diff --git a/windows/client-management/mdm/applicationcontrol-csp.md b/windows/client-management/mdm/applicationcontrol-csp.md
index 9ec2279561..c3328def36 100644
--- a/windows/client-management/mdm/applicationcontrol-csp.md
+++ b/windows/client-management/mdm/applicationcontrol-csp.md
@@ -301,7 +301,7 @@ An example of Delete command is:
## PowerShell and WMI Bridge Usage Guidance
-The ApplicationControl CSP can also be managed locally from PowerShell or via Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
+The ApplicationControl CSP can also be managed locally from PowerShell or via Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](../understand/using-powershell-scripting-with-the-wmi-bridge-provider.md).
### Setup for using the WMI Bridge
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index 000851dfa0..4494ac1c21 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -67,7 +67,7 @@ For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Educ
> [!Note]
> You can't set both KioskModeApp and ShellLauncher at the same time on the device.
-Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
+Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](../understand/enterprise-app-management.md).
Here's an example:
diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md
index 6224931d73..8f01636988 100644
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@@ -61,7 +61,7 @@ BitLocker
```
> [!TIP]
-> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
+> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](../understand/enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](../understand/understanding-admx-backed-policies.md).
**./Device/Vendor/MSFT/BitLocker**
Defines the root node for the BitLocker configuration service provider.
diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md
index 631460d250..f39440cc18 100644
--- a/windows/client-management/mdm/diagnosticlog-csp.md
+++ b/windows/client-management/mdm/diagnosticlog-csp.md
@@ -921,7 +921,7 @@ For each channel node, the user can:
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel.
- Specify an XPath query to filter events while exporting the channel event data.
-For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
+For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10]((../understand/diagnose-mdm-failures-in-windows-10.md).
To gather diagnostics using this CSP:
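Review bot: The new link target on the added line opens with two parentheses, `]((../understand/diagnose-mdm-failures-in-windows-10.md)`, so the Markdown link will not resolve and a stray parenthesis will render. Drop the extra one so the target reads `](../understand/diagnose-mdm-failures-in-windows-10.md)`.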
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index a0caeb384a..8265e92c95 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -232,7 +232,7 @@ Supported operation is Get.
**Provider/*ProviderID*/AADResourceID**
Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access.
-For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
+For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](../understand/azure-active-directory-integration-with-mdm.md).
**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
@@ -578,7 +578,7 @@ Supported operations are Get and Replace.
**Provider/*ProviderID*/ConfigLock**
-Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
+Optional. This node enables [Config Lock](../understand/config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
Default = Locked
diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
index 328d75b558..550d2bc51b 100644
--- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md
@@ -24,7 +24,7 @@ The table below shows the applicability of Windows:
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
-The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
+The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../understand/enterprise-app-management.md).
> [!Note]
> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
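Review bot: The changed sentence still carries the typo "use this CSP to for reporting apps inventory"; since the line is being rewritten for the link anyway, change it to "use this CSP for reporting apps inventory". The same wording appears on the changed line under `## Examples` in this file.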
@@ -680,7 +680,7 @@ Supported operation is Execute.
## Examples
-For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
+For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../understand/enterprise-app-management.md).
Query the device for a specific app subcategory, such as nonStore apps.
diff --git a/windows/client-management/understand/images/certfiltering1.png b/windows/client-management/mdm/images/certfiltering1.png
similarity index 100%
rename from windows/client-management/understand/images/certfiltering1.png
rename to windows/client-management/mdm/images/certfiltering1.png
diff --git a/windows/client-management/understand/images/certfiltering2.png b/windows/client-management/mdm/images/certfiltering2.png
similarity index 100%
rename from windows/client-management/understand/images/certfiltering2.png
rename to windows/client-management/mdm/images/certfiltering2.png
diff --git a/windows/client-management/understand/images/certfiltering3.png b/windows/client-management/mdm/images/certfiltering3.png
similarity index 100%
rename from windows/client-management/understand/images/certfiltering3.png
rename to windows/client-management/mdm/images/certfiltering3.png
diff --git a/windows/client-management/understand/images/vpnv2-csp-choosenetworkconnection.png b/windows/client-management/mdm/images/vpnv2-csp-choosenetworkconnection.png
similarity index 100%
rename from windows/client-management/understand/images/vpnv2-csp-choosenetworkconnection.png
rename to windows/client-management/mdm/images/vpnv2-csp-choosenetworkconnection.png
diff --git a/windows/client-management/understand/images/vpnv2-csp-networkconnections.png b/windows/client-management/mdm/images/vpnv2-csp-networkconnections.png
similarity index 100%
rename from windows/client-management/understand/images/vpnv2-csp-networkconnections.png
rename to windows/client-management/mdm/images/vpnv2-csp-networkconnections.png
diff --git a/windows/client-management/understand/images/vpnv2-csp-rasphone.png b/windows/client-management/mdm/images/vpnv2-csp-rasphone.png
similarity index 100%
rename from windows/client-management/understand/images/vpnv2-csp-rasphone.png
rename to windows/client-management/mdm/images/vpnv2-csp-rasphone.png
diff --git a/windows/client-management/understand/images/vpnv2-csp-setupnewconnection.png b/windows/client-management/mdm/images/vpnv2-csp-setupnewconnection.png
similarity index 100%
rename from windows/client-management/understand/images/vpnv2-csp-setupnewconnection.png
rename to windows/client-management/mdm/images/vpnv2-csp-setupnewconnection.png
diff --git a/windows/client-management/understand/images/vpnv2-csp-setupnewconnection2.png b/windows/client-management/mdm/images/vpnv2-csp-setupnewconnection2.png
similarity index 100%
rename from windows/client-management/understand/images/vpnv2-csp-setupnewconnection2.png
rename to windows/client-management/mdm/images/vpnv2-csp-setupnewconnection2.png
diff --git a/windows/client-management/understand/images/vpnv2-csp-testproperties.png b/windows/client-management/mdm/images/vpnv2-csp-testproperties.png
similarity index 100%
rename from windows/client-management/understand/images/vpnv2-csp-testproperties.png
rename to windows/client-management/mdm/images/vpnv2-csp-testproperties.png
diff --git a/windows/client-management/understand/images/vpnv2-csp-testproperties2.png b/windows/client-management/mdm/images/vpnv2-csp-testproperties2.png
similarity index 100%
rename from windows/client-management/understand/images/vpnv2-csp-testproperties2.png
rename to windows/client-management/mdm/images/vpnv2-csp-testproperties2.png
diff --git a/windows/client-management/understand/images/vpnv2-csp-testproperties3.png b/windows/client-management/mdm/images/vpnv2-csp-testproperties3.png
similarity index 100%
rename from windows/client-management/understand/images/vpnv2-csp-testproperties3.png
rename to windows/client-management/mdm/images/vpnv2-csp-testproperties3.png
diff --git a/windows/client-management/understand/images/vpnv2-csp-testproperties4.png b/windows/client-management/mdm/images/vpnv2-csp-testproperties4.png
similarity index 100%
rename from windows/client-management/understand/images/vpnv2-csp-testproperties4.png
rename to windows/client-management/mdm/images/vpnv2-csp-testproperties4.png
diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml
index 3eac4dc012..103d83e76e 100644
--- a/windows/client-management/mdm/index.yml
+++ b/windows/client-management/mdm/index.yml
@@ -1,10 +1,10 @@
### YamlMime:Landing
-title: Mobile Device Management # < 60 chars
+title: Configuration Service Provider # < 60 chars
summary: Find out how to enroll Windows devices and manage company security policies and business applications. # < 160 chars
metadata:
- title: Mobile Device Management # Required; page title displayed in search results. Include the brand. < 60 chars.
+ title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars.
description: Find out how to enroll Windows devices and manage company security policies and business applications. # Required; article description that is displayed in search results. < 160 chars.
ms.topic: landing-page # Required
services: windows-10
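Review bot: The `title` and `metadata.title` values now read "Configuration Service Provider", but the unchanged `summary` and `description` still describe enrolling devices and managing policies and business applications, which is the old Mobile Device Management landing text. Update both to describe the CSP reference so search results match the page. The inline comment on `metadata.title` also asks for the brand to be included, and the new value has none.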
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index fd86cf59f4..9f70631773 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -115,7 +115,7 @@ Added in Windows 10, version 1703. The root node for grouping different configur
Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall**
-Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
+Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](../understand/win32-and-centennial-app-policy-configuration.md).
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 37ef1ecd8d..225f55edfb 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1448,7 +1448,7 @@ The table below shows the applicability of Windows:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../understand/device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify update delays for up to four weeks.
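Review bot: The link keeps the fragment `#windows10version1607forupdatemanagement` while its path moves to `../understand/device-update-management.md`, and the heading visible in that file is `## Windows 10, version 1607 for update management`, whose generated anchor would normally be hyphenated. Confirm the fragment still resolves after the move (an explicit anchor may exist outside the lines shown); otherwise the link lands at the top of the page. The same fragment is used in the DeferUpgradePeriod, PauseDeferrals and RequireDeferUpgrade notes in the hunks that follow.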
@@ -1527,7 +1527,7 @@ The table below shows the applicability of Windows:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../understand/device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify other upgrade delays for up to eight months.
@@ -2463,7 +2463,7 @@ The table below shows the applicability of Windows:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../understand/device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
@@ -2787,7 +2787,7 @@ The table below shows the applicability of Windows:
> [!NOTE]
-> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
+> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../understand/device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
Allows the IT admin to set a device to General Availability Channel train.
diff --git a/windows/client-management/mdm/provisioning-csp.md b/windows/client-management/mdm/provisioning-csp.md
index 1b640b1ba3..c07dc4e935 100644
--- a/windows/client-management/mdm/provisioning-csp.md
+++ b/windows/client-management/mdm/provisioning-csp.md
@@ -29,7 +29,7 @@ The Provisioning configuration service provider is used for bulk user enrollment
> [!NOTE]
> Bulk enrollment does not work when two-factor authentication is enabled.
-For bulk enrollment step-by-step guide, see [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md).
+For bulk enrollment step-by-step guide, see [Bulk enrollment](../understand/bulk-enrollment-using-windows-provisioning-tool.md).
The following shows the Provisioning configuration service provider in tree format.
diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml
index 49dc9578b2..8cea6ebd6f 100644
--- a/windows/client-management/mdm/toc.yml
+++ b/windows/client-management/mdm/toc.yml
@@ -1,7 +1,8 @@
items:
- - name: CSP Overview
+ - name: Overview
href: index.yml
- name: Configuration service provider reference
+ expanded: true
href: configuration-service-provider-reference.md
items:
- name: Policy CSP
diff --git a/windows/client-management/understand/certificate-renewal-windows-mdm.md b/windows/client-management/understand/certificate-renewal-windows-mdm.md
index 96a2369975..c02b6ae6c4 100644
--- a/windows/client-management/understand/certificate-renewal-windows-mdm.md
+++ b/windows/client-management/understand/certificate-renewal-windows-mdm.md
@@ -1,10 +1,10 @@
---
title: Certificate Renewal
description: Learn how to find all the resources that you need to provide continuous access to client certificates.
-MS-HAID:
+MS-HAID:
- 'p\_phdevicemgmt.certificate\_renewal'
- 'p\_phDeviceMgmt.certificate\_renewal\_windows\_mdm'
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -30,18 +30,18 @@ Windows supports automatic certificate renewal, also known as Renew On Behalf Of
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
-For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP’s](certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
+For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP’s](../mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
With automatic renewal, the PKCS\#7 message content isn’t b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
-During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](certificatestore-csp.md).
+During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](../mdm/certificatestore-csp.md).
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
The following example shows the details of an automatic renewal request.
```xml
-
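Review bot: In the first changed paragraph, "during MDM management section" looks like a typo for "session" (the next changed paragraph says "over a DM session"); worth fixing while the line is touched. The hunk also ends with a whitespace-only removal inside the XML example, which is unrelated to the link move and would be easier to review as a separate commit.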
@@ -62,7 +62,7 @@ The following example shows the details of an automatic renewal request.
user@contoso.com
+ "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">
@@ -73,9 +73,9 @@ The following example shows the details of an automatic renewal request.
http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken
http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew
-
BinarySecurityTokenInsertedHere
diff --git a/windows/client-management/understand/device-update-management.md b/windows/client-management/understand/device-update-management.md
index bd5f317fc2..c65aa8a2e4 100644
--- a/windows/client-management/understand/device-update-management.md
+++ b/windows/client-management/understand/device-update-management.md
@@ -1,7 +1,7 @@
---
title: Mobile device management MDM for device updates
description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -12,7 +12,7 @@ ms.date: 11/15/2017
ms.collection: highpri
---
-# Mobile device management (MDM) for device updates
+# Mobile device management (MDM) for device updates
>[!TIP]
>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq).
@@ -36,7 +36,7 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update’s title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
-For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
+For more information about the CSPs, see [Update CSP](../mdm/update-csp.md) and the update policy area of the [Policy CSP](../mdm/policy-configuration-service-provider.md).
The following diagram provides a conceptual overview of how this works:
@@ -130,11 +130,11 @@ The following list describes a suggested model for applying updates.
2. In the Test group, just let all updates flow.
3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
-Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md).
+Updates are configured using a combination of the [Update CSP](../mdm/update-csp.md), and the update portion of the [Policy CSP](../mdm/policy-configuration-service-provider.md).
### Update policies
-The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
+The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](../mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
The following information shows the Update policies in a tree format.
@@ -179,7 +179,7 @@ Policy
**Update/ActiveHoursEnd**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. When used with **Update/ActiveHoursStart**, it allows the IT admin to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. There's a 12-hour maximum from start time.
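Review bot: The note on the changed line ends without a period ("and Windows 10 Education"), while the same note under Update/ActiveHoursMaxRange ends with one. Since the line is already being edited for trailing whitespace, add the period here and on the matching line under Update/BranchReadinessLevel for consistency.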
@@ -193,7 +193,7 @@ The default is 17 (5 PM).
**Update/ActiveHoursMaxRange**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
@@ -235,7 +235,7 @@ The following list shows the supported values:
> [!IMPORTANT]
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
-
+
If the policy isn't configured, end users get the default behavior (Auto install and restart).
@@ -312,7 +312,7 @@ The following list shows the supported values:
**Update/BranchReadinessLevel**
> [!NOTE]
-> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
+> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
@@ -680,7 +680,7 @@ Value type is string and the default value is an empty string. If the setting is
### Update management
-The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following information shows the Update CSP in tree format.
+The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](../mdm/update-csp.md). The following information shows the Update CSP in tree format.
```console
./Vendor/MSFT
@@ -731,7 +731,7 @@ The update approval list enables IT to approve individual updates and update cla
> [!NOTE]
> For the Windows 10 build, the client may need to reboot after additional updates are added.
-
+
Supported operations are Get and Add.
@@ -835,7 +835,7 @@ Supported operation is Get.
## Windows 10, version 1607 for update management
-Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
+Here are the new policies added in Windows 10, version 1607 in [Policy CSP](../mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
- Update/ActiveHoursEnd
- Update/ActiveHoursStart
diff --git a/windows/client-management/understand/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/understand/diagnose-mdm-failures-in-windows-10.md
index b28a49b37e..aa5766fc03 100644
--- a/windows/client-management/understand/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/understand/diagnose-mdm-failures-in-windows-10.md
@@ -1,7 +1,7 @@
---
title: Diagnose MDM failures in Windows 10
description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -19,10 +19,10 @@ To help diagnose enrollment or device management issues in Windows 10 devices ma
## Download the MDM Diagnostic Information log from Windows 10 PCs
1. On your managed device, go to **Settings** > **Accounts** > **Access work or school**.
-1. Click your work or school account, then click **Info.**
+1. Click your work or school account, then click **Info.**

-1. At the bottom of the **Settings** page, click **Create report**.
+1. At the bottom of the **Settings** page, click **Create report**.

1. A window opens that shows the path to the log files. Click **Export**.
@@ -89,7 +89,7 @@ You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC
## Collect logs remotely from Windows 10 PCs
-When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
+When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug
@@ -137,7 +137,7 @@ Example: Export the Debug logs
## Collect logs remotely from Windows 10 Holographic
-For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
+For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md).
You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
@@ -231,7 +231,7 @@ Stop collector trace logging
```
-After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see [DiagnosticLog CSP](diagnosticlog-csp.md).
+After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md).
## View logs
@@ -263,7 +263,7 @@ For best results, ensure that the PC or VM on which you're viewing logs matches
## Collect device state data
-Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
+Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
```xml
diff --git a/windows/client-management/understand/enable-admx-backed-policies-in-mdm.md b/windows/client-management/understand/enable-admx-backed-policies-in-mdm.md
index 275e57f3ae..864f47a614 100644
--- a/windows/client-management/understand/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/understand/enable-admx-backed-policies-in-mdm.md
@@ -17,7 +17,7 @@ manager: aaroncz
Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
-Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
+Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](../mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](../mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
Summary of steps to enable a policy:
- Find the policy from the list ADMX policies.
@@ -35,7 +35,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
> [!NOTE]
> See [Understanding ADMX policies in Policy CSP](../understand/understanding-admx-backed-policies.md).
-1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
+1. Find the policy from the list [ADMX policies](../mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
- GP Friendly name
- GP name
- GP ADMX file name
@@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
2. Find the variable names of the parameters in the ADMX file.
- You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
+ You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](../mdm/policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).

diff --git a/windows/client-management/understand/enterprise-app-management.md b/windows/client-management/understand/enterprise-app-management.md
index d2dc640f22..aa49005c0a 100644
--- a/windows/client-management/understand/enterprise-app-management.md
+++ b/windows/client-management/understand/enterprise-app-management.md
@@ -1,7 +1,7 @@
---
title: Enterprise app management
description: This article covers one of the key mobile device management (MDM) features in Windows 10 for managing the lifecycle of apps across all of Windows.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -30,7 +30,7 @@ Windows 10 offers the ability for management servers to:
## Inventory your apps
-Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
+Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](../mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
- nonStore - Apps that weren't acquired from the Microsoft Store.
@@ -41,7 +41,7 @@ These classifications are represented as nodes in the EnterpriseModernAppManagem
The following information shows the EnterpriseModernAppManagement CSP in a tree format:
```console
-./Device/Vendor/MSFT
+./Device/Vendor/MSFT
or
./User/Vendor/MSFT
EnterpriseAppManagement
@@ -164,7 +164,7 @@ Here are the nodes for each package full name:
- Users
- IsProvisioned
-For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
+For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md).
### App inventory
@@ -210,7 +210,7 @@ Here are the nodes for each license ID:
- LicenseUsage
- RequestedID
-For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
+For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md).
> [!NOTE]
> The LicenseID in the CSP is the content ID for the license.
@@ -253,7 +253,7 @@ To deploy apps that aren't from the Microsoft Store, you must configure the Appl
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
-For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
+For more information about the AllowAllTrustedApps policy, see [Policy CSP](../mdm/policy-configuration-service-provider.md).
Here are some examples.
@@ -271,14 +271,14 @@ Here are some examples.
2
-
+ ./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowAllTrustedApps
-
- int
- text/plain
-
- 1
+
+ int
+ text/plain
+
+ 1
```
@@ -291,7 +291,7 @@ AllowDeveloperUnlock policy enables the development mode on the device. The Allo
Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
-For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md).
+For more information about the AllowDeveloperUnlock policy, see [Policy CSP](../mdm/policy-configuration-service-provider.md).
Here's an example.
@@ -309,21 +309,21 @@ Here's an example.
2
-
+ ./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock
-
- int
- text/plain
-
- 1
+
+ int
+ text/plain
+
+ 1
```
## Install your apps
-You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
+You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md) to install apps.
### Deploy apps to user from the Store
@@ -381,7 +381,7 @@ Here's an example of an offline license installation.
1
-
+ ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppLicenses/StoreLicenses/{LicenseID}/AddLicense
@@ -420,7 +420,7 @@ Here's an example of a line-of-business app installation.
./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}
-
+
1
@@ -447,7 +447,7 @@ Here's an example of an app installation with dependencies.
./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName
-
+
1
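Review bot: The LocURI context line in this example ends in `{PackageFamilyName` with no closing brace, while the line-of-business example in the previous hunk uses `{PackageFamilyName}`. Since this hunk is already a whitespace cleanup of the example, close the placeholder in the same change. The same unclosed form appears in the context lines of the installation examples that follow.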
@@ -481,7 +481,7 @@ Here's an example of an app installation with dependencies and optional packages
./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName
-
+
1
@@ -499,9 +499,9 @@ Here's an example of an app installation with dependencies and optional packages
-
-
@@ -542,7 +542,7 @@ Here's an example of app installation.
./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName
-
+
1
@@ -579,7 +579,7 @@ Here's an example of app installation with dependencies.
./Device/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName
-
+
1
@@ -626,7 +626,7 @@ Here's an example of a query for a specific app installation.
2
-
+ ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}?list=StructData
@@ -640,7 +640,7 @@ Here's an example of a query for all app installations.
2
-
+ ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation?list=StructData
@@ -659,7 +659,7 @@ Here's an example of an alert.
1226
- ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstall
+ ./User/Vendor/MSFT/EnterpriseModernAppManagement/AppInstallation/{PackageFamilyName}/HostedInstallReversed-Domain-Name:com.microsoft.mdm.EnterpriseHostedAppInstall.result
@@ -723,7 +723,7 @@ You can remove provisioned apps from a device for a specific version, or for all
> [!NOTE]
> You can only remove an app that has an inventory value IsProvisioned = 1.
-
+
Removing provisioned app occurs in the device context.
Here's an example for removing a provisioned app from a device.
@@ -889,7 +889,7 @@ The Universal Windows app can share application data between the users of the de
> [!NOTE]
> This is only applicable to multi-user devices.
-The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
+The AllowSharedUserAppData policy in [Policy CSP](../mdm/policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it).
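Review bot: The unchanged sentence that closes this hunk reads "The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage ...", which has a wrong first word ("The" where "To" is meant) and a doubled opening parenthesis. The paragraph directly above it is being edited here, so fix that sentence in the same change rather than carrying it forward.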
@@ -911,14 +911,14 @@ Here's an example.
2
-
+ ./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowSharedUserAppData
-
- int
- text/plain
-
- 1
+
+ int
+ text/plain
+
+ 1
```
diff --git a/windows/client-management/understand/implement-server-side-mobile-application-management.md b/windows/client-management/understand/implement-server-side-mobile-application-management.md
index 9d71b7234b..8c44332a51 100644
--- a/windows/client-management/understand/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/understand/implement-server-side-mobile-application-management.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 08/03/2022
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
@@ -57,7 +57,7 @@ MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/
Below are protocol changes for MAM enrollment:
- MDM discovery isn't supported.
-- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional.
+- APPAUTH node in [DMAcc CSP](../mdm/dmacc-csp.md) is optional.
- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.
Here's an example provisioning XML for MAM enrollment.
@@ -74,26 +74,26 @@ Here's an example provisioning XML for MAM enrollment.
```
-Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours.
+Since the [Poll](../mdm/dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours.
## Supported CSPs
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
-- [AppLocker CSP](applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
-- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
-- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
-- [DevInfo CSP](devinfo-csp.md).
-- [DMAcc CSP](dmacc-csp.md).
-- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
-- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has Windows Information Protection policies.
-- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
-- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
-- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
-- [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs.
-- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
-- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
-- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
+- [AppLocker CSP](../mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
+- [ClientCertificateInstall CSP](../mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
+- [DeviceStatus CSP](../mdm/devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
+- [DevInfo CSP](../mdm/devinfo-csp.md).
+- [DMAcc CSP](../mdm/dmacc-csp.md).
+- [DMClient CSP](../mdm/dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
+- [EnterpriseDataProtection CSP](../mdm/enterprisedataprotection-csp.md) has Windows Information Protection policies.
+- [Health Attestation CSP](../mdm/healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
+- [PassportForWork CSP](../mdm/passportforwork-csp.md) for Windows Hello for Business PIN management.
+- [Policy CSP](../mdm/policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
+- [Reporting CSP](../mdm/reporting-csp.md) for retrieving Windows Information Protection logs.
+- [RootCaTrustedCertificates CSP](../mdm/rootcacertificates-csp.md).
+- [VPNv2 CSP](../mdm/vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
+- [WiFi CSP](../mdm/wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
## Device lock policies and EAS
diff --git a/windows/client-management/understand/mdm-overview.md b/windows/client-management/understand/mdm-overview.md
index d0e376cd1f..9d47a3fdf8 100644
--- a/windows/client-management/understand/mdm-overview.md
+++ b/windows/client-management/understand/mdm-overview.md
@@ -56,9 +56,8 @@ For information about the MDM policies defined in the Intune security baseline,
## Learn about device management
- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
-- [Enterprise app management](enterprise-app-management.md)
+- [Enterprise app management](../understand/enterprise-app-management.md)
- [Mobile device management (MDM) for device updates](device-update-management.md)
-- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
- [OMA DM protocol support](oma-dm-protocol-support.md)
- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
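Review bot: The rewritten Enterprise app management link points at `../understand/enterprise-app-management.md`, but this file already lives in `understand/`, and the neighbouring entries in the same list (`device-update-management.md`, `oma-dm-protocol-support.md`) keep bare file names. The original `enterprise-app-management.md` target resolves to the same page, so consider leaving it as it was for consistency. This hunk also deletes the "Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices" entry, which is a content removal rather than a path fix and is worth calling out separately from the link updates.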
@@ -66,7 +65,7 @@ For information about the MDM policies defined in the Intune security baseline,
## Learn about configuration service providers
-- [Configuration service provider reference](configuration-service-provider-reference.md)
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
+- [Configuration service provider reference](../mdm/configuration-service-provider-reference.md)
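Review bot: The Configuration service provider reference entry is removed from the top of this list and re-added at the bottom with the `../mdm/` path, so the list order changes along with the link. If only the path was meant to change, edit the line in place so the reference stays the first item.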
diff --git a/windows/client-management/understand/new-in-windows-mdm-enrollment-management.md b/windows/client-management/understand/new-in-windows-mdm-enrollment-management.md
index 715e8578ea..344c6c81ff 100644
--- a/windows/client-management/understand/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/understand/new-in-windows-mdm-enrollment-management.md
@@ -1,10 +1,10 @@
---
title: What's new in MDM enrollment and management
description: Discover what's new and breaking changes in Windows 10 and Windows 11 mobile device management (MDM) enrollment and management experience across all Windows 10 devices.
-MS-HAID:
+MS-HAID:
- 'p\_phdevicemgmt.mdm\_enrollment\_and\_management\_overview'
- 'p\_phDeviceMgmt.new\_in\_windows\_mdm\_enrollment\_management'
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -25,75 +25,75 @@ For details about Microsoft mobile device management protocols for Windows 10 an
| New or updated article | Description |
|--|--|
-| [DeviceStatus](devicestatus-csp.md) | Added the following node:
MDMClientCertAttestation |
-| [eUUICs](euiccs-csp.md) | Added the following node:
IsDiscoveryServer |
-| [PersonalDataEncryption](personaldataencryption-csp.md) | New CSP |
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
Windowslogon/EnableMPRNotifications |
+| [SecureAssessment](../mdm/secureassessment-csp.md) | Added the following node:
Asssessments |
+| [WindowsAutopilot](../mdm/windowsautopilot-csp.md) | Added the following node:
HardwareMismatchRemediationData |
## What's new in MDM for Windows 11, version 21H2
| New or updated article | Description |
|--|--|
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable |
+| [DMClient CSP](../mdm/dmclient-csp.md) | Updated the description of the following nodes:
Provider/ProviderID/ConfigLock/Lock
Provider/ProviderID/ConfigLock/UnlockDuration
Provider/ProviderID/ConfigLock/SecuredCore |
+| [PrinterProvisioning](../mdm/universalprint-csp.md) | New CSP |
## What's new in MDM for Windows 10, version 20H2
|New or updated article|Description|
|-----|-----|
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
Multitasking/BrowserAltTabBlowout|
-| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:
Properties/SleepMode |
-| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
Settings/AllowWindowsDefenderApplicationGuard |
+| [Policy CSP](../mdm/policy-configuration-service-provider.md) | Added the following nodes:
Multitasking/BrowserAltTabBlowout|
+| [SurfaceHub CSP](../mdm/surfacehub-csp.md) | Added the following new node:
Properties/SleepMode |
+| [WindowsDefenderApplicationGuard CSP](../mdm/windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:
Settings/AllowWindowsDefenderApplicationGuard |
## What's new in MDM for Windows 10, version 2004
| New or updated article | Description |
|-----|-----|
-| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
Updated the following policy in Windows 10, version 2004:
DeliveryOptimization/DOCacheHost
Deprecated the following policies in Windows 10, version 2004:
DeliveryOptimization/DOMaxDownloadBandwidth
DeliveryOptimization/DOMaxUploadBandwidth
DeliveryOptimization/DOPercentageMaxDownloadBandwidth |
+| [DevDetail CSP](../mdm/devdetail-csp.md) | Added the following new node:
Ext/Microsoft/DNSComputerName |
+| [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md) | Added the following node:
IsStub |
+| [SUPL CSP](../mdm/supl-csp.md) | Added the following node:
FullVersion |
## What's new in MDM for Windows 10, version 1909
| New or updated article | Description |
|-----|-----|
-| [BitLocker CSP](bitlocker-csp.md) | Added the following nodes:
ConfigureRecoveryPasswordRotation
RotateRecoveryPasswords
RotateRecoveryPasswordsStatus
RotateRecoveryPasswordsRequestID|
+| [BitLocker CSP](../mdm/bitlocker-csp.md) | Added the following nodes:
ConfigureRecoveryPasswordRotation
RotateRecoveryPasswords
RotateRecoveryPasswordsStatus
RotateRecoveryPasswordsRequestID|
## What's new in MDM for Windows 10, version 1903
| New or updated article | Description |
|-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
WindowsLogon/EnableFirstLogonAnimation|
-| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. |
-| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. |
-| [Defender CSP](defender-csp.md) | Added the following new nodes:
Health/TamperProtectionEnabled
Health/IsVirtualMachine
Configuration
Configuration/TamperProtection
Configuration/EnableFileHashComputation |
-| [DiagnosticLog CSP](diagnosticlog-csp.md) [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
Policy
Policy/Channels
Policy/Channels/ChannelName
Policy/Channels/ChannelName/MaximumFileSize
Policy/Channels/ChannelName/SDDL
Policy/Channels/ChannelName/ActionWhenFull
Policy/Channels/ChannelName/Enabled
DiagnosticArchive
DiagnosticArchive/ArchiveDefinition
DiagnosticArchive/ArchiveResults |
-| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. |
-| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:
SecurityKey
SecurityKey/UseSecurityKeyForSignin |
+|[Policy CSP](../mdm/policy-configuration-service-provider.md) | Added the following nodes:
WindowsLogon/EnableFirstLogonAnimation|
+| [Policy CSP - Audit](../mdm/policy-csp-audit.md) | Added the new Audit policy CSP. |
+| [ApplicationControl CSP](../mdm/applicationcontrol-csp.md) | Added the new CSP. |
+| [Defender CSP](../mdm/defender-csp.md) | Added the following new nodes:
Health/TamperProtectionEnabled
Health/IsVirtualMachine
Configuration
Configuration/TamperProtection
Configuration/EnableFileHashComputation |
+| [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md) [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903. Added the new 1.4 version of the DDF. Added the following new nodes:
Policy
Policy/Channels
Policy/Channels/ChannelName
Policy/Channels/ChannelName/MaximumFileSize
Policy/Channels/ChannelName/SDDL
Policy/Channels/ChannelName/ActionWhenFull
Policy/Channels/ChannelName/Enabled
DiagnosticArchive
DiagnosticArchive/ArchiveDefinition
DiagnosticArchive/ArchiveResults |
+| [EnrollmentStatusTracking CSP](../mdm/enrollmentstatustracking-csp.md) | Added the new CSP. |
+| [PassportForWork CSP](../mdm/passportforwork-csp.md) | Added the following new nodes:
SecurityKey
SecurityKey/UseSecurityKeyForSignin |
## What's new in MDM for Windows 10, version 1809
| New or updated article | Description |
|-----|-----|
-|[Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:
WindowsLogon/DontDisplayNetworkSelectionUI |
+| [BitLocker CSP](../mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.
Added support for Windows 10 Pro. |
+| [Defender CSP](../mdm/defender-csp.md) | Added a new node Health/ProductStatus. |
+| [DevDetail CSP](../mdm/devdetail-csp.md) | Added a new node SMBIOSSerialNumber. |
+| [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. |
+| [Office CSP](../mdm/office-csp.md) | Added FinalStatus setting. |
+| [PassportForWork CSP](../mdm/passportforwork-csp.md) | Added new settings. |
+| [RemoteWipe CSP](../mdm/remotewipe-csp.md) | Added new settings. |
+| [SUPL CSP](../mdm/supl-csp.md) | Added three new certificate nodes. |
+| [TenantLockdown CSP](../mdm/tenantlockdown-csp.md) | Added new CSP. |
+| [Wifi CSP](../mdm/wifi-csp.md) | Added a new node WifiCost. |
+| [WindowsDefenderApplicationGuard CSP](../mdm/windowsdefenderapplicationguard-csp.md) | Added new settings. |
+| [WindowsLicensing CSP](../mdm/windowslicensing-csp.md) | Added S mode settings and SyncML examples. |
+| [Win32CompatibilityAppraiser CSP](../mdm/win32compatibilityappraiser-csp.md) | New CSP. |
## Breaking changes and known issues
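Review bot: In the added DiagnosticLog row of the version 1903 table, the CSP link becomes `../mdm/diagnosticlog-csp.md` but the DDF link beside it is still `diagnosticlog-ddf.md`, so two links in the same cell resolve against different folders. If the DDF page sits alongside the CSP page, it needs the same `../mdm/` prefix. Two smaller points in the added rows: the SecureAssessment node is spelled `Asssessments`, which looks like a typo for Assessments, and the link labelled PrinterProvisioning targets `universalprint-csp.md`, so the label and target should be checked against each other.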
@@ -111,7 +111,7 @@ Passing CDATA in data in SyncML to ConfigManager and CSPs doesn't work in Window
### SSL settings in IIS server for SCEP must be set to "Ignore"
-The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11.
+The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10 and Windows 11.

@@ -151,7 +151,7 @@ EAP XML must be updated with relevant information for your environment. This tas
For information about EAP Settings, see .
-For information about generating an EAP XML, see [EAP configuration](eap-configuration.md).
+For information about generating an EAP XML, see [EAP configuration](../mdm/eap-configuration.md).
For more information about extended key usage, see .
@@ -176,7 +176,7 @@ The following XML sample explains the properties for the EAP TLS XML including c
> [!NOTE]
> For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.
-
+
```xml
@@ -281,7 +281,7 @@ The following XML sample explains the properties for the EAP TLS XML including c
Alternatively you can use the following procedure to create an EAP Configuration XML.
-1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md).
+1. Follow steps 1 through 7 in [EAP configuration](../mdm/eap-configuration.md).
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
@@ -304,7 +304,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
7. Close the rasphone dialog box.
-8. Continue following the procedure in [EAP configuration](eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
+8. Continue following the procedure in [EAP configuration](../mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
> [!NOTE]
> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
@@ -320,7 +320,7 @@ In Azure AD joined Windows 10 and Windows 11, provisioning /.User resources fail
### Requirements to note for VPN certificates also used for Kerberos Authentication
-If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.
+If you want to use the certificate used for VPN authentication also for Kerberos authentication (required if you need access to on-premises resources using NTLM or Kerberos), the user's certificate must meet the requirements for smart card certificate, the Subject field should contain the DNS domain name in the DN or the SAN should contain a fully qualified UPN so that the DC can be located from the DNS registrations. If certificates that don't meet these requirements are used for VPN, users may fail to access resources that require Kerberos authentication.
### Device management agent for the push-button reset is not working
diff --git a/windows/client-management/understand/push-notification-windows-mdm.md b/windows/client-management/understand/push-notification-windows-mdm.md
index 5f5f318d06..78c0736c75 100644
--- a/windows/client-management/understand/push-notification-windows-mdm.md
+++ b/windows/client-management/understand/push-notification-windows-mdm.md
@@ -1,10 +1,10 @@
---
title: Push notification support for device management
description: The DMClient CSP supports the ability to configure push-initiated device management sessions.
-MS-HAID:
+MS-HAID:
- 'p\_phdevicemgmt.push\_notification\_support\_for\_device\_management'
- 'p\_phDeviceMgmt.push\_notification\_windows\_mdm'
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
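Review bot: `ms.reviewer:` is rewritten in this front matter but still has no value, and `MS-HAID:` is rewritten the same way. If the intent is only to strip trailing whitespace, say so in the commit message. Otherwise either supply a reviewer alias or drop the empty key. The same empty `ms.reviewer:` rewrite recurs in the front matter of the other files touched further down.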
@@ -17,7 +17,7 @@ ms.date: 09/22/2017
# Push notification support for device management
-The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
+The [DMClient CSP](../mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device.
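Review bot: "PFN" in the changed paragraph is used without being expanded, and the sentence that follows it ("This provision results in the device getting configured, to support a push to it by the management server") is hard to parse. The change itself only repoints the DMClient CSP link to `../mdm/dmclient-csp.md`. While the line is open, expand the abbreviation on first use and tighten that sentence to say plainly that provisioning the PFN is what enables server-initiated push.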
diff --git a/windows/client-management/understand/structure-of-oma-dm-provisioning-files.md b/windows/client-management/understand/structure-of-oma-dm-provisioning-files.md
index d34d3c1746..f054846aef 100644
--- a/windows/client-management/understand/structure-of-oma-dm-provisioning-files.md
+++ b/windows/client-management/understand/structure-of-oma-dm-provisioning-files.md
@@ -1,7 +1,7 @@
---
title: Structure of OMA DM provisioning files
description: Learn about the structure of OMA DM provisioning files, for example how each message is composed of a header, specified by the SyncHdr element, and a message body.
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
ms.author: vinpa
ms.topic: article
@@ -81,7 +81,7 @@ This information is used to by the client device to properly manage the DM sessi
The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only.
> [!NOTE]
-> The `` node value for the `` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](devinfo-csp.md).
+> The `` node value for the `` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](../mdm/devinfo-csp.md).
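Review bot: In the changed NOTE line, both inline code spans are empty as shown ("The `` node value for the `` element in the SyncHdr"), so the sentence does not say which node and which element must equal ./DevInfo/DevID. The old and new lines share the problem, which means the link fix carries it forward. Please confirm the element names survive in the source file, and escape the angle brackets if the renderer is stripping them.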
diff --git a/windows/client-management/understand/understanding-admx-backed-policies.md b/windows/client-management/understand/understanding-admx-backed-policies.md
index c21a7a2573..76eda97db5 100644
--- a/windows/client-management/understand/understanding-admx-backed-policies.md
+++ b/windows/client-management/understand/understanding-admx-backed-policies.md
@@ -7,13 +7,13 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 03/23/2020
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# Understanding ADMX policies
-Due to increased simplicity and the ease with which devices can be targeted, enterprise businesses are finding it increasingly advantageous to move their PC management to a cloud-based device management solution. Unfortunately, the modern Windows PC device-management solutions lack the critical policy and app settings configuration capabilities that are supported in a traditional PC management solution.
+Due to increased simplicity and the ease with which devices can be targeted, enterprise businesses are finding it increasingly advantageous to move their PC management to a cloud-based device management solution. Unfortunately, the modern Windows PC device-management solutions lack the critical policy and app settings configuration capabilities that are supported in a traditional PC management solution.
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support expanded to allow access of selected set of Group Policy administrative templates (ADMX policies) for Windows PCs via the Policy configuration service provider (CSP). This expanded access ensures that enterprises can keep their devices compliant and prevent the risk on compromising security of their devices managed through the cloud.
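Review bot: The context paragraph directly below the changed line has two wording errors that are worth fixing in the same pass: "allow access of selected set of Group Policy administrative templates" and "prevent the risk on compromising security of their devices". Suggest "allow access to a selected set of" and "reduce the risk of compromising the security of". The changed line itself reads identically before and after, so the edit appears to be whitespace only.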
@@ -24,34 +24,34 @@ In addition to standard MDM policies, the Policy CSP can also handle selected se
ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC.
Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor:
- OS settings: Computer Configuration/Administrative Templates
-- Application settings: User Configuration/Administrative Templates
+- Application settings: User Configuration/Administrative Templates
In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are applied to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), isn't required.
An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP doesn't rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
-Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](./policy-configuration-service-provider.md).
+Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\\`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](../mdm/policy-configuration-service-provider.md).
## ADMX files and the Group Policy Editor
-To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**.
+To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrator must use a UI, such as the Group Policy Editor (gpedit.msc), to gather the necessary data. The MDM ISV console UI determines how to gather the needed Group Policy data from the IT administrator. ADMX Group Policies are organized in a hierarchy and can have a scope of machine, user, or both. The Group Policy example in the next section uses a machine-wide Group Policy named "Publishing Server 2 Settings." When this Group Policy is selected, its available states are **Not Configured**, **Enabled**, and **Disabled**.
-The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category.
+The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the "Publishing Server 2 Settings" is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category.
Group Policy option button setting:
- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur:
- - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
+ - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data.
- The MDM client stack receives this data, which causes the Policy CSP to update the device's registry per the ADMX policy definition.
- If **Disabled** is selected and you click **Apply**, the following events occur:
- - The MDM ISV server sets up a Replace SyncML command with a payload set to ``.
+ - The MDM ISV server sets up a Replace SyncML command with a payload set to ``.
- The MDM client stack receives this command, which causes the Policy CSP to either delete the device's registry settings, set the registry keys, or both, per the state change directed by the ADMX policy definition.
- If **Not Configured** is selected and you click **Apply**, the following events occur:
- - MDM ISV server sets up a Delete SyncML command.
+ - MDM ISV server sets up a Delete SyncML command.
- The MDM client stack receives this command, which causes the Policy CSP to delete the device's registry settings per the ADMX policy definition.
The following diagram shows the main display for the Group Policy Editor.
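Review bot: The Policy CSP URI in the changed "Windows maps the name and category path" line is written with backslashes and lower case, `.\[device|user]\vendor\msft\policy\[config|result]\\`, and ends in two bare separators where the area and policy name placeholders should be. The paragraph just above it in the same hunk writes the ADMXInstall URI with forward slashes as `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. Use one form throughout and restore the placeholders. Also, in the **Disabled** bullet, "a payload set to" is followed by an empty code span, so the actual payload value is missing from the sentence.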
@@ -65,15 +65,15 @@ The following diagram shows the settings for the "Publishing Server 2 Settings"
Most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply ``. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every `` element and ID attribute in the ADMX policy definition, there must be a corresponding `` element and ID attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol.
> [!IMPORTANT]
-> Any data entry field that is displayed in the Group Policy page of the Group Policy Editor must be supplied in the encoded XML of the SyncML payload. The SyncML data payload is equivalent to the user-supplied Group Policy data through GPEdit.msc.
+> Any data entry field that is displayed in the Group Policy page of the Group Policy Editor must be supplied in the encoded XML of the SyncML payload. The SyncML data payload is equivalent to the user-supplied Group Policy data through GPEdit.msc.
-For more information about the Group Policy description format, see [Administrative Template File (ADMX) format](/previous-versions/windows/desktop/Policy/admx-schema). Elements can be Text, MultiText, Boolean, Enum, Decimal, or List (for more information, see [policy elements](/previous-versions/windows/desktop/Policy/element-elements)).
+For more information about the Group Policy description format, see [Administrative Template File (ADMX) format](/previous-versions/windows/desktop/Policy/admx-schema). Elements can be Text, MultiText, Boolean, Enum, Decimal, or List (for more information, see [policy elements](/previous-versions/windows/desktop/Policy/element-elements)).
For example, if you search for the string, "Publishing_Server2_Name_Prompt" in both the *Enabling a policy* example and its corresponding ADMX policy definition in the appv.admx file, you'll find the following occurrences:
Enabling a policy example:
```XML
-``
+``
```
Appv.admx file:
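Review bot: The example is named inconsistently within this hunk: the first paragraph calls it the *Enabling a Group Policy* example, while the later sentence and the label above the code block call it the *Enabling a policy* example. Pick one name so the cross-reference resolves. Separately, the XML fence under "Enabling a policy example:" contains only an empty code span in both the removed and added line, and the first paragraph has several empty inline code spans ("the payload of the SyncML is simply", "described by ... tags"). The element names the text relies on are not visible, so check that they are present and escaped in the source.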
@@ -120,15 +120,15 @@ The following SyncML examples describe how to set an MDM policy that is defined
./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2
- ]]>
@@ -233,7 +233,7 @@ This section describes sample SyncML for the various ADMX elements like Text, Mu
### How a Group Policy policy category path and name are mapped to an MDM area and policy name
-Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
+Below is the internal OS mapping of a Group Policy to an MDM area and name. This mapping is part of a set of Windows manifest that when compiled parses out the associated ADMX file, finds the specified Group Policy policy and stores that definition (metadata) in the MDM Policy CSP client store. ADMX backed policies are organized hierarchically. Their scope can be **machine**, **user**, or have a scope of **both**. When the MDM policy is referred to through a SyncML command and the Policy CSP URI, as shown below, this metadata is referenced and determines what registry keys are set or removed. Machine-scope policies are referenced via .\Device and the user scope policies via .\User.
`./[Device|User]/Vendor/MSFT/Policy/Config/[config|result]//`
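Review bot: The changed paragraph says machine and user scope are referenced "via .\Device" and "via .\User" with backslashes, but the URI on the next line uses forward slashes. That URI also contains both a literal `Config/` segment and a `[config|result]` alternative, and ends in `//` with no area or policy placeholders. Please reconcile the two so a reader can build a valid path from the text alone. Minor wording in the same line: "Group Policy policy" is duplicated twice, and "a set of Windows manifest that when compiled parses out" needs a plural and commas.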
@@ -480,7 +480,7 @@ Variations of the `list` element are dictated by attributes. These attributes ar
### Decimal Element
```XML
-
diff --git a/windows/client-management/understand/win32-and-centennial-app-policy-configuration.md b/windows/client-management/understand/win32-and-centennial-app-policy-configuration.md
index 824f17444b..37c2ac98c2 100644
--- a/windows/client-management/understand/win32-and-centennial-app-policy-configuration.md
+++ b/windows/client-management/understand/win32-and-centennial-app-policy-configuration.md
@@ -7,12 +7,12 @@ ms.prod: w10
ms.technology: windows
author: vinaypamnani-msft
ms.date: 03/23/2020
-ms.reviewer:
+ms.reviewer:
manager: aaroncz
---
# Win32 and Desktop Bridge app ADMX policy Ingestion
-
+
## In this section
- [Overview](#overview)
@@ -25,13 +25,13 @@ manager: aaroncz
## Overview
-Starting in Windows 10, version 1703, you can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.
+Starting in Windows 10, version 1703, you can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies.
NOTE: Starting from the following Windows 10 version Replace command is supported
-- Windows 10, version 1903 with KB4512941 and KB4517211 installed
-- Windows 10, version 1809 with KB4512534 and KB installed
-- Windows 10, version 1803 with KB4512509 and KB installed
-- Windows 10, version 1709 with KB4516071 and KB installed
+- Windows 10, version 1903 with KB4512941 and KB4517211 installed
+- Windows 10, version 1809 with KB4512534 and KB installed
+- Windows 10, version 1803 with KB4512509 and KB installed
+- Windows 10, version 1709 with KB4516071 and KB installed
When the ADMX policies are ingested, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations:
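Review bot: Three of the four prerequisite bullets are missing the second KB number: the 1809, 1803 and 1709 lines each read "and KB installed", while only the 1903 line names both updates (KB4512941 and KB4517211). The added lines carry the gap over unchanged, so an administrator cannot tell which update enables Replace on those versions. Fill in the missing identifiers or drop the dangling "and KB". The "NOTE:" introducing the list is also plain text rather than the `> [!NOTE]` block form used elsewhere in these files.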
@@ -53,7 +53,7 @@ When the ADMX policies are ingested, the registry keys to which each policy is w
- software\microsoft\windows\windows search\preferences\
- software\microsoft\exchange\
- software\policies\microsoft\vba\security\
-- software\microsoft\onedrive
+- software\microsoft\onedrive
- software\Microsoft\Edge
- Software\Microsoft\EdgeUpdate\
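Review bot: The exception list of writable registry locations is inconsistent in the lines around the changed `software\microsoft\onedrive` entry: that entry and `software\Microsoft\Edge` have no trailing backslash while the neighbours do, and casing varies between `software\microsoft`, `software\Microsoft` and `Software\Microsoft`. Because this list defines where ingested policies are allowed to write, the doc should state whether each entry is an exact key or a prefix, and use one normalized form so `Edge` and `EdgeUpdate\` cannot be misread as overlapping.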
@@ -61,7 +61,7 @@ When the ADMX policies are ingested, the registry keys to which each policy is w
> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain joined or non-domain joined.
> [!NOTE]
-> Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script).
+> Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script).
## Ingesting an app ADMX file
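Review bot: The context note above the changed line is ambiguous about scope: it opens with "Some operating system components" checking domain membership, then states "MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not", which reads as applying to every policy. Clarify that the restriction applies only to those components. In the changed NOTE itself, "by using PowerShell script" needs an article ("a PowerShell script").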
@@ -204,7 +204,7 @@ The following ADMX file example shows how to ingest a Win32 or Desktop Bridge ap
**Request Syncml**
The ADMX file is escaped and sent in SyncML format through the Policy CSP URI, `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}/{SettingType}/{FileUid or AdmxFileName}`.
-When the ADMX file is imported, the policy states for each new policy are the same as those in a regular MDM policy: Enabled, Disabled, or Not Configured.
+When the ADMX file is imported, the policy states for each new policy are the same as those in a regular MDM policy: Enabled, Disabled, or Not Configured.
The following example shows an ADMX file in SyncML format:
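Review bot: The bold label "**Request Syncml**" at the top of this hunk does not match the "SyncML" casing used in the sentences right below it ("sent in SyncML format", "an ADMX file in SyncML format"). Normalize it to "Request SyncML" while touching this block. The changed line itself is textually identical before and after, so this appears to be a whitespace-only edit.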
@@ -365,7 +365,7 @@ The following example shows an ADMX file in SyncML format:
21102Add200
```
-### URI format for configuring an app policy
+### URI format for configuring an app policy
The following example shows how to derive a Win32 or Desktop Bridge app policy name and policy area name:
@@ -394,7 +394,7 @@ The following example shows how to derive a Win32 or Desktop Bridge app policy n
```
-As documented in [Policy CSP](policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is:
+As documented in [Policy CSP](../mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is:
'./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}'.
**User or device policy**
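Review bot: The URI on the line after the changed link sentence is wrapped in single quotes with a trailing period, './{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}'., instead of the backtick code formatting used for every other Policy CSP URI in this file. Put it in inline code and move the period outside, so the quotes and the full stop are not copied as part of the path.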