a-failure-audit-) - - [How can I set an audit policy that affects all objects on a computer?](#how-can-i-set-an-audit-policy-that-affects-all-objects-on-a-computer-) - - [How do I figure out why someone was able to access a resource?](#how-do-i-figure-out-why-someone-was-able-to-access-a-resource-) - - [How do I know when changes are made to access control settings, by whom, and what the changes were?](#how-do-i-know-when-changes-are-made-to-access-control-settings--by-whom--and-what-the-changes-were-) - - [How can I roll back security audit policies from the advanced audit policy to the basic audit policy?](#how-can-i-roll-back-security-audit-policies-from-the-advanced-audit-policy-to-the-basic-audit-policy-) - - [How can I monitor if changes are made to audit policy settings?](#how-can-i-monitor-if-changes-are-made-to-audit-policy-settings-) - - [How can I minimize the number of events that are generated?](#how-can-i-minimize-the-number-of-events-that-are-generated-) - - [What are the best tools to model and manage audit policy?](#what-are-the-best-tools-to-model-and-manage-audit-policies-) - - [Where can I find information about all the possible events that I might receive?](#where-can-i-find-information-about-all-the-possible-events-that-i-might-receive-) - - [Where can I find more detailed information?](#where-can-i-find-more-detailed-information-) - - sections: - name: Ignored questions: From 3e2144ceb259b1907d65ea5b09749ef8fc7c6833 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 4 Jan 2022 11:30:44 +0530 Subject: [PATCH 06/59] Update policy-csp-fileexplorer.md --- .../mdm/policy-csp-fileexplorer.md | 217 ++++++++++++++++++ 1 file changed, 217 insertions(+) 
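Review bot: In PATCH 05/59, the hunk on advanced-security-auditing-faq.yml removes not only the list of question links that had been placed in the title field but also the summary sentence "This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies."; that sentence is the page's description and should be kept (for example moved to the description metadata field) rather than deleted together with the links. The title line shows "-title: Advanced security auditing FAQ" and "+title: Advanced security auditing FAQ" as identical text, so that part of the change is whitespace only, and the commit message should say so instead of "we could not able to identify adjustment is correct or not".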
diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 3599a3ce1a..58bfd56c27 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -28,15 +28,125 @@ manager: dansimp ## FileExplorer policies
+
+ FileExplorer/AllowOptionToShowNetwork +
+
+ FileExplorer/AllowOptionToShowThisPC +
FileExplorer/TurnOffDataExecutionPreventionForExplorer
FileExplorer/TurnOffHeapTerminationOnCorruption
+
+ FileExplorer/SetAllowedFolderLocations +
+
+ FileExplorer/SetAllowedStorageLocations +
+
+ + +**FileExplorer/AllowOptionToShowNetwork** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + + + + + +The following list shows the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + +ADMX Info: +- GP Friendly name: *Allow the user the option to show Network folder when restricted* +- GP name: *AllowOptionToShowNetwork* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
+ + +**FileExplorer/AllowOptionToShowThisPC** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + + + + +The following list shows the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + +ADMX Info: +- GP Friendly name: *Allow the user the option to show Network folder when restricted* +- GP name: *AllowOptionToShowThisPC* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + +
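Review bot: In PATCH 06/59, the first hunk of policy-csp-fileexplorer.md gives **FileExplorer/AllowOptionToShowThisPC** the ADMX friendly name "Allow the user the option to show Network folder when restricted", which is the friendly name of AllowOptionToShowNetwork directly above; the This PC policy needs its own friendly name. The two sibling policies are also given different scopes (Network is "Device", This PC is "User"); confirm that this is intended and not a copy error. Neither section has a description line explaining what "when restricted" refers to (presumably the folder restriction that SetAllowedFolderLocations, added further down in the same patch, imposes), and a reader needs that link to understand what the 0 and 1 values change.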
@@ -109,6 +219,8 @@ ADMX Info: Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later. + + ADMX Info: - GP Friendly name: *Turn off heap termination on corruption* @@ -120,5 +232,110 @@ ADMX Info:
+ +**FileExplorer/SetAllowedFolderLocations** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + + + + + +The following list shows the supported values: + +- 0: all folders +- 15:Desktop, Documents, Pictures, Downloads +- 31:Desktop, Documents, Pictures, Downloads, Network +- 47:This PC (local drive), [Desktop, Documents, Pictures], Downloads +- 63:This PC , [Desktop, Documents, Pictures], Downloads, Network + + + + +ADMX Info: +- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* +- GP name: *SetAllowedFolderLocations* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
+ + +**FileExplorer/SetAllowedStorageLocations** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + + + + + +The following list shows the supported values: + +- 0: all storage locations +- 1: Removable Drives +- 2: Sync roots +- 3: Removable Drives, Sync roots, local drive + + + + +ADMX Info: +- GP Friendly name: *Configure which folders the user can enumerate and access to in File Explorer* +- GP name: *SetAllowedStorageLocations* +- GP path: *File Explorer* +- GP ADMX file name: *Explorer.admx* + + + + +
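Review bot: In PATCH 06/59, the hunk adding **FileExplorer/SetAllowedFolderLocations** and **FileExplorer/SetAllowedStorageLocations** reuses the friendly name "Configure which folders the user can enumerate and access to in File Explorer" for both policies; the storage-locations policy needs its own name, and "access to in" should read "access in". The folder values list uses unexplained bracket notation ("47:This PC (local drive), [Desktop, Documents, Pictures], Downloads") and inconsistent spacing ("0: all folders" versus "15:Desktop"); the pattern 0, 15, 31, 47, 63 reads like a bitmask, so either document the individual bits or state that only these combinations are valid. In the storage list, value 3 is described as "Removable Drives, Sync roots, local drive" although 1 and 2 cover only removable drives and sync roots, so say where "local drive" comes from. Because these policies are an access restriction, the descriptions should also state what a user sees when navigating to a disallowed location and whether the restriction covers paths typed into the address bar as well as the navigation tree, so that admins do not treat it as more than the visibility control it may be.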
+ From 55fbc34b79fd43bcf4bdddf3ac8353d7a4033c3a Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 17 Jan 2022 15:09:22 +0530 Subject: [PATCH 07/59] Update policy-csp-fileexplorer.md --- windows/client-management/mdm/policy-csp-fileexplorer.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index 58bfd56c27..e58b5778de 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md @@ -78,6 +78,8 @@ manager: dansimp +This policy allows the user with an option to show the network folder when restricted. + @@ -127,6 +129,8 @@ ADMX Info: +This policy allows the user with an option to show this PC location when restricted. + @@ -260,6 +264,8 @@ ADMX Info: +This policy allows to configure folders that the user can enumerate and access in the File Explorer. + @@ -313,6 +319,8 @@ ADMX Info: +This policy allows to configure folders that the user can enumerate and access in the File Explorer. + From 81d5a723b89167516e78457dfa1e946152b2acdc Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 17 Jan 2022 19:37:38 +0530 Subject: [PATCH 08/59] Update policy-csp-accounts.md --- .../mdm/policy-csp-accounts.md | 42 +------------------ 1 file changed, 1 insertion(+), 41 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index a82877322d..81c59701ca 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -69,16 +69,6 @@ manager: dansimp
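Review bot: In PATCH 07/59, the description added for SetAllowedStorageLocations ("This policy allows to configure folders that the user can enumerate and access in the File Explorer.") is a verbatim copy of the one added for SetAllowedFolderLocations in the preceding hunk; it should describe storage locations (removable drives, sync roots, local drive, per the values list) rather than folders. The other added sentences read "This policy allows the user with an option to show ..." and "This policy allows to configure ..."; rephrase as "This policy gives the user the option to show ..." and "This policy configures ...".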
- - - - - - - - - -
Yes Yes
MobileYesYes
Mobile EnterpriseYesYes
@@ -99,7 +89,7 @@ Specifies whether user is allowed to add non-MSA email accounts. Most restricted value is 0. > [!NOTE] -> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md). +> This policy will only block UI/UX-based methods for adding non-Microsoft accounts. @@ -148,16 +138,6 @@ The following list shows the supported values: Yes Yes - - Mobile - Yes - Yes - - - Mobile Enterprise - Yes - Yes - @@ -224,16 +204,6 @@ The following list shows the supported values: Yes Yes - - Mobile - Yes - Yes - - - Mobile Enterprise - Yes - Yes - @@ -299,16 +269,6 @@ The following list shows the supported values: Yes Yes - - Mobile - Yes - Yes - - - Mobile Enterprise - Yes - Yes - From ccb8b6b269b7b0ee316d3740a764ad59629ab715 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 28 Mar 2022 15:37:46 +0530 Subject: [PATCH 09/59] Updated --- windows/client-management/mdm/accountmanagement-csp.md | 9 +++++++++ windows/client-management/mdm/accounts-csp.md | 9 +++++++++ 2 files changed, 18 insertions(+) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 5f2a7ff230..254aa5b416 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -32,6 +32,15 @@ AccountManagement --------ProfileInactivityThreshold ``` +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|No| +|Business|No|No| +|Enterprise|No|No| +|Education|No|No| + + **./Vendor/MSFT/AccountManagement** Root node for the AccountManagement configuration service provider. diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 1269c2797e..18d425c0f2 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md 
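Review bot: In PATCH 08/59, the @@ -99 hunk of policy-csp-accounts.md deletes "Even if this policy is enforced, you can still provision non-MSA accounts using the [EMAIL2 CSP](email2-csp.md)." from the note while keeping "This policy will only block UI/UX-based methods for adding non-Microsoft accounts."; the deleted sentence is what makes the remaining warning concrete for an admin, namely that this setting is a UI control rather than an enforcement boundary and that accounts can still arrive through another provisioning channel. If the link is being removed because the EMAIL2 CSP is deprecated, say so in the note; otherwise keep the sentence.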
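Review bot: In PATCH 09/59, the edition table added to accountmanagement-csp.md lists No for Home, Pro, Business, Enterprise and Education alike, which states that the CSP is supported on no edition of Windows 10 or Windows 11; confirm the intended values (the other tables in this series mark at least the enterprise editions Yes), and if the CSP is genuinely limited to a product that is not one of the listed editions, say which one in the text beneath the table.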
@@ -30,6 +30,15 @@ Accounts ------------LocalUserGroup ``` +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|No|No| +|Business|No|No| +|Enterprise|No|No| +|Education|No|No| + + **./Device/Vendor/MSFT/Accounts** Root node. From 205bbef7b88134e93f31cf71d5b95bd72dbea002 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 29 Mar 2022 00:23:03 +0530 Subject: [PATCH 10/59] Updated --- .../client-management/mdm/bitlocker-csp.md | 1 - .../mdm/cmpolicyenterprise-csp.md | 24 +++---- .../mdm/customdeviceui-csp.md | 9 ++- windows/client-management/mdm/defender-csp.md | 67 +++++++++++-------- .../client-management/mdm/devdetail-csp.md | 17 +++-- .../mdm/developersetup-csp.md | 8 +++ windows/client-management/mdm/supl-csp.md | 18 ++--- .../client-management/mdm/surfacehub-csp.md | 6 +- 8 files changed, 91 insertions(+), 59 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 6b83e9c150..95233b9ad6 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -69,7 +69,6 @@ Defines the root node for the BitLocker configuration service provider. Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption. - |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index d843207762..d2cf286284 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md 
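Review bot: In PATCH 09/59, the edition table added to accounts-csp.md marks Home Yes and Pro, Business, Enterprise and Education No, the inverse of every other table in this series; since the tree shown above the table manages local user groups ("------------LocalUserGroup"), support on Home alone looks like a transposed row. Confirm against the source data before merging.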
@@ -14,19 +14,24 @@ ms.date: 06/26/2017 # CMPolicyEnterprise CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|No|No| +|Education|Yes|Yes| The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. - - -Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies +ach policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies **Policy Ordering**: There is no explicit ordering of policies. The general rule is that the most concrete or specific policy mappings take a higher precedence. -**Default Policies**: Policies are applied in order of their scope with the most specific policies considered before the more general policies. The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available Wi-Fi network first and then any available APN. +**Default Policies**: Policies are applied in the order of their scope with the most specific policies considered before the more general policies. 
The phone’s default behavior applies to all applications and all domains and is only used when no other, more specific policy is available. The default policy is to use any available WiFi network first and then any available APN. The following shows the CMPolicyEnterprise configuration service provider management object in tree format as used by both Open Mobile Alliance (OMA) Client Provisioning and OMA Device Management. @@ -75,7 +80,7 @@ Specifies whether the list of connections is in preference order. A value of "0" specifies that the connections are not listed in order of preference. A value of "1" indicates that the listed connections are in order of preference. **Conn***XXX* -Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". +Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". **ConnectionID** Specifies a unique identifier for a connection within a group of connections. The exact value is based on the Type parameter. 
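Review bot: In PATCH 10/59, the first hunk of cmpolicyenterprise-csp.md replaces "Each policy entry identifies one or more applications ..." with "+ach policy entry identifies ...", dropping the leading "E"; restore it. The same hunk renames "Wi-Fi" to "WiFi" in the Default Policies paragraph (the connection-type table hunk below makes the same rename for the "Wi-Fi" and "Wi-Fi hotspot" rows), although "Wi-Fi" is the spelling the removed lines use and the one that matches the rest of the file; revert the rename. The added edition table marks Enterprise No while Home, Pro, Business and Education are Yes; confirm, since the paragraph beneath describes the CSP as "used by the enterprise".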
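Review bot: In PATCH 10/59, the ConnXXX hunk changes "three digits which increment" to "three-digits, which increment"; "three digits" is a plain noun phrase and should not be hyphenated, so the line should read 'followed by three digits, which increment starting from "000"'.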
@@ -90,10 +95,9 @@ For `CMST_CONNECTION_TYPE`, specify the GUID for the desired connection type. Th |CDMA|{274AD55A-4A70-4E35-93B3-AE2D2E6727FC}| |Legacy 3GPP|{6DE4C04B-B74E-47FA-99E5-8F2097C06A92}| |LTE|{2378E547-8312-46A5-905E-5C581E92693B}| -|Wi-Fi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}| -|Wi-Fi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}| +|WiFi|{8568B401-858E-4B7B-B3DF-0FD4927F131B}| +|WiFi hotspot|{072FC7DC-1D93-40D1-9BB0-2114D7D73434}| - For `CMST_CONNECTION_NETWORK_TYPE`, specify the GUID for the desired network type. The curly brackets {} around the GUID are required. The following network types are available: @@ -136,7 +140,6 @@ Specifies the type of connection being referenced. The following list describes ## OMA client provisioning examples - Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. ```xml @@ -230,7 +233,6 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C ## OMA DM examples - Adding an application-based mapping policy: ```xml @@ -367,7 +369,6 @@ Adding a host-based mapping policy: ## Microsoft Custom Elements - |Element|Available| |--- |--- | |parm-query|Yes| @@ -376,7 +377,6 @@ Adding a host-based mapping policy: ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 7a4eb3b5e1..e59eb1a383 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md 
@@ -14,6 +14,14 @@ ms.date: 06/26/2017 # CustomDeviceUI CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|No|No| +|Education|Yes|Yes| + The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported. The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. @@ -42,7 +50,6 @@ Package Full Name of the App that needs be launched in the background. This can ## SyncML examples - **Set StartupAppID** ```xml diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 6f404d4e29..041986e816 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -15,6 +15,15 @@ ms.date: 10/04/2021 # Defender CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + > [!WARNING] > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. @@ -177,7 +186,7 @@ The following table describes the supported values: | 48 | Policy | | 49 | EUS (Enterprise Unwanted Software)| | 50 | Ransomware | -| 51 | ASR Rule | +| 51 | Azure Site Recovery Rule | Supported operation is Get. 
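Review bot: In PATCH 10/59, the edition table added to customdeviceui-csp.md marks Enterprise No and the other editions Yes, while the sentence beneath says the CSP targets "an IoT device running IoT Core", which is not one of the listed editions; confirm the rows and state explicitly which product the table applies to.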
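Review bot: In PATCH 10/59, the defender-csp.md hunk expands "| 51 | ASR Rule |" to "| 51 | Azure Site Recovery Rule |"; in the Microsoft Defender threat-source table, ASR stands for Attack Surface Reduction, the Defender feature whose rules block risky application behaviours, not Azure Site Recovery, which is an unrelated disaster-recovery service. Change the row to "Attack Surface Reduction Rule" (or leave the abbreviation as it was), because the new wording would send an admin investigating a detection with this source to the wrong product.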
@@ -255,9 +264,9 @@ Supported operation is Get. The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources. The acceptable values for this parameter are: -- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. +- 0: Disabled. The Network Protection service won't block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections. - 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service. -- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log. +- 2: AuditMode. As above, but the Network Protection service won't block connections to malicious websites, but will instead log the access to the event log. Accepted values: Disabled, Enabled, and AuditMode Position: Named 
@@ -276,7 +285,7 @@ By default, network protection is not allowed to be enabled on Windows versions **EnableNetworkProtection/AllowNetworkProtectionOnWinServer** -By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. +By default, network protection isn't allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode. - Type: Boolean - Position: Named @@ -585,11 +594,11 @@ An interior node to group Windows Defender configuration information. Supported operation is Get. **Configuration/TamperProtection** -Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. +Tamper protection helps protect important security features from unwanted changes and interference. This includes real-time protection, behavior monitoring, and more. Accepts signed string to turn the feature on or off. Settings are configured with an MDM solution, such as Intune and is available in Windows 10 Enterprise E5 or equivalent subscriptions. Send off blob to device to reset tamper protection state before setting this configuration to "not configured" or "unassigned" in Intune. -The data type is a Signed blob. +The data type is a Signed BLOB. Supported operations are Add, Delete, Get, Replace. 
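Review bot: The "Signed blob" → "Signed BLOB" change in the TamperProtection hunk makes the node description inconsistent with itself: the sentence added to the same paragraph ("Send off blob to device to reset tamper protection state …") still says "blob", and the SUPL examples later in this patch end up split between "A valid binary blob" and "A valid binary BLOB". Pick one spelling (lowercase "blob" is what the rest of these CSP pages use) and apply it to every occurrence, including "Send off blob".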
@@ -603,7 +612,7 @@ When enabled or disabled exists on the client and admin moves the setting to not **Configuration/DisableLocalAdminMerge**
This policy setting controls whether or not complex list settings configured by a local administrator are merged with managed settings. This setting applies to lists such as threats and exclusions. -If you disable or do not configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings. +If you disable or don't configure this setting, unique items defined in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, management settings will override preference settings. If you enable this setting, only items defined by management will be used in the resulting effective policy. Managed settings will override preference settings configured by the local administrator. @@ -621,31 +630,31 @@ Valid values are: - 0 (default) – Disable. **Configuration/HideExclusionsFromLocalAdmins**
-This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that are not Local Admins) exclusions are not visible, whether or not this setting is enabled. +This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. -If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell. +- If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell. -If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell. +- If you disable or don't configure this setting, Local Admins will be able to see exclusions in the Windows Security App and via PowerShell. > [!NOTE] > Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. -Supported OS versions: Windows 10 +Supported OS versions: Windows 10 The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. - 0 (default) – Disable. **Configuration/DisableCpuThrottleOnIdleScans**
-Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and will not throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. +Indicates whether the CPU will be throttled for scheduled scans while the device is idle. This feature is enabled by default and won't throttle the CPU for scheduled scans performed when the device is otherwise idle, regardless of what ScanAvgCPULoadFactor is set to. For all other scheduled scans this flag will have no impact and normal throttling will occur. The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 (default) – Enable. @@ -656,7 +665,7 @@ Allow managed devices to update through metered connections. Data charges may ap The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. @@ -667,7 +676,7 @@ This settings controls whether Network Protection is allowed to be configured in The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. @@ -678,7 +687,7 @@ Allows an administrator to explicitly disable network packet inspection made by The data type is string. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. **Configuration/EnableFileHashComputation** Enables or disables file hash computation feature. 
@@ -686,7 +695,7 @@ When this feature is enabled Windows Defender will compute hashes for files it s The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enable. @@ -697,15 +706,15 @@ The support log location setting allows the administrator to specify where the M Data type is string. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Intune Support log location setting UX supports three states: -- Not configured (default) - Does not have any impact on the default state of the device. +- Not configured (default) - Doesn't have any impact on the default state of the device. - 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. - 0 - Disabled. Turns off the Support log location feature. -When enabled or disabled exists on the client and admin moves the setting to not configured, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +When enabled or disabled exists on the client and admin moves the setting to not configure, it will not have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. More details: 
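Review bot: "When enabled or disabled exists on the client and admin moves the setting to not configure" in the support log location hunk is a regression; the original "not configured" was correct and matches the state name "Not configured (default)" listed two lines above it. Keep "not configured". The rest of the hunk (contractions, "Add, Delete, Get, and Replace") is fine.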
@@ -725,11 +734,11 @@ Current Channel (Broad): Devices will be offered updates only after the gradual Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 0: Not configured (Default) @@ -758,11 +767,11 @@ Current Channel (Broad): Devices will be offered updates only after the gradual Critical: Devices will be offered updates with a 48-hour delay. Suggested for critical environments only -If you disable or do not configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 0: Not configured (Default) 
@@ -784,10 +793,10 @@ Current Channel (Staged): Devices will be offered updates after the release cycl Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). -If you disable or do not configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will stay up to date automatically during the daily release cycle. Suitable for most devices. The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid Values are: - 0: Not configured (Default) @@ -806,11 +815,11 @@ Devices will be offered all Microsoft Defender updates after the gradual release > [!NOTE] > This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates. -If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. +If you disable or don't configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. The data type is integer. -Supported operations are Add, Delete, Get, Replace. +Supported operations are Add, Delete, Get, and Replace. Valid values are: - 1 – Enabled. diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 7a1c219d01..e256226f20 100644 --- a/windows/client-management/mdm/devdetail-csp.md 
+++ b/windows/client-management/mdm/devdetail-csp.md @@ -14,6 +14,15 @@ ms.date: 03/27/2020 # DevDetail CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + + The DevDetail configuration service provider handles the management object that provides device-specific parameters to the OMA DM server. These device parameters can be queried by servers using OMA DM commands. They aren't sent from the client to the server automatically. > [!NOTE] @@ -210,22 +219,22 @@ Returns the VoLTE service to on or off. This setting is only exposed to mobile o Supported operation is Get. **Ext/WlanIPv4Address** -Returns the IPv4 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA DM servers. +Returns the IPv4 address of the active WiFi connection. This address is only exposed to enterprise OMA DM servers. Supported operation is Get. **Ext/WlanIPv6Address** -Returns the IPv6 address of the active Wi-Fi connection. This address is only exposed to enterprise OMA-DM servers. +Returns the IPv6 address of the active WiFi connection. This address is only exposed to enterprise OMA-DM servers. Supported operation is Get. **Ext/WlanDnsSuffix** -Returns the DNS suffix of the active Wi-Fi connection. This suffix is only exposed to enterprise OMA-DM servers. +Returns the DNS suffix of the active WiFi connection. This suffix is only exposed to enterprise OMA-DM servers. Supported operation is Get. **Ext/WlanSubnetMask** -Returns the subnet mask for the active Wi-Fi connection. This subnet mask is only exposed to enterprise OMA-DM servers. +Returns the subnet mask for the active WiFi connection. This subnet mask is only exposed to enterprise OMA-DM servers. Supported operation is Get. diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index b27c178d3c..4ea714b2a9 100644 
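Review bot: Same "Wi-Fi" → "WiFi" problem as in the CMPolicyEnterprise table: the four Ext/WlanIPv4Address, Ext/WlanIPv6Address, Ext/WlanDnsSuffix and Ext/WlanSubnetMask descriptions should keep "active Wi-Fi connection". Also, the new DevDetail applicability table is followed by two blank lines; trim to one.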
--- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -14,6 +14,14 @@ ms.date: 06/26/2018 # DeveloperSetup CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703. > [!NOTE] diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 32af3e680b..63a8370e40 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -14,6 +14,14 @@ ms.date: 09/12/2019 # SUPL CSP +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The SUPL configuration service provider is used to configure the location client, as shown in the following table: - **Location Service**: Connection type @@ -110,7 +118,6 @@ Optional. Specifies the positioning method that the SUPL client will use for mob |4|OTDOA| |5|AFLT| -  The default is 0. The default method in Windows devices provides high-quality assisted GNSS positioning for mobile originated position requests without loading the mobile operator’s network or location services. 
@@ -118,7 +125,6 @@ The default is 0. The default method in Windows devices provides high-quality as > The Mobile Station Assisted, OTDOA, and AFLT positioning methods must only be configured for test purposes.   - For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. **LocMasterSwitchDependencyNII** @@ -133,7 +139,6 @@ This value manages the settings for both SUPL and v2 UPL. If a device is configu |Off|0|Yes| |Off|1|No (unless privacyOverride is set)| - When the location toggle is set to Off and this value is set to 1, the following application requests will fail: - `noNotificationNoVerification` @@ -238,7 +243,6 @@ The default is 0. The default method provides high-quality assisted GNSS positio > The Mobile Station Assisted and AFLT positioning methods must only be configured for test purposes.   - For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. **LocMasterSwitchDependencyNII** @@ -282,7 +286,6 @@ Optional. Integer. Defines the minimum interval of time in seconds between mobil ## Unsupported Nodes - The following optional nodes are not supported on Windows devices. - ProviderID @@ -305,7 +308,6 @@ If a mobile operator requires the communication with the H-SLP to take place ove ## OMA Client Provisioning examples - Adding new configuration information for a H-SLP server for SUPL. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. ```xml 
@@ -330,7 +332,7 @@ Adding new configuration information for a H-SLP server for SUPL. Values in ital ``` -Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. +Adding a SUPL and a V2 UPL account to the same device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary BLOB must be included for the root certificate data value. ```xml @@ -361,7 +363,6 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be ## OMA DM examples - Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. ```xml @@ -436,7 +437,6 @@ Adding a SUPL account to a device. Values in italic must be replaced with correc ## Microsoft Custom Elements - The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. |Elements|Available| diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index e0a043830c..c0cc89c25c 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -14,7 +14,7 @@ ms.date: 07/28/2017 # SurfaceHub CSP -The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511. +The SurfaceHub configuration service provider (CSP) is used to configure Microsoft Surface Hub settings. This CSP was added in Windows 10, version 1511, and later. The following shows the SurfaceHub CSP management objects in tree format. ``` 
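Review bot: "This CSP was added in Windows 10, version 1511, and later." in the SurfaceHub hunk reads as though the CSP were added more than once; "added in Windows 10, version 1511" already implies it exists in later versions. Keep the original sentence, or if the intent is to state support rather than introduction, write "This CSP is supported in Windows 10, version 1511 and later."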
@@ -216,7 +216,7 @@ If there is an error calling ValidateAndCommit, there is additional context for | 3 | Populating Exchange server address | Unable to auto-discover your Exchange server address. Try to manually specify the Exchange server address using the ExchangeServer field. | | 4 | Validating Exchange server address | Unable to validate the Exchange server address. Ensure that the ExchangeServer field is valid. | | 5 | Saving account information | Unable to save account details to the system. | -| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Make sure the EAS policy is configured correctly according to the admin guide. | +| 6 | Validating EAS policies | The device account uses an unsupported EAS policy. Ensure the EAS policy is configured correctly according to the admin guide. | The data type is integer. Supported operation is Get. @@ -254,7 +254,7 @@ The data type is integer. Supported operation is Get.

The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -

Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +

Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a 32-bit PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.

The data type is string. Supported operation is Get and Replace. From 54be22e9ac1b6b4a741c97e4a0713af2b99c1830 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 4 Apr 2022 15:19:14 +0530 Subject: [PATCH 11/59] Updated --- .../client-management/mdm/accountmanagement-csp.md | 8 -------- windows/client-management/mdm/accounts-csp.md | 9 --------- .../client-management/mdm/cmpolicyenterprise-csp.md | 12 +----------- windows/client-management/mdm/customdeviceui-csp.md | 7 ------- windows/client-management/mdm/developersetup-csp.md | 8 -------- 5 files changed, 1 insertion(+), 43 deletions(-) diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md index 254aa5b416..8f42b52db0 100644 --- a/windows/client-management/mdm/accountmanagement-csp.md +++ b/windows/client-management/mdm/accountmanagement-csp.md @@ -32,14 +32,6 @@ AccountManagement --------ProfileInactivityThreshold ``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - **./Vendor/MSFT/AccountManagement** Root node for the AccountManagement configuration service provider. diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md index 18d425c0f2..1269c2797e 100644 --- a/windows/client-management/mdm/accounts-csp.md +++ b/windows/client-management/mdm/accounts-csp.md @@ -30,15 +30,6 @@ Accounts ------------LocalUserGroup ``` -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|No|No| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - - **./Device/Vendor/MSFT/Accounts** Root node. diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index d5657c45d3..d07e72b9a5 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md 
@@ -14,23 +14,13 @@ ms.date: 06/26/2017 # CMPolicyEnterprise CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|No|No| -|Education|Yes|Yes| - -======= - The CMPolicyEnterprise configuration service provider is used by the enterprise to define rules that the Connection Manager uses to identify the correct connection for a connection request. > [!NOTE] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies -======= + Each policy entry identifies one or more applications in combination with a host pattern. The policy entry is assigned a list of connection details that Connection Manager uses to satisfy connection requests matching the application and host patterns. CMPolicyEnterprise configuration service provider can have multiple policies diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index e59eb1a383..98f6c3c61b 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md 
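Review bot: The CMPolicyEnterprise hunk deletes the stray "=======" conflict markers but keeps both sides of the conflict, so the paragraph "Each policy entry identifies one or more applications in combination with a host pattern. …" now appears twice in a row, separated only by the blank line this hunk adds. Drop one copy, and check the file for the matching "<<<<<<<" / ">>>>>>>" lines that normally accompany a leftover "=======".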
@@ -14,13 +14,6 @@ ms.date: 06/26/2017 # CustomDeviceUI CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|No|No| -|Education|Yes|Yes| The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported. The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md index 4ea714b2a9..b27c178d3c 100644 --- a/windows/client-management/mdm/developersetup-csp.md +++ b/windows/client-management/mdm/developersetup-csp.md @@ -14,14 +14,6 @@ ms.date: 06/26/2018 # DeveloperSetup CSP -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - The DeveloperSetup configuration service provider (CSP) is used to configure Developer Mode on the device and connect to the Windows Device Portal. For more information about the Windows Device Portal, see [Windows Device Portal overview](/windows/uwp/debug-test-perf/device-portal). This CSP was added in Windows 10, version 1703. > [!NOTE] From 0aec98f98a3d21564fedb39c0aa39c687e825a04 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 4 Apr 2022 15:22:08 +0530 Subject: [PATCH 12/59] Update cmpolicyenterprise-csp.md --- windows/client-management/mdm/cmpolicyenterprise-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index d07e72b9a5..6c7a628a81 100644 
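Review bot: The CustomDeviceUI hunk removes the seven table lines but leaves the blank line that preceded the table and the one that followed it, so the heading is now separated from "The CustomDeviceUI configuration service provider allows OEMs …" by two blank lines; delete one of them. The commit message "Updated" also gives no reason for removing these applicability tables (added only a few commits earlier in this series) from five pages; state in the message that the edition values were unverified or wrong, whichever applies.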
--- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -77,7 +77,7 @@ A value of "0" specifies that the connections aren't listed in order of preferen **Conn***XXX* Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three-digits, which increment starting from "000". For example, a policy which applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". -======= + Enumerates the connections associated with the policy. Element names begin with "Conn" followed by three digits that increment starting from "000". For example, a policy which is applied to five connections would have element entries named "Conn000", "Conn001", "Conn002", "Conn003", and "Conn004". **ConnectionID** From 86b43f5b454bbdee076bbbb0cece5e9cc838e0bc Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Mon, 4 Apr 2022 23:58:03 +0530 Subject: [PATCH 13/59] Updated --- windows/client-management/mdm/bitlocker-csp.md | 1 + windows/client-management/mdm/tpmpolicy-csp.md | 9 +++++++++ windows/client-management/mdm/uefi-csp.md | 9 +++++++++ .../client-management/mdm/unifiedwritefilter-csp.md | 9 +++++++++ windows/client-management/mdm/update-csp.md | 10 ++++++++++ windows/client-management/mdm/vpnv2-csp.md | 11 ++++++++++- windows/client-management/mdm/w4-application-csp.md | 11 ++++++++++- windows/client-management/mdm/w7-application-csp.md | 13 +++++++++---- 8 files changed, 67 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 33ec0aa74f..6c1b9368e4 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md 
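Review bot: Same leftover-merge problem in the Conn*XXX* hunk: removing "=======" leaves two descriptions of the node back to back ("… followed by three-digits, which increment starting from "000" …" and "… followed by three digits that increment starting from "000" …"). Keep only the second, reworded sentence and delete the first.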
@@ -71,6 +71,7 @@ Defines the root node for the BitLocker configuration service provider. Allows the administrator to require encryption that needs to be turned on by using BitLocker\Device Encryption. + |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 6c01205868..aebdca3212 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -13,6 +13,15 @@ manager: dansimp # TPMPolicy CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 8a3a6d1f58..093c971528 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -13,6 +13,15 @@ manager: dansimp # UEFI CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809. 
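Review bot: In the TPMPolicy and UEFI hunks the new applicability table has no blank line after its last row, so "The TPMPolicy configuration service provider (CSP) provides a mechanism …" and "The UEFI configuration service provider (CSP) interfaces to …" are rendered as one more table row (a GFM table ends only at a blank line or another block). Add a blank line after "|Education|Yes|Yes|", as the Update CSP hunk in this same patch already does. The BitLocker change, which adds the missing blank line between the paragraph and the table, is the right pattern.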
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index 186d8823ae..e0f083cf64 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -14,6 +14,15 @@ ms.date: 06/26/2017 # UnifiedWriteFilter CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The UnifiedWriteFilter (UWF) configuration service provider enables the IT administrator to remotely manage the UWF to help protect physical storage media including any writable storage type. diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index c57a52f15f..f5a5bd0adb 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -14,6 +14,16 @@ ms.date: 02/23/2018 # Update CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The Update configuration service provider enables IT administrators to manage and control the rollout of new updates. > [!NOTE] diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index add96c2ec0..ac6ce3f1de 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -14,6 +14,15 @@ ms.date: 09/21/2021 # VPNv2 CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The VPNv2 configuration service provider allows the mobile device management (MDM) server to configure the VPN profile of the device. 
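Review bot: The UnifiedWriteFilter and VPNv2 hunks have the same missing blank line between "|Education|Yes|Yes|" and the paragraph that follows ("The UnifiedWriteFilter (UWF) configuration service provider enables …" and "The VPNv2 configuration service provider allows …"); of the three files in this range only the Update CSP hunk is correct. Add the blank line in the other two.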
@@ -696,7 +705,7 @@ Supported operations include Get, Add, Replace, and Delete. Reserved for future use. **VPNv2/**ProfileName**/NativeProfile** -Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, L2TP). +Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (IKEv2, PPTP, and L2TP). **VPNv2/**ProfileName**/NativeProfile/Servers** Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index 026dcfb003..1c6f914c0e 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -14,6 +14,15 @@ ms.date: 06/26/2017 # w4 APPLICATION CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| Use an **APPLICATION** configuration service provider that has an APPID of w4 to configure Multimedia Messaging Service (MMS). @@ -47,7 +56,7 @@ This parameter takes a string value. The possible values to configure the NAME p - no value specified > [!NOTE] -> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. So after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc. +> The APPLICATION/NAME value is displayed in the UI. The APPLICATION/NAME value might not be saved on the device. Hence, after an upgrade, the MDM servers should resend APPLICATION/NAME to DMAcc. If no value is specified, the registry location will default to ``. 
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index c69b5612ca..079d7923cd 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -14,6 +14,15 @@ ms.date: 06/26/2017 # w7 APPLICATION CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it is managed over OMA Client Provisioning. @@ -54,7 +63,6 @@ APPLICATION > **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. -  **APPADDR** This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address. @@ -132,9 +140,7 @@ Optional. The INIT parameter is used in the APPLICATION characteristic to indica > **Note**   This node is only for mobile operators and MDM servers that try to use this will fail. This node is not supported in the enterprise MDM enrollment scenario. This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio is not yet ready. -   - **INITIALBACKOFFTIME** Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter. 
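Review bot: The same missing blank line after `+|Education|Yes|Yes|` appears in the unifiedwritefilter-csp.md, vpnv2-csp.md, w4-application-csp.md and w7-application-csp.md hunks (each `@@ -14,6 +14,15 @@`, nine added lines); in every one the next existing line is the page's opening paragraph, which will be swallowed into the table. Add the trailing `+` blank line in each, matching the update-csp.md hunk that adds ten lines.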
@@ -183,7 +189,6 @@ Stores specifies which certificate stores the DM client will search to find the > **Note**   %EF%80%80 is the UTF8-encoded character U+F000.   - Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following: ```xml From bec86ae7fb283585d68a26212cb66c92e5a22bda Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 5 Apr 2022 00:11:24 +0530 Subject: [PATCH 14/59] Updated --- windows/client-management/mdm/tpmpolicy-csp.md | 2 +- windows/client-management/mdm/uefi-csp.md | 2 +- windows/client-management/mdm/unifiedwritefilter-csp.md | 1 - windows/client-management/mdm/update-csp.md | 2 +- windows/client-management/mdm/vpnv2-csp.md | 4 ++-- 5 files changed, 5 insertions(+), 6 deletions(-) diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index aebdca3212..a34197b788 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -25,7 +25,7 @@ The table below shows the applicability of Windows: The TPMPolicy configuration service provider (CSP) provides a mechanism to enable zero exhaust configuration on a Windows device for TPM software components. Zero exhaust is defined as no network traffic (diagnostic data or otherwise, such as downloading background images, Windows Updates, and so on.) from Windows and inbox applications to public IP addresses unless directly intended by the user. This allows the enterprise admin to configure devices where no network communication is initiated by the system without explicit approval. -The TPMPolicy CSP was added in Windows 10, version 1703. +The TPMPolicy CSP was added in Windows 10, version 1703, and later. The following shows the TPMPolicy configuration service provider in tree format. ``` 
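Review bot: In the tpmpolicy-csp.md hunk at `@@ -25,7 +25,7 @@`, `+The TPMPolicy CSP was added in Windows 10, version 1703, and later.` is self-contradictory: a CSP is added in one release, and "and later" belongs to an availability statement. Either keep the original sentence or rewrite it as `The TPMPolicy CSP is available in Windows 10, version 1703 and later.`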
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 093c971528..70a1273bfa 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -23,7 +23,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809. +The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809c, and later. > [!NOTE] > The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809). diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md index e0f083cf64..358e9ed61a 100644 --- a/windows/client-management/mdm/unifiedwritefilter-csp.md +++ b/windows/client-management/mdm/unifiedwritefilter-csp.md @@ -324,7 +324,6 @@ Supported operations are Get and Execute. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/update-csp.md b/windows/client-management/mdm/update-csp.md index f5a5bd0adb..c3185ca305 100644 --- a/windows/client-management/mdm/update-csp.md +++ b/windows/client-management/mdm/update-csp.md @@ -72,7 +72,7 @@ The following shows the Update configuration service provider in tree format. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -

The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +

The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update.

The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index ac6ce3f1de..0bfb6fce06 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md 
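Review bot: The uefi-csp.md hunk at `@@ -23,7 +23,7 @@` introduces a typo: `+... This CSP was added in Windows 10, version 1809c, and later.` There is no version 1809c, and "added in ... and later" has the same problem as the tpmpolicy change in this patch. Suggest `This CSP is available in Windows 10, version 1809 and later.`; the unchanged note directly below still says `is replaced with this one (version 1809)`, which the typo would contradict.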
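Review bot: The update-csp.md hunk at `@@ -72,7 +72,7 @@` removes a blank line and adds a blank line at the same position, so it is a whitespace-only change (most likely trailing whitespace or a line-ending difference) with no visible content. If that was not intended, drop the hunk so the patch contains only the wording edits.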
@@ -559,7 +559,7 @@ An optional flag to enable Always On mode. This will automatically connect the V Preserving user Always On preference -Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. +Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually uncheck the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList. Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference. Key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config` Value: AutoTriggerDisabledProfilesList @@ -735,7 +735,7 @@ Required for native profiles. Type of tunneling protocol used. This value can be Value type is chr. Supported operations include Get, Add, Replace, and Delete. > [!NOTE] -> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP and then L2TP. This order is not customizable. +> The **Automatic** option means that the device will try each of the built-in tunneling protocols until one succeeds. It will attempt protocols in following order: SSTP, IKEv2, PPTP, and then L2TP. This order is not customizable. **VPNv2/**ProfileName**/NativeProfile/Authentication** Required node for native profile. It contains authentication information for the native VPN profile. From 4c5d5d2b3ef8b45f0af540cf74ac1efda4e934b7 Mon Sep 17 00:00:00 2001 
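Review bot: The vpnv2-csp.md hunk at `@@ -559,7 +559,7 @@` introduces a grammar error: `-... In the event that a user manually unchecks the “Connect automatically” checkbox` becomes `+... In the event that a user manually uncheck the “Connect automatically” checkbox`. The original third-person "unchecks" was correct; revert this line, or simplify it to `If a user manually unchecks the “Connect automatically” checkbox`.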
From: Nimisha Satapathy Date: Tue, 5 Apr 2022 00:59:06 +0530 Subject: [PATCH 15/59] Update vpnv2-csp.md --- windows/client-management/mdm/vpnv2-csp.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 0bfb6fce06..ef763b68fa 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -29,13 +29,13 @@ The VPNv2 configuration service provider allows the mobile device management (MD Here are the requirements for this CSP: - VPN configuration commands must be wrapped in an Atomic block in SyncML. -- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you are using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies. +- For best results, configure your VPN certificates first before pushing down VPN profiles to devices. If you're using Windows Information Protection (WIP) (formerly known as Enterprise Data Protection), then you should configure VPN first before you configure WIP policies. - Instead of changing individual properties, follow these steps to make any changes: - Send a Delete command for the ProfileName to delete the entire profile. - Send the entire profile again with new values wrapped in an Atomic block. - In certain conditions you can change some properties directly, but we do not recommend it. + In certain conditions you can change some properties directly, but we don't recommend it. The XSDs for all EAP methods are shipped in the box and can be found at the following locations: 
@@ -341,7 +341,7 @@ Supported operations include Get, Add, and Delete. Optional node. List of applications set to trigger the VPN. If any of these apps are launched and the VPN profile is currently the active profile, this VPN profile will be triggered to connect. **VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId -A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you should not skip numbers. +A sequential integer identifier that allows the ability to specify multiple apps for App Trigger. Sequencing must start at 0 and you shouldn't skip numbers. Supported operations include Get, Add, Replace, and Delete. @@ -349,7 +349,7 @@ Supported operations include Get, Add, Replace, and Delete. App Node under the Row Id. **VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Id** -App identity, which is either an app’s package family name or file path. The type is inferred by the Id, and therefore cannot be specified in the get only App/Type field +App identity, which is either an app’s package family name or file path. The type is inferred by the Id, and therefore can't be specified in the get only App/Type field **VPNv2/**ProfileName**/AppTriggerList/**appTriggerRowId**/App/Type** Returns the type of **App/Id**. This value can be either of the following: 
@@ -364,10 +364,10 @@ Optional node. List of routes to be added to the routing table for the VPN inter Every computer that runs TCP/IP makes routing decisions. These decisions are controlled by the IP routing table. Adding values under this node updates the routing table with routes for the VPN interface post connection. The values under this node represent the destination prefix of IP routes. A destination prefix consists of an IP address prefix and a prefix length. -Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and do not need this information in the VPN Profile. Please check with your VPN server administrator to determine whether you need this information in the VPN profile. +Adding a route here allows the networking stack to identify the traffic that needs to go over the VPN interface for split tunnel VPN. Some VPN servers can configure this during connect negotiation and don't need this information in the VPN Profile. Check with your VPN server administrator to determine whether you need this information in the VPN profile. **VPNv2/**ProfileName**/RouteList/**routeRowId -A sequential integer identifier for the RouteList. This is required if you are adding routes. Sequencing must start at 0. +A sequential integer identifier for the RouteList. This is required if you're adding routes. Sequencing must start at 0. Supported operations include Get, Add, Replace, and Delete. 
@@ -397,7 +397,7 @@ Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList** Optional node. Name Resolution Policy Table (NRPT) rules for the VPN profile. -The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any additional flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. +The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings stored in the Windows registry that determines the DNS client behavior when issuing queries and processing responses. Each row in the NRPT represents a rule for a portion of the namespace for which the DNS client issues queries. Before issuing name resolution queries, the DNS client consults the NRPT to determine if any another flags must be set in the query. After receiving the response, the client again consults the NRPT to check for any special processing or policy requirements. In the absence of the NRPT, the client operates based on the DNS servers and suffixes set on the interface. > [!NOTE] > Only applications using the [Windows DNS API](/windows/win32/dns/dns-reference) can make use of the NRPT and therefore all settings configured within the DomainNameInformationList section. Applications using their own DNS implementation bypass the Windows DNS API. 
One example of applications not using the Windows DNS API is nslookup, so always use the PowerShell CmdLet [Resolve-DNSName](/powershell/module/dnsclient/resolve-dnsname) to check the functionality of the NRPT. @@ -418,7 +418,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/DomainNameType** Returns the namespace type. This value can be one of the following: -- FQDN - If the DomainName was not prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host. +- FQDN - If the DomainName wasn't prepended with a**.** and applies only to the fully qualified domain name (FQDN) of a specified host. - Suffix - If the DomainName was prepended with a**.** and applies to the specified namespace, all records in that namespace, and all subdomains. Value type is chr. Supported operation is Get. @@ -429,7 +429,7 @@ List of comma-separated DNS Server IP addresses to use for the namespace. Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/WebProxyServers** -Optional. Web Proxy Server IP address if you are redirecting traffic through your intranet. +Optional. Web Proxy Server IP address if you're redirecting traffic through your intranet. > [!NOTE] > Currently only one web proxy server is supported. @@ -439,7 +439,7 @@ Value type is chr. Supported operations include Get, Add, Replace, and Delete. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/AutoTrigger** Added in Windows 10, version 1607. Optional. Boolean to determine whether this domain name rule will trigger the VPN. -If set to False, this DomainName rule will not trigger the VPN. +If set to False, this DomainName rule won't trigger the VPN. If set to True, this DomainName rule will trigger the VPN 
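Review bot: The vpnv2-csp.md hunk at `@@ -397,7 +397,7 @@` turns correct text into an error: `the DNS client consults the NRPT to determine if any additional flags must be set` becomes `... to determine if any another flags must be set`. "Any another" is ungrammatical; keep "any additional flags". Every other hunk in this patch only swaps "do not"/"cannot"/"is not" for contractions, so this looks like a search-and-replace slip rather than an intended rewording.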
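Review bot: The vpnv2-csp.md hunk at `@@ -448,7 +448,7 @@` rewrites the Persistent description for the contraction but leaves `Value values:` at the end of the line (`+Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN isn't connected. Value values:`). Since the line is being touched anyway, correct it to `Valid values:` to match the two values listed beneath it.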
@@ -448,7 +448,7 @@ By default, this value is false. Value type is bool. **VPNv2/**ProfileName**/DomainNameInformationList/**dniRowId**/Persistent** -Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN is not connected. Value values: +Added in Windows 10, version 1607. A boolean value that specifies if the rule being added should persist even when the VPN isn't connected. Value values: - False (default) - This DomainName rule will only be applied when VPN is connected. - True - This DomainName rule will always be present and applied. From 10c666cbfe275dee9f4393e83ec7cbefde1f8f18 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Tue, 5 Apr 2022 12:32:45 +0530 Subject: [PATCH 16/59] Updated MDM -Search CSP-DisableSearch Updated as per task : 5857645. Thanks! OOB- must be published around SV2 release of documentation. --- .../policy-configuration-service-provider.md | 5 +- .../mdm/policy-csp-search.md | 57 ++++++++++++++++++- 2 files changed, 59 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index db53557678..88bfae707f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -70,7 +70,7 @@ Policy

Supported operation is Get. **Policy/Config** -

Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. +

Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value) the configuration source can use the Policy/Result path to retrieve the resulting value.

Supported operation is Get. @@ -8360,6 +8360,9 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC

Search/DisableRemovableDriveIndexing
+
+ Search/DisableSearch +
Search/DoNotUseWebResults
diff --git a/windows/client-management/mdm/policy-csp-search.md b/windows/client-management/mdm/policy-csp-search.md index 5c7775b5f5..6f065c334d 100644 --- a/windows/client-management/mdm/policy-csp-search.md +++ b/windows/client-management/mdm/policy-csp-search.md @@ -14,7 +14,6 @@ manager: dansimp # Policy CSP - Search -
@@ -57,6 +56,9 @@ manager: dansimp
Search/DisableRemovableDriveIndexing
+
+ Search/DisableSearch +
Search/DoNotUseWebResults
@@ -629,6 +631,57 @@ The following list shows the supported values:
+ +**Search/DisableSearch** + + + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|No|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes| + + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +This policy setting completely disables Search UI and all its entry points such as keyboard shortcuts and touch-pad gestures. + +It removes the Search button from the Taskbar and the corresponding option in the Settings. It also disables type-to-search in the Start menu and removes the Start menu's search box. + + + +ADMX Info: + +- GP Friendly name: *Fully disable Search UI* +- GP name: *DisableSearch* +- GP path: *Windows Components/Search* +- GP ADMX file name: *Search.admx* + + + +The following list shows the supported values: + +- 0 (default) – Do not disable search. +- 1 – Disable search. + + + + +
+ **Search/DoNotUseWebResults** @@ -761,7 +814,7 @@ The following list shows the supported values: -If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index.. +If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this computer's index. From 1539a42ec92a106ef653ff3c73b330170a44bac1 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Tue, 5 Apr 2022 19:19:51 +0530 Subject: [PATCH 17/59] Updated --- windows/client-management/mdm/multisim-csp.md | 9 +++++++++ windows/client-management/mdm/nap-csp.md | 16 +++++++++++++--- windows/client-management/mdm/napdef-csp.md | 14 ++++++++++++-- .../client-management/mdm/networkproxy-csp.md | 16 +++++++++++++--- .../mdm/networkqospolicy-csp.md | 14 ++++++++++++-- windows/client-management/mdm/nodecache-csp.md | 15 ++++++++++++--- windows/client-management/mdm/office-csp.md | 9 +++++++++ .../client-management/mdm/passportforwork-csp.md | 2 ++ .../client-management/mdm/personalization-csp.md | 10 ++++++++++ .../client-management/mdm/policymanager-csp.md | 10 ++++++++++ .../client-management/mdm/provisioning-csp.md | 9 +++++++++ windows/client-management/mdm/proxy-csp.md | 9 +++++++++ windows/client-management/mdm/pxlogical-csp.md | 9 +++++++++ 13 files changed, 129 insertions(+), 13 deletions(-) diff --git a/windows/client-management/mdm/multisim-csp.md b/windows/client-management/mdm/multisim-csp.md index aa2284255f..a2823f1674 100644 --- a/windows/client-management/mdm/multisim-csp.md +++ b/windows/client-management/mdm/multisim-csp.md 
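Review bot: The policy-csp-search.md hunk at `@@ -629,6 +631,57 @@` adds Search/DisableSearch without stating which release introduced it. The applicability table marks every Windows 10 edition `No` (`|Pro|No|Yes|`, `|Enterprise|No|Yes|`) and the commit message ties the policy to the SV2 release, so the description should open with an "Added in Windows 11, version ..." sentence, as other entries in this series do (for example `Added in Windows 10, version 1607.` in the vpnv2-csp.md hunks of PATCH 15), and say plainly that the policy applies to Windows 11 only rather than leaving readers to infer it from the table.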
@@ -13,6 +13,15 @@ manager: dansimp # MultiSIM CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The MultiSIM configuration service provider (CSP) is used by the enterprise to manage devices with dual SIM single active configuration. An enterprise can set policies on whether that user can switch between SIM slots, specify which slot is the default, and whether the slot is embedded. This CSP was added in Windows 10, version 1803. diff --git a/windows/client-management/mdm/nap-csp.md b/windows/client-management/mdm/nap-csp.md index e3edb1b0d1..6226dc5d20 100644 --- a/windows/client-management/mdm/nap-csp.md +++ b/windows/client-management/mdm/nap-csp.md @@ -14,6 +14,16 @@ ms.date: 06/26/2017 # NAP CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The NAP (Network Access Point) Configuration Service Provider is used to manage and query GPRS and CDMA connections. > [!Note] @@ -67,7 +77,7 @@ Root node. ***NAPX*** Required. Defines the name of the network access point. -It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). +It is recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two network access points, use "NAP0" and "NAP1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), however, no spaces may appear in the name (use %20 instead). ***NAPX*/NAPID** Required. Specifies the identifier of the destination network. 
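Review bot: The multisim-csp.md hunk at `@@ -13,6 +13,15 @@` adds the applicability table with no blank line between `+|Education|Yes|Yes|` and the existing paragraph `The MultiSIM configuration service provider (CSP) is used by the enterprise...`, so GFM-style parsers will absorb that paragraph into the table as a row. Add a `+` blank line after the Education row, as the nap-csp.md hunk (`@@ -14,6 +14,16 @@`) in this patch does; the nodecache-csp.md hunk at the end of this patch (`@@ -14,6 +14,15 @@`) has the same omission before `The NodeCache configuration service provider is used to manage the client cache.`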
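Review bot: The nap-csp.md hunk at `@@ -67,7 +77,7 @@` replaces "but" with "however" and creates a comma splice: `+... Any unique name can be used if desired (such as "GPRS-NAP"), however, no spaces may appear in the name (use %20 instead).` Either keep "but" or punctuate it as `(such as "GPRS-NAP"); however, no spaces may appear in the name`.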
@@ -97,7 +107,7 @@ The following table shows some commonly used ADDRTYPE values and the types of co Optional node. Specifies the authentication information, including the protocol, user name, and password. ***NAPX*/AuthInfo/AuthType** -Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, MD5. +Optional. Specifies the method of authentication. Some supported protocols are PAP, CHAP, HTTP-BASIC, HTTP-DIGEST, WTLS-SS, and MD5. ***NAPX*/AuthInfo/AuthName** Optional. Specifies the user name and domain to be used during authentication. This field is in the form *Domain*\\*UserName*. @@ -111,7 +121,7 @@ Queries of this field will return a string composed of sixteen asterisks (\*). Node. ***NAPX*/Bearer/BearerType** -Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, WiFi. +Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, and WiFi. ## Related articles diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md index 341c72e038..47ce672a7e 100644 --- a/windows/client-management/mdm/napdef-csp.md +++ b/windows/client-management/mdm/napdef-csp.md 
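Review bot: In the nap-csp.md hunk at `@@ -111,7 +121,7 @@`, `+Required. Specifies the network type of the destination network. This can be set to GPRS, CDMA2000, WCDMA, TDMA, CSD, DTPT, and WiFi.` now reads as if BearerType holds all of those values at once; the field takes a single value, so the list should end with "or WiFi". The parallel change in `@@ -97,7 +107,7 @@` ("... WTLS-SS, and MD5") is fine because that sentence enumerates supported protocols rather than a single setting.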
@@ -14,7 +14,17 @@ ms.date: 06/26/2017 # NAPDEF CSP -The NAPDEF configuration service provider is used to add, modify, or delete WAP network access points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a. +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The NAPDEF configuration service provider is used to add, modify, or delete WAP Network Access Points (NAPs). For complete information about these settings, see the standard WAP specification WAP-183-ProvCont-20010724-a. > [!Note] > You cannot use NAPDEF CSP on the desktop to update the Push Proxy Gateway (PPG) list. @@ -71,7 +81,7 @@ A query of this parameter returns asterisks (\*) in the results. **AUTHTYPE** Specifies the protocol used to authenticate the user. -The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. Note +The only permitted values for this element are "POP" (Password Authentication Protocol) and "CHAP" (Challenge Handshake Authentication Protocol) authentication protocols. > [!Note] > **AuthName** and **AuthSecret** are not created if **AuthType** is not included in the initial device configuration. **AuthName** and **AuthSecret** cannot be changed if **AuthType** is not included in the provisioning XML used to make the change. diff --git a/windows/client-management/mdm/networkproxy-csp.md b/windows/client-management/mdm/networkproxy-csp.md index 743fe416fa..e25829d8fa 100644 --- a/windows/client-management/mdm/networkproxy-csp.md +++ b/windows/client-management/mdm/networkproxy-csp.md 
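Review bot: The napdef-csp.md hunk at `@@ -71,7 +81,7 @@` rightly drops the stray `Note` from the end of the AUTHTYPE sentence, but the rewritten line still pairs `"POP"` with `(Password Authentication Protocol)`; the standard abbreviation for Password Authentication Protocol is PAP, which is also what the nap-csp.md AuthType hunk in this same patch lists. Check the permitted value against the WAP-183-ProvCont-20010724-a specification the page cites and correct whichever half of the pairing is wrong while this line is being edited.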
@@ -13,11 +13,21 @@ manager: dansimp # NetworkProxy CSP -The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and Wi-Fi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703. +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + +The NetworkProxy configuration service provider (CSP) is used to configure a proxy server for ethernet and WiFi connections. These settings do not apply to VPN connections. This CSP was added in Windows 10, version 1703. How the settings work: -- If auto-detect is enabled, the system tries to find the path to a proxy auto config (PAC) script and download it. +- If auto-detect is enabled, the system tries to find the path to a Proxy Auto Config (PAC) script and download it. - If #1 fails and a setup script is specified, the system tries to download the explicitly configured PAC script. - If #2 fails and a proxy server is specified, the system tries to use the explicitly configured proxy server. - Otherwise, the system tries to reach the site directly. @@ -63,7 +73,7 @@ Address to the PAC script you want to use. The data type is string. Supported operations are Get and Replace. Starting in Windows 10, version 1803, the Delete operation is also supported. **ProxyServer** -Node for configuring a static proxy for Ethernet and Wi-Fi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. +Node for configuring a static proxy for Ethernet and WiFi connections. The same proxy server is used for all protocols - including HTTP, HTTPS, FTP, and SOCKS. These settings do not apply to VPN connections. Supported operation is Get. 
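Review bot: The networkproxy-csp.md hunks at `@@ -13,11 +13,21 @@` and `@@ -63,7 +73,7 @@` change `Wi-Fi` to `WiFi` in two sentences (`-... a proxy server for ethernet and Wi-Fi connections` and `-Node for configuring a static proxy for Ethernet and Wi-Fi connections`). `Wi-Fi` is the trademark spelling and the form the original text used, so these two edits go in the wrong direction and should be dropped; the remaining changes in these hunks (the applicability table and the PAC capitalization) are unaffected.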
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 464a920e6d..02952562e5 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -13,6 +13,16 @@ manager: dansimp # NetworkQoSPolicy CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703. The following conditions are supported: @@ -71,7 +81,7 @@ NetworkQoSPolicy

The supported operations are Add, Get, Delete, and Replace. ***Name*/AppPathNameMatchCondition** -

Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. +

Specifies the name of an application to be used to match the network traffic, such as `application.exe` or `%ProgramFiles%\application.exe`.

The data type is char. @@ -111,7 +121,7 @@ NetworkQoSPolicy

The supported operations are Add, Get, Delete, and Replace. ***Name*/DSCPAction** -

The differentiated services code point (DSCP) value to apply to matching network traffic. +

The Differentiated Services Code Point (DSCP) value to apply to matching network traffic.

Valid values are 0-63. diff --git a/windows/client-management/mdm/nodecache-csp.md b/windows/client-management/mdm/nodecache-csp.md index 4ac44047b0..b94af26c6a 100644 --- a/windows/client-management/mdm/nodecache-csp.md +++ b/windows/client-management/mdm/nodecache-csp.md @@ -14,6 +14,15 @@ ms.date: 06/26/2017 # NodeCache CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The NodeCache configuration service provider is used to manage the client cache. This configuration service provider is to be used only by enterprise management servers. It provides a level of abstraction that decouples the management of the node list from a specific backing store. It synchronizes the client cache with the server side cache. It also provides an API for monitoring device-side cache changes. 
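Review bot: in the nodecache-csp.md hunk the applicability table is inserted with no blank line between its last row and the paragraph beginning "The NodeCache configuration service provider is used to manage the client cache"; every other file in this patch has a "+" blank line there. Without it, Markdown treats the following paragraph as a continuation of the table and renders it as a malformed extra row. Add the blank line.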
@@ -72,7 +81,7 @@ NodeCache Required. The root node for the NodeCache object. Supported operation is Get. This configuration service provider is used for enterprise device management only. This is a predefined MIME type to identify this managed object in OMA DM syntax. ***ProviderID*** -Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one *ProviderID* node under **NodeCache**. Scope is dynamic. +Optional. Group settings per DM server. Each group of settings is distinguished by the server’s Provider ID. It should be the same DM server **PROVIDER-ID** value that was supplied through the [w7 APPLICATION configuration service provider](w7-application-csp.md) XML during the enrollment process. Only one enterprise management server is supported. That is, there should be only one **ProviderID** node under **NodeCache**. Scope is dynamic. Supported operations are Get, Add, and Delete. 
@@ -384,9 +393,9 @@ It represents this: ``` Id is the node ID that was added by the MDM server, and Uri is the path that the node is tracking. -If a Uri is not set, the node will always be reported as changed, as in Node id 10. +If a Uri is not set, the node will always be reported as changed, as in Node ID 10. -The value inside of the node tag is the actual value returned by the Uri, which means that for Node Id 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. +The value inside of the node tag is the actual value returned by the Uri, which means that for Node ID 20 the DeviceName did not match what was previously expected, and the device name is now U09NRU5FV1ZBTFVF instead of what it was previously. ## Related topics diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 79204c2935..a3435d97ad 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -13,6 +13,15 @@ manager: dansimp # Office CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/office-deployment-tool-configuration-options) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365). diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 68bd28dd1e..28f58be0a4 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md 
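Review bot: the office-csp.md hunk has the same defect as nodecache-csp.md: the new applicability table runs straight into "The Office configuration service provider (CSP) enables..." with no blank line after the last row, so that paragraph will render as a broken table row; add the blank line. In the nodecache-csp.md "Node ID 20" hunk, the sentence presents U09NRU5FV1ZBTFVF as if it were the device name itself; it is the base64-encoded value the node returned (it decodes to SOMENEWVALUE), so say "is now the base64-encoded value U09NRU5FV1ZBTFVF" so that readers diffing cache results know to decode before comparing against the expected name.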
@@ -14,6 +14,8 @@ ms.date: 07/19/2019 # PassportForWork CSP +c + The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. > [!IMPORTANT] diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 67b7f88ce5..2fb9cf27d0 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -13,6 +13,16 @@ manager: dansimp # Personalization CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|No|No| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + The Personalization CSP can set the lock screen and desktop background images. Setting these policies also prevents the user from changing the image. You can also use the Personalization settings in a provisioning package. This CSP was added in Windows 10, version 1703. diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md index ecef629054..414eb77060 100644 --- a/windows/client-management/mdm/policymanager-csp.md +++ b/windows/client-management/mdm/policymanager-csp.md @@ -14,6 +14,16 @@ ms.date: 06/28/2017 # PolicyManager CSP +The table below shows the applicability of Windows: + +|Edition|Windows 10|Windows 11| +|--- |--- |--- | +|Home|Yes|Yes| +|Pro|Yes|Yes| +|Business|Yes|Yes| +|Enterprise|Yes|Yes| +|Education|Yes|Yes| + PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead. - -[Proxy CSP](proxy-csp.md) - - - -|Home|Pro|Business|Enterprise|Education| -|--- |--- |--- |--- |--- | -|Yes|Yes|Yes|Yes|Yes| - - - - [PXLogical CSP](pxlogical-csp.md) 
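Review bot: the passportforwork-csp.md hunk inserts a single stray line containing only "c" where every other file in this patch receives the "The table below shows the applicability of Windows" table; remove the "c" and add the table, or leave the file untouched. In the same region, policymanager-csp.md gets an applicability table marked Yes for every edition while the reference-page row for PolicyManager CSP that this patch removes in the next hunk said No for every edition, and the page body says the CSP is deprecated; both cannot be right, so settle which before shipping (the later commit deleting the file only resolves this if it lands together with this one).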
@@ -700,18 +688,6 @@ Additional lists: - -[PolicyManager CSP](policymanager-csp.md) - - - -|Home|Pro|Business|Enterprise|Education| -|--- |--- |--- |--- |--- | -|No|No|No|No|No| - - - - [Provisioning CSP](provisioning-csp.md) diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md index 2fb9cf27d0..70d8468f2f 100644 --- a/windows/client-management/mdm/personalization-csp.md +++ b/windows/client-management/mdm/personalization-csp.md @@ -18,8 +18,8 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| +|Pro|No|No| +|Business|No|No| |Enterprise|Yes|Yes| |Education|Yes|Yes| diff --git a/windows/client-management/mdm/policymanager-csp.md b/windows/client-management/mdm/policymanager-csp.md deleted file mode 100644 index ff8d1157b5..0000000000 --- a/windows/client-management/mdm/policymanager-csp.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: PolicyManager CSP -description: Learn how PolicyManager CSP is deprecated. For Windows 10 devices you should use Policy CSP, which replaces PolicyManager CSP. -ms.assetid: 048427b1-6024-4660-8660-bd91c583f7f9 -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: dansimp -ms.date: 06/28/2017 ---- - -# PolicyManager CSP - - -PolicyManager CSP is deprecated. Use [Policy CSP](policy-configuration-service-provider.md) instead. - - - -## Related articles - -[Policy CSP](policy-configuration-service-provider.md) - -[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/proxy-csp.md b/windows/client-management/mdm/proxy-csp.md deleted file mode 100644 index 50eef646bf..0000000000 --- a/windows/client-management/mdm/proxy-csp.md +++ /dev/null 
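Review bot: policymanager-csp.md and proxy-csp.md are deleted outright and the diff carries no .openpublishing.redirection.json entry for either path, so inbound links (Related-topics sections of other CSP pages, external bookmarks, search results) will 404. Add redirects: policymanager-csp.md to policy-configuration-service-provider.md, and proxy-csp.md to cm-proxyentries-csp.md, which is the replacement the deleted PROXY CSP page itself names in its note. The PROXY CSP page is also the only place documenting the ID_CAP_CSP_FOUNDATION / ID_CAP_NETWORKING_ADMIN requirement and the "Replace only works if the node already exists" caveat for that provider; if the CSP still ships, move that content rather than drop it. Finally, the pxlogical-csp.md hunk later in this patch removes an applicability table while every other file gains one; if the removed values were correct keep the table for consistency, and if they were wrong correct them instead of deleting.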
@@ -1,136 +0,0 @@ ---- -title: PROXY CSP -description: Learn how the PROXY configuration service provider (CSP) is used to configure proxy connections. -ms.assetid: 9904d44c-4a1e-4ae7-a6c7-5dba06cb16ce -ms.reviewer: -manager: dansimp -ms.author: dansimp -ms.topic: article -ms.prod: w10 -ms.technology: windows -author: dansimp -ms.date: 06/26/2017 ---- - -# PROXY CSP - -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|Yes|Yes| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - -The PROXY configuration service provider is used to configure proxy connections. - -> [!NOTE] -> Use [CM\_ProxyEntries CSP](cm-proxyentries-csp.md) instead of PROXY CSP, which will be deprecated in a future release. - -This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_NETWORKING\_ADMIN capabilities to be accessed from a network configuration application. - -For the PROXY CSP, you can't use the Replace command unless the node already exists. - -The following example shows the PROXY configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol isn't supported by this configuration service provider. - -``` -./Vendor/MSFT/Proxy -----* ---------ProxyId ---------Name ---------AddrType ---------Addr ---------AddrFQDN ---------ConRefs -------------* -----------------ConRef ---------Domains -------------* -----------------DomainName ---------Ports -------------* -----------------PortNbr -----------------Services ---------------------* -------------------------ServiceName ---------ProxyType ---------ProxyParams -------------WAP -----------------Trust -----------------PushEnabled ---------Ext -------------Microsoft -----------------Guid -``` - -**./Vendor/MSFT/Proxy** -Root node for the proxy connection. - -***ProxyName*** -Defines the name of a proxy connection. 
- -It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two proxy connections, use "PROXY0" and "PROXY1" as the element names. Any unique name can be used if desired (such as "GPRS-NAP"), but no spaces may appear in the name (use %20 instead). - -The addition, update, and deletion of this subtree of nodes have to be specified in a single atomic transaction. - -***ProxyName*/PROXYID** -Specifies the unique identifier of the proxy connection. - -***ProxyName*/NAME** -Specifies the user-friendly name of the proxy connection. - -***ProxyName*/ADDR** -Specifies the address of the proxy server. - -This value may be the network name of the server, or any other string (such as an IP address) used to uniquely identify the proxy connection. - -***ProxyName*/ADDRTYPE** -Specifies the type of address used to identify the proxy server. - -The valid values are IPV4, IPV6, E164, ALPHA. - -***ProxyName*/PROXYTYPE** -Specifies the type of proxy connection. - -Depending on the ProxyID, the valid values are ISA, WAP, SOCKS, or NULL. - -***ProxyName*/Ports** -Node for port information. - -***ProxyName*/Ports/_PortName_** -Defines the name of a port. - -It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two ports, use "PORT0" and "PORT1" as the element names. - -***ProxyName*/Ports/*PortName*/PortNbr** -Specifies the port number to be associated with the parent port. - -***ProxyName*/Ports/*PortName*/Services** -Node for services information. - -***ProxyName*/Ports/Services/_ServiceName_** -Defines the name of a service. - -It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two services, use "SERVICE0" and "SERVICE1" as the element names. - -***ProxyName*/Ports/Services/*ServiceName*/ServiceName** -Specifies the protocol to be associated with the parent port. 
- -One commonly used value is "HTTP". - -***ProxyName*/ConRefs** -Node for connection reference information - -***ProxyName*/ConRefs/_ConRefName_** -Defines the name of a connection reference. - -It's recommended that this element name is specified as a numbered node beginning at zero. For example, to provision two connection references, use "CONREF0" and "CONREF1" as the element names. - -***ProxyName*/ConRefs/*ConRefName*/ConRef** -Specifies one single connectivity object associated with the proxy connection. - -## Related topics - -[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md index 3ed355f52b..6401374804 100644 --- a/windows/client-management/mdm/pxlogical-csp.md +++ b/windows/client-management/mdm/pxlogical-csp.md @@ -14,16 +14,6 @@ ms.date: 06/26/2017 # PXLOGICAL configuration service provider -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|Yes|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| - The PXLOGICAL configuration service provider is used to add, remove, or modify WAP logical and physical proxies by using WAP or the standard Windows techniques. > [!NOTE] diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index ee13358bb5..24c2a5134b 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -835,12 +835,8 @@ items: href: policy-csp-windowssandbox.md - name: WirelessDisplay href: policy-csp-wirelessdisplay.md - - name: PolicyManager CSP - href: policymanager-csp.md - name: Provisioning CSP href: provisioning-csp.md - - name: PROXY CSP - href: proxy-csp.md - name: PXLOGICAL CSP href: pxlogical-csp.md - name: Reboot CSP From 3cb495516270dab40e1802cd4868fa875a921fd3 Mon Sep 17 00:00:00 2001 
From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Wed, 27 Apr 2022 11:57:54 +0530 Subject: [PATCH 26/59] updated --- .../client-management/mdm/cmpolicyenterprise-csp.md | 2 +- windows/client-management/mdm/customdeviceui-csp.md | 10 ---------- windows/client-management/mdm/w7-application-csp.md | 12 +++++++----- 3 files changed, 8 insertions(+), 16 deletions(-) diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index 45e8e08d88..88fbce2433 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -19,7 +19,7 @@ The table below shows the applicability of Windows: |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|No|No|| +|Pro|No|No| |Business|No|No| |Enterprise|No|No| |Education|No|No| diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index d8714619c2..295768d539 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -14,16 +14,6 @@ ms.date: 06/26/2017 # CustomDeviceUI CSP -The table below shows the applicability of Windows: - -|Edition|Windows 10|Windows 11| -|--- |--- |--- | -|Home|No|No| -|Pro|No|No|| -|Business|No|No| -|Enterprise|No|No| -|Education|No|No| - The CustomDeviceUI configuration service provider allows OEMs to implement their custom foreground application, as well as the background tasks to run on an IoT device running IoT Core. Only one foreground application is supported per device. Multiple background tasks are supported. The following shows the CustomDeviceUI configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning. 
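Review bot: the cmpolicyenterprise-csp.md fix for the doubled trailing pipe in "|Pro|No|No||" is right, but the customdeviceui-csp.md table has the same malformed row and is deleted wholesale instead of repaired. That leaves the page with no applicability statement even though the paragraph that follows says the CSP is for devices running IoT Core; keep a one-line applicability statement (the rows all read No because IoT Core is not one of the listed desktop editions) so readers on Pro or Enterprise understand why these nodes are absent on their devices rather than assuming a provisioning failure.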
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index bf6b0eddbe..420ccb5691 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -26,7 +26,8 @@ The table below shows the applicability of Windows: The APPLICATION configuration service provider that has an APPID of w7 is used for bootstrapping a device with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it's managed over OMA Client Provisioning. -> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. +> [!Note] +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. The following shows the configuration service provider in tree format as used by OMA Client Provisioning. @@ -60,7 +61,8 @@ APPLICATION ---SSLCLIENTCERTSEARCHCRITERIA ``` -> **Note**   All parm names and characteristic types are case sensitive and must use all uppercase. +> [!Note] +> All parm names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. 
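Review bot: the w7-application-csp.md hunks convert the bare "**Note**" lines into alert syntax but write "[!Note]", whereas the defender-csp.md hunks in the following commits, and the Docs convention, use "[!NOTE]"; normalize to uppercase so the alert blocks are consistent across the set. The content of the converted notes (the capability requirement, and that parm names and characteristic types are case sensitive and must be all uppercase) is preserved correctly.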
@@ -119,7 +121,8 @@ Required. The APPID parameter is used in the APPLICATION characteristic to diffe **BACKCOMPATRETRYDISABLED** Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time). -> **Note**   This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. +> [!Note] +> This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled.   @@ -188,10 +191,9 @@ The supported names are Subject and Stores; wildcard certificate search isn't su Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive. -> [!Note]   +> [!Note] > %EF%80%80 is the UTF8-encoded character U+F000. - Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax: ```xml From c14fc16498accc04a3d118b25a2bcb36b001b604 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 2 May 2022 20:30:13 +0530 Subject: [PATCH 27/59] Reverting as per feedback --- windows/client-management/mdm/defender-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 932d4dd958..055242aa57 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md 
@@ -640,9 +640,9 @@ Valid values are: **Configuration/HideExclusionsFromLocalAdmins**
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. -- If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell. +If you disable or don't configure this setting, Local Admins will be able to see the exclusion list in the Windows Security App and via PowerShell. -- If you disable or don't configure this setting, Local Admins will be able to see the exclusion list in the Windows Security App and via PowerShell. +If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell. > [!NOTE] > Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. From 87f0c743705f8cc8039ba6609fa9cc8973c7a689 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi <89069896+alekyaj@users.noreply.github.com> Date: Mon, 2 May 2022 20:38:15 +0530 Subject: [PATCH 28/59] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 055242aa57..09ce8bcd26 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -640,9 +640,9 @@ Valid values are: **Configuration/HideExclusionsFromLocalAdmins**
This policy setting controls whether or not exclusions are visible to Local Admins. For end users (that aren't Local Admins) exclusions aren't visible, whether or not this setting is enabled. -If you disable or don't configure this setting, Local Admins will be able to see the exclusion list in the Windows Security App and via PowerShell. +If you disable or do not configure this setting, Local Admins will be able to see exclusions in the Windows Security App, in the registry, and via PowerShell. -If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app or via PowerShell. +If you enable this setting, Local Admins will no longer be able to see the exclusion list in the Windows Security app, in the registry, or via PowerShell. > [!NOTE] > Applying this setting will not remove exclusions, it will only prevent them from being visible to Local Admins. This is reflected in **Get-MpPreference**. From 6233e35d98729bc8d5c43c7a7ab47c8c6e1ec554 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 4 May 2022 10:23:59 -0700 Subject: [PATCH 29/59] integrate editor feedback --- windows/client-management/mdm/policy-csp-update.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index ae1de9ffc8..935119b6c9 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
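Review bot: the patch 28 hunk writes "If you disable or do not configure" while the lines it keeps ("aren't", "will no longer") and the patch 27 wording it replaces use contractions; keep "don't configure" for consistency with Docs style. More substantively, the newly added "in the registry" claim needs a sentence on how that is achieved, because a local administrator can ordinarily read HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions and HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions; either state that Defender restricts the ACL on those keys when the setting is enabled, or drop "in the registry" until that behaviour is confirmed, since admins will test exactly that.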
@@ -429,8 +429,8 @@ The following list shows the supported values: - 0: Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With this option, users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel. - 1: Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). - 2: Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update installs updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This behavior is the default for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence). -- 3: Auto install and restart at a specified time. 
You specify the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. -- 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page. +- 3: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. +- 4: Auto install and restart at a specified time. You specify the installation day and time. If no day and time is specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is signed in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. This option is the same as `3`, but restricts end user controls on the settings page. - 5: Turn off automatic updates. - 6 (default): Updates automatically download and install at an optimal time determined by the device. Restart occurs outside of active hours until the deadline is reached, if configured. From 4c63746745e33a7d3e30ad2ee50d1617d7a67001 Mon Sep 17 00:00:00 2001 
From: Michael Nady Date: Sat, 7 May 2022 21:49:18 +0200 Subject: [PATCH 30/59] implementing #10379 #10379: please find a reference link that confirms this edit. I suggest this link but an SME can confirm more https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352 --- .../credential-guard/credential-guard-known-issues.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 3599199593..e9ecd31edf 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -59,6 +59,9 @@ The following known issues have been fixed by servicing releases made available ## Known issues involving third-party applications +The following issue affects MSCHAPv2 +Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation. + The following issue affects the Java GSS API. See the following Oracle bug database article: - [JDK-8161921: Windows Defender Credential Guard doesn't allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) From b0a26ecc32805da48e4ecb79f5add92a262c5e5a Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Sun, 8 May 2022 20:29:34 +0200 Subject: [PATCH 31/59] implementing #10334 implementing #10334 I added the error 0x80072F8F as reported, and classified it based on this link, please verify: https://windowsinstructed.com/how-to-fix-0x80072f8f-a-security-error-occurred/ --- .../hello-for-business/hello-errors-during-pin-creation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
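Review bot: the added credential-guard-known-issues.md lines will render as one run-on paragraph: "The following issue affects MSCHAPv2" has no colon and no blank line before the sentence that follows, unlike the existing entry below it, which ends "affects the Java GSS API. See the following Oracle bug database article:" and then breaks to a list. Match that pattern. Wording: use "Windows Defender Credential Guard" (as the Java entry does) and "MS-CHAPv2". On substance this is a by-design restriction, not a third-party application bug, so it belongs with the considerations rather than under "third-party applications": Credential Guard blocks MS-CHAPv2 (along with NTLMv1 and Kerberos DES) because it will not release the NT hash those protocols derive their response from, so 802.1X PEAP/EAP-MSCHAPv2 using the signed-in user's domain credentials fails against any RADIUS server, Cisco ISE being one. Say that, cite the Credential Guard considerations page as the reference the commit message asks for, and drop "a very popular enterprise implementation". A one-line remedy also belongs here: move to certificate-based EAP-TLS, or use a dedicated non-domain credential for the wireless profile.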
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 72148e773a..5960a280fc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -84,9 +84,9 @@ For errors listed in this table, contact Microsoft Support for assistance. | Hex | Cause | |-------------|---------| -| 0X80072F0C | Unknown | | 0x80070057 | Invalid parameter or argument is passed. | -| 0x80090010 | NTE_PERM | +| 0X80072F0C | Unknown | +| 0x80072F8F | A mismatch happens between the system's clock and the activation servers' clock when trying to activate windows | 0x80090010 | NTE_PERM | | 0x80090020 | NTE\_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | | 0x8009002D | NTE\_INTERNAL\_ERROR | From be4266f3b12ad3d6fc7226701cbc2badcd7f37a3 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Sun, 8 May 2022 22:04:20 +0200 Subject: [PATCH 32/59] implementing #10325 #10325 States that the events here are not available in Windows Server 2016 and up. I left this note but the poster of this issue asked for a link to document the way to find out if an event is applicable in these environments. Please provide such link. --- .../event-id-explanations.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 1b9d67ff10..76ba75181b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
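Review bot: the new row in hello-errors-during-pin-creation.md is malformed: the added line glues the removed 0x80090010 / NTE_PERM row onto the end of the 0x80072F8F row, so one table line now carries two entries and renders as extra columns; put them back on separate lines. The cause text is also copied from the Windows activation context (the blog the commit message links) and does not describe this page's scenario. 0x80072F8F is the WinINet error surfaced when an HTTPS connection's TLS handshake fails, and during PIN provisioning it most often means the client clock is skewed far enough that the provisioning endpoint's certificate appears not yet valid or expired, or that the certificate chain is not trusted (for example a TLS-inspecting proxy whose root is not deployed). Describe it that way, capitalize "Windows", and while here make 0X80072F0C lowercase-x like every other row.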
@@ -20,6 +20,14 @@ ms.technology: windows-sec # Understanding Application Control events +**Applies to** + +- Windows 10 +- Windows 11 +- Windows Server 2016 and up * + +* Not all events are available in Windows Server 2016 and up, e.g. (eg: 3099, 31xx). + A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: - Events about WDAC policy activation and the control of executables, dlls, and drivers appear in **Applications and Services logs** > **Microsoft** > **Windows** > **CodeIntegrity** > **Operational** From 4aa3ee163222ae6e49056607c8ad67e8d770eee0 Mon Sep 17 00:00:00 2001 From: Michael Bendel-Paulson <58821673+tehmichael@users.noreply.github.com> Date: Mon, 9 May 2022 10:28:57 -0500 Subject: [PATCH 33/59] Correcting typo on line 268 Changing line 268 from "- the do not know their password." to "- they do not know their password." to correct typo. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f54986956f..2bfe923e1c 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
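Review bot: the "Applies to" block added to event-id-explanations.md uses a bare "*" as a footnote marker after "Windows Server 2016 and up *" and again at the start of the footnote line; a line beginning with "* " is a Markdown bullet, so the footnote renders as a list item. Use a phrase ("Windows Server 2016 and later; see the note below") or move the caveat into a [!NOTE] block, and tighten "e.g. (eg: 3099, 31xx)" to "for example 3099 and the 31xx events". Say what the gap means operationally, which also answers the issue's request for a way to tell whether an event applies: a SIEM rule keyed on 3099 or a 31xx ID will be silent on those servers, so verify availability per OS build by triggering the condition and confirming the event appears in the CodeIntegrity Operational log, rather than trusting the ID list alone.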
@@ -265,7 +265,7 @@ The account options on a user account includes an option -- **Smart card is requ **SCRIL setting for a user on Active Directory Users and Computers.** When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: -- the do not know their password. +- they do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password - domain controllers do not allow passwords for interactive authentication From 64af0ff66f20a4ddc876817b29070adb6ea15412 Mon Sep 17 00:00:00 2001 From: cbrito01 Date: Mon, 9 May 2022 15:14:54 -0500 Subject: [PATCH 34/59] Update windowsautopilot-csp.md It appears that the string "Because the CSP description should be more general/high level" --- windows/client-management/mdm/windowsautopilot-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index b50c42c129..9c7026b977 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md 
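Review bot: the typo fix in the passwordless-strategy.md hunk is correct; since the hunk already touches this list, the neighbouring context has the same class of problem: `Windows Server 2012 R2 or early domain functional level` should read `or earlier`, and the list items are inconsistently punctuated (the first two end with a period, the last two do not).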
@@ -18,7 +18,7 @@ ms.date: 02/07/2022 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” Because the CSP description should be more general/high level. +The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” **./Vendor/MSFT/WindowsAutopilot** From b99e24bb3008173e1937cfd48f4b51d6ad97765c Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 9 May 2022 15:20:18 -0700 Subject: [PATCH 35/59] Update event-id-explanations.md --- .../event-id-explanations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index 76ba75181b..d597eb2fe6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
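Review bot: in the windowsautopilot-csp.md hunk, the replacement line still contains the pasted editorial instruction `.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.”`, so the paragraph remains a review comment rather than a description; the hunk only trims the trailing "Because ..." justification. Keep exactly one of the two descriptions as a complete sentence and remove the quotation marks and the word `with`.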
@@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 04/30/2022 +ms.date: 05/09/2022 ms.technology: windows-sec --- From ec2c91f10179c79f714648dbb2b4b381d3ea82a1 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Mon, 9 May 2022 15:32:00 -0700 Subject: [PATCH 36/59] Update windowsautopilot-csp.md --- windows/client-management/mdm/windowsautopilot-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index 9c7026b977..e1462facd4 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 02/07/2022 +ms.date: 05/09/2022 --- # WindowsAutoPilot CSP From 942661b7331b211ef303b1aebf37f5c31cfcd686 Mon Sep 17 00:00:00 2001 From: cbrito01 Date: Tue, 10 May 2022 08:11:24 -0500 Subject: [PATCH 37/59] Update windows/client-management/mdm/windowsautopilot-csp.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/windowsautopilot-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/windowsautopilot-csp.md b/windows/client-management/mdm/windowsautopilot-csp.md index e1462facd4..3f6f27deaf 100644 --- a/windows/client-management/mdm/windowsautopilot-csp.md +++ b/windows/client-management/mdm/windowsautopilot-csp.md 
@@ -18,7 +18,7 @@ ms.date: 05/09/2022 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot.” with “The WindowsAutopilot CSP exposes Windows Autopilot related device information.” +The WindowsAutopilot CSP collects hardware information about a device and formats it into a BLOB. This BLOB is used as input for calling Windows Autopilot Service to mark a device as remediation required if the device underwent a hardware change that affects its ability to use Windows Autopilot. **./Vendor/MSFT/WindowsAutopilot** From 7c859e256d9b3797e744ce9f345cb4109f2beaf3 Mon Sep 17 00:00:00 2001 From: Anders Ahl <58516456+GenerAhl@users.noreply.github.com> Date: Tue, 10 May 2022 15:48:51 +0200 Subject: [PATCH 38/59] Update config-lock.md Clarified that there's a pause function as well as a turn off function. --- windows/client-management/mdm/config-lock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/config-lock.md b/windows/client-management/mdm/config-lock.md index 26a30c88a6..be7b22d518 100644 --- a/windows/client-management/mdm/config-lock.md +++ b/windows/client-management/mdm/config-lock.md @@ -77,7 +77,7 @@ Config Lock is designed to ensure that a Secured-Core PC isn't unintentionally m ## FAQ **Can an IT admins disable Config Lock ?**
- Yes. IT admins can use MDM to turn off Config Lock.
+ Yes. IT admins can use MDM to turn off Config Lock completely or put it in temporary unlock mode for helpdesk activities.
### List of locked policies From 1616ceba791d261134dc0a6455d2bc5283611403 Mon Sep 17 00:00:00 2001 From: Artem Pronichkin Date: Mon, 16 May 2022 20:07:58 -0700 Subject: [PATCH 39/59] + Windows Server 2022; clarification on TPM event * Added support for Windows Server 2022 * Clarification on where to look for Event ID 51 to check for TPM usage --- .../credential-guard/credential-guard-manage.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index f5c9ad4cbf..9e30541c4e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -26,6 +26,7 @@ ms.custom: - Windows 11 - Windows Server 2016 - Windows Server 2019 +- Windows Server 2022 ## Enable Windows Defender Credential Guard 
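Review bot: in the config-lock.md FAQ hunk, the answer now distinguishes turning Config Lock off completely from a temporary unlock mode, but does not say which MDM setting performs either action, which is what an admin reading an FAQ needs; add the policy name or a link to the setting for each. The question in the context line, `**Can an IT admins disable Config Lock ?**`, has a number-agreement error and a space before the question mark and can be fixed in the same hunk (`Can IT admins disable Config Lock?`).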
@@ -204,9 +205,13 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. + - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**. + ``` + VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. + ``` + + If you are running with a TPM, the TPM PCR mask value will be something other than 0. - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: From f99460406c4cf7299ff0985057d081fc619b89ce Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 17 May 2022 17:10:34 +0200 Subject: [PATCH 40/59] Update windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../event-id-explanations.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index d597eb2fe6..eaaf841ead 100644 
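Review bot: in the credential-guard-manage.md Event ID 51 hunk, the sample event text shows `TPM PCR mask: 0x0`, and the sentence that follows says a TPM-protected key shows a mask other than 0, so the example as written illustrates the no-TPM case; say so explicitly next to the sample (or show a non-zero mask) so readers do not take 0x0 as the expected healthy value when verifying that the VSM key is sealed to the TPM. Two smaller points: the new fenced block has no language tag (use `text` or whatever the repo convention is), and the path uses `→` between node names while this docs set writes `**Microsoft** > **Windows** > ...` with bold names and `>`.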
--- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md @@ -24,9 +24,7 @@ ms.technology: windows-sec - Windows 10 - Windows 11 -- Windows Server 2016 and up * - -* Not all events are available in Windows Server 2016 and up, e.g. (eg: 3099, 31xx). +- Windows Server 2016 and later (limited events) A Windows Defender Application Control (WDAC) policy logs events locally in Windows Event Viewer in either enforced or audit mode. These events are generated under two locations: From 840d8a5292f889ac4ffd2695ea6b00b7a3a9826a Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 17 May 2022 17:12:34 +0200 Subject: [PATCH 41/59] Update windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 5960a280fc..6ac7938191 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
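Review bot: in the event-id-explanations.md hunk, `- Windows Server 2016 and later (limited events)` fixes the footnote rendering but drops the concrete examples the previous wording gave (3099, 31xx), which is the one piece of information a server admin can act on; consider `(some events, such as 3099 and the 31xx series, are not available)` or a link to a per-event applicability table.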
@@ -86,7 +86,7 @@ For errors listed in this table, contact Microsoft Support for assistance. |-------------|---------| | 0x80070057 | Invalid parameter or argument is passed. | | 0X80072F0C | Unknown | -| 0x80072F8F | A mismatch happens between the system's clock and the activation servers' clock when trying to activate windows | 0x80090010 | NTE_PERM | +| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows. | 0x80090010 | NTE_PERM | | 0x80090020 | NTE\_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | | 0x8009002D | NTE\_INTERNAL\_ERROR | From 595fde525d895186f84b2f02ac48c89695ccbbc3 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 17 May 2022 17:13:50 +0200 Subject: [PATCH 42/59] Update windows/security/identity-protection/credential-guard/credential-guard-known-issues.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../credential-guard/credential-guard-known-issues.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index e9ecd31edf..7d71cc00ce 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
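Review bot: in the hello-errors-during-pin-creation.md hunk, the wording fix is fine, but the row still ends with `| 0x80090010 | NTE_PERM |` on the same line, so the two-rows-on-one-line problem remains and the 0x80090010 entry is still not its own row; move `| 0x80090010 | NTE_PERM |` to the next line.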
@@ -59,8 +59,9 @@ The following known issues have been fixed by servicing releases made available ## Known issues involving third-party applications -The following issue affects MSCHAPv2 -Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation. +The following issue affects MSCHAPv2: + +- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a very popular enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352). The following issue affects the Java GSS API. See the following Oracle bug database article: From 0c443eae9ab829b47f14f73eafbdc140fcea9626 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 18 May 2022 15:30:36 +0530 Subject: [PATCH 43/59] Update configuration-service-provider-reference.md --- .../mdm/configuration-service-provider-reference.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index 50bf42a87a..af0136eebe 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -834,7 +834,6 @@ Additional lists: [SurfaceHub](surfacehub-csp.md) - |Home|Pro|Business|Enterprise|Education| @@ -930,7 +929,6 @@ Additional lists: [W4 Application CSP](w4-application-csp.md) - |Home|Pro|Business|Enterprise|Education| @@ -1027,7 +1025,6 @@ Additional lists: [w7 Application CSP](w7-application-csp.md) - |Home|Pro|Business|Enterprise|Education| From ca09170fa3bb29636448bef975ad6e876f62b38d Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Wed, 18 May 2022 15:43:04 +0530 Subject: [PATCH 44/59] Updated --- .openpublishing.redirection.json | 12 +++++++++++- windows/client-management/mdm/passportforwork-csp.md | 2 +- 2 files changed, 12 insertions(+), 2 deletions(-) 
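Review bot: in the credential-guard-known-issues.md hunk, making the entire sentence the link text hides what is being linked; prefer plain text followed by a labelled link, for example `Credential Guard doesn't work with MSCHAPv2 configurations (Cisco ISE is a common enterprise example); see Cisco bug CSCul55352 (link).` Also `Credential guard` should be `Credential Guard` as in the rest of the page, and `very popular` is an evaluative phrase that does not belong in a known-issues list. It would help readers to state why this is a known issue rather than a misconfiguration: MS-CHAPv2 needs the NT hash, which Credential Guard isolates, so there is no client-side setting that makes it work.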
diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 6ba49fc316..fbb92c77c4 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19514,6 +19514,16 @@ "source_path": "windows/education/developers.yml", "redirect_url": "/education/", "redirect_document_id": true - } + }, + { + "source_path": "windows/client-management/mdm/proxy-csp.md", + "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/mdm/policymanager-csp.md", + "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", + "redirect_document_id": false + } ] } \ No newline at end of file diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index c836751312..145efad2c6 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md @@ -24,7 +24,7 @@ The table below shows the applicability of Windows: |Enterprise|Yes|Yes| |Education|Yes|Yes| -The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to login to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. +The PassportForWork configuration service provider is used to provision Windows Hello for Business (formerly Microsoft Passport for Work). It allows you to log in to Windows using your Active Directory or Azure Active Directory account and replace passwords, smartcards, and virtual smart cards. > [!IMPORTANT] From cb118513117d7764bf8eba506492fa45d30554e8 Mon Sep 17 00:00:00 2001 
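Review bot: in the .openpublishing.redirection.json hunk, the two new entries use `"redirect_document_id": false`, consistent with the neighbouring entries, but the file still ends with `\ No newline at end of file`; since the hunk already rewrites the closing `}` into `},`, add the trailing newline now. Both redirects point proxy-csp.md and policymanager-csp.md at the CSP reference page, so confirm those two source files are deleted in the same change, otherwise the redirect and the page will coexist. The passportforwork-csp.md change (`log in to`) is correct.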
From: Nimisha Satapathy Date: Wed, 18 May 2022 16:00:18 +0530 Subject: [PATCH 45/59] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index fbb92c77c4..b99cce7ca9 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19498,7 +19498,7 @@ { "source_path": "windows/education/itadmins.yml", "redirect_url": "/education/", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/education/partners.yml", From 93488a8b113fe61892857da9fa4436a831ba1928 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 19 May 2022 00:41:34 +0530 Subject: [PATCH 46/59] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 8e62d23bdc..f639ba3adb 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19448,7 +19448,7 @@ { "source_path": "windows/security/threat-protection/intelligence/supply-chain-malware.md", "redirect_url": "/microsoft-365/security/intelligence/supply-chain-malware", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/threat-protection/intelligence/support-scams.md", From d376f1d90e9912f2a87b257188d9fbd56d3cc28d Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Wed, 18 May 2022 14:33:17 -0700 Subject: [PATCH 47/59] Update .openpublishing.redirection.json update format of entries to stay consistent with existing entries Fix redirect entry to ensure redirect(s) remain functional --- .openpublishing.redirection.json | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f639ba3adb..6d778cce26 100644 
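Review bot: in the itadmins.yml redirect hunk, the entry's `source_path` is `windows/education/itadmins.yml`, while the education content edited elsewhere in this series lives under `education/` (for example `education/windows/windows-11-se-overview.md`); a redirect whose source_path does not match a real file silently does nothing, so verify the path before merging rather than only flipping `redirect_document_id`.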
--- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19496,8 +19496,8 @@ "redirect_document_id": false }, { - "source_path": "windows/education/itadmins.yml", - "redirect_url": "/education/", + "source_path": "education/itadmins.yml", + "redirect_url": "/education", "redirect_document_id": false }, { @@ -19521,35 +19521,29 @@ "redirect_document_id": false }, { - "source_path": "windows/education/developers.yml", "redirect_url": "/education/", "redirect_document_id": true }, { - "source_path": "windows/client-management/mdm/proxy-csp.md", - + "source_path": "windows/client-management/mdm/proxy-csp.md", "source_path": "education/developers.yml", "redirect_url": "/education", "redirect_document_id": false }, { "source_path": "windows/client-management/mdm/enterpriseappmanagement-csp.md", - "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false }, { - "source_path": "windows/client-management/mdm/policymanager-csp.md", - "source_path": "windows/client-management/mdm/messaging-ddf.md", "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false }, { "source_path": "windows/client-management/mdm/messaging-csp.md", - "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false } From 11d3f6858d3b7d62e3a2e582d8451a11b6d2d2fc Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 19 May 2022 11:05:29 +0530 Subject: [PATCH 48/59] Updated --- .openpublishing.redirection.json | 7 +------ .../mdm/configuration-service-provider-reference.md | 12 ------------ 2 files changed, 1 insertion(+), 18 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index f639ba3adb..bc312ec2fe 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json 
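Review bot: as rendered, the second hunk of this .openpublishing.redirection.json change deletes the `source_path` line from the `windows/education/developers.yml` entry and from the `policymanager-csp.md` / `messaging-ddf.md` entry, leaving objects that carry only `redirect_url` and `redirect_document_id`, and the object that follows ends up with two `source_path` keys (`windows/client-management/mdm/proxy-csp.md` immediately followed by `education/developers.yml`); most JSON parsers keep only the last duplicate key, so the proxy-csp.md redirect would be lost without any error. Every entry must be one object with exactly one source_path, one redirect_url and one redirect_document_id. The commit message says the edits keep entries consistent and keep redirects functional, but this result is not valid redirect data; rebase on the current file and re-split the entries instead of hand-merging.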
@@ -19527,29 +19527,24 @@ "redirect_document_id": true }, { - "source_path": "windows/client-management/mdm/proxy-csp.md", - + "source_path": "education/developers.yml", "redirect_url": "/education", "redirect_document_id": false }, { "source_path": "windows/client-management/mdm/enterpriseappmanagement-csp.md", - "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false }, { "source_path": "windows/client-management/mdm/policymanager-csp.md", - - "source_path": "windows/client-management/mdm/messaging-ddf.md", "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false }, { "source_path": "windows/client-management/mdm/messaging-csp.md", - "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false } diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index efe69d99ba..d12b45b482 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md @@ -801,10 +801,6 @@ Additional lists: [SurfaceHub](surfacehub-csp.md) -|Home|Pro|Business|Enterprise|Education| -|--- |--- |--- |--- |--- | -|||||| - @@ -898,10 +894,6 @@ Additional lists: [W4 Application CSP](w4-application-csp.md) -|Home|Pro|Business|Enterprise|Education| -|--- |--- |--- |--- |--- | -|||||| - @@ -997,10 +989,6 @@ Additional lists: [w7 Application CSP](w7-application-csp.md) -|Home|Pro|Business|Enterprise|Education| -|--- |--- |--- |--- |--- | -|||||| - From 31d36e144a1ac4e06b5fc244b17a49204e3ac68c Mon Sep 17 00:00:00 2001 
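Review bot: in the .openpublishing.redirection.json hunk, deleting `"source_path": "windows/client-management/mdm/messaging-ddf.md"` from the object that also names `policymanager-csp.md` removes the messaging-ddf.md redirect entirely instead of giving it its own entry; if messaging-ddf.md is being retired it needs a separate object. Note that this patch and the previous one both start from index `f639ba3adb` and edit the same lines, which is why the next commit has to strip conflict markers. In the configuration-service-provider-reference.md hunks, removing the empty Home/Pro/Business/Enterprise/Education tables under SurfaceHub, W4 and w7 is reasonable, but those sections are then left with no applicability statement at all; a one-line sentence would be better than an empty table or nothing.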
From: Nimisha Satapathy Date: Thu, 19 May 2022 11:10:27 +0530 Subject: [PATCH 49/59] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index a4f8caed29..19453e7cf9 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19526,11 +19526,6 @@ "redirect_document_id": true }, { -<<<<<<< HEAD - -======= - "source_path": "windows/client-management/mdm/proxy-csp.md", ->>>>>>> d376f1d90e9912f2a87b257188d9fbd56d3cc28d "source_path": "education/developers.yml", "redirect_url": "/education", "redirect_document_id": false @@ -19542,10 +19537,6 @@ }, { "source_path": "windows/client-management/mdm/policymanager-csp.md", -<<<<<<< HEAD -======= - "source_path": "windows/client-management/mdm/messaging-ddf.md", ->>>>>>> d376f1d90e9912f2a87b257188d9fbd56d3cc28d "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false }, From b3810925319eba25daf81c8ae1b39e6f208d4664 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Thu, 19 May 2022 12:27:06 +0530 Subject: [PATCH 50/59] Update .openpublishing.redirection.json --- .openpublishing.redirection.json | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 19453e7cf9..d324d9f9d1 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19520,11 +19520,6 @@ "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false }, - { - "source_path": "windows/education/developers.yml", - "redirect_url": "/education/", - "redirect_document_id": true - }, { "source_path": "education/developers.yml", "redirect_url": "/education", 
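Review bot: in the first .openpublishing.redirection.json hunk, the conflict markers `<<<<<<< HEAD`, `=======` and `>>>>>>> d376f1d...` were committed in the previous merge and are rightly removed here, but the resolution discards the `proxy-csp.md` and `messaging-ddf.md` source_path lines outright rather than turning them into entries, so after this commit neither file has a redirect; they need objects of their own. Committing conflict markers into a JSON file that the publishing pipeline parses is the kind of error a `python -m json.tool .openpublishing.redirection.json` check in CI would catch before merge.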
@@ -19536,7 +19531,7 @@ "redirect_document_id": false }, { - "source_path": "windows/client-management/mdm/policymanager-csp.md", + "source_path": "windows/client-management/mdm/messaging-ddf.md", "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false }, @@ -19544,6 +19539,16 @@ "source_path": "windows/client-management/mdm/messaging-csp.md", "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", "redirect_document_id": false + }, + { + "source_path": "windows/client-management/mdm/policymanager-csp.md", + "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", + "redirect_document_id": false + }, + { + "source_path": "windows/client-management/mdm/proxy-csp.md", + "redirect_url": "/windows/client-management/mdm/configuration-service-provider-reference", + "redirect_document_id": false } ] } From 29e232361136d8bf7287ca7294e76efeb293d220 Mon Sep 17 00:00:00 2001 From: Pla5ma <57805183+Pla5ma@users.noreply.github.com> Date: Thu, 19 May 2022 15:18:15 +0200 Subject: [PATCH 51/59] Update special-identities.md Added missing information. --- .../identity-protection/access-control/special-identities.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md index 66754be796..db7379ba1f 100644 --- a/windows/security/identity-protection/access-control/special-identities.md +++ b/windows/security/identity-protection/access-control/special-identities.md 
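Review bot: the second .openpublishing.redirection.json hunk restores separate, complete entries for messaging-ddf.md, policymanager-csp.md and proxy-csp.md, each with its own source_path, redirect_url and redirect_document_id, which is the shape the earlier hunks had broken; with six consecutive commits touching the same dozen lines (patches 44 through 50), squash them so the merged history shows one valid change and a reviewer can see the net effect. Confirm the file parses as JSON after this hunk, since the closing `]` and `}` are part of the context.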
@@ -485,8 +485,8 @@ Any user accessing the system through Terminal Services has the Terminal Server | Attribute | Value | | :--: | :--: | -| Well-Known SID/RID | | -|Object Class| | +| Well-Known SID/RID | S-1-5-90 | +|Object Class| Foreign Security Principal| |Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| |Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
| From 378c160435c5275e2aa0d0f1b227aad078ae39a5 Mon Sep 17 00:00:00 2001 From: Tarun Maganur <104856032+Tarun-Edu@users.noreply.github.com> Date: Thu, 19 May 2022 09:59:09 -0700 Subject: [PATCH 52/59] Update windows-11-se-overview.md Added the following entry |eTests |4.0.25 |Win32 |CASAS| --- education/windows/windows-11-se-overview.md | 1 + 1 file changed, 1 insertion(+) diff --git a/education/windows/windows-11-se-overview.md b/education/windows/windows-11-se-overview.md index 7ce8bd2724..be73736a92 100644 --- a/education/windows/windows-11-se-overview.md +++ b/education/windows/windows-11-se-overview.md @@ -52,6 +52,7 @@ Windows 11 SE comes with some preinstalled apps. The following apps can also run |DRC INSIGHT Online Assessments |12.0.0.0 |Store |Data recognition Corporation| |Duo from Cisco |2.25.0 |Win32 |Cisco| |e-Speaking Voice and Speech recognition |4.4.0.8 |Win32 |e-speaking| +|eTests |4.0.25 |Win32 |CASAS| |FortiClient |7.0.1.0083 |Win32 |Fortinet| |Free NaturalReader |16.1.2 |Win32 |Natural Soft| |GoGuardian |1.4.4 |Win32 |GoGuardian| From e8cdcf3d7512539238d80e12f062b7ae67892128 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Thu, 19 May 2022 11:08:02 -0700 Subject: [PATCH 53/59] Update hello-hybrid-key-whfb-settings-dir-sync.md Enterprise Key admins --- .../hello-hybrid-key-whfb-settings-dir-sync.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 3843fecaa8..30592d92d8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md 
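Review bot: in the special-identities.md hunk, the context line (`Any user accessing the system through Terminal Services has the Terminal Server ...`) shows this is the Terminal Server User entry, but the SID filled in is `S-1-5-90`, which in Microsoft's well-known SID list is the Window Manager group; Terminal Server User is `S-1-5-13`. Check the value against the well-known SIDs reference before merging, because this table is what administrators use when reading ACLs and audit events, and a wrong SID here sends them to the wrong principal.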
@@ -44,6 +44,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. +Note: If your AD has multiple domains in your forest. Your ADConnect accounts needs to be part of "Enterprise Key Admins" group to write the keys across other domain users. + ### Section Review > [!div class="checklist"] @@ -63,4 +65,4 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) -7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) \ No newline at end of file +7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) From b665497693fc9247cc51b21fe1070c4daa2445d9 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Thu, 19 May 2022 12:43:52 -0600 Subject: [PATCH 54/59] Update hello-errors-during-pin-creation.md Fix matrix row 89 (now 89 and 90). Delete spaces, add pipe and return to create separate line. Header suggestion should resolve. --- .../hello-for-business/hello-errors-during-pin-creation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 6ac7938191..4753b3c6f4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
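Review bot: in the hello-hybrid-key-whfb-settings-dir-sync.md hunk, the added note is a sentence fragment (`If your AD has multiple domains in your forest.`) with an agreement error (`accounts needs`), and it uses a bare `Note:` instead of the repo's `> [!NOTE]` callout used elsewhere in this docs set. Suggested form: `> If your Active Directory forest has multiple domains, the AD DS Connector account must be a member of the Enterprise Key Admins group so it can write keys for users in the other domains.` Name the account the way step 5 above does (`AD DS Connector account`) rather than `ADConnect accounts`.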
@@ -86,7 +86,8 @@ For errors listed in this table, contact Microsoft Support for assistance. |-------------|---------| | 0x80070057 | Invalid parameter or argument is passed. | | 0X80072F0C | Unknown | -| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows. | 0x80090010 | NTE_PERM | +| 0x80072F8F | A mismatch happens between the system's clock and the activation server's clock when attempting to activate Windows.| +| 0x80090010 | NTE_PERM | | 0x80090020 | NTE\_FAIL | | 0x80090027 | Caller provided a wrong parameter. If third-party code receives this error, they must change their code. | | 0x8009002D | NTE\_INTERNAL\_ERROR | @@ -105,7 +106,6 @@ For errors listed in this table, contact Microsoft Support for assistance. | ​0x801C044C | There is no core window for the current thread. | | 0x801c004D | DSREG_NO_DEFAULT_ACCOUNT: NGC provisioning is unable to find the default WAM account to use to request AAD token for provisioning. Unable to enroll a device to use a PIN for login. | - ## Related topics - [Windows Hello for Business](hello-identity-verification.md) From 076d4360ef2c0429a638f966f149df50addf16e3 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 19 May 2022 16:48:57 -0700 Subject: [PATCH 55/59] remove extra line --- .../auditing/advanced-security-auditing-faq.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml index 7ff0ddd4d4..cb4136a227 100644 --- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml +++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.yml 
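Review bot: the hello-errors-during-pin-creation.md hunk correctly splits the fused row so 0x80090010 is its own entry again; while editing the adjacent rows, normalise `0X80072F0C` to `0x80072F0C` so the whole column uses the same prefix and a text search for `0x8007` matches it. The second hunk, which drops the extra blank line before `## Related topics`, is fine.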
@@ -20,10 +20,7 @@ metadata: title: Advanced security auditing FAQ -summary: This topic for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. - - - [What is Windows security auditing and why might I want to use it?](#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-) - +summary: This article for the IT professional lists questions and answers about understanding, deploying, and managing security audit policies. sections: - name: Ignored From 76e8709cc86bcb8b904cec2c62d01eaf9ed52b6d Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Thu, 19 May 2022 17:23:03 -0700 Subject: [PATCH 56/59] edit contribution --- .../hello-hybrid-key-whfb-settings-dir-sync.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 30592d92d8..b964f460e9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -44,7 +44,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 5. In the **Enter the object names to select** text box, type the name of the service account used as an AD DS Connector account and click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. -Note: If your AD has multiple domains in your forest. Your ADConnect accounts needs to be part of "Enterprise Key Admins" group to write the keys across other domain users. +> [!NOTE] +> If your Active Directory forest has multiple domains, your ADConnect accounts need to be members of the **Enterprise Key Admins** group. This membership is needed to write the keys to other domain users. ### Section Review 
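Review bot: in the `summary:` hunk, moving the bullet link out of the YAML scalar is the right fix (a link list does not belong in a one-line summary), but check that the question it pointed to, `#what-is-windows-security-auditing-and-why-might-i-want-to-use-it-`, is still present under `sections:` so nothing else links into a heading that no longer exists. In the `> [!NOTE]` hunk for the dir-sync page, "your ADConnect accounts" should name the account the surrounding steps name (the AD DS Connector account), and "write the keys to other domain users" reads more precisely as "write keys for users in the other domains of the forest".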
From 2ba8f32dfb39417b34fc9c5548986acf726786fb Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 20 May 2022 15:45:40 +0530 Subject: [PATCH 57/59] Updated --- windows/client-management/mdm/defender-csp.md | 10 ++++---- windows/client-management/mdm/supl-csp.md | 2 +- .../client-management/mdm/surfacehub-csp.md | 2 +- windows/client-management/mdm/uefi-csp.md | 4 ++-- .../mdm/w7-application-csp.md | 24 ++++--------------- 5 files changed, 13 insertions(+), 29 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 2f2daa96b2..24f01509db 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -363,7 +363,7 @@ Network Protection inspects DNS traffic that occurs over a UDP channel, to provi **EnableNetworkProtection/DisableHttpParsing** -Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". +Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named 
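Review bot: in the `DisableHttpParsing` hunk, replacing `-EnableNetworkProtection` with the prose "Enable Network Protection" drops the identifier the reader needs to correlate this setting with the node it lives under (`EnableNetworkProtection/DisableHttpParsing`). The leading hyphen read like a PowerShell parameter and was the real problem; suggest keeping the name as code instead: `HTTP connections to malicious websites can also be blocked if `EnableNetworkProtection` is set to enabled.` The same substitution is made in the RDP, SSH and TLS hunks that follow and should be changed consistently across all four.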
@@ -373,7 +373,7 @@ Network Protection inspects HTTP traffic to see if a connection is being made to **EnableNetworkProtection/DisableRdpParsing** -Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". +Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named @@ -383,7 +383,7 @@ Network Protection inspects RDP traffic so that it can block connections from kn **EnableNetworkProtection/DisableSshParsing** -Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". +Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named 
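Review bot: the `DisableSshParsing` paragraph is still a broken sentence after this hunk: "Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If Enable Network Protection is set to be enabled, and to provide metadata to behavior monitoring." The full stop was placed mid-sentence and the edit only touched the identifier. Mirror the RDP paragraph in the hunk just above: "Network Protection inspects SSH traffic so that it can block connections from known malicious hosts if `EnableNetworkProtection` is set to be enabled, and to provide metadata to behavior monitoring."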
@@ -393,7 +393,7 @@ Network Protection inspects SSH traffic, so that it can block connections from k **EnableNetworkProtection/DisableTlsParsing** -Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". +Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if Enable Network Protection is set to enabled. HTTP inspection can be disabled by setting this value to "$true". - Type: Boolean - Position: Named @@ -726,7 +726,7 @@ Intune Support log location setting UX supports three states: - 1 - Enabled. Enables the Support log location feature. Requires admin to set custom file path. - 0 - Disabled. Turns off the Support log location feature. -When enabled or disabled exists on the client and admin moves the setting to be configured not , it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. +When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state. To change the state to either enabled or disabled would require to be set explicitly. More details: diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 9aa02addc6..001e41698e 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md 
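Review bot: the `DisableTlsParsing` paragraph still ends with "HTTP inspection can be disabled by setting this value to "$true"." even though this node controls TLS parsing; the sentence was carried over from the HTTP paragraph and should read "TLS inspection can be disabled by setting this value to "$true"." In the Intune support-log hunk, "When enabled or disabled exists on the client and admin moves the setting to not configured, it won't have any impact on the device state" is still hard to parse; suggest "If the setting is already Enabled or Disabled on the client and the admin changes it to Not configured, the device state does not change. To change it, set Enabled or Disabled explicitly."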
@@ -102,7 +102,7 @@ Added in Windows 10, version 2004. Optional. Determines the full version (X.Y.Z **MCCMNCPairs** Required. List all of the MCC and MNC pairs owned by the mobile operator. This list is used to verify that the UICC matches the network and SUPL can be used. When the UICC and network don't match, the device uses the default location service and doesn't use SUPL. -This value is a string with the format "(X1, Y1)(X2, Y2)…(Xn, Yn)", in which `X` is an MCC and `Y` is an MNC. +This value is a string with the format `(X1, Y1)(X2, Y2)…(Xn, Yn)`, in which `X` is an MCC and `Y` is an MNC. For OMA DM, if the format for this node is incorrect the entry will be ignored and an error will be returned, but the configuration service provider will continue processing the rest of the parameters. diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 84efea687e..5b8229bb45 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -321,7 +321,7 @@ Invitations to collaborate from the Whiteboard app aren't allowed. **InBoxApps/Whiteboard/SigninDisabled** -Sign-in from the Whiteboard app aren't allowed. +Sign-ins from the Whiteboard app aren't allowed. - The data type is boolean. - Supported operation is Get and Replace. diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md index 776d45433d..174bdb6025 100644 --- a/windows/client-management/mdm/uefi-csp.md +++ b/windows/client-management/mdm/uefi-csp.md @@ -60,7 +60,7 @@ Uefi ``` The following list describes the characteristics and parameters. -**./Vendor/MSFT/Uefi** +**./Vendor/MSFT/UEFI** Root node. **DeviceIdentifier** 
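Review bot: the root-node rename from `./Vendor/MSFT/Uefi` to `./Vendor/MSFT/UEFI` contradicts the tree diagram in the context immediately above it, which still lists the node as `Uefi`, so after this hunk the page gives two spellings of the string an admin pastes into an OMA-URI. Take the casing from the CSP's DDF rather than from the acronym, and then either revert this line or update the tree block to match; the two must agree.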
@@ -89,7 +89,7 @@ Retrieves the binary result package of the previous Identity/Apply operation. Supported operation is Get. **Permissions** -Node for settings permission operations.. +Node for settings permission operations. **Permissions/Current** Retrieves XML from UEFI that describes the current UEFI settings permissions. diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 420ccb5691..3ba0e48d8e 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -29,7 +29,6 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f > [!Note] > This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. - The following shows the configuration service provider in tree format as used by OMA Client Provisioning. ```console @@ -62,10 +61,9 @@ APPLICATION ``` > [!Note] -> All parm names and characteristic types are case sensitive and must use all uppercase. +> All parameter names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. - **APPADDR** This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address. @@ -109,9 +107,9 @@ Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to get o Valid values: -- BASIC - specifies that the SyncML DM 'syncml:auth-basic' authentication type. +- BASIC - specifies that the SyncML DM `syncml:auth-basic` authentication type. -- DIGEST - specifies that the SyncML DM 'syncml:auth-md5' authentication type. +- DIGEST - specifies that the SyncML DM `syncml:auth-md5` authentication type. - When AAUTHLEVEL is CLIENT, then AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST. 
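Review bot: changing `All parm names and characteristic types are case sensitive` to "All parameter names ..." loses precision: in OMA Client Provisioning XML the element is literally `<parm name="..." value="...">`, and the note is about the `name` attribute of `parm` elements and the `type` attribute of `characteristic` elements. Suggest "All `parm` names and `characteristic` types are case sensitive and must be all uppercase." In the AAUTHTYPE hunk, both bullets still lack a verb ("BASIC - specifies that the SyncML DM `syncml:auth-basic` authentication type."); suggest "BASIC - specifies the SyncML DM `syncml:auth-basic` authentication type." and the same for DIGEST.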
@@ -124,8 +122,6 @@ Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION chara > [!Note] > This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is enabled. -  - **CONNRETRYFREQ** Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is “3”. You can set this parameter. @@ -144,7 +140,6 @@ Optional. The INIT parameter is used in the APPLICATION characteristic to indica > [!Note] > This node is only for mobile operators and MDM servers that try to use this will fail. This node isn't supported in the enterprise MDM enrollment scenario. This parameter forces the device to attempt to connect with the OMA DM server. The connection attempt fails if the XML is set during the coldinit phase. A common cause of this failure is that immediately after coldinit is finished the radio isn't yet ready. -   **INITIALBACKOFFTIME** Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is “16000”. You can get or set this parameter. 
@@ -192,7 +187,7 @@ The supported names are Subject and Stores; wildcard certificate search isn't su Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive. > [!Note] -> %EF%80%80 is the UTF8-encoded character U+F000. +> `%EF%80%80` is the UTF8-encoded character U+F000. Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following syntax: @@ -203,15 +198,4 @@ Subject specifies the certificate to search for. For example, to specify that yo ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - -  - -  - - - - - - From 23df2923e83d28aca3ba83cd0a46e44bc2519699 Mon Sep 17 00:00:00 2001 From: Nimisha Satapathy Date: Fri, 20 May 2022 19:53:26 +0530 Subject: [PATCH 58/59] Updated --- .../mdm/policy-csp-fileexplorer.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-fileexplorer.md b/windows/client-management/mdm/policy-csp-fileexplorer.md index e58b5778de..ae91c0694e 100644 --- a/windows/client-management/mdm/policy-csp-fileexplorer.md +++ b/windows/client-management/mdm/policy-csp-fileexplorer.md 
@@ -264,18 +264,18 @@ ADMX Info: -This policy allows to configure folders that the user can enumerate and access in the File Explorer. +This policy configures the folders that the user can enumerate and access in the File Explorer. The following list shows the supported values: -- 0: all folders -- 15:Desktop, Documents, Pictures, Downloads -- 31:Desktop, Documents, Pictures, Downloads, Network -- 47:This PC (local drive), [Desktop, Documents, Pictures], Downloads -- 63:This PC , [Desktop, Documents, Pictures], Downloads, Network +- 0: All folders +- 15:Desktop, Documents, Pictures, and Downloads +- 31:Desktop, Documents, Pictures, Downloads, and Network +- 47:This PC (local drive), [Desktop, Documents, Pictures], and Downloads +- 63:This PC, [Desktop, Documents, Pictures], Downloads, and Network @@ -319,7 +319,7 @@ ADMX Info: -This policy allows to configure folders that the user can enumerate and access in the File Explorer. +This policy configures the folders that the user can enumerate and access in the File Explorer. From 77ed0df0d6ebd203dc9482e1a2ee1538ccce7a17 Mon Sep 17 00:00:00 2001 From: Artem Pronichkin Date: Fri, 20 May 2022 09:00:18 -0700 Subject: [PATCH 59/59] Update credential-guard-manage.md Update event log formatting per suggestons --- .../credential-guard/credential-guard-manage.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 9e30541c4e..a5041cd575 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
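Review bot: the value bullets remain inconsistent after this hunk: `- 0: All folders` has a space after the colon, while `- 15:Desktop`, `- 31:Desktop`, `- 47:This PC` and `- 63:This PC` do not; since every one of those lines is rewritten here anyway, add the space. The bracket notation in `[Desktop, Documents, Pictures]` is never explained; a short parenthetical saying what the brackets denote (for example, that those folders are shown under This PC) would help. The second hunk at line 319 gives a second policy the identical description; if the two policies differ in scope, the sentence should say how, otherwise a reader cannot tell them apart.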
@@ -205,13 +205,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] - - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: - - ``` - VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. - ``` - - If you are running with a TPM, the TPM PCR mask value will be something other than 0. + - You can also verify that TPM is being used for key protection by checking **Event ID 51** in *Applications and Services logs → Microsoft → Windows → Kernel-Boot* event log. The full event text will read like this: `VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.` If you are running with a TPM, the TPM PCR mask value will be something other than 0. - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command:
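Review bot: collapsing the fenced event text into an inline code span turns this bullet into one very long line and runs a separate sentence ("If you are running with a TPM ...") straight onto the code; if the fence was breaking the list, the usual fix is to indent the fence to the bullet's content column rather than inline it. More importantly, the sample reads `TPM PCR mask: 0x0` while the next sentence says a TPM-backed system shows a value other than 0, so the sample as written is the case where the TPM is not being used for key protection; either say so explicitly or replace it with a sample that shows a non-zero mask, otherwise readers will compare their event against the wrong reference.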