More link fixes
@ -301,7 +301,7 @@ An example of Delete command is:
|
|||||||
|
|
||||||
## PowerShell and WMI Bridge Usage Guidance
|
## PowerShell and WMI Bridge Usage Guidance
|
||||||
|
|
||||||
The ApplicationControl CSP can also be managed locally from PowerShell or via Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](./using-powershell-scripting-with-the-wmi-bridge-provider.md).
|
The ApplicationControl CSP can also be managed locally from PowerShell or via Configuration Manager's task sequence scripting by using the [WMI Bridge Provider](../understand/using-powershell-scripting-with-the-wmi-bridge-provider.md).
|
||||||
|
|
||||||
### Setup for using the WMI Bridge
|
### Setup for using the WMI Bridge
|
||||||
|
|
||||||
|
@ -67,7 +67,7 @@ For more information, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Educ
|
|||||||
> [!Note]
|
> [!Note]
|
||||||
> You can't set both KioskModeApp and ShellLauncher at the same time on the device.
|
> You can't set both KioskModeApp and ShellLauncher at the same time on the device.
|
||||||
|
|
||||||
Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
|
Starting in Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](../understand/enterprise-app-management.md).
|
||||||
|
|
||||||
Here's an example:
|
Here's an example:
|
||||||
|
|
||||||
|
@ -61,7 +61,7 @@ BitLocker
|
|||||||
```
|
```
|
||||||
|
|
||||||
> [!TIP]
|
> [!TIP]
|
||||||
> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
|
> Some of the policies here are ADMX-backed policies. For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](../understand/enable-admx-backed-policies-in-mdm.md). For more information, see [Understanding ADMX-backed policies](../understand/understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
|
<a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**
|
||||||
Defines the root node for the BitLocker configuration service provider.
|
Defines the root node for the BitLocker configuration service provider.
|
||||||
|
@ -921,7 +921,7 @@ For each channel node, the user can:
|
|||||||
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel.
|
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel.
|
||||||
- Specify an XPath query to filter events while exporting the channel event data.
|
- Specify an XPath query to filter events while exporting the channel event data.
|
||||||
|
|
||||||
For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
|
For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10]((../understand/diagnose-mdm-failures-in-windows-10.md).
|
||||||
|
|
||||||
To gather diagnostics using this CSP:
|
To gather diagnostics using this CSP:
|
||||||
|
|
||||||
|
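Review bot: The rewritten DiagnosticLog link target opens with a doubled parenthesis, `]((../understand/diagnose-mdm-failures-in-windows-10.md)`, so the Markdown link will not parse as intended and a stray `(` will show up in the rendered page. Drop the extra `(` so the target reads `](../understand/diagnose-mdm-failures-in-windows-10.md)`, matching the other `../understand/` links in this commit.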
@ -232,7 +232,7 @@ Supported operation is Get.
|
|||||||
<a href="" id="provider-providerid-aadresourceid"></a>**Provider/*ProviderID*/AADResourceID**
|
<a href="" id="provider-providerid-aadresourceid"></a>**Provider/*ProviderID*/AADResourceID**
|
||||||
Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access.
|
Optional. This ResourceID is used when requesting the user token from the OMA DM session for Azure Active Directory (Azure AD) enrollments (Azure AD Join or Add Accounts). The token is audience-specific, which allows for different service principals (enrollment vs. device management). It can be an application ID or the endpoint that you're trying to access.
|
||||||
|
|
||||||
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).
|
For more information about Azure AD enrollment, see [Azure Active Directory integration with MDM](../understand/azure-active-directory-integration-with-mdm.md).
|
||||||
|
|
||||||
<a href="" id="provider-providerid-enableomadmkeepalivemessage"></a>**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
|
<a href="" id="provider-providerid-enableomadmkeepalivemessage"></a>**Provider/*ProviderID*/EnableOmaDmKeepAliveMessage**
|
||||||
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
|
Added in Windows 10, version 1511. A boolean value that specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
|
||||||
@ -578,7 +578,7 @@ Supported operations are Get and Replace.
|
|||||||
|
|
||||||
<a href="" id="provider-providerid-configlock"></a>**Provider/*ProviderID*/ConfigLock**
|
<a href="" id="provider-providerid-configlock"></a>**Provider/*ProviderID*/ConfigLock**
|
||||||
|
|
||||||
Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
|
Optional. This node enables [Config Lock](../understand/config-lock.md) feature. If enabled, policies defined in the Config Lock document will be monitored and quickly remediated when a configuration drift is detected.
|
||||||
|
|
||||||
Default = Locked
|
Default = Locked
|
||||||
|
|
||||||
|
@ -24,7 +24,7 @@ The table below shows the applicability of Windows:
|
|||||||
|Enterprise|Yes|Yes|
|
|Enterprise|Yes|Yes|
|
||||||
|Education|Yes|Yes|
|
|Education|Yes|Yes|
|
||||||
|
|
||||||
The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
|
The EnterpriseModernAppManagement configuration service provider (CSP) is used for the provisioning and reporting of modern enterprise apps. For details about how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../understand/enterprise-app-management.md).
|
||||||
|
|
||||||
> [!Note]
|
> [!Note]
|
||||||
> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
|
> Windows Holographic only supports per-user configuration of the EnterpriseModernAppManagement CSP.
|
||||||
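Review bot: The changed EnterpriseModernAppManagement sentence still carries the typo "to use this CSP to for reporting apps inventory" on the line this hunk rewrites. Since the line is being touched for the link anyway, fix it to "to use this CSP for reporting apps inventory". The same wording appears in the changed line of the `## Examples` hunk for this file.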
@ -680,7 +680,7 @@ Supported operation is Execute.
|
|||||||
|
|
||||||
## Examples
|
## Examples
|
||||||
|
|
||||||
For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](enterprise-app-management.md).
|
For examples of how to use this CSP to for reporting apps inventory, installation and removal of apps for users, provisioning apps to devices, and managing app licenses, see [Enterprise app management](../understand/enterprise-app-management.md).
|
||||||
|
|
||||||
Query the device for a specific app subcategory, such as nonStore apps.
|
Query the device for a specific app subcategory, such as nonStore apps.
|
||||||
|
|
||||||
|
@ -1,10 +1,10 @@
|
|||||||
### YamlMime:Landing
|
### YamlMime:Landing
|
||||||
|
|
||||||
title: Mobile Device Management # < 60 chars
|
title: Configuration Service Provider # < 60 chars
|
||||||
summary: Find out how to enroll Windows devices and manage company security policies and business applications. # < 160 chars
|
summary: Find out how to enroll Windows devices and manage company security policies and business applications. # < 160 chars
|
||||||
|
|
||||||
metadata:
|
metadata:
|
||||||
title: Mobile Device Management # Required; page title displayed in search results. Include the brand. < 60 chars.
|
title: Configuration Service Provider # Required; page title displayed in search results. Include the brand. < 60 chars.
|
||||||
description: Find out how to enroll Windows devices and manage company security policies and business applications. # Required; article description that is displayed in search results. < 160 chars.
|
description: Find out how to enroll Windows devices and manage company security policies and business applications. # Required; article description that is displayed in search results. < 160 chars.
|
||||||
ms.topic: landing-page # Required
|
ms.topic: landing-page # Required
|
||||||
services: windows-10
|
services: windows-10
|
||||||
|
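Review bot: Both `title:` values change from "Mobile Device Management" to "Configuration Service Provider", but `summary:` and `description:` are left as "Find out how to enroll Windows devices and manage company security policies and business applications", which describes MDM enrollment rather than a CSP landing page. Update the summary and description to match the new title. The retitle is also not a link fix, so it should be called out in the commit message or moved to its own commit.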
@ -115,7 +115,7 @@ Added in Windows 10, version 1703. The root node for grouping different configur
|
|||||||
Supported operations are Add, Get, and Delete.
|
Supported operations are Add, Get, and Delete.
|
||||||
|
|
||||||
<a href="" id="policy-configoperations-admxinstall"></a>**Policy/ConfigOperations/ADMXInstall**
|
<a href="" id="policy-configoperations-admxinstall"></a>**Policy/ConfigOperations/ADMXInstall**
|
||||||
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: <code>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall</code>. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](win32-and-centennial-app-policy-configuration.md).
|
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: <code>./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall</code>. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see [Win32 and Desktop Bridge app policy configuration](../understand/win32-and-centennial-app-policy-configuration.md).
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
|
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
|
||||||
|
@ -1448,7 +1448,7 @@ The table below shows the applicability of Windows:
|
|||||||
<!--/Scope-->
|
<!--/Scope-->
|
||||||
<!--Description-->
|
<!--Description-->
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
|
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../understand/device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
|
||||||
|
|
||||||
Allows IT Admins to specify update delays for up to four weeks.
|
Allows IT Admins to specify update delays for up to four weeks.
|
||||||
|
|
||||||
@ -1527,7 +1527,7 @@ The table below shows the applicability of Windows:
|
|||||||
<!--/Scope-->
|
<!--/Scope-->
|
||||||
<!--Description-->
|
<!--Description-->
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
|
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../understand/device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
|
||||||
|
|
||||||
Allows IT Admins to specify other upgrade delays for up to eight months.
|
Allows IT Admins to specify other upgrade delays for up to eight months.
|
||||||
|
|
||||||
@ -2463,7 +2463,7 @@ The table below shows the applicability of Windows:
|
|||||||
<!--/Scope-->
|
<!--/Scope-->
|
||||||
<!--Description-->
|
<!--Description-->
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
|
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../understand/device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
|
||||||
|
|
||||||
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
|
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
|
||||||
|
|
||||||
@ -2787,7 +2787,7 @@ The table below shows the applicability of Windows:
|
|||||||
<!--/Scope-->
|
<!--/Scope-->
|
||||||
<!--Description-->
|
<!--Description-->
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
|
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](../understand/device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
|
||||||
|
|
||||||
Allows the IT admin to set a device to General Availability Channel train.
|
Allows the IT admin to set a device to General Availability Channel train.
|
||||||
|
|
||||||
|
@ -29,7 +29,7 @@ The Provisioning configuration service provider is used for bulk user enrollment
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Bulk enrollment does not work when two-factor authentication is enabled.
|
> Bulk enrollment does not work when two-factor authentication is enabled.
|
||||||
|
|
||||||
For bulk enrollment step-by-step guide, see [Bulk enrollment](bulk-enrollment-using-windows-provisioning-tool.md).
|
For bulk enrollment step-by-step guide, see [Bulk enrollment](../understand/bulk-enrollment-using-windows-provisioning-tool.md).
|
||||||
|
|
||||||
The following shows the Provisioning configuration service provider in tree format.
|
The following shows the Provisioning configuration service provider in tree format.
|
||||||
|
|
||||||
|
@ -1,7 +1,8 @@
|
|||||||
items:
|
items:
|
||||||
- name: CSP Overview
|
- name: Overview
|
||||||
href: index.yml
|
href: index.yml
|
||||||
- name: Configuration service provider reference
|
- name: Configuration service provider reference
|
||||||
|
expanded: true
|
||||||
href: configuration-service-provider-reference.md
|
href: configuration-service-provider-reference.md
|
||||||
items:
|
items:
|
||||||
- name: Policy CSP
|
- name: Policy CSP
|
||||||
|
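Review bot: Renaming the first entry from `CSP Overview` to `Overview` and adding `expanded: true` to the "Configuration service provider reference" node are navigation changes, while the commit message only says "More link fixes". Either mention the TOC changes in the message or split them into a separate commit so the link-path changes can be reviewed and reverted on their own.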
@ -30,11 +30,11 @@ Windows supports automatic certificate renewal, also known as Renew On Behalf Of
|
|||||||
|
|
||||||
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
|
Auto certificate renewal is the only supported MDM client certificate renewal method for the device that's enrolled using WAB authentication. Meaning, the AuthPolicy is set to Federated. It also means if the server supports WAB authentication, then the MDM certificate enrollment server MUST also support client TLS to renew the MDM client certificate.
|
||||||
|
|
||||||
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP’s](certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
|
For Windows devices, during the MDM client certificate enrollment phase or during MDM management section, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renewal using [CertificateStore CSP’s](../mdm/certificatestore-csp.md) ROBOSupport node under CertificateStore/My/WSTEP/Renew URL.
|
||||||
|
|
||||||
With automatic renewal, the PKCS\#7 message content isn’t b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
|
With automatic renewal, the PKCS\#7 message content isn’t b64 encoded separately. With manual certificate renewal, there's an additional b64 encoding for PKCS\#7 message content.
|
||||||
|
|
||||||
During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](certificatestore-csp.md).
|
During the automatic certificate renewal process, if the root certificate isn’t trusted by the device, the authentication will fail. Use one of device pre-installed root certificates, or configure the root cert over a DM session using the [CertificateStore CSP](../mdm/certificatestore-csp.md).
|
||||||
|
|
||||||
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
|
During the automatic certificate renew process, the device will deny HTTP redirect request from the server. It won't deny the request if the same redirect URL that the user accepted during the initial MDM enrollment process is used.
|
||||||
|
|
||||||
|
@ -36,7 +36,7 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to
|
|||||||
|
|
||||||
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update’s title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
|
The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID. The Update ID is a GUID that identifies a particular update. The MDM will want to show IT-friendly information about the update, instead of a raw GUID, including the update’s title, description, KB, update type, like a security update or service pack. For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](/openspecs/windows_protocols/ms-wsusss/f49f0c3e-a426-4b4b-b401-9aeb2892815c).
|
||||||
|
|
||||||
For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md).
|
For more information about the CSPs, see [Update CSP](../mdm/update-csp.md) and the update policy area of the [Policy CSP](../mdm/policy-configuration-service-provider.md).
|
||||||
|
|
||||||
The following diagram provides a conceptual overview of how this works:
|
The following diagram provides a conceptual overview of how this works:
|
||||||
|
|
||||||
@ -130,11 +130,11 @@ The following list describes a suggested model for applying updates.
|
|||||||
2. In the Test group, just let all updates flow.
|
2. In the Test group, just let all updates flow.
|
||||||
3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
|
3. In the All Group, set up Quality Update deferral for seven days. Then, Quality Updates will be auto approved after the seven days. Definition Updates are excluded from Quality Update deferrals, and will be auto approved when they're available. This schedule can be done by setting Update/DeferQualityUpdatesPeriodInDays to seven, and just letting updates flow after seven days or pushing Pause if any issues.
|
||||||
|
|
||||||
Updates are configured using a combination of the [Update CSP](update-csp.md), and the update portion of the [Policy CSP](policy-configuration-service-provider.md).
|
Updates are configured using a combination of the [Update CSP](../mdm/update-csp.md), and the update portion of the [Policy CSP](../mdm/policy-configuration-service-provider.md).
|
||||||
|
|
||||||
### Update policies
|
### Update policies
|
||||||
|
|
||||||
The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
|
The enterprise IT can configure auto-update policies via OMA DM using the [Policy CSP](../mdm/policy-configuration-service-provider.md) (this functionality isn't supported in Windows 10 Home). Here's the CSP diagram for the Update node in Policy CSP.
|
||||||
|
|
||||||
The following information shows the Update policies in a tree format.
|
The following information shows the Update policies in a tree format.
|
||||||
|
|
||||||
@ -680,7 +680,7 @@ Value type is string and the default value is an empty string. If the setting is
|
|||||||
|
|
||||||
### Update management
|
### Update management
|
||||||
|
|
||||||
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following information shows the Update CSP in tree format.
|
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](../mdm/update-csp.md). The following information shows the Update CSP in tree format.
|
||||||
|
|
||||||
```console
|
```console
|
||||||
./Vendor/MSFT
|
./Vendor/MSFT
|
||||||
@ -835,7 +835,7 @@ Supported operation is Get.
|
|||||||
|
|
||||||
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
|
## <a href="" id="windows10version1607forupdatemanagement"></a> Windows 10, version 1607 for update management
|
||||||
|
|
||||||
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
|
Here are the new policies added in Windows 10, version 1607 in [Policy CSP](../mdm/policy-configuration-service-provider.md). Use these policies for the Windows 10, version 1607 devices.
|
||||||
|
|
||||||
- Update/ActiveHoursEnd
|
- Update/ActiveHoursEnd
|
||||||
- Update/ActiveHoursStart
|
- Update/ActiveHoursStart
|
||||||
|
@ -89,7 +89,7 @@ You can open the log files (.evtx files) in the Event Viewer on a Windows 10 PC
|
|||||||
|
|
||||||
## Collect logs remotely from Windows 10 PCs
|
## Collect logs remotely from Windows 10 PCs
|
||||||
|
|
||||||
When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
|
When the PC is already enrolled in MDM, you can remotely collect logs from the PC through the MDM channel if your MDM server supports this facility. The [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md) can be used to enable an event viewer channel by full name. Here are the Event Viewer names for the Admin and Debug channels:
|
||||||
|
|
||||||
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin
|
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FAdmin
|
||||||
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug
|
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%2FDebug
|
||||||
@ -137,7 +137,7 @@ Example: Export the Debug logs
|
|||||||
|
|
||||||
## Collect logs remotely from Windows 10 Holographic
|
## Collect logs remotely from Windows 10 Holographic
|
||||||
|
|
||||||
For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](diagnosticlog-csp.md).
|
For holographic already enrolled in MDM, you can remotely collect MDM logs through the MDM channel using the [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md).
|
||||||
|
|
||||||
You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
|
You can use the DiagnosticLog CSP to enable the ETW provider. The provider ID is 3DA494E4-0FE2-415C-B895-FB5265C5C83B. The following examples show how to enable the ETW provider:
|
||||||
|
|
||||||
@ -231,7 +231,7 @@ Stop collector trace logging
|
|||||||
</SyncML>
|
</SyncML>
|
||||||
```
|
```
|
||||||
|
|
||||||
After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see [DiagnosticLog CSP](diagnosticlog-csp.md).
|
After the logs are collected on the device, you can retrieve the files through the MDM channel using the FileDownload portion of the DiagnosticLog CSP. For details, see [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md).
|
||||||
|
|
||||||
## View logs
|
## View logs
|
||||||
|
|
||||||
@ -263,7 +263,7 @@ For best results, ensure that the PC or VM on which you're viewing logs matches
|
|||||||
|
|
||||||
## Collect device state data
|
## Collect device state data
|
||||||
|
|
||||||
Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
|
Here's an example of how to collect current MDM device state data using the [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md), version 1.3, which was added in Windows 10, version 1607. You can collect the file from the device using the same FileDownload node in the CSP as you do for the etl files.
|
||||||
|
|
||||||
```xml
|
```xml
|
||||||
<?xml version="1.0"?>
|
<?xml version="1.0"?>
|
||||||
|
@ -17,7 +17,7 @@ manager: aaroncz
|
|||||||
|
|
||||||
Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
|
Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM).
|
||||||
|
|
||||||
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
|
Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](../mdm/policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](../mdm/policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy.
|
||||||
|
|
||||||
Summary of steps to enable a policy:
|
Summary of steps to enable a policy:
|
||||||
- Find the policy from the list ADMX policies.
|
- Find the policy from the list ADMX policies.
|
||||||
@ -35,7 +35,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> See [Understanding ADMX policies in Policy CSP](../understand/understanding-admx-backed-policies.md).
|
> See [Understanding ADMX policies in Policy CSP](../understand/understanding-admx-backed-policies.md).
|
||||||
|
|
||||||
1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
|
1. Find the policy from the list [ADMX policies](../mdm/policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description.
|
||||||
- GP Friendly name
|
- GP Friendly name
|
||||||
- GP name
|
- GP name
|
||||||
- GP ADMX file name
|
- GP ADMX file name
|
||||||
@ -105,7 +105,7 @@ See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https:/
|
|||||||
|
|
||||||
2. Find the variable names of the parameters in the ADMX file.
|
2. Find the variable names of the parameters in the ADMX file.
|
||||||
|
|
||||||
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
|
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](../mdm/policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
|
||||||
|
|
||||||

|

|
||||||
|
|
||||||
|
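Review bot: the retargeted link on the appv.admx line carries the fragment `#appvirtualization-publishingallowserver2` over unchanged, and the image reference directly below it (`images/admx-appv-policy-description.png`) stays relative to this article. A path-only link check will pass even if that heading does not exist under `../mdm/policy-configuration-service-provider.md`, so please confirm the anchor resolves in the built page and that the `images/` folder still sits beside this file.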
@ -30,7 +30,7 @@ Windows 10 offers the ability for management servers to:
|
|||||||
|
|
||||||
## Inventory your apps
|
## Inventory your apps
|
||||||
|
|
||||||
Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
|
Windows 10 lets you inventory all apps deployed to a user, and inventory all apps for all users of a device on Windows 10 for desktop editions. The [EnterpriseModernAppManagement](../mdm/enterprisemodernappmanagement-csp.md) configuration service provider (CSP) inventories packaged apps and doesn't include traditional Win32 apps installed via MSI or executables. When the apps are inventoried, they're separated based on the following app classifications:
|
||||||
|
|
||||||
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
|
- Store - Apps that are from the Microsoft Store. Apps can be directly installed from the Store or delivered with the enterprise from the Store for Business
|
||||||
- nonStore - Apps that weren't acquired from the Microsoft Store.
|
- nonStore - Apps that weren't acquired from the Microsoft Store.
|
||||||
@ -164,7 +164,7 @@ Here are the nodes for each package full name:
|
|||||||
- Users
|
- Users
|
||||||
- IsProvisioned
|
- IsProvisioned
|
||||||
|
|
||||||
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
|
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md).
|
||||||
|
|
||||||
### App inventory
|
### App inventory
|
||||||
|
|
||||||
@ -210,7 +210,7 @@ Here are the nodes for each license ID:
|
|||||||
- LicenseUsage
|
- LicenseUsage
|
||||||
- RequestedID
|
- RequestedID
|
||||||
|
|
||||||
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md).
|
For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md).
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The LicenseID in the CSP is the content ID for the license.
|
> The LicenseID in the CSP is the content ID for the license.
|
||||||
@ -253,7 +253,7 @@ To deploy apps that aren't from the Microsoft Store, you must configure the Appl
|
|||||||
|
|
||||||
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
|
The AllowAllTrustedApps policy enables the installation apps that are trusted by a certificate in the Trusted People on the device, or a root certificate in the Trusted Root of the device. The policy isn't configured by default, which means only apps from the Microsoft Store can be installed. If the management server implicitly sets the value to off, the setting is disabled in the settings panel on the device.
|
||||||
|
|
||||||
For more information about the AllowAllTrustedApps policy, see [Policy CSP](policy-configuration-service-provider.md).
|
For more information about the AllowAllTrustedApps policy, see [Policy CSP](../mdm/policy-configuration-service-provider.md).
|
||||||
|
|
||||||
Here are some examples.
|
Here are some examples.
|
||||||
|
|
||||||
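Review bot: the context paragraph above the retargeted Policy CSP link defines which certificates allow sideloading, and its wording is off in two places: "enables the installation apps" is missing "of", and "implicitly sets the value to off" reads as if "explicitly" was meant. Since this text tells admins what AllowAllTrustedApps trusts, it is worth correcting in the same pass, or confirming that "implicitly" is intended.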
@ -291,7 +291,7 @@ AllowDeveloperUnlock policy enables the development mode on the device. The Allo
|
|||||||
|
|
||||||
Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
|
Deployment of apps to Windows 10 for desktop editions requires that there's a chain to a certificate on the device. The app can be signed with a root certificate on the device (such as Symantec Enterprise), an enterprise owned root certificate, or a peer trust certificate deployed on the device.
|
||||||
|
|
||||||
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](policy-configuration-service-provider.md).
|
For more information about the AllowDeveloperUnlock policy, see [Policy CSP](../mdm/policy-configuration-service-provider.md).
|
||||||
|
|
||||||
Here's an example.
|
Here's an example.
|
||||||
|
|
||||||
@ -323,7 +323,7 @@ Here's an example.
|
|||||||
|
|
||||||
## Install your apps
|
## Install your apps
|
||||||
|
|
||||||
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) to install apps.
|
You can install apps to a specific user or to all users of a device. Apps are installed directly from the Microsoft Store. Or, they're installed from a host location, such as a local disk, UNC path, or HTTPS location. Use the AppInstallation node of the [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md) to install apps.
|
||||||
|
|
||||||
### Deploy apps to user from the Store
|
### Deploy apps to user from the Store
|
||||||
|
|
||||||
@ -889,7 +889,7 @@ The Universal Windows app can share application data between the users of the de
|
|||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> This is only applicable to multi-user devices.
|
> This is only applicable to multi-user devices.
|
||||||
|
|
||||||
The AllowSharedUserAppData policy in [Policy CSP](policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
|
The AllowSharedUserAppData policy in [Policy CSP](../mdm/policy-configuration-service-provider.md) enables or disables app packages to share data between app packages when there are multiple users. If you enable this policy, applications can share data between packages in their package family. Data can be shared through ShareLocal folder for that package family and local machine. This folder is available through the Windows.Storage API.
|
||||||
|
|
||||||
If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it).
|
If you disable this policy, applications can't share user application data among multiple users. However, pre-written shared data will persist. The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage to detect if there's any shared data, and /Remove-SharedAppxData to remove it).
|
||||||
|
|
||||||
|
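Review bot: the sentence right after the changed AllowSharedUserAppData line is garbled, and it is the only guidance here on removing data that persists after the policy is disabled. "The clean pre-written shared data, use DISM ((/Get-ProvisionedAppxPackage" should begin "To clean" and has a doubled opening parenthesis. Suggest fixing it while this paragraph is being touched.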
@ -57,7 +57,7 @@ MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/
|
|||||||
|
|
||||||
Below are protocol changes for MAM enrollment:
|
Below are protocol changes for MAM enrollment:
|
||||||
- MDM discovery isn't supported.
|
- MDM discovery isn't supported.
|
||||||
- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional.
|
- APPAUTH node in [DMAcc CSP](../mdm/dmacc-csp.md) is optional.
|
||||||
- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.
|
- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication.
|
||||||
|
|
||||||
Here's an example provisioning XML for MAM enrollment.
|
Here's an example provisioning XML for MAM enrollment.
|
||||||
@ -74,26 +74,26 @@ Here's an example provisioning XML for MAM enrollment.
|
|||||||
</wap-provisioningdoc>
|
</wap-provisioningdoc>
|
||||||
```
|
```
|
||||||
|
|
||||||
Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours.
|
Since the [Poll](../mdm/dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours.
|
||||||
|
|
||||||
## Supported CSPs
|
## Supported CSPs
|
||||||
|
|
||||||
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
|
MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
|
||||||
|
|
||||||
- [AppLocker CSP](applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
|
- [AppLocker CSP](../mdm/applocker-csp.md) for configuration of Windows Information Protection enterprise allowed apps.
|
||||||
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
|
- [ClientCertificateInstall CSP](../mdm/clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
|
||||||
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
- [DeviceStatus CSP](../mdm/devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
||||||
- [DevInfo CSP](devinfo-csp.md).
|
- [DevInfo CSP](../mdm/devinfo-csp.md).
|
||||||
- [DMAcc CSP](dmacc-csp.md).
|
- [DMAcc CSP](../mdm/dmacc-csp.md).
|
||||||
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
|
- [DMClient CSP](../mdm/dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
|
||||||
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has Windows Information Protection policies.
|
- [EnterpriseDataProtection CSP](../mdm/enterprisedataprotection-csp.md) has Windows Information Protection policies.
|
||||||
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
- [Health Attestation CSP](../mdm/healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
|
||||||
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
|
- [PassportForWork CSP](../mdm/passportforwork-csp.md) for Windows Hello for Business PIN management.
|
||||||
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
|
- [Policy CSP](../mdm/policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
|
||||||
- [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs.
|
- [Reporting CSP](../mdm/reporting-csp.md) for retrieving Windows Information Protection logs.
|
||||||
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
|
- [RootCaTrustedCertificates CSP](../mdm/rootcacertificates-csp.md).
|
||||||
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
- [VPNv2 CSP](../mdm/vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
||||||
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
- [WiFi CSP](../mdm/wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
|
||||||
|
|
||||||
|
|
||||||
## Device lock policies and EAS
|
## Device lock policies and EAS
|
||||||
|
@ -56,9 +56,8 @@ For information about the MDM policies defined in the Intune security baseline,
|
|||||||
## Learn about device management
|
## Learn about device management
|
||||||
|
|
||||||
- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
|
- [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md)
|
||||||
- [Enterprise app management](enterprise-app-management.md)
|
- [Enterprise app management](../understand/enterprise-app-management.md)
|
||||||
- [Mobile device management (MDM) for device updates](device-update-management.md)
|
- [Mobile device management (MDM) for device updates](device-update-management.md)
|
||||||
- [Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices](enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md)
|
|
||||||
- [OMA DM protocol support](oma-dm-protocol-support.md)
|
- [OMA DM protocol support](oma-dm-protocol-support.md)
|
||||||
- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
|
- [Structure of OMA DM provisioning files](structure-of-oma-dm-provisioning-files.md)
|
||||||
- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
|
- [Server requirements for OMA DM](server-requirements-windows-mdm.md)
|
||||||
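Review bot: the removal of the "Enable offline upgrades to Windows 10 for Windows Embedded 8.1 Handheld devices" entry from this list is not explained by the commit title "More link fixes". If the target article was deleted, say so in the commit message and check for other inbound links to it. If it only moved, retarget the entry as was done for Enterprise app management on the line above.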
@ -66,7 +65,7 @@ For information about the MDM policies defined in the Intune security baseline,
|
|||||||
|
|
||||||
## Learn about configuration service providers
|
## Learn about configuration service providers
|
||||||
|
|
||||||
- [Configuration service provider reference](configuration-service-provider-reference.md)
|
|
||||||
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
|
- [WMI providers supported in Windows 10](wmi-providers-supported-in-windows.md)
|
||||||
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
|
- [Using PowerShell scripting with the WMI Bridge Provider](using-powershell-scripting-with-the-wmi-bridge-provider.md)
|
||||||
- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
|
- [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal)
|
||||||
|
- [Configuration service provider reference](../mdm/configuration-service-provider-reference.md)
|
||||||
|
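Review bot: `using-powershell-scripting-with-the-wmi-bridge-provider.md` in the unchanged context is still a bare same-directory link, while another file in this commit retargets that article to `../understand/using-powershell-scripting-with-the-wmi-bridge-provider.md` and this file already reaches into `../understand/` for Enterprise app management, so this entry looks missed. Separately, the Configuration service provider reference entry moves from first to last in the list as part of the retarget. If the reorder is not intended, keep the entry in place so the change is a one-line path edit.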
@ -25,75 +25,75 @@ For details about Microsoft mobile device management protocols for Windows 10 an
|
|||||||
|
|
||||||
| New or updated article | Description |
|
| New or updated article | Description |
|
||||||
|--|--|
|
|--|--|
|
||||||
| [DeviceStatus](devicestatus-csp.md) | Added the following node:<br><li>MDMClientCertAttestation |
|
| [DeviceStatus](../mdm/devicestatus-csp.md) | Added the following node:<br><li>MDMClientCertAttestation |
|
||||||
| [eUUICs](euiccs-csp.md) | Added the following node:<br><li>IsDiscoveryServer |
|
| [eUUICs](../mdm/euiccs-csp.md) | Added the following node:<br><li>IsDiscoveryServer |
|
||||||
| [PersonalDataEncryption](personaldataencryption-csp.md) | New CSP |
|
| [PersonalDataEncryption](../mdm/personaldataencryption-csp.md) | New CSP |
|
||||||
| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:<br><li>Accounts/RestrictToEnterpriseDeviceAuthenticationOnly<br><li>DesktopAppInstaller/EnableAdditionalSources<br><li>DesktopAppInstaller/EnableAllowedSources<br><li>DesktopAppInstaller/EnableAppInstaller<br><li>DesktopAppInstaller/EnableDefaultSource<br><li>DesktopAppInstaller/EnableExperimentalFeatures<br><li>DesktopAppInstaller/EnableHashOverride<br><li>DesktopAppInstaller/EnableLocalManifestFiles<br><li>DesktopAppInstaller/EnableMicrosoftStoreSource<br><li>DesktopAppInstaller/EnableMSAppInstallerProtocol<br><li>DesktopAppInstaller/EnableSettings<br><li>DesktopAppInstaller/SourceAutoUpdateInterval<br><li>Education/EnableEduThemes<br><li>Experience/AllowSpotlightCollectionOnDesktop<br><li>FileExplorer/DisableGraphRecentItems<br><li>HumanPresence/ForceInstantDim<br><li>InternetExplorer/EnableGlobalWindowListInIEMode<br><li>InternetExplorer/HideIEAppRetirementNotification<br><li>InternetExplorer/ResetZoomForDialogInIEMode<br><li>LocalSecurityAuthority/AllowCustomSSPsAPs<br><li>LocalSecurityAuthority/ConfigureLsaProtectedProcess<br><li>MixedReality/AllowCaptivePortalBeforeLogon<br><li>MixedReality/AllowLaunchUriInSingleAppKiosk<br><li>MixedReality/AutoLogonUser<br><li>MixedReality/ConfigureMovingPlatform<br><li>MixedReality/ConfigureNtpClient<br><li>MixedReality/ManualDownDirectionDisabled<br><li>MixedReality/NtpClientEnabled<br><li>MixedReality/SkipCalibrationDuringSetup<br><li>MixedReality/SkipTrainingDuringSetup<br><li>NetworkListManager/AllowedTlsAuthenticationEndpoints<br><li>NetworkListManager/ConfiguredTLSAuthenticationNetworkName<br><li>Printers/ConfigureCopyFilesPolicy<br><li>Printers/ConfigureDriverValidationLevel<br><li>Printers/ConfigureIppPageCountsPolicy<br><li>Printers/ConfigureRedirectionGuard<br><li>Printers/ConfigureRpcConnectionPolicy<br><li>Printers/ConfigureRpcListenerPolicy<br><li>Printers/ConfigureRpcTcpPort<br><li>Printers/ManageDriverExclusionList<br><li>Pr
inters/RestrictDriverInstallationToAdministrators<br><li>RemoteDesktopServices/DoNotAllowWebAuthnRedirection<br><li>Search/AllowSearchHighlights<br><li>Search/DisableSearch<br><li>SharedPC/EnabledSharedPCModeWithOneDriveSync<br><li>Start/DisableControlCenter<br><li>Start/DisableEditingQuickSettings<br><li>Start/HideRecommendedSection<br><li>Start/HideTaskViewButton<br><li>Start/SimplifyQuickSettings<br><li>Stickers/EnableStickers<br><li>Textinput/allowimenetworkaccess<br><li>Update/NoUpdateNotificationDuringActiveHours<br><li>WebThreatDefense/EnableService<br><li>WebThreatDefense/NotifyMalicious<br><li>WebThreatDefense/NotifyPasswordReuse<br><li>WebThreatDefense/NotifyUnsafeApp<br><li>Windowslogon/EnableMPRNotifications |
|
| [Policy CSP](../mdm/policy-configuration-service-provider.md) | Added the following nodes:<br><li>Accounts/RestrictToEnterpriseDeviceAuthenticationOnly<br><li>DesktopAppInstaller/EnableAdditionalSources<br><li>DesktopAppInstaller/EnableAllowedSources<br><li>DesktopAppInstaller/EnableAppInstaller<br><li>DesktopAppInstaller/EnableDefaultSource<br><li>DesktopAppInstaller/EnableExperimentalFeatures<br><li>DesktopAppInstaller/EnableHashOverride<br><li>DesktopAppInstaller/EnableLocalManifestFiles<br><li>DesktopAppInstaller/EnableMicrosoftStoreSource<br><li>DesktopAppInstaller/EnableMSAppInstallerProtocol<br><li>DesktopAppInstaller/EnableSettings<br><li>DesktopAppInstaller/SourceAutoUpdateInterval<br><li>Education/EnableEduThemes<br><li>Experience/AllowSpotlightCollectionOnDesktop<br><li>FileExplorer/DisableGraphRecentItems<br><li>HumanPresence/ForceInstantDim<br><li>InternetExplorer/EnableGlobalWindowListInIEMode<br><li>InternetExplorer/HideIEAppRetirementNotification<br><li>InternetExplorer/ResetZoomForDialogInIEMode<br><li>LocalSecurityAuthority/AllowCustomSSPsAPs<br><li>LocalSecurityAuthority/ConfigureLsaProtectedProcess<br><li>MixedReality/AllowCaptivePortalBeforeLogon<br><li>MixedReality/AllowLaunchUriInSingleAppKiosk<br><li>MixedReality/AutoLogonUser<br><li>MixedReality/ConfigureMovingPlatform<br><li>MixedReality/ConfigureNtpClient<br><li>MixedReality/ManualDownDirectionDisabled<br><li>MixedReality/NtpClientEnabled<br><li>MixedReality/SkipCalibrationDuringSetup<br><li>MixedReality/SkipTrainingDuringSetup<br><li>NetworkListManager/AllowedTlsAuthenticationEndpoints<br><li>NetworkListManager/ConfiguredTLSAuthenticationNetworkName<br><li>Printers/ConfigureCopyFilesPolicy<br><li>Printers/ConfigureDriverValidationLevel<br><li>Printers/ConfigureIppPageCountsPolicy<br><li>Printers/ConfigureRedirectionGuard<br><li>Printers/ConfigureRpcConnectionPolicy<br><li>Printers/ConfigureRpcListenerPolicy<br><li>Printers/ConfigureRpcTcpPort<br><li>Printers/ManageDriverExclusionList<br
><li>Printers/RestrictDriverInstallationToAdministrators<br><li>RemoteDesktopServices/DoNotAllowWebAuthnRedirection<br><li>Search/AllowSearchHighlights<br><li>Search/DisableSearch<br><li>SharedPC/EnabledSharedPCModeWithOneDriveSync<br><li>Start/DisableControlCenter<br><li>Start/DisableEditingQuickSettings<br><li>Start/HideRecommendedSection<br><li>Start/HideTaskViewButton<br><li>Start/SimplifyQuickSettings<br><li>Stickers/EnableStickers<br><li>Textinput/allowimenetworkaccess<br><li>Update/NoUpdateNotificationDuringActiveHours<br><li>WebThreatDefense/EnableService<br><li>WebThreatDefense/NotifyMalicious<br><li>WebThreatDefense/NotifyPasswordReuse<br><li>WebThreatDefense/NotifyUnsafeApp<br><li>Windowslogon/EnableMPRNotifications |
|
||||||
| [SecureAssessment](secureassessment-csp.md) | Added the following node:<br><li>Asssessments |
|
| [SecureAssessment](../mdm/secureassessment-csp.md) | Added the following node:<br><li>Asssessments |
|
||||||
| [WindowsAutopilot](windowsautopilot-csp.md) | Added the following node:<br><li>HardwareMismatchRemediationData |
|
| [WindowsAutopilot](../mdm/windowsautopilot-csp.md) | Added the following node:<br><li>HardwareMismatchRemediationData |
|
||||||
|
|
||||||
## What's new in MDM for Windows 11, version 21H2
|
## What's new in MDM for Windows 11, version 21H2
|
||||||
|
|
||||||
| New or updated article | Description |
|
| New or updated article | Description |
|
||||||
|--|--|
|
|--|--|
|
||||||
| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:<br><li>Kerberos/PKInitHashAlgorithmConfiguration<br><li>Kerberos/PKInitHashAlgorithmSHA1<br><li>Kerberos/PKInitHashAlgorithmSHA256<br><li>Kerberos/PKInitHashAlgorithmSHA384<br><li>Kerberos/PKInitHashAlgorithmSHA512<br><li>NewsAndInterests/AllowNewsAndInterests<br><li>Experiences/ConfigureChatIcon<br><li>Start/ConfigureStartPins<br><li>Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity<br><li>Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable |
|
| [Policy CSP](../mdm/policy-configuration-service-provider.md) | Added the following nodes:<br><li>Kerberos/PKInitHashAlgorithmConfiguration<br><li>Kerberos/PKInitHashAlgorithmSHA1<br><li>Kerberos/PKInitHashAlgorithmSHA256<br><li>Kerberos/PKInitHashAlgorithmSHA384<br><li>Kerberos/PKInitHashAlgorithmSHA512<br><li>NewsAndInterests/AllowNewsAndInterests<br><li>Experiences/ConfigureChatIcon<br><li>Start/ConfigureStartPins<br><li>Virtualizationbasedtechnology/HypervisorEnforcedCodeIntegrity<br><li>Virtualizationbasedtechnology/RequireUEFIMemoryAttributesTable |
|
||||||
| [DMClient CSP](dmclient-csp.md) | Updated the description of the following nodes:<br><li>Provider/ProviderID/ConfigLock/Lock<br><li>Provider/ProviderID/ConfigLock/UnlockDuration<br><li>Provider/ProviderID/ConfigLock/SecuredCore |
|
| [DMClient CSP](../mdm/dmclient-csp.md) | Updated the description of the following nodes:<br><li>Provider/ProviderID/ConfigLock/Lock<br><li>Provider/ProviderID/ConfigLock/UnlockDuration<br><li>Provider/ProviderID/ConfigLock/SecuredCore |
|
||||||
| [PrinterProvisioning](universalprint-csp.md) | New CSP |
|
| [PrinterProvisioning](../mdm/universalprint-csp.md) | New CSP |
|
||||||
|
|
||||||
## What's new in MDM for Windows 10, version 20H2
|
## What's new in MDM for Windows 10, version 20H2
|
||||||
|
|
||||||
|New or updated article|Description|
|
|New or updated article|Description|
|
||||||
|-----|-----|
|
|-----|-----|
|
||||||
| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:<br><li>Experience/DisableCloudOptimizedContent<br><li>LocalUsersAndGroups/Configure<br><li>MixedReality/AADGroupMembershipCacheValidityInDays<br><li>MixedReality/BrightnessButtonDisabled<br><li>MixedReality/FallbackDiagnostics<br><li>MixedReality/MicrophoneDisabled<br><li>MixedReality/VolumeButtonDisabled<br><li>Multitasking/BrowserAltTabBlowout|
|
| [Policy CSP](../mdm/policy-configuration-service-provider.md) | Added the following nodes:<br><li>Experience/DisableCloudOptimizedContent<br><li>LocalUsersAndGroups/Configure<br><li>MixedReality/AADGroupMembershipCacheValidityInDays<br><li>MixedReality/BrightnessButtonDisabled<br><li>MixedReality/FallbackDiagnostics<br><li>MixedReality/MicrophoneDisabled<br><li>MixedReality/VolumeButtonDisabled<br><li>Multitasking/BrowserAltTabBlowout|
|
||||||
| [SurfaceHub CSP](surfacehub-csp.md) | Added the following new node:<br><li>Properties/SleepMode |
|
| [SurfaceHub CSP](../mdm/surfacehub-csp.md) | Added the following new node:<br><li>Properties/SleepMode |
|
||||||
| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:<br><li>Settings/AllowWindowsDefenderApplicationGuard |
|
| [WindowsDefenderApplicationGuard CSP](../mdm/windowsdefenderapplicationguard-csp.md) | Updated the description of the following node:<br><li>Settings/AllowWindowsDefenderApplicationGuard |
|
||||||
|
|
||||||
## What's new in MDM for Windows 10, version 2004
|
## What's new in MDM for Windows 10, version 2004
|
||||||
|
|
||||||
| New or updated article | Description |
|
| New or updated article | Description |
|
||||||
|-----|-----|
|
|-----|-----|
|
||||||
| [Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:<br><li>ApplicationManagement/BlockNonAdminUserInstall<br><li>Bluetooth/SetMinimumEncryptionKeySize<br><li>DeliveryOptimization/DOCacheHostSource<br><li>DeliveryOptimization/DOMaxBackgroundDownloadBandwidth<br><li>DeliveryOptimization/DOMaxForegroundDownloadBandwidth<br><li>Education/AllowGraphingCalculator<br><li>TextInput/ConfigureJapaneseIMEVersion<br><li>TextInput/ConfigureSimplifiedChineseIMEVersion<br><li>TextInput/ConfigureTraditionalChineseIMEVersion<br><br>Updated the following policy in Windows 10, version 2004:<br><li>DeliveryOptimization/DOCacheHost<br><br>Deprecated the following policies in Windows 10, version 2004:<br><li>DeliveryOptimization/DOMaxDownloadBandwidth<br><li>DeliveryOptimization/DOMaxUploadBandwidth<br><li>DeliveryOptimization/DOPercentageMaxDownloadBandwidth |
|
| [Policy CSP](../mdm/policy-configuration-service-provider.md) | Added the following nodes:<br><li>ApplicationManagement/BlockNonAdminUserInstall<br><li>Bluetooth/SetMinimumEncryptionKeySize<br><li>DeliveryOptimization/DOCacheHostSource<br><li>DeliveryOptimization/DOMaxBackgroundDownloadBandwidth<br><li>DeliveryOptimization/DOMaxForegroundDownloadBandwidth<br><li>Education/AllowGraphingCalculator<br><li>TextInput/ConfigureJapaneseIMEVersion<br><li>TextInput/ConfigureSimplifiedChineseIMEVersion<br><li>TextInput/ConfigureTraditionalChineseIMEVersion<br><br>Updated the following policy in Windows 10, version 2004:<br><li>DeliveryOptimization/DOCacheHost<br><br>Deprecated the following policies in Windows 10, version 2004:<br><li>DeliveryOptimization/DOMaxDownloadBandwidth<br><li>DeliveryOptimization/DOMaxUploadBandwidth<br><li>DeliveryOptimization/DOPercentageMaxDownloadBandwidth |
|
||||||
| [DevDetail CSP](devdetail-csp.md) | Added the following new node:<br><li>Ext/Microsoft/DNSComputerName |
|
| [DevDetail CSP](../mdm/devdetail-csp.md) | Added the following new node:<br><li>Ext/Microsoft/DNSComputerName |
|
||||||
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added the following node:<br><li>IsStub |
|
| [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md) | Added the following node:<br><li>IsStub |
|
||||||
| [SUPL CSP](supl-csp.md) | Added the following node:<br><li>FullVersion |
|
| [SUPL CSP](../mdm/supl-csp.md) | Added the following node:<br><li>FullVersion |
|
||||||
|
|
||||||
## What's new in MDM for Windows 10, version 1909
|
## What's new in MDM for Windows 10, version 1909
|
||||||
|
|
||||||
| New or updated article | Description |
|
| New or updated article | Description |
|
||||||
|-----|-----|
|
|-----|-----|
|
||||||
| [BitLocker CSP](bitlocker-csp.md) | Added the following nodes:<br><li>ConfigureRecoveryPasswordRotation<br><li>RotateRecoveryPasswords<br><li>RotateRecoveryPasswordsStatus<br><li>RotateRecoveryPasswordsRequestID|
|
| [BitLocker CSP](../mdm/bitlocker-csp.md) | Added the following nodes:<br><li>ConfigureRecoveryPasswordRotation<br><li>RotateRecoveryPasswords<br><li>RotateRecoveryPasswordsStatus<br><li>RotateRecoveryPasswordsRequestID|
|
||||||
|
|
||||||
## What's new in MDM for Windows 10, version 1903
|
## What's new in MDM for Windows 10, version 1903
|
||||||
|
|
||||||
| New or updated article | Description |
|
| New or updated article | Description |
|
||||||
|-----|-----|
|
|-----|-----|
|
||||||
|[Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:<br><li>DeliveryOptimization/DODelayCacheServerFallbackBackground<br><li>DeliveryOptimization/DODelayCacheServerFallbackForeground<br><li>DeviceHealthMonitoring/AllowDeviceHealthMonitoring<br><li>DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope<br><li>DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination<br><li>DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs<br><li>DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs<br><li>Experience/ShowLockOnUserTile<br><li>InternetExplorer/AllowEnhancedSuggestionsInAddressBar<br><li>InternetExplorer/DisableActiveXVersionListAutoDownload<br><li>InternetExplorer/DisableCompatView<br><li>InternetExplorer/DisableFeedsBackgroundSync<br><li>InternetExplorer/DisableGeolocation<br><li>InternetExplorer/DisableWebAddressAutoComplete<br><li>InternetExplorer/NewTabDefaultPage<br><li>Power/EnergySaverBatteryThresholdOnBattery<br><li>Power/EnergySaverBatteryThresholdPluggedIn<br><li>Power/SelectLidCloseActionOnBatterybr><li>Power/SelectLidCloseActionPluggedIn<br><li>Power/SelectPowerButtonActionOnBattery<br><li>Power/SelectPowerButtonActionPluggedIn<br><li>Power/SelectSleepButtonActionOnBattery<br><li>Power/SelectSleepButtonActionPluggedIn<br><li>Power/TurnOffHybridSleepOnBattery<br><li>Power/TurnOffHybridSleepPluggedIn<br><li>Power/UnattendedSleepTimeoutOnBattery<br><li>Power/UnattendedSleepTimeoutPluggedIn<br><li>Privacy/LetAppsActivateWithVoice<br><li>Privacy/LetAppsActivateWithVoiceAboveLock<br><li>Search/AllowFindMyFiles<br><li>ServiceControlManager/SvchostProcessMitigation<br><li>System/AllowCommercialDataPipelinebr><li>System/TurnOffFileHistory<br><li>TimeLanguageSettings/ConfigureTimeZonebr><li>Troubleshooting/AllowRecommendations<br><li>Update/AutomaticMaintenanceWakeUp<br><li>Update/ConfigureDeadlineForFeatureUpdates<br><li>Update/ConfigureDeadlineForQualityUpdates<br><li>Update/ConfigureDeadlineGra
cePeriod<br><li>WindowsLogon/AllowAutomaticRestartSignOn<br><li>WindowsLogon/ConfigAutomaticRestartSignOn<br><li>WindowsLogon/EnableFirstLogonAnimation|
|
|[Policy CSP](../mdm/policy-configuration-service-provider.md) | Added the following nodes:<br><li>DeliveryOptimization/DODelayCacheServerFallbackBackground<br><li>DeliveryOptimization/DODelayCacheServerFallbackForeground<br><li>DeviceHealthMonitoring/AllowDeviceHealthMonitoring<br><li>DeviceHealthMonitoring/ConfigDeviceHealthMonitoringScope<br><li>DeviceHealthMonitoring/ConfigDeviceHealthMonitoringUploadDestination<br><li>DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs<br><li>DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs<br><li>Experience/ShowLockOnUserTile<br><li>InternetExplorer/AllowEnhancedSuggestionsInAddressBar<br><li>InternetExplorer/DisableActiveXVersionListAutoDownload<br><li>InternetExplorer/DisableCompatView<br><li>InternetExplorer/DisableFeedsBackgroundSync<br><li>InternetExplorer/DisableGeolocation<br><li>InternetExplorer/DisableWebAddressAutoComplete<br><li>InternetExplorer/NewTabDefaultPage<br><li>Power/EnergySaverBatteryThresholdOnBattery<br><li>Power/EnergySaverBatteryThresholdPluggedIn<br><li>Power/SelectLidCloseActionOnBatterybr><li>Power/SelectLidCloseActionPluggedIn<br><li>Power/SelectPowerButtonActionOnBattery<br><li>Power/SelectPowerButtonActionPluggedIn<br><li>Power/SelectSleepButtonActionOnBattery<br><li>Power/SelectSleepButtonActionPluggedIn<br><li>Power/TurnOffHybridSleepOnBattery<br><li>Power/TurnOffHybridSleepPluggedIn<br><li>Power/UnattendedSleepTimeoutOnBattery<br><li>Power/UnattendedSleepTimeoutPluggedIn<br><li>Privacy/LetAppsActivateWithVoice<br><li>Privacy/LetAppsActivateWithVoiceAboveLock<br><li>Search/AllowFindMyFiles<br><li>ServiceControlManager/SvchostProcessMitigation<br><li>System/AllowCommercialDataPipelinebr><li>System/TurnOffFileHistory<br><li>TimeLanguageSettings/ConfigureTimeZonebr><li>Troubleshooting/AllowRecommendations<br><li>Update/AutomaticMaintenanceWakeUp<br><li>Update/ConfigureDeadlineForFeatureUpdates<br><li>Update/ConfigureDeadlineForQualityUpdates<br><li>Update/ConfigureDead
lineGracePeriod<br><li>WindowsLogon/AllowAutomaticRestartSignOn<br><li>WindowsLogon/ConfigAutomaticRestartSignOn<br><li>WindowsLogon/EnableFirstLogonAnimation|
|
||||||
| [Policy CSP - Audit](policy-csp-audit.md) | Added the new Audit policy CSP. |
|
| [Policy CSP - Audit](../mdm/policy-csp-audit.md) | Added the new Audit policy CSP. |
|
||||||
| [ApplicationControl CSP](applicationcontrol-csp.md) | Added the new CSP. |
|
| [ApplicationControl CSP](../mdm/applicationcontrol-csp.md) | Added the new CSP. |
|
||||||
| [Defender CSP](defender-csp.md) | Added the following new nodes:<br><li>Health/TamperProtectionEnabled<br><li>Health/IsVirtualMachine<br><li>Configuration<br><li>Configuration/TamperProtection<br><li>Configuration/EnableFileHashComputation |
|
| [Defender CSP](../mdm/defender-csp.md) | Added the following new nodes:<br><li>Health/TamperProtectionEnabled<br><li>Health/IsVirtualMachine<br><li>Configuration<br><li>Configuration/TamperProtection<br><li>Configuration/EnableFileHashComputation |
|
||||||
| [DiagnosticLog CSP](diagnosticlog-csp.md) <br> [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903. <br>Added the new 1.4 version of the DDF. <br>Added the following new nodes:<br><li>Policy<br><li>Policy/Channels<br><li>Policy/Channels/ChannelName<br><li>Policy/Channels/ChannelName/MaximumFileSize<br><li>Policy/Channels/ChannelName/SDDL<br><li>Policy/Channels/ChannelName/ActionWhenFull<br><li>Policy/Channels/ChannelName/Enabled<br><li>DiagnosticArchive<br><li>DiagnosticArchive/ArchiveDefinition<br><li>DiagnosticArchive/ArchiveResults |
|
| [DiagnosticLog CSP](../mdm/diagnosticlog-csp.md) <br> [DiagnosticLog DDF](diagnosticlog-ddf.md) | Added version 1.4 of the CSP in Windows 10, version 1903. <br>Added the new 1.4 version of the DDF. <br>Added the following new nodes:<br><li>Policy<br><li>Policy/Channels<br><li>Policy/Channels/ChannelName<br><li>Policy/Channels/ChannelName/MaximumFileSize<br><li>Policy/Channels/ChannelName/SDDL<br><li>Policy/Channels/ChannelName/ActionWhenFull<br><li>Policy/Channels/ChannelName/Enabled<br><li>DiagnosticArchive<br><li>DiagnosticArchive/ArchiveDefinition<br><li>DiagnosticArchive/ArchiveResults |
|
||||||
| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | Added the new CSP. |
|
| [EnrollmentStatusTracking CSP](../mdm/enrollmentstatustracking-csp.md) | Added the new CSP. |
|
||||||
| [PassportForWork CSP](passportforwork-csp.md) | Added the following new nodes:<br><li>SecurityKey<br><li>SecurityKey/UseSecurityKeyForSignin |
|
| [PassportForWork CSP](../mdm/passportforwork-csp.md) | Added the following new nodes:<br><li>SecurityKey<br><li>SecurityKey/UseSecurityKeyForSignin |
|
||||||
|
|
||||||
|
|
||||||
## What's new in MDM for Windows 10, version 1809
|
## What's new in MDM for Windows 10, version 1809
|
||||||
|
|
||||||
| New or updated article | Description |
|
| New or updated article | Description |
|
||||||
|-----|-----|
|
|-----|-----|
|
||||||
|[Policy CSP](policy-configuration-service-provider.md) | Added the following nodes:<br><li>ApplicationManagement/LaunchAppAfterLogOn<br><li>ApplicationManagement/ScheduleForceRestartForUpdateFailures<br><li>Authentication/EnableFastFirstSignIn (Preview mode only<br><li>Authentication/EnableWebSignIn (Preview mode only<br><li>Authentication/PreferredAadTenantDomainName<br><li>Browser/AllowFullScreenMode<br><li>Browser/AllowPrelaunch<br><li>Browser/AllowPrinting<br><li>Browser/AllowSavingHistory<br><li>Browser/AllowSideloadingOfExtensions<br><li>Browser/AllowTabPreloading<br><li>Browser/AllowWebContentOnNewTabPage<br><li>Browser/ConfigureFavoritesBar<br><li>Browser/ConfigureHomeButton<br><li>Browser/ConfigureKioskMode<br><li>Browser/ConfigureKioskResetAfterIdleTimeout<br><li>Browser/ConfigureOpenMicrosoftEdgeWith<br><li>Browser/ConfigureTelemetryForMicrosoft365Analytics<br><li>Browser/PreventCertErrorOverrides<br><li>Browser/SetHomeButtonURL<br><li>Browser/SetNewTabPageURL<br><li>Browser/UnlockHomeButton<br><li>Defender/CheckForSignaturesBeforeRunningScan<br><li>Defender/DisableCatchupFullScan<br><li>Defender/DisableCatchupQuickScan<br><li>Defender/EnableLowCPUPriority<br><li>Defender/SignatureUpdateFallbackOrder<br><li>Defender/SignatureUpdateFileSharesSources<br><li>DeviceGuard/ConfigureSystemGuardLaunch<br><li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<br><li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<br><li>DeviceInstallation/PreventDeviceMetadataFromNetwork<br><li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<br><li>DmaGuard/DeviceEnumerationPolicy<br><li>Experience/AllowClipboardHistory<br><li>Experience/DoNotSyncBrowserSettings<br><li>Experience/PreventUsersFromTurningOnBrowserSyncing<br><li>Kerberos/UPNNameHints<br><li>Privacy/AllowCrossDeviceClipboard<br><li>Privacy/DisablePrivacyExperience<br><li>Privacy/UploadUserActivities<br><li>Security/RecoveryEnvironmentAuthentication<br><li>System/
AllowDeviceNameInDiagnosticData<br><li>System/ConfigureMicrosoft365UploadEndpoint<br><li>System/DisableDeviceDelete<br><li>System/DisableDiagnosticDataViewer<br><li>Storage/RemovableDiskDenyWriteAccess<br><li>TaskManager/AllowEndTask<br><li>Update/DisableWUfBSafeguards<br><li>Update/EngagedRestartDeadlineForFeatureUpdates<br><li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates<br><li>Update/EngagedRestartTransitionScheduleForFeatureUpdates<br><li>Update/SetDisablePauseUXAccess<br><li>Update/SetDisableUXWUAccess<br><li>WindowsDefenderSecurityCenter/DisableClearTpmButton<br><li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<br><li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<br><li>WindowsLogon/DontDisplayNetworkSelectionUI |
|
|[Policy CSP](../mdm/policy-configuration-service-provider.md) | Added the following nodes:<br><li>ApplicationManagement/LaunchAppAfterLogOn<br><li>ApplicationManagement/ScheduleForceRestartForUpdateFailures<br><li>Authentication/EnableFastFirstSignIn (Preview mode only<br><li>Authentication/EnableWebSignIn (Preview mode only<br><li>Authentication/PreferredAadTenantDomainName<br><li>Browser/AllowFullScreenMode<br><li>Browser/AllowPrelaunch<br><li>Browser/AllowPrinting<br><li>Browser/AllowSavingHistory<br><li>Browser/AllowSideloadingOfExtensions<br><li>Browser/AllowTabPreloading<br><li>Browser/AllowWebContentOnNewTabPage<br><li>Browser/ConfigureFavoritesBar<br><li>Browser/ConfigureHomeButton<br><li>Browser/ConfigureKioskMode<br><li>Browser/ConfigureKioskResetAfterIdleTimeout<br><li>Browser/ConfigureOpenMicrosoftEdgeWith<br><li>Browser/ConfigureTelemetryForMicrosoft365Analytics<br><li>Browser/PreventCertErrorOverrides<br><li>Browser/SetHomeButtonURL<br><li>Browser/SetNewTabPageURL<br><li>Browser/UnlockHomeButton<br><li>Defender/CheckForSignaturesBeforeRunningScan<br><li>Defender/DisableCatchupFullScan<br><li>Defender/DisableCatchupQuickScan<br><li>Defender/EnableLowCPUPriority<br><li>Defender/SignatureUpdateFallbackOrder<br><li>Defender/SignatureUpdateFileSharesSources<br><li>DeviceGuard/ConfigureSystemGuardLaunch<br><li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs<br><li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses<br><li>DeviceInstallation/PreventDeviceMetadataFromNetwork<br><li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings<br><li>DmaGuard/DeviceEnumerationPolicy<br><li>Experience/AllowClipboardHistory<br><li>Experience/DoNotSyncBrowserSettings<br><li>Experience/PreventUsersFromTurningOnBrowserSyncing<br><li>Kerberos/UPNNameHints<br><li>Privacy/AllowCrossDeviceClipboard<br><li>Privacy/DisablePrivacyExperience<br><li>Privacy/UploadUserActivities<br><li>Security/RecoveryEnvironmentAuthentication<br><li>
System/AllowDeviceNameInDiagnosticData<br><li>System/ConfigureMicrosoft365UploadEndpoint<br><li>System/DisableDeviceDelete<br><li>System/DisableDiagnosticDataViewer<br><li>Storage/RemovableDiskDenyWriteAccess<br><li>TaskManager/AllowEndTask<br><li>Update/DisableWUfBSafeguards<br><li>Update/EngagedRestartDeadlineForFeatureUpdates<br><li>Update/EngagedRestartSnoozeScheduleForFeatureUpdates<br><li>Update/EngagedRestartTransitionScheduleForFeatureUpdates<br><li>Update/SetDisablePauseUXAccess<br><li>Update/SetDisableUXWUAccess<br><li>WindowsDefenderSecurityCenter/DisableClearTpmButton<br><li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning<br><li>WindowsDefenderSecurityCenter/HideWindowsSecurityNotificationAreaControl<br><li>WindowsLogon/DontDisplayNetworkSelectionUI |
|
||||||
| [BitLocker CSP](bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.<br><li>Added support for Windows 10 Pro. |
|
| [BitLocker CSP](../mdm/bitlocker-csp.md) | Added a new node AllowStandardUserEncryption.<br><li>Added support for Windows 10 Pro. |
|
||||||
| [Defender CSP](defender-csp.md) | Added a new node Health/ProductStatus. |
|
| [Defender CSP](../mdm/defender-csp.md) | Added a new node Health/ProductStatus. |
|
||||||
| [DevDetail CSP](devdetail-csp.md) | Added a new node SMBIOSSerialNumber. |
|
| [DevDetail CSP](../mdm/devdetail-csp.md) | Added a new node SMBIOSSerialNumber. |
|
||||||
| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. |
|
| [EnterpriseModernAppManagement CSP](../mdm/enterprisemodernappmanagement-csp.md) | Added NonRemovable setting under AppManagement node. |
|
||||||
| [Office CSP](office-csp.md) | Added FinalStatus setting. |
|
| [Office CSP](../mdm/office-csp.md) | Added FinalStatus setting. |
|
||||||
| [PassportForWork CSP](passportforwork-csp.md) | Added new settings. |
|
| [PassportForWork CSP](../mdm/passportforwork-csp.md) | Added new settings. |
|
||||||
| [RemoteWipe CSP](remotewipe-csp.md) | Added new settings. |
|
| [RemoteWipe CSP](../mdm/remotewipe-csp.md) | Added new settings. |
|
||||||
| [SUPL CSP](supl-csp.md) | Added three new certificate nodes. |
|
| [SUPL CSP](../mdm/supl-csp.md) | Added three new certificate nodes. |
|
||||||
| [TenantLockdown CSP](tenantlockdown-csp.md) | Added new CSP. |
|
| [TenantLockdown CSP](../mdm/tenantlockdown-csp.md) | Added new CSP. |
|
||||||
| [Wifi CSP](wifi-csp.md) | Added a new node WifiCost. |
|
| [Wifi CSP](../mdm/wifi-csp.md) | Added a new node WifiCost. |
|
||||||
| [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md) | Added new settings. |
|
| [WindowsDefenderApplicationGuard CSP](../mdm/windowsdefenderapplicationguard-csp.md) | Added new settings. |
|
||||||
| [WindowsLicensing CSP](windowslicensing-csp.md) | Added S mode settings and SyncML examples. |
|
| [WindowsLicensing CSP](../mdm/windowslicensing-csp.md) | Added S mode settings and SyncML examples. |
|
||||||
| [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md) | New CSP. |
|
| [Win32CompatibilityAppraiser CSP](../mdm/win32compatibilityappraiser-csp.md) | New CSP. |
|
||||||
|
|
||||||
## Breaking changes and known issues
|
## Breaking changes and known issues
|
||||||
|
|
||||||
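Review bot: In the DiagnosticLog row only the CSP link was repointed to `../mdm/diagnosticlog-csp.md`; the `[DiagnosticLog DDF](diagnosticlog-ddf.md)` link in the same cell is still relative to the old location. If the DDF article moved together with the CSP articles, give it the same `../mdm/` prefix; otherwise confirm the file still sits beside this one. Since the Policy CSP rows are being rewritten anyway, the malformed `br>` separators after `Power/SelectLidCloseActionOnBattery`, `System/AllowCommercialDataPipeline` and `TimeLanguageSettings/ConfigureTimeZone`, and the unclosed `(Preview mode only` on the two Authentication entries, could be fixed in the same pass.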
@ -151,7 +151,7 @@ EAP XML must be updated with relevant information for your environment. This tas
|
|||||||
|
|
||||||
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
|
For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
|
||||||
|
|
||||||
For information about generating an EAP XML, see [EAP configuration](eap-configuration.md).
|
For information about generating an EAP XML, see [EAP configuration](../mdm/eap-configuration.md).
|
||||||
|
|
||||||
For more information about extended key usage, see <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12>.
|
For more information about extended key usage, see <https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.12>.
|
||||||
|
|
||||||
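Review bot: The unchanged context line just above the fixed link still points at `https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct`, while a later hunk in this commit shows the EAP settings reference written as `/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)`. For a link-fix commit it would be worth checking whether the TechNet URL still resolves to the certificate-selection section and, if not, moving it to the same form as the other reference.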
@ -281,7 +281,7 @@ The following XML sample explains the properties for the EAP TLS XML including c
|
|||||||
|
|
||||||
Alternatively you can use the following procedure to create an EAP Configuration XML.
|
Alternatively you can use the following procedure to create an EAP Configuration XML.
|
||||||
|
|
||||||
1. Follow steps 1 through 7 in [EAP configuration](eap-configuration.md).
|
1. Follow steps 1 through 7 in [EAP configuration](../mdm/eap-configuration.md).
|
||||||
|
|
||||||
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
|
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop-down menu (this drop-down menu selects EAP TLS.).
|
||||||
|
|
||||||
@ -304,7 +304,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
|
|||||||
|
|
||||||
7. Close the rasphone dialog box.
|
7. Close the rasphone dialog box.
|
||||||
|
|
||||||
8. Continue following the procedure in [EAP configuration](eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
|
8. Continue following the procedure in [EAP configuration](../mdm/eap-configuration.md) from Step 9 to get an EAP TLS profile with appropriate filtering.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
|
> You can also set all the other applicable EAP Properties through this UI as well. A guide to what these properties mean can be found in [Extensible Authentication Protocol (EAP) Settings for Network Access](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh945104(v=ws.11)).
|
||||||
|
@ -17,7 +17,7 @@ ms.date: 09/22/2017
|
|||||||
|
|
||||||
# Push notification support for device management
|
# Push notification support for device management
|
||||||
|
|
||||||
The [DMClient CSP](dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
|
The [DMClient CSP](../mdm/dmclient-csp.md) supports the ability to configure push-initiated device management sessions. Using the [Windows Notification Services (WNS)](/previous-versions/windows/apps/hh913756(v=win.10)), a management server can request a device to establish a management session with the server through a push notification. A device is provided with a PFN for an application. This provision results in the device getting configured, to support a push to it by the management server. Once the device is configured, it registers a persistent connection with the WNS cloud (Battery Sense and Data Sense conditions permitting).
|
||||||
|
|
||||||
To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device.
|
To initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token to initiate a raw push notification for any ChannelURI. When the management server wants to initiate a management session with a device, it can utilize the token and the device ChannelURI, and begin communicating with the device.
|
||||||
|
|
||||||
|
@ -81,7 +81,7 @@ This information is used to by the client device to properly manage the DM sessi
|
|||||||
The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only.
|
The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only.
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> The `<LocURI>` node value for the `<Source>` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](devinfo-csp.md).
|
> The `<LocURI>` node value for the `<Source>` element in the SyncHdr of the device-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see [DevInfo configuration service provider](../mdm/devinfo-csp.md).
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -30,7 +30,7 @@ In a domain controller/Group Policy ecosystem, Group Policies are automatically
|
|||||||
|
|
||||||
An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP doesn't rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
|
An ADMX file can either be shipped with Windows (located at `%SystemRoot%\policydefinitions`) or it can be ingested to a device through the Policy CSP URI (`./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`). Inbox ADMX files are processed into MDM policies at OS-build time. ADMX files that are ingested are processed into MDM policies post-OS shipment through the Policy CSP. Because the Policy CSP doesn't rely upon any aspect of the Group Policy client stack, including the PC's Group Policy Service (GPSvc), the policy handlers that are ingested to the device are able to react to policies that are set by the MDM.
|
||||||
|
|
||||||
Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\<area>\<policy>`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](./policy-configuration-service-provider.md).
|
Windows maps the name and category path of a Group Policy to an MDM policy area and policy name by parsing the associated ADMX file, finding the specified Group Policy, and storing the definition (metadata) in the MDM Policy CSP client store. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, `.\[device|user]\vendor\msft\policy\[config|result]\<area>\<policy>`, this metadata is referenced and determines which registry keys are set or removed. For a list of ADMX policies supported by MDM, see [Policy CSP - ADMX policies](../mdm/policy-configuration-service-provider.md).
|
||||||
|
|
||||||
<!-- [!TIP] -->
|
<!-- [!TIP] -->
|
||||||
<!-- Intune has added a number of ADMX administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) -->
|
<!-- Intune has added a number of ADMX administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) -->
|
||||||
|
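Review bot: The sentence whose link is changed here gives the Policy CSP URI as `.\[device|user]\vendor\msft\policy\[config|result]\<area>\<policy>` with backslashes, whereas the paragraph directly above writes `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall` with forward slashes. Since the line is already being touched, consider writing this URI in the same forward-slash form so a reader copying it into SyncML gets a consistent path. The link text also reads "Policy CSP - ADMX policies" while the target is the general `policy-configuration-service-provider.md` page; please confirm that is the intended destination after the move.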
@ -394,7 +394,7 @@ The following example shows how to derive a Win32 or Desktop Bridge app policy n
|
|||||||
</policy>
|
</policy>
|
||||||
```
|
```
|
||||||
|
|
||||||
As documented in [Policy CSP](policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is:
|
As documented in [Policy CSP](../mdm/policy-configuration-service-provider.md), the URI format to configure a policy via Policy CSP is:
|
||||||
'./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}'.
|
'./{user or device}/Vendor/MSFT/Policy/Config/{AreaName}/{PolicyName}'.
|
||||||
|
|
||||||
**User or device policy**
|
**User or device policy**
|
||||||
|