Merge branch 'main' into dansimp-ie-retire

Daniel Simpson 2022-05-11 13:31:35 -07:00 committed by GitHub
commit 26fa4be1d6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
67 changed files with 3041 additions and 1943 deletions


@ -2,6 +2,27 @@
## Week of May 02, 2022
| Published On |Topic title | Change |
|------|------------|--------|
| 5/3/2022 | [Reset devices with Autopilot Reset](/education/windows/autopilot-reset) | modified |
| 5/3/2022 | [Change history for Windows 10 for Education (Windows 10)](/education/windows/change-history-edu) | modified |
| 5/3/2022 | [Change to Windows 10 Education from Windows 10 Pro](/education/windows/change-to-pro-education) | modified |
| 5/3/2022 | [Chromebook migration guide (Windows 10)](/education/windows/chromebook-migration-guide) | modified |
| 5/3/2022 | [Windows 10 configuration recommendations for education customers](/education/windows/configure-windows-for-education) | modified |
| 5/3/2022 | [Deploy Windows 10 in a school district (Windows 10)](/education/windows/deploy-windows-10-in-a-school-district) | modified |
| 5/3/2022 | [Deploy Windows 10 in a school (Windows 10)](/education/windows/deploy-windows-10-in-a-school) | modified |
| 5/3/2022 | [Deployment recommendations for school IT administrators](/education/windows/edu-deployment-recommendations) | modified |
| 5/3/2022 | [For IT administrators get Minecraft Education Edition](/education/windows/school-get-minecraft) | modified |
| 5/3/2022 | [What's in Set up School PCs provisioning package](/education/windows/set-up-school-pcs-provisioning-package) | modified |
| 5/3/2022 | [Take a Test app technical reference](/education/windows/take-a-test-app-technical) | modified |
| 5/3/2022 | [Set up Take a Test on multiple PCs](/education/windows/take-a-test-multiple-pcs) | modified |
| 5/3/2022 | [For teachers get Minecraft Education Edition](/education/windows/teacher-get-minecraft) | modified |
| 5/3/2022 | [Test Windows 10 in S mode on existing Windows 10 education devices](/education/windows/test-windows10s-for-edu) | modified |
## Week of April 25, 2022

template.md Normal file

@ -0,0 +1,292 @@
---
title: # ARTICLE TITLE in 55 chars or less, most important for SEO. Best to match H1 and TOC, but doesn't have to.
description: # A summary of the content. 75-300 characters. Used in site search. Sometimes used on a search engine results page for improved SEO. Always end with period.
ms.date: mm/dd/yyyy
ms.prod: windows
ms.technology: windows #more to come...
ms.topic: conceptual #reference troubleshooting how-to end-user-help overview (more in contrib guide)
ms.localizationpriority: medium #high null
author: # GitHub username (aczechowski)
ms.author: # MS alias (aaroncz)
ms.reviewer: # MS alias of feature PM, optional
manager: # MS alias of manager (dougeby)
ms.collection: # optional
- # highpri - high priority, strategic, important, current, etc. articles
- # openauth - the article is owned by PM or community for open authoring
---
# Metadata and Markdown Template
_Applies to:_
- Windows 11
- Windows 10
This docs.ms template contains examples of markdown syntax, and guidance on setting the metadata. It's available in the root directory of the Windows repository (`~\windows-docs-pr\template.md`).
When you create a new markdown file article, **Save as** this template to a new file, fill out the metadata as specified below, set the H1 heading above (`#`) to the title of the article, and delete the template content.
## Metadata
The full metadata block is above the markdown between the `---` lines. For more information, see [Metadata attributes](https://review.docs.microsoft.com/en-us/help/contribute/metadata-attributes?branch=main) in the contributor guide. Some key notes:
- You _must_ have a space between the colon (`:`) and the value for a metadata element.
- Remove all metadata comments (`#`)
- Colons in a value (like the title) break the metadata parser. In their place, use the HTML encoding `:` (for example, `title: Azure Rights Management: the basics`).
- `title`: This title appears in search engine results and the browser tab.
- Don't end with a period.
- Use Microsoft style _sentence case_.
- The title can match the H1 heading (`#`) and the name in the toc.yml, but doesn't have to.
- It should be roughly 55 characters or less for best search engine optimization (SEO).
- `description`: Summarize the content, shows in search engine results. 75-300 characters. Always end with a period.
- `ms.date`: After you Save As this template to the target file, with the Docs Authoring Pack extension installed, right-click anywhere in the .md file to **Update `ms.date` metadata value** and save the file.
- `author`: The author field contains the **Github username** of the author.
- This value is used in GitHub notifications, assignments, and other build automation in both the private and public repositories.
- It's also used to display the first (left-most) contributor in the published article.
- `ms.author` & `manager`: Microsoft aliases. ms.author and author are typically the same.
- `ms.reviewer`: Optionally can specify the name of the PM associated with the article. Just for reference, not currently used by any automation.
- `ms.prod`: Should always be `windows` for Windows content. (Some older articles still use `w10` and `w11`.)
- `ms.technology`: Select one of the options based on the feature area. Currently the only option is `windows`.
- `ms.topic`: Select one of the options based on the content type. This attribute is used in calculating content health (different content types are used differently by customers, so have different metrics).
- `ms.localizationpriority`: **Medium** is the default, which is machine translation. For specific, high-priority content that requires human translation (extra cost), set this value to **high**. For any components that are only `en-us`, set this value to **null** for no localization.
## Basic markdown and GFM
All basic and Github-flavored markdown (GFM) is supported. For more information, see the following articles:
- [Docs Markdown reference in the Contributor Guide](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main)
- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
- [Github-flavored markdown (GFM) documentation](https://docs.github.com/github/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax)
## Headings
Examples of first- and second-level headings are above.
There **must** be only one first-level heading (`#`, also known as H1) in your article, which is displayed as the published title at the top of the page.
Second-level headings (`##`, also known as H2) generate the on-page TOC that appears in the **In this article** section beside or underneath the on-page title.
Limit the length of second-level headings to avoid excessive line wraps.
Make sure _all_ headings of any level have a unique name for the article. The build creates an anchor for all headings on the page using kebab formatting. For example, from the [Docs Markdown reference](https://review.docs.microsoft.com/help/contribute/markdown-reference?branch=main) article, the heading **Alerts (Note, Tip, Important, Caution, Warning)** becomes the anchor `#alerts-note-tip-important-caution-warning`. If there are duplicate headings, then the anchors don't behave properly. This behavior also applies when using include files, make sure the headings are unique across the main markdown file, and all include markdown files.
Don't skip levels. For example, don't have an H3 (`###`) without a parent H2 (`##`).
Configuration Manager content does use custom anchors in some articles. They're almost always prefixed with `bkmk_`, for example, `bkmk_client`. These anchors can help reduce the anchor size, but does require HTML code that may not always be supported by the docs build system. There's other functionality with the Docs Authoring Pack and the build validation that only works with native header anchors. Use custom anchors sparingly, and remove them in older articles when possible. When removing custom anchors, make sure to update all internal links from the old custom anchor to the native header kebab format.
### Third-level heading
Third-level headings (and beyond) can be any length, as they don't appear **In this article**.
#### Fourth-level heading
##### Fifth level heading
## Text styling
_Italics_ (a single asterisk (`*`) also works, but the underscore (`_`) helps differentiate with the double asterisk (`**`) for bold)
**Bold**
~~Strikethrough~~
## Links
> [!TIP]
> Use the **Docs Authoring Pack** extension to easily add links!
>
> 1. **Alt** + **M** to open the Docs Authoring Pack menu.
> 1. Select **Link** and then follow the prompts.
>
> It supports headings in the current and other files too! (Just not the custom `bkmk` anchors that are sometimes used in this content.)
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
### Article in the same repo
To link to an article in the same repo, use **file-relative links**. These links have the path to the target as relative to the current file, and always include the `.md` or `.yml` extension. For example, `[Windows client documentation for IT Pros](index.yml)`
#### Link to headings
To link to a heading _in the same markdown file_, add just the anchor as the link. It's either a custom HTML anchor (`#bkmk_client`) or the kebab case of the header. For example: `[Link to an article in the same repo](#article-in-the-same-repo)`. Kebab case is preferred over a custom anchor, as the build validates the link. Make sure headings aren't duplicated in the same article.
To link to a heading _in a markdown file in the same repo_, use relative linking + hashtag linking. For example: `[Windows 11 availability](../whats-new/windows-11-plan.md#windows-11-availability)`
### Another docs.ms article
To link to another docs.ms article not in the same repo, use a **root-relative link**. This style supports the potential future use of the doc content in a separate disconnected environment, like for a high security government customer, which would have a different domain. For example, `[Public contributor guide](/contribute/additional-resources)`.
### External URLs
To link to an external file, use the full URL as the link. For example: `[Github](https://www.github.com)`
- The link should always be **HTTPS**.
- Remove any local from the URL, unless it doesn't work without it. Most all microsoft.com properties support language neutral URLs.
### Example links
If you need to provide an example of a URL in the article, enclose it in a code block. For example: `https://www.contoso.com`
This style makes sure the URL is ignored during build validation and the broken links report.
### Tips for links
When your pull request runs, the build system validates all file-relative links and non-custom anchors. It will return a warning if it can't resolve a link.
VSCode supports file-relative links and non-custom anchors, so you can easily navigate between pages, and test that links are valid.
There's a broken link report that runs once a week in the build system, get the report from OPS.
Don't use URL shorteners like `go.microsoft.com/fwlink` or `aka.ms`. Include the full URL to the target.
For more information, see [Add links to articles](https://review.docs.microsoft.com/help/contribute/links-how-to?branch=main) in the contributor guide.
## Lists
### Ordered lists
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
You can explicitly number each line if needed, but this style lets the build autonumber it. This style is beneficial if you need to add or remove a step.
#### Ordered list with an embedded list
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is ordered.
1. This list is embedded.
1. This list is embedded.
1. This list is ordered.
1. This list is ordered.
### Unordered Lists
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
#### Unordered list with embedded lists
- This list is bulleted.
- This list is bulleted.
- This list is bulleted.
- This list is embedded.
- This list is embedded.
- This list is bulleted.
- This list is bulleted.
1. This list is embedded and ordered.
1. This list is embedded and ordered.
- This list is bulleted.
## Horizontal rule
---
## Tables
| Tables | Are | Cool |
| ------------- |:-------------:| -----:|
| col 3 is | right-aligned | $1600 |
| col 2 is | centered | $12 |
| col 1 is default | left-aligned | $1 |
The Docs Authoring Pack has features to manage markdown tables. Select the entire table, then right-click to see the options.
## Code
### Codeblock
```json
{
"aggregator": {
"batchSize": 1000,
flushTimeout": "00:00:30"
}
}
```
### In-line code
This sentence includes an example of `in-line code`.
## Blockquote
> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
## Images
Use the Docs Authoring Pack menu to easily insert media.
Always include alt text for accessibility, and always end it with a period.
### Static Image
:::image type="content" source="media/deploy1.png" alt-text="A graphic of a laptop as a suitcase.":::
### Image with lightbox
:::image type="content" source="media/deploy2.png" alt-text="A graphic of a computer with external monitor." lightbox="media/W10-WaaS-poster.PNG":::
### Animated gif
:::image type="content" source="media/docs-filter-toc.gif" alt-text="Animated gif of 'filter by title' option in the table of contents.":::
### Linked Image
[![Alt text for linked image.](memdocs/media/docs-github-edit.png)](https://azure.microsoft.com)
## Alerts
### Note
> [!NOTE]
> This is NOTE
### Warning
> [!WARNING]
> This is WARNING
### Tip
> [!TIP]
> This is TIP
### Caution
> [!CAUTION]
> This is CAUTION
### Important
> [!IMPORTANT]
> This is IMPORTANT
## Videos
### YouTube
> [!VIDEO https://www.youtube.com/embed/rnhnZTrSZzI]
## docs.ms extensions
> [!div class="nextstepaction"]
> [Next step action](/mem/configmgr)
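Review bot: the JSON sample under "Codeblock" is not valid JSON: the `flushTimeout` line is missing its opening quote (`flushTimeout": "00:00:30"` should be `"flushTimeout": "00:00:30"`), and since this is the template authors copy from, the sample should parse. Other fixes in the same file: the metadata bullet about colons tells authors to use "the HTML encoding `:`", but the entity was rendered into a plain colon, so the reader sees exactly the character the sentence says breaks the parser; write the entity so it survives rendering (`&#58;` inside a code span, if that is the intended encoding). "Remove any local from the URL" under "External URLs" should read "locale". The "Linked Image" example points at `memdocs/media/docs-github-edit.png` and the custom-anchor paragraph talks about "Configuration Manager content", both carried over from the memdocs template; in this repo the media path won't resolve and the `bkmk_` guidance should be reworded for Windows content or dropped.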


@ -13,6 +13,16 @@ ms.date: 06/22/2021
# Language Pack Management CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|Yes|
|Business|No|No|
|Enterprise|No|Yes|
|Education|No|Yes|
The Language Pack Management CSP allows a direct way to provision languages remotely in Windows. MDMs like Intune can use management commands remotely to devices to configure language-related settings for System and new users.
1. Enumerate installed languages and features with GET command on the "InstalledLanguages" node. Below are the samples:
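Review bot: the applicability table marks Business as No for Windows 11 while Pro, Enterprise and Education are Yes; confirm that is intentional, since the Business row usually matches the Pro row in these tables. Every Windows 10 cell is No but the opening paragraph never says the CSP is Windows 11-only, so add the "Added in Windows 11" style statement the other CSP pages carry, and tidy "MDMs like Intune can use management commands remotely to devices" to "MDMs such as Intune can send management commands to devices remotely".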
@ -81,3 +91,7 @@ The Language Pack Management CSP allows a direct way to provision languages remo
4. Get/Set System Preferred UI Language with GET or REPLACE command on the "SystemPreferredUILanguages" Node
**./Device/Vendor/MSFT/LanguagePackManagement/LanguageSettings/SystemPreferredUILanguages**
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -79,7 +79,14 @@ For a local account, the domain name should be the device name. When Get is exec
The supported operations are Add, Delete, Get and Replace. When there's no configuration, the Get and Delete methods fail. When there's already a configuration for kiosk mode app, the Add method fails. The data pattern for Add and Replace is the same.
<a href="" id="assignedaccess-configuration"></a>**./Device/Vendor/MSFT/AssignedAccess/Configuration**
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For details about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). Here's the schema for the [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
Added in Windows 10, version 1709. Specifies the settings that you can configure in the kiosk or device. This node accepts an AssignedAccessConfiguration xml as input to configure the device experience. For more information about the configuration settings in the XML, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps). For more information on the schema, see [AssignedAccessConfiguration](#assignedaccessconfiguration-xsd).
Updated in Windows 10, version 1909. Added Microsoft Edge kiosk mode support. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like "shift+alt+a", where "shift" and "alt" are the modifiers and "a" is the key.
> [!Note]
> In Windows 10, version 1803 the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
>
> Starting in Windows 10, version 1803 the KioskModeApp node becomes No-Op if Configuration node is configured on the device. That Add/Replace/Delete command on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even its not effective.
Enterprises can use this to easily configure and manage the curated lockdown experience.
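Review bot: the new breakout-sequence paragraph should state what happens when no BreakoutSequence is configured (what the default key sequence is) and make explicit that the sequence only returns the session to the lock screen rather than unlocking anything, because an admin deploying a public kiosk needs both facts to decide whether to override it. The format description ("shift+alt+a", lowercase) also differs from the `Ctrl+A` used in the example further down the page; say whether modifier and key names are case-insensitive.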
@ -248,7 +255,7 @@ KioskModeApp Replace
## AssignedAccessConfiguration XSD
Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
The schema below is for AssignedAccess Configuration up to Windows 10 20H2 release.
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -259,11 +266,13 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
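Review bot: the version labels disagree. The heading says the schema covers "up to Windows 10 20H2", yet it now imports the `.../AssignedAccess/2021/config` namespace, and the section that defines that namespace later on calls it the "Windows 10, version 1909" schema. Pick one release for the v4 additions and use it in all three places; otherwise readers can't tell which OS build first accepts `v4:ClassicAppPath` and `v4:BreakoutSequence`.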
@ -273,8 +282,14 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
<xs:complexType name="kioskmodeapp_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attributeGroup ref="ClassicApp_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="ClassicApp_attributeGroup">
<xs:attribute ref="v4:ClassicAppPath"/>
<xs:attribute ref="v4:ClassicAppArguments" use="optional"/>
</xs:attributeGroup>
<xs:complexType name="profile_t">
<xs:choice>
<xs:sequence minOccurs="1" maxOccurs="1">
@ -283,7 +298,19 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1"/>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1">
<xs:key name="mutualExclusionAumidOrClassicAppPath">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppPath"/>
</xs:key>
<xs:unique name="mutualExclusionAumidOrClassicAppArgumentsOptional">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppArguments"/>
</xs:unique>
</xs:element>
<xs:element ref="v4:BreakoutSequence" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:choice>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
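Review bot: `v4:BreakoutSequence` is only added to the second `xs:sequence` (the single-app `KioskModeApp` branch of the `xs:choice`), but the NOTE further down says BreakoutSequence can be applied to any kiosk type. If multi-app profiles accept it too, add the same `<xs:element ref="v4:BreakoutSequence" minOccurs="0" maxOccurs="1"/>` to the AllAppsList/StartLayout/Taskbar sequence; if not, qualify the note. The `xs:key` over `@AppUserModelId|@v4:ClassicAppPath` does enforce exactly one of the two attributes (a key field must resolve to a single node), which deserves a one-line comment in the XSD since it is the only thing stopping a profile from naming both a UWP and a Win32 kiosk app.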
@ -384,6 +411,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
<xs:simpleType name="specialGroupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Visitor"/>
<xs:enumeration value="DeviceOwner"/>
</xs:restriction>
</xs:simpleType>
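Review bot: `DeviceOwner` is added to `specialGroupType_t` without any prose explaining it. Add a sentence in the Configs description saying which account the special group resolves to and which release introduced it.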
@ -422,7 +450,7 @@ Below schema is for AssignedAccess Configuration up to Windows 10 1803 release.
</xs:all>
</xs:complexType>
</xs:element>
</xs:schema>
</xs:schema>);
```
Here's the schema for new features introduced in Windows 10 1809 release
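Review bot: the closing tag of the main XSD now reads `</xs:schema>);`; the trailing `);` is a typo, and anyone who copies the block into an XSD validator gets a parse error. Restore `</xs:schema>`.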
@ -501,7 +529,32 @@ Schema for Windows 10 prerelease
</xs:schema>
```
To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure auto-launch feature that is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
The schema below is for features introduced in Windows 10, version 1909 which has added support for Microsoft Edge kiosk mode and breakout key sequence customization.
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
xmlns:vc="http://www.w3.org/2007/XMLSchema-versioning"
vc:minVersion="1.1"
xmlns="http://schemas.microsoft.com/AssignedAccess/2021/config"
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<xs:attribute name="ClassicAppPath" type="xs:string"/>
<xs:attribute name="ClassicAppArguments" type="xs:string"/>
<xs:element name="BreakoutSequence" type="BreakoutSequence_t" />
<xs:complexType name="BreakoutSequence_t">
<xs:attribute name="Key" type="xs:string" use="required"/>
</xs:complexType>
</xs:schema>
```
To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature that's added in the 1809 release, use the below sample. Notice an alias r1809 is given to the 201810 namespace for the 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline.
```xml
<AssignedAccessConfiguration
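Review bot: `BreakoutSequence_t/@Key` is an unconstrained `xs:string`, while the prose defines a `modifiers + key` format; either add an `xs:pattern` or, at minimum, list the accepted modifier names and say whether they are case-insensitive. Also note in the text that this schema declares `vc:minVersion="1.1"`: XSD 1.0-only validators (for example .NET's XmlSchemaSet) may ignore or reject it, so readers validating configuration XML offline need an XSD 1.1 processor.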
@ -517,6 +570,7 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele
## Example AssignedAccessConfiguration XML
Example XML configuration for a multi-app kiosk:
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
@ -568,6 +622,53 @@ To authorize a compatible configuration XML that includes 1809 or prerelease ele
</AssignedAccessConfiguration>
```
Example XML configuration for a Microsoft Edge kiosk. This Microsoft Edge kiosk is configured to launch www.bing.com on startup in a public browsing mode.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>EdgeKioskUser</Account>
<DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
Example XML configuration for setting a breakout sequence to be Ctrl+A on a Microsoft Edge kiosk.
> [!NOTE]
> **BreakoutSequence** can be applied to any kiosk type, not just an Edge kiosk.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
<v4:BreakoutSequence Key="Ctrl+A"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>EdgeKioskUser</Account>
<DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
## Configuration examples
XML encoding (escaped) and CDATA of the XML in the Data node will both ensure that DM client can properly interpret the SyncML and send the configuration xml as string (in original format, unescaped) to AssignedAccess CSP to handle.
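Review bot: the breakout example uses `Key="Ctrl+A"`, which is select-all in Edge; a kiosk user pressing it routinely drops the session to the lock screen, so for a public-kiosk example prefer a combination nobody hits by accident (at least two modifiers) and say why. Two smaller points in the same hunk: `--kiosk www.bing.com` has no scheme, so Edge will fix it up to `http://` and rely on a redirect to reach HTTPS; write `https://www.bing.com` explicitly. The kiosk account `EdgeKioskUser` is referenced but never shown being created or configured for automatic sign-in; a cross-reference to that setup would do. Finally, the two XML blocks differ by the single `<v4:BreakoutSequence>` line; consider folding them into one example.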


@ -22,8 +22,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](https://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](https://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is for Windows 10, version 1803.
The XML below is for Windows 10, version 1909.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
@ -50,7 +49,7 @@ The XML below is for Windows 10, version 1803.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/2.0/MDM/AssignedAccess</MIME>
<MIME>com.microsoft/4.0/MDM/AssignedAccess</MIME>
</DFType>
</DFProperties>
<Node>
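Review bot: the DFType MIME jumps from `com.microsoft/2.0/MDM/AssignedAccess` to `com.microsoft/4.0/MDM/AssignedAccess` while the sentence above labels the XML as the version 1909 DDF; confirm 4.0 is the version tag that ships in the 1909 DDF, since the DDF is what MDM tooling imports and mismatched version strings are hard to diagnose later.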
@ -208,4 +207,3 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu


@ -1,6 +1,6 @@
---
title: DeviceManageability CSP
description: The DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
description: Learn how the DeviceManageability configuration service provider (CSP) is used to retrieve general information about MDM configuration capabilities on the device.
ms.assetid: FE563221-D5B5-4EFD-9B60-44FE4066B0D2
ms.reviewer:
manager: dansimp
@ -14,6 +14,15 @@ ms.date: 11/01/2017
# DeviceManageability CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DeviceManageability configuration service provider (CSP) is used to retrieve the general information about MDM configuration capabilities on the device. This CSP was added in Windows 10, version 1607.
@ -30,6 +39,7 @@ DeviceManageability
------------ConfigInfo (Added in Windows 10, version 1709)
------------EnrollmentInfo (Added in Windows 10, version 1709)
```
<a href="" id="--device-vendor-msft-devicemanageability"></a>**./Device/Vendor/MSFT/DeviceManageability**
Root node to group information about runtime MDM configuration capability on the target device.
@ -50,14 +60,20 @@ Added in Windows 10, version 1709. Configuration information string value set by
ConfigInfo value can only be set by the provider that owns the ProviderID. The value is readable by other config sources.
Data type is string. Supported operations are Add, Get, Delete, and Replace.
Data type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="capabilities-cspversions"></a>**Provider/_ProviderID_/EnrollmentInfo**
Added in Windows 10, version 1709. Enrollment information string value set by the configuration source and sent during MDM enrollment. It's readable by MDM server during sync session.
Data type is string. Supported operations are Add, Get, Delete, and Replace. 
Data type is string.
Supported operations are Add, Get, Delete, and Replace. 
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -1,6 +1,6 @@
---
title: DeviceStatus CSP
description: The DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
description: Learn how the DeviceStatus configuration service provider keeps track of device inventory and queries the compliance state of devices within the enterprise.
ms.assetid: 039B2010-9290-4A6E-B77B-B2469B482360
ms.reviewer:
manager: dansimp
@ -14,6 +14,15 @@ ms.date: 06/25/2021
# DeviceStatus CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DeviceStatus configuration service provider is used by the enterprise to keep track of device inventory and query the state of compliance of these devices with their enterprise policies.
@ -63,15 +72,16 @@ DeviceStatus
--------VirtualizationBasedSecurityStatus
--------LsaCfgCredGuardStatus
```
<a href="" id="devicestatus"></a>**DeviceStatus**
The root node for the DeviceStatus configuration service provider.
<a href="" id="devicestatus-securebootstate"></a>**DeviceStatus/SecureBootState**
Indicates whether secure boot is enabled. The value is one of the following values:
- 0 - Not supported
- 1 - Enabled
- 2 - Disabled
- 0 - Not supported
- 1 - Enabled
- 2 - Disabled
Supported operation is Get.
@ -138,9 +148,9 @@ Supported operation is Get.
<a href="" id="devicestatus-networkidentifiers-macaddress-type"></a>**DeviceStatus/NetworkIdentifiers/*MacAddress*/Type**
Type of network connection. The value is one of the following values:
- 2 - WLAN (or other Wireless interface)
- 1 - LAN (or other Wired interface)
- 0 - Unknown
- 2 - WLAN (or other Wireless interface)
- 1 - LAN (or other Wired interface)
- 0 - Unknown
Supported operation is Get.
@ -150,8 +160,8 @@ Node for the compliance query.
<a href="" id="devicestatus-compliance-encryptioncompliance"></a>**DeviceStatus/Compliance/EncryptionCompliance**
Boolean value that indicates compliance with the enterprise encryption policy for OS (system) drives. The value is one of the following values:
- 0 - Not encrypted
- 1 - Encrypted
- 0 - Not encrypted
- 1 - Encrypted
Supported operation is Get.
@ -179,8 +189,9 @@ Supported operation is Get.
Added in Windows, version 1803. Read only node that specifies the device mode.
Valid values:
- 0 - The device is in standard configuration
- 1 - The device is in S mode configuration
- 0 - The device is in standard configuration.
- 1 - The device is in S mode configuration.
Supported operation is Get.
@ -194,15 +205,16 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
- 0 - The security software reports that it isn't the most recent version.
- 1 (default) - The security software reports that it's the most recent version.
- 2 Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
- 0 - The security software reports that it isn't the most recent version.
- 1 (default) - The security software reports that it's the most recent version.
- 2 Not applicable. It is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
If more than one antivirus provider is active, this node returns:
- 1 If every active antivirus provider has a valid signature status.
- 0 If any of the active antivirus providers has an invalid signature status.
- 1 If every active antivirus provider has a valid signature status.
- 0 If any of the active antivirus providers has an invalid signature status.
This node also returns 0 when no antivirus provider is active.
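Review bot: the reworded value-2 item ("- 2 Not applicable. It is returned for devices...") still lacks the " - " separator the other two items use and still has "doesnt" without an apostrophe; suggest "- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesn't exist)." so the item matches the separator and contraction style of "- 0 - ..." and "- 1 (default) - ..." above it.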
@ -211,38 +223,39 @@ Added in Windows, version 1607. Integer that specifies the status of the antivi
Valid values:
- 0 Antivirus is on and monitoring.
- 1 Antivirus is disabled.
- 2 Antivirus isn't monitoring the device/PC or some options have been turned off.
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC.
- 4 Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
- 0 Antivirus is on and monitoring.
- 1 Antivirus is disabled.
- 2 Antivirus isn't monitoring the device/PC or some options have been turned off.
- 3 (default) Antivirus is temporarily not completely monitoring the device/PC.
- 4 Antivirus not applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
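Review bot: the value-4 item in the new list still reads "Antivirus not applicable for this device" (missing verb) and "where the API doesnt exist" (missing apostrophe); suggest "- 4 Antivirus isn't applicable for this device. This value is returned for devices like the phone that don't have an antivirus (where the API doesn't exist)." while this list is being touched.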
<a href="" id="devicestatus-antispyware"></a>**DeviceStatus/Antispyware**
Added in Windows, version 1607. Node for the antispyware query.
Added in Windows, version 1607. Node for the anti-spyware query.
Supported operation is Get.
<a href="" id="devicestatus-antispyware-signaturestatus"></a>**DeviceStatus/Antispyware/SignatureStatus**
Added in Windows, version 1607. Integer that specifies the status of the antispyware signature.
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware signature.
Valid values:
- 0 - The security software reports that it isn't the most recent version.
- 1 - The security software reports that it's the most recent version.
- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
- 0 - The security software reports that it isn't the most recent version.
- 1 - The security software reports that it's the most recent version.
- 2 - Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
If more than one antispyware provider is active, this node returns:
- 1 If every active antispyware provider has a valid signature status.
- 0 If any of the active antispyware providers has an invalid signature status.
If more than one anti-spyware provider is active, this node returns:
This node also returns 0 when no antispyware provider is active.
- 1 If every active anti-spyware provider has a valid signature status.
- 0 If any of the active anti-spyware providers has an invalid signature status.
This node also returns 0 when no anti-spyware provider is active.
<a href="" id="devicestatus-antispyware-status"></a>**DeviceStatus/Antispyware/Status**
Added in Windows, version 1607. Integer that specifies the status of the antispyware.
Added in Windows, version 1607. Integer that specifies the status of the anti-spyware.
Valid values:
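Review bot: the value-2 description under DeviceStatus/Antispyware/SignatureStatus still says "devices like the phone that don't have an antivirus (where the API doesnt exist.)" even though the surrounding prose was just changed to "anti-spyware"; if this was copied from the antivirus node, it should read "don't have an anti-spyware provider", and "doesnt" needs its apostrophe either way.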
@ -263,11 +276,11 @@ Added in Windows, version 1607. Integer that specifies the status of the firewa
Valid values:
- 0 Firewall is on and monitoring.
- 1 Firewall has been disabled.
- 2 Firewall isn't monitoring all networks or some rules have been turned off.
- 3 (default) Firewall is temporarily not monitoring all networks.
- 4 Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
- 0 Firewall is on and monitoring.
- 1 Firewall has been disabled.
- 2 Firewall isn't monitoring all networks or some rules have been turned off.
- 3 (default) Firewall is temporarily not monitoring all networks.
- 4 Not applicable. This value is returned for devices like the phone that don't have an antivirus (where the API doesnt exist.)
Supported operation is Get.
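Review bot: in the firewall Status list the value-4 item says "devices like the phone that don't have an antivirus (where the API doesnt exist.)", which looks copied from the antivirus node; please confirm whether it should refer to a firewall instead, and fix "doesnt" to "doesn't" in the new line.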
@ -327,15 +340,15 @@ Added in Windows, version 1709. Virtualization-based security hardware requirem
Supported operation is Get.
<a href="" id="devicestatus-deviceguard-virtualizationbasedsecuritystatus"></a>**DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus**
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following values:
Added in Windows, version 1709. Virtualization-based security status. Value is one of the following:
- 0 - Running
- 1 - Reboot required
- 2 - 64-bit architecture required
- 3 - Not licensed
- 4 - Not configured
- 5 - System doesn't meet hardware requirements
- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details
- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details.
Supported operation is Get.
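Review bot: the new "- 42 Other. Event logs in Microsoft-Windows-DeviceGuard have more details." item still omits the " - " separator that every other item in this list uses ("- 0 - Running", "- 5 - System doesn't meet hardware requirements"); suggest "- 42 - Other. Event logs in Microsoft-Windows-DeviceGuard have more details."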
@ -346,7 +359,10 @@ Added in Windows, version 1709. Local System Authority (LSA) credential guard s
- 1 - Reboot required
- 2 - Not licensed for Credential Guard
- 3 - Not configured
- 4 - VBS not running
- 4 - VBS not running
Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -14,17 +14,25 @@ ms.date: 06/26/2017
# DevInfo CSP
The table below shows the applicability of Windows:
The DevInfo configuration service provider handles the managed object that provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DevInfo configuration service provider handles the managed object, which provides device information to the OMA DM server. This device information is automatically sent to the OMA DM server at the beginning of each OMA DM session.
> [!NOTE]
> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
 
For the DevInfo CSP, you can't use the Replace command unless the node already exists.
The following example shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
The following shows the DevInfo configuration service provider management object in tree format as used by OMA Device Management. The OMA Client provisioning protocol isn't supported by this configuration service provider.
```
.
DevInfo
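Review bot: the line between the note block and "For the DevInfo CSP, you can't use the Replace command..." contains only a non-breaking space and should be removed rather than carried into the reordered text; also, changing "the managed object that provides device information" to "the managed object, which provides device information" turns a restrictive clause into a non-restrictive one, so the original "that provides" is the more precise wording to keep.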
@ -34,6 +42,7 @@ DevInfo
----DmV
----Lang
```
<a href="" id="devid"></a>**DevId**
Required. Returns an application-specific global unique device identifier by default.
@ -41,25 +50,22 @@ Supported operation is Get.
The **UseHWDevID** parm of the [DMAcc configuration service provider](dmacc-csp.md) or DMS configuration service provider can be used to modify the return value to instead return a hardware device ID as follows:
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), it returns an application specific global unique identifier (GUID) irrespective of the value of UseHWDevID.
<a href="" id="man"></a>**Man**
Required. Returns the name of the OEM. For Windows 10 for desktop editions, it returns the SystemManufacturer as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemManufacturer.
If no name is found, the value returned is "Unknown".
If no name is found, this returns to "Unknown".
Supported operation is Get.
<a href="" id="mod"></a>**Mod**
Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10 for desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
Required. Returns the name of the hardware device model as specified by the mobile operator. For Windows 10/Windows 11 desktop editions, it returns the SystemProductName as defined in HKEY\_LOCAL\_MACHINE\\HARDWARE\\DESCRIPTION\\System\\BIOS\\SystemProductName.
If no name is found, the value returned is "Unknown".
If no name is found, this returns to "Unknown".
Supported operation is Get.
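Review bot: "If no name is found, this returns to "Unknown"." is ungrammatical in both the Man and Mod nodes; the original "If no name is found, the value returned is "Unknown"." should stay. Also, Mod was updated to "Windows 10/Windows 11 desktop editions" while Man and the UseHWDevID list item above still say "Windows 10 for desktop editions"; apply the same update to both if the Windows 11 behaviour is identical.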
@ -75,15 +81,4 @@ Supported operation is Get.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
 
 



@ -14,6 +14,16 @@ ms.date: 11/19/2019
# DiagnosticLog CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DiagnosticLog configuration service provider (CSP) provides the following feature areas:
- [DiagnosticArchive area](#diagnosticarchive-area). Capture and upload event logs, log files, and registry values for troubleshooting.
- [Policy area](#policy-area). Configure Windows event log policies, such as maximum log size.
@ -68,7 +78,9 @@ Rest of the nodes in the DiagnosticLog CSP are described within their respective
## DiagnosticArchive area
The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage. DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
The DiagnosticArchive functionality within the DiagnosticLog CSP is used to trigger devices to gather troubleshooting data into a zip archive file and upload that archive to cloud storage.
DiagnosticArchive is designed for ad-hoc troubleshooting scenarios, such as an IT admin investigating an app installation failure using a collection of event log events, registry values, and app or OS log files.
> [!NOTE]
> DiagnosticArchive is a "break glass" backstop option for device troubleshooting. Diagnostic data such as log files can grow to many gigabytes. Gathering, transferring, and storing large amounts of data may burden the user's device, the network and cloud storage. Management servers invoking DiagnosticArchive must take care to minimize data gathering frequency and scope.
@ -90,7 +102,7 @@ The data type is string.
Expected value:
Set and Execute are functionality equivalent, and each accepts a `Collection` XML snippet (as a string) describing what data to gather and where to upload it. The results are zipped and uploaded to the specified SasUrl. The zipped filename format is "DiagLogs-{ComputerName}-YYYYMMDDTHHMMSSZ.zip".
With Windows 10 KB5011543, Windows 11 KB5011563 we have added support for an additional element which will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
With Windows 10 KB5011543, Windows 11 KB5011563, we have added support for an extra element that will determine whether the output file generated by the CSP is a flattened folder structure, instead of having individual folders for each directive in the XML.
The following example shows a `Collection` XML:
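Review bot: the rewritten sentence still never names the element it introduces; the OutputFileFormat element with its "Flattened" value is described later in this patch, so suggest "With Windows 10 KB5011543 and Windows 11 KB5011563, the CSP supports an extra `OutputFileFormat` element that determines whether the output file is a flattened folder structure instead of having individual folders for each directive in the XML." This also drops the first-person "we have added", which the rest of the CSP reference does not use, and adds the missing "and" between the two KB numbers.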
@ -110,13 +122,15 @@ The following example shows a `Collection` XML:
</Collection>
```
The XML should include the following elements within the `Collection` element:
**ID**
**ID**:
The ID value uniquely identifies this data-gathering request. To avoid accidental repetition of data gathering, the CSP ignores subsequent Set or Execute invocations with the same ID value. The CSP expects the value to be populated when the request is received, so it must be generated by the IT admin or the management server.
**SasUrl**
The SasUrl value is the target URI to which the CSP uploads the zip file containing the gathered data. It's the responsibility of the management server to provision storage in such a way that the storage server accepts the device's HTTP PUT to this URL. For example, the device management service could:
- Provision cloud storage reachable by the target device, such as a Microsoft Azure blob storage container
- Generate a Shared Access Signature URL granting the possessor (the target device) time-limited write access to the storage container
- Pass this value to the CSP on the target device through the `Collection` XML as the `SasUrl` value.
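Review bot: "**ID**" gained a trailing colon ("**ID**:") but "**SasUrl**" directly below it did not; the two element labels should use the same form, so either add the colon to SasUrl as well or revert the ID change.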
@ -132,7 +146,7 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- **Events**
- Exports all events from the named Windows event log.
- Expected input value: A named event log channel such as "Application" or "Microsoft-Windows-DeviceGuard/Operational".
- Output format: Creates a .evtx file.
- Output format: Creates an .evtx file.
- **Commands**
- This directive type allows the execution of specific commands such as ipconfig.exe. Note that DiagnosticArchive and the Commands directives aren't a general-purpose scripting platform. These commands are allowed in the DiagnosticArchive context to handle cases where critical device information may not be available through existing log files.
@ -183,7 +197,6 @@ The SasUrl value is the target URI to which the CSP uploads the zip file contain
- Flattens folder structure, instead of having individual folders for each directive in the XML.
- The value “Flattened” is the only supported value for the OutputFileFormat. If the OutputFileFormat is absent in the XML, or if explicitly set to something other than Flattened, it will leave the file structure in old structure.
<a href="" id="diagnosticarchive-archiveresults"></a>**DiagnosticArchive/ArchiveResults**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting displays the results of the last archive run.
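Review bot: the OutputFileFormat description ends with "it will leave the file structure in old structure", which is missing an article and is vague about what "old" means; suggest "the previous folder structure (one folder per directive) is kept." The curly quotes around “Flattened” should also be straight quotes, matching "Application" and the other quoted values in this file.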
@ -191,7 +204,7 @@ The supported operation is Get.
The data type is string.
A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above it returns:
A Get to the above URI will return the results of the data gathering for the last diagnostics request. For the example above:
``` xml
<SyncML>
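Review bot: trimming "For the example above it returns:" to "For the example above:" leaves the sentence dangling before the XML block; suggest "For the example above, the response is:" so the lead-in still says what the block shows.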
@ -254,6 +267,7 @@ la--- 1/4/2021 2:45 PM 1
la--- 1/4/2021 2:45 PM 2
la--- 12/2/2020 6:27 PM 2701 results.xml
```
Each data gathering directive from the original `Collection` XML corresponds to a folder in the output.
For example, the first directive was:
@ -262,7 +276,8 @@ For example, the first directive was:
<RegistryKey HRESULT="0">HKLM\Software\Policies</RegistryKey>
</Collection>
```
then folder `1` will contain the corresponding `export.reg` file.
Then, folder `1` will contain the corresponding `export.reg` file.
The `results.xml` file is the authoritative map to the output. It includes a status code for each directive. The order of the directives in the file corresponds to the order of the output folders. Using `results.xml` the administrator can see what data was gathered, what failures may have occurred, and which folders contain which output. For example, the following `results.xml` content indicates that registry export of HKLM\Software\Policies was successful and the data can be found in folder `1`. It also indicates that `netsh.exe wlan show profiles` command failed.
@ -275,6 +290,7 @@ The `results.xml` file is the authoritative map to the output. It includes a sta
```
Administrators can apply automation to 'results.xml' to create their own preferred views of the data. For example, the following PowerShell one-liner extracts from the XML an ordered list of the directives with status code and details.
```powershell
Select-XML -Path results.xml -XPath '//RegistryKey | //Command | //Events | //FoldersFiles' | Foreach-Object -Begin {$i=1} -Process { [pscustomobject]@{DirectiveNumber=$i; DirectiveHRESULT=$_.Node.HRESULT; DirectiveInput=$_.Node.('#text')} ; $i++}
```
@ -375,8 +391,8 @@ Added in version 1.4 of the CSP in Windows 10, version 1903. Dynamic node to rep
Supported operations are Add, Delete, and Get.
Add **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -398,7 +414,9 @@ Add **Channel**
</SyncBody>
</SyncML>
```
Delete **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -416,7 +434,9 @@ Delete **Channel**
</SyncBody>
</SyncML>
```
Get **Channel**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -434,6 +454,7 @@ Get **Channel**
</SyncBody>
</SyncML>
```
<a href="" id="policy-channels-channelname-maximumfilesize"></a>**Policy/Channels/_ChannelName_/MaximumFileSize**
Added in version 1.4 of the CSP in Windows 10, version 1903. This policy setting specifies the maximum size of the log file in megabytes.
@ -446,6 +467,7 @@ Supported operations are Add, Delete, Get, and Replace.
The data type is integer.
Add **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -470,6 +492,7 @@ Add **MaximumFileSize**
```
Delete **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -487,7 +510,9 @@ Delete **MaximumFileSize**
</SyncBody>
</SyncML>
```
Get **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -507,6 +532,7 @@ Get **MaximumFileSize**
```
Replace **MaximumFileSize**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -542,6 +568,7 @@ Default string is as follows:
`https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`
Add **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -566,6 +593,7 @@ Add **SDDL**
```
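Review bot: the default-string link in this hunk's context, `https://docs.microsoft.com/windows/'desktop/WES/eventmanifestschema-channeltype-complextype`, contains a stray apostrophe after `windows/` that would break the URL; since the surrounding lines are being reformatted anyway, remove it in the same change.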
Delete **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
@ -586,6 +614,7 @@ Delete **SDDL**
```
Get **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -605,6 +634,7 @@ Get **SDDL**
```
Replace **SDDL**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -642,8 +672,10 @@ The following are the possible values:
If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
If you disable or don't configure this policy setting, the locally configured value will be used as default. Every channel that is installed, whether inbox or by ISVs, is responsible for defining its own local configuration, and that configuration can be changed by any administrator. Values set via this policy override but don't replace local configuration.
Add **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -668,6 +700,7 @@ Add **ActionWhenFull**
```
Delete **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -687,6 +720,7 @@ Delete **ActionWhenFull**
```
Get **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -706,6 +740,7 @@ Get **ActionWhenFull**
```
Replace **ActionWhenFull**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -737,12 +772,14 @@ Supported operations are Add, Delete, Get, and Replace.
The data type is boolean.
The following are the possible values:
- TRUE—Enables the channel.
- FALSE—Disables the channel.
If you disable or don't configure this policy setting, the locally configured value is used as default.
Get **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -762,6 +799,7 @@ Get **Enabled**
```
Add **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -786,6 +824,7 @@ Add **Enabled**
```
Delete **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -805,6 +844,7 @@ Delete **Enabled**
```
Replace **Enabled**
``` xml
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
@ -831,6 +871,7 @@ Replace **Enabled**
## EtwLog area
The Event Tracing for Windows (ETW) log feature of the DiagnosticLog CSP is used to control the following types of event tracing:
- [Collector-based tracing](#collector-based-tracing)
- [Channel-based tracing](#channel-based-tracing)
@ -842,31 +883,31 @@ This type of event tracing collects event data from a collection of registered E
An event collector is a container of registered ETW providers. Users can add or delete a collector node and register or unregister multiple providers in this collector.
The ***CollectorName*** must be unique within the CSP and must not be a valid event channel name or a provider GUID.
The *CollectorName* must be unique within the CSP and must not be a valid event channel name or a provider GUID.
The DiagnosticLog CSP maintains a log file for each collector node and the log file is overwritten if a start command is triggered again on the same collector node.
For each collector node, the user can:
- Start or stop the session with all registered and enabled providers
- Query session status
- Change trace log file mode
- Change trace log file size limit
- Start or stop the session with all registered and enabled providers.
- Query session status.
- Change trace log file mode.
- Change trace log file size limit.
The configurations log file mode and log file size limit don't take effect while trace session is in progress. These attributes are applied when user stops the current session and then starts it again for this collector.
For each registered provider in this collector, the user can:
- Specify keywords to filter events from this provider
- Change trace level to filter events from this provider
- Enable or disable the provider in the trace session
- Specify keywords to filter events from this provider.
- Change trace level to filter events from this provider.
- Enable or disable the provider in the trace session.
The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately while trace session is in progress.
> [!NOTE]
> Microsoft-WindowsPhone-Enterprise-Diagnostics-Provider (GUID - 3da494e4-0fe2-415C-b895-fb5265c5c83b) has the required debug resource files built into Windows OS, which will allow the logs files to be decoded on the remote machine. Any other logs may not have the debug resources required to decode.
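Review bot: two context sentences in this hunk need the same kind of cleanup the list items received: "The configurations log file mode and log file size limit don't take effect while trace session is in progress." should read "The log file mode and log file size limit settings don't take effect while a trace session is in progress.", and "The changes on **State**, **Keywords**, and **TraceLevel** takes effect immediately" has a plural subject, so "take effect".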
### Channel-based tracing
### Channel-based tracing
The type of event tracing exports event data from a specific channel. This method is only supported on the desktop.
@ -876,9 +917,9 @@ The DiagnosticLog CSP maintains a log file for each channel node and the log fil
For each channel node, the user can:
- Export channel event data into a log file (.evtx)
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel
- Specify an XPath query to filter events while exporting the channel event data
- Export channel event data into a log file (.evtx).
- Enable or disable the channel from Event Log service to allow or disallow event data being written into the channel.
- Specify an XPath query to filter events while exporting the channel event data.
For more information about using DiagnosticLog to collect logs remotely from a PC or mobile device, see [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md).
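Review bot: "The type of event tracing exports event data from a specific channel." should be "This type of event tracing exports event data from a specific channel.", matching the opening of the collector-based section ("This type of event tracing collects event data...") shown in the previous hunk header.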
@ -887,13 +928,13 @@ To gather diagnostics using this CSP:
1. Specify a *CollectorName* for the container of the target ETW providers.
2. (Optional) Set logging and log file parameters using the following options:
- <a href="#etwlog-collectors-collectorname-tracelogfilemode">TraceLogFileMode</a>
- <a href="#etwlog-collectors-collectorname-logfilesizelimitmb">LogFileSizeLimitMB</a>
- [TraceLogFileMode](#etwlog-collectors-collectorname-tracelogfilemode)
- [LogFileSizeLimitMB](#etwlog-collectors-collectorname-logfilesizelimitmb)
3. Indicate one or more target ETW providers by supplying its *ProviderGUID* to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
3. Indicate one or more target ETW providers by supplying its **ProviderGUID** to the Add operation of EtwLog/Collectors/*CollectorName*/Providers/*ProviderGUID*.
4. (Optional) Set logging and log file parameters using the following options:
- <a href="#etwlog-collectors-collectorname-providers-providerguid-tracelevel">TraceLevel</a>
- <a href="#etwlog-collectors-collectorname-providers-providerguid-keywords">Keywords</a>
- [TraceLevel](#etwlog-collectors-collectorname-providers-providerguid-tracelevel)
- [Keywords](#etwlog-collectors-collectorname-providers-providerguid-keywords)
5. Start logging using **TraceControl** EXECUTE command “START”.
6. Perform actions on the target device that will generate activity in the log files.
7. Stop logging using **TraceControl** EXECUTE command “STOP”.
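Review bot: step 3 changes *ProviderGUID* to bold (**ProviderGUID**) while the same line keeps the italic path segment `Providers/*ProviderGUID*` and step 1 keeps *CollectorName* in italics; placeholders should stay italic throughout. In the same step, "one or more target ETW providers by supplying its *ProviderGUID*" should be "their *ProviderGUID*" (or "the *ProviderGUID* of each") to agree with the plural.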
@ -1439,7 +1480,7 @@ The supported value is Execute.
## FileDownload area
The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
The FileDownload feature of the DiagnosticLog CSP enables a management server to pull data directly from the device. In the FileDownload context, the client and server roles are conceptually reversed, with the management server acting as a client to download the data from the managed device.
### Comparing FileDownload and DiagnosticArchive
@ -1624,6 +1665,7 @@ The supported operation is Get.
### Reading a log file
To read a log file:
1. Enumerate log file under **./Vendor/MSFT/DiagnosticLog/FileDownload/DMChannel**.
2. Select a log file in the Enumeration result.
3. Set **BlockSizeKB** per DM server payload limitation.
@ -1632,3 +1674,7 @@ To read a log file:
6. Get **BlockData** for upload log block.
7. Increase **BlockIndexToRead**.
8. Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)
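Review bot: step 8 of "Reading a log file" reads "Repeat steps 5 to 7 until **BlockIndexToRead == (BlockIndexToRead 1)**", which compares the node with itself and has no operator between the operand and `1`; the intended comparison (a different node name and, most likely, a minus sign) has been lost and should be restored in this hunk, since this is the loop's only termination condition.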


@ -14,16 +14,24 @@ ms.date: 06/26/2017
# DMAcc CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DMAcc configuration service provider allows an OMA Device Management (DM) version 1.2 server to handle OMA DM account objects. The server can use this configuration service provider to add a new account or to manage an existing account, including an account that was bootstrapped by using the [w7 APPLICATION configuration service provider](w7-application-csp.md)
> **Note**  This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
> [!Note]
>This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application.
For the DMAcc CSP, you can't use the Replace command unless the node already exists.
The following example shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
The following shows the DMAcc configuration service provider management object in tree format as used by OMA Device Management version 1.2. The OMA Client Provisioning protocol isn't supported by this configuration service provider.
```
./SyncML
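Review bot: the new note line ">This configuration service provider requires..." needs a space after ">" to match "> [!Note]" above it and the other note blocks in this patch; in the same hunk, the introductory sentence ending "...[w7 APPLICATION configuration service provider](w7-application-csp.md)" is missing its final period.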
@ -237,13 +245,10 @@ Required. Specifies the role mask that the OMA DM session runs with when it comm
If this parameter isn't present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.
- 4 = SECROLE\_OPERATOR
- 8 = SECROLE\_MANAGER
- 16 = SECROLE\_USER\_AUTH
- 128 = SECROLE\_OPERATOR\_TPS
- 4 = SECROLE\_OPERATO
- 8 = SECROLE\_MANAGE
- 16 = SECROLE\_USER\_AUT
- 128 = SECROLE\_OPERATOR\_TPS
The acceptable access roles for this node can't be more than the roles assigned to the DMAcc object.
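Review bot: the rewritten role-mask list truncates three constant names: "SECROLE\_OPERATO", "SECROLE\_MANAGE" and "SECROLE\_USER\_AUT" have each lost their last letter compared with the original "SECROLE\_OPERATOR", "SECROLE\_MANAGER" and "SECROLE\_USER\_AUTH" (only SECROLE\_OPERATOR\_TPS survived intact). These are identifiers a server implementer will copy, so please restore the full names before merging.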
@ -256,11 +261,9 @@ The default value of "FALSE" specifies that an application-specific GUID is retu
A value is "TRUE" specifies that the hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. In this case:
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
- For GSM phones, the IMEI is returned.
- For CDMA phones, the MEID is returned.
- For dual SIM phones, this value is retrieved from the UICC of the primary data line.
Value type is bool. Supported operations are Add, Get, and Replace.
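Review bot: the context sentence "A value is "TRUE" specifies that the hardware device ID will be provided..." should read "A value of "TRUE" specifies..." to parallel "The default value of "FALSE" specifies..." in the hunk header; worth fixing while the list beneath it is being reformatted.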
@ -292,9 +295,8 @@ The supported names are Subject and Stores; wildcard certificate search isn't su
Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name isn't case sensitive.
> **Note**   %EF%80%80 is the UTF8-encoded character U+F000.
> [!Note]
> %EF%80%80 is the UTF8-encoded character U+F000.
Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following schema:
@ -312,15 +314,4 @@ Supported operations are Add, and Replace.
## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -14,6 +14,15 @@ ms.date: 11/01/2017
# DMClient CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DMClient configuration service provider (CSP) has more enterprise-specific mobile device management (MDM) configuration settings. These settings identify the device in the enterprise domain, include security mitigation for certificate renewal, and are used for server-triggered enterprise unenrollment.
@ -66,6 +75,7 @@ DMClient
----Unenroll
----UpdateManagementServiceAddress
```
<a href="" id="msft"></a>**./Vendor/MSFT**
All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
@ -104,8 +114,6 @@ Supported operations are Get and Add.
> Although hardware device IDs are guaranteed to be unique, there's a concern that this isn't ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION CSPs **USEHWDEVID** parm by another management server. So during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
This node is required and must be set by the server before the client certificate renewal is triggered.
<a href="" id="provider-providerid-exchangeid"></a>**Provider/*ProviderID*/ExchangeID**
Optional. Character string that contains the unique Exchange device ID used by the Outlook account of the user the session is running against. The enterprise management server can correlate and merge records for:
@ -115,8 +123,6 @@ Optional. Character string that contains the unique Exchange device ID used by t
> [!NOTE]
> In some cases for the desktop, this node will return "not found" until the user sets up their email.
Supported operation is Get.
The following XML is a Get command example:
@ -148,8 +154,6 @@ Required. The character string that contains the device management server addres
> [!NOTE]
> When the **ManagementServerAddressList** value is set, the device ignores the value.
The DMClient CSP will save the address to the same location as the w7 and DMS CSPs. The save ensures the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped using the [w7 APPLICATION configuration service provider](w7-application-csp.md).
Starting in Windows 10, version 1511, this node supports multiple server addresses in the format &lt;URL1&gt;&lt;URL2&gt;&lt;URL3&gt;. If there's only a single URL, then the &lt;&gt; aren't required. This feature is supported on Windows client devices.
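Review bot: the note `> When the **ManagementServerAddressList** value is set, the device ignores the value.` leaves unclear which value is ignored; this hunk documents ManagementServerAddress, so say so: "the device ignores ManagementServerAddress and uses the list instead". The multi-address format `<URL1><URL2><URL3>` also deserves a sentence on whether the `&lt;`/`&gt;` escaping rule stated for ManagementServerAddressList applies here as well.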
@ -159,7 +163,7 @@ During a DM session, the device will use the first address on the list and then
Supported operations are Add, Get, and Replace.
<a href="" id="provider-providerid-upn"></a>**Provider/*ProviderID*/UPN**
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Optional. Allows the management server to update the User Principal Name (UPN) of the enrolled user. This information is useful when the user's email address changes in the identity system. Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment. The UPN will be recorded and the UX will reflect the updated UPN.
Supported operations are Get and Replace.
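Review bot: the replaced line still carries the fragment `Or, when the user enters an invalid UPN during enrollment, and fixes the UPN during federated enrollment.`; fold it into the preceding sentence: "This information is useful when the user's email address changes in the identity system, or when the user entered an invalid UPN during enrollment and corrected it during federated enrollment." Since Replace lets the server rewrite the enrolled user's UPN, it would also help to state whether the client validates the new value against the identity system or accepts it as-is.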
@ -199,8 +203,6 @@ Optional. Used by the management server to set the DM session version that the s
Once you set the value to 2.0, it won't go back to 1.0.
Supported operations are Get, Replace, and Delete.
<a href="" id="provider-providerid-maxsyncapplicationversion"></a>**Provider/*ProviderID*/MaxSyncApplicationVersion**
@ -279,8 +281,6 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo
> [!NOTE]
> The &lt; and &gt; should be escaped.
```xml
<Replace>
<CmdID>101</CmdID>
@ -299,23 +299,31 @@ If ManagementServerAddressList node is set, the device will only use the server
When the server isn't responding after a specified number of retries, the device tries to use the next server URL in the list. It keeps trying until it gets a successful connection. After the server list is updated, the client uses the updated list at the next session starting with the first one in the list.
Supported operations are Get and Replace. Value type is string.
Supported operations are Get and Replace.
Value type is string.
<a href="" id="provider-providerid-managementservertoupgradeto"></a>**Provider/*ProviderID*/ManagementServerToUpgradeTo**
Optional. Added in Windows 10, version 1703. Specify the Discovery server URL of the MDM provider to upgrade to for a Mobile Application Management (MAM) enrolled device.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-numberofdaysafterlostcontacttounenroll"></a>**Provider/*ProviderID*/NumberOfDaysAfterLostContactToUnenroll**
Optional. Number of days after last successful sync to unenroll.
Supported operations are Add, Delete, Get, and Replace. Value type is integer.
Supported operations are Add, Delete, Get, and Replace.
Value type is integer.
<a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken**
Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this feature will cause the client to send a Device Token if the User Token can't be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
Supported operations are Add, Delete, Get, and Replace.
Value type is bool.
<a href="" id="provider-providerid-poll"></a>**Provider/*ProviderID*/Poll**
Optional. Polling schedules must use the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated.
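Review bot: `Device. Added in Windows 10 version 1803.` on the AADSendDeviceToken line is inconsistent with the `Required. Device only.` wording used for the FirstSyncStatus device nodes later in this commit, and the version string lacks the comma used everywhere else (`Windows 10, version 1803`). NumberOfDaysAfterLostContactToUnenroll documents only "Number of days after last successful sync to unenroll"; it should state the default and the valid range, and what 0 or an absent value means, since this node removes the device from management without operator action.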
@ -442,7 +450,7 @@ Optional. This node enables [Config Lock](config-lock.md) feature. If enabled, p
Default = Locked
> [!Note]
>If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
> If the device isn't a Secured-core PC, then this feature won't work. To know more, see [Secured-core PC](/windows-hardware/design/device-experiences/oem-highly-secure).
<a href="" id="provider-providerid-configlock-lock"></a>**Provider/*ProviderID*/ConfigLock/Lock**
@ -504,22 +512,30 @@ Supported operations are Add, Delete, and Get.
<a href="" id="provider-providerid-customenrollmentcompletepage-title"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/Title**
Optional. Added in Windows 10, version 1703. Specifies the title of the all done page that appears at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-bodytext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/BodyText**
Optional. Added in Windows 10, version 1703. Specifies the body text of the all done page that appears at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinkhref"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkHref**
Optional. Added in Windows 10, version 1703. Specifies the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-customenrollmentcompletepage-hyperlinktext"></a>**Provider/*ProviderID*/CustomEnrollmentCompletePage/HyperlinkText**
Optional. Added in Windows 10, version 1703. Specifies the display text for the URL that's shown at the end of the MDM enrollment flow.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-"></a>**Provider/*ProviderID*/FirstSyncStatus**
Optional node. Added in Windows 10, version 1709.
@ -527,17 +543,23 @@ Optional node. Added in Windows 10, version 1709.
<a href="" id="provider-providerid-firstsyncstatus-expectedpolicies"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPolicies**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to policies the management service provider expects to configure, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectednetworkprofiles "></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedNetworkProfiles**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to Wi-Fi profiles and VPN profiles the management service provider expects to configure, delimited by the character L"\xF000".
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmsiapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedMSIAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseDesktopAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example, `./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID1/Status;4"\xF000" ./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2` This represents App Package ProductID1 containing four apps, and ProductID2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedmodernapppackages"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedModernAppPackages**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages the management service provider expects to configure using the EnterpriseModernAppManagement CSP, delimited by the character L"\xF000". The LocURI will be followed by a semicolon and a number, representing the number of apps included in the App Package. We won't verify that number. For example,
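Review bot: the ExpectedMSIAppPackages example (the two identical lines beginning `Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to App Packages`) renders the delimiter as the literal text `;4"\xF000" ./User/...`, with quotes and a space that are not part of the value; show the delimiter as a placeholder, e.g. `.../MSI/ProductID1/Status;4<U+F000>./User/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/ProductID2/Status;2`, and say once that the list contains the single character U+F000 (the CSP_LIST_DELIMITER named above) with no surrounding whitespace. The anchor `id="provider-providerid-firstsyncstatus-expectednetworkprofiles "` also has a trailing space inside the quotes, which makes that heading's link fragment unreliable.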
@ -549,62 +571,86 @@ Required. Added in Windows 10, version 1709. This node contains a list of LocURI
This syntax represents App Package PackageFullName containing four apps, and PackageFullName2 containing two apps.
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedpfxcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedPFXCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-expectedscepcerts"></a>**Provider/*ProviderID*/FirstSyncStatus/ExpectedSCEPCerts**
Required. Added in Windows 10, version 1709. This node contains a list of LocURIs that refer to SCEP certs the management service provider expects to configure using the ClientCertificateInstall CSP, delimited by the character L"\xF000" (the CSP_LIST_DELIMITER).
Supported operations are Add, Delete, Get, and Replace. Value type is string.
Supported operations are Add, Delete, Get, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-timeoutuntilsyncfailure"></a>**Provider/*ProviderID*/FirstSyncStatus/TimeOutUntilSyncFailure**
Required. Added in Windows 10, version 1709. This node determines how long we will poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
Required. Added in Windows 10, version 1709. This node determines how long we'll poll until we surface an error message to the user. The unit of measurement is minutes. Default value will be 60, while maximum value will be 1,440 (one day).
Supported operations are Get and Replace. Value type is integer.
Supported operations are Get and Replace.
Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-serverhasfinishedprovisioning"></a>**Provider/*ProviderID*/FirstSyncStatus/ServerHasFinishedProvisioning**
Required. Added in Windows 10, version 1709. This node is set by the server to inform the UX that the server has finished configuring the device. It was added so that the server can “change its mind" about what it needs to configure on the device. When this node is set, many other DM Client nodes can't be changed. If this node isn't True, the UX will consider the configuration a failure. Once set to true, it would reject attempts to change it back to false with CFGMGR_E_COMMANDNOTALLOWED. This node applies to the per user expected policies and resources lists.
Supported operations are Get and Replace. Value type is boolean.
Supported operations are Get and Replace.
Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-issyncdone"></a>**Provider/*ProviderID*/FirstSyncStatus/IsSyncDone**
Required. Added in Windows 10, version 1709. This node, when doing a get, tells the server if the “First Syncs" are done and the device is fully configured. `Set` triggers the UX to override whatever state it's in, and tell the user that the device is configured. It can't be set from True to False (it won't change its mind if the sync is done), and it can't be set from True to True (to prevent notifications from firing multiple times). This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is boolean.
Supported operations are Get and Replace.
Value type is boolean.
<a href="" id="provider-providerid-firstsyncstatus-wasdevicesuccessfullyprovisioned"></a>**Provider/*ProviderID*/FirstSyncStatus/WasDeviceSuccessfullyProvisioned**
Required. Added in Windows 10, version 1709. Integer node determining if a device was successfully configured. 0 is failure, 1 is success, 2 is in progress. Once the value is changed to 0 or 1, the value can't be changed again. The client will change the value of success or failure and update the node. The server can force a failure or success message to appear on the device by setting this value and then setting the IsSyncDone node to true. This node only applies to the user MDM status page (on a per user basis).
Supported operations are Get and Replace. Value type is integer.
Supported operations are Get and Replace.
Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-blockinstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/BlockInStatusPage**
Required. Device Only. Added in Windows 10, version 1803. This node determines if the MDM progress page is blocking in the Azure AD joined or DJ++ case, and which remediation options are available.
Supported operations are Get and Replace. Value type is integer.
Supported operations are Get and Replace.
Value type is integer.
<a href="" id="provider-providerid-firstsyncstatus-allowcollectlogsbutton"></a>**Provider/*ProviderID*/FirstSyncStatus/AllowCollectLogsButton**
Required. Added in Windows 10, version 1803. This node decides if the MDM progress page displays the Collect Logs button.
Supported operations are Get and Replace. Value type is bool.
Supported operations are Get and Replace.
Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-customerrortext"></a>**Provider/*ProviderID*/FirstSyncStatus/CustomErrorText**
Required. Added in Windows 10, version 1803. This node allows the MDM to set custom error text, detailing what the user needs to do if there's an error.
Supported operations are Add, Get, Delete, and Replace. Value type is string.
Supported operations are Add, Get, Delete, and Replace.
Value type is string.
<a href="" id="provider-providerid-firstsyncstatus-skipdevicestatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipDeviceStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM device progress page skips after Azure AD joined or Hybrid Azure AD joined in OOBE.
Supported operations are Get and Replace. Value type is bool.
Supported operations are Get and Replace.
Value type is bool.
<a href="" id="provider-providerid-firstsyncstatus-skipuserstatuspage"></a>**Provider/*ProviderID*/FirstSyncStatus/SkipUserStatusPage**
Required. Device only. Added in Windows 10, version 1803. This node decides if the MDM user progress page skips after Azure AD joined or DJ++ after user login.
Supported operations are Get and Replace. Value type is bool.
Supported operations are Get and Replace.
Value type is bool.
<a href="" id="provider-providerid-enhancedapplayersecurity"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity**
Required node. Added in Windows 10, version 1709.
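Review bot: the value type wording alternates within this hunk between `Value type is boolean.` (ServerHasFinishedProvisioning, IsSyncDone) and `Value type is bool.` (AllowCollectLogsButton, SkipDeviceStatusPage, SkipUserStatusPage); standardize on one term. BlockInStatusPage is typed integer and says it decides "which remediation options are available", but the permitted values and their meanings are not listed, and `DJ++` is used without being defined; WasDeviceSuccessfullyProvisioned shows the pattern to follow (0 is failure, 1 is success, 2 is in progress).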
@ -614,22 +660,30 @@ Supported operation is Get.
<a href="" id="provider-providerid-enhancedapplayersecurity-securitymode"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/SecurityMode**
Required. Added in Windows 10, version 1709. This node specifies how the client will do the app layer signing and encryption. 0: no op; 1: sign only; 2: encrypt only; 3: sign and encrypt. The default value is 0.
Supported operations are Add, Get, Replace, and Delete. Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
Value type is integer.
<a href="" id="provider-providerid-enhancedapplayersecurity-usecertifrevocationcheckoffline"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/UseCertIfRevocationCheckOffline**
Required. Added in Windows 10, version 1709. When this node is set, it tells the client to use the certificate even when the client can't check the certificate's revocation status because the device is offline. The default value is set.
Supported operations are Add, Get, Replace, and Delete. Value type is boolean.
Supported operations are Add, Get, Replace, and Delete.
Value type is boolean.
<a href="" id="provider-providerid-enhancedapplayersecurity-cert0"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert0**
Required. Added in Windows 10, version 1709. The node contains the primary certificate - the public key to use.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
Supported operations are Add, Get, Replace, and Delete.
Value type is string.
<a href="" id="provider-providerid-enhancedapplayersecurity-cert1"></a>**Provider/*ProviderID*/EnhancedAppLayerSecurity/Cert1**
Required. Added in Windows 10, version 1709. The node contains the secondary certificate - the public key to use.
Supported operations are Add, Get, Replace, and Delete. Value type is string.
Supported operations are Add, Get, Replace, and Delete.
Value type is string.
<a href="" id="provider-providerid-unenroll"></a>**Provider/*ProviderID*/Unenroll**
Required. The node accepts unenrollment requests using the OMA DM Exec command and calls the enrollment client to unenroll the device from the management server whose provider ID is specified in the `<Data>` tag under the `<Item>` element. Scope is permanent.
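Review bot: `The default value is set.` on the UseCertIfRevocationCheckOffline line is ambiguous and, read as "true", documents a fail-open default in which the client trusts a certificate whose revocation status it could not check; state the default as an explicit boolean and call out that an operator who wants revocation enforced must set it to false. Cert0 and Cert1 are typed string and described only as "the public key to use"; the doc should say what encoding the server is expected to send (for example a base64-encoded certificate versus a thumbprint) and how the primary and secondary certificates relate to the sign and encrypt modes listed under SecurityMode.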
@ -658,5 +712,4 @@ The following SyncML shows how to remotely unenroll the device. This command sho
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -13,10 +13,19 @@ manager: dansimp
# DMSessionActions CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The DMSessionActions configuration service provider (CSP) is used to manage:
- the number of sessions the client skips if the device is in a low-power state
- the number of sessions the client skips if the device is in a low-power state.
- which CSP nodes should send an alert back to the server if there were any changes.
This CSP was added in Windows 10, version 1703.
@ -62,42 +71,59 @@ DMSessionActions
------------MaxSkippedSessionsInLowPowerState
------------MaxTimeSessionsSkippedInLowPowerState
```
<a href="" id="vendor-msft-dmsessionactions"></a>**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
<p>Defines the root node for the DMSessionActions configuration service provider.</p>
Defines the root node for the DMSessionActions configuration service provider.
<a href="" id="providerid"></a>***ProviderID***
<p>Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache. </p>
Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
<p>Scope is dynamic. Supported operations are Get, Add, and Delete.</p>
Scope is dynamic. Supported operations are Get, Add, and Delete.
<a href="" id="checkinalertconfiguration"></a>***ProviderID*/CheckinAlertConfiguration**
<p>Node for the custom configuration of alerts to be sent during MDM sync session.</p>
Node for the custom configuration of alerts to be sent during MDM sync session.
<a href="" id="nodes"></a>***ProviderID*/CheckinAlertConfiguration/Nodes**
<p>Required. Root node for URIs to be queried. Scope is dynamic.</p>
Required. Root node for URIs to be queried. Scope is dynamic.
<p>Supported operation is Get.</p>
Supported operation is Get.
<a href="" id="nodeid"></a>***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID***
<p>Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.</p>
Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
<p>Supported operations are Get, Add, and Delete.</p>
Supported operations are Get, Add, and Delete.
<a href="" id="nodeuri"></a>***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI**
<p>Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.</p>
<p>Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
Value type is string.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="alertdata"></a>**AlertData**
<p>Node to query the custom alert per server configuration</p>
<p>Value type is string. Supported operation is Get.</p>
Node to query the custom alert per server configuration
Value type is string.
Supported operation is Get.
<a href="" id="powersettings"></a>**PowerSettings**
<p>Node for power-related configurations</p>
Node for power-related configurations.
<a href="" id="maxskippedsessionsinlowpowerstate"></a>**PowerSettings/MaxSkippedSessionsInLowPowerState**
<p>Maximum number of continuous skipped sync sessions when the device is in low-power state.</p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Maximum number of continuous skipped sync sessions when the device is in low-power state.
Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
<a href="" id="maxtimesessionsskippedinlowpowerstate"></a>**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**
<p>Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state. </p>
<p>Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
Value type is integer.
Supported operations are Add, Get, Replace, and Delete.
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
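Review bot: the converted ProviderID description still ends with `Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.`, but this file documents DMSessionActions, not the NodeCache CSP; the sentence reads as copied from that page and should say "... only one ProviderID node under DMSessionActions". Also the AlertData line `Node to query the custom alert per server configuration` is missing its terminal period while the PowerSettings line received one in the same hunk.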


@ -14,7 +14,17 @@ ms.collection: highpri
# DynamicManagement CSP
Windows 10 allows you to manage devices differently depending on location, network, or time.  In Windows 10, version 1703 the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|No|No|
|Business|No|No|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
Windows 10 or Windows 11 allows you to manage devices differently depending on location, network, or time.  Added in Windows 10, version 1703, the focus is on the most common areas of concern expressed by organizations. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device isn't within the corporate building or campus. Once configured, these settings will be enforced even if the device cant reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs.
This CSP was added in Windows 10, version 1703.
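Review bot: the rewritten intro line (`Windows 10 or Windows 11 allows you to manage devices ...`) keeps the typo `cant reach the management server` from the old line; change it to `can't`. The inserted clause `Added in Windows 10, version 1703, the focus is on ...` dangles (it attaches "added" to "the focus") and duplicates the line directly below it, `This CSP was added in Windows 10, version 1703.`; drop the clause and keep the standalone sentence.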
@ -33,13 +43,18 @@ DynamicManagement
------------Altitude
----AlertsEnabled
```
<a href="" id="dynamicmanagement"></a>**DynamicManagement**
<p>The root node for the DynamicManagement configuration service provider.</p>
The root node for the DynamicManagement configuration service provider.
<a href="" id="notificationsenabled"></a>**NotificationsEnabled**
<p>Boolean value for sending notification to the user of a context change.</p>
<p>Default value is False. Supported operations are Get and Replace.</p>
<p>Example to turn on NotificationsEnabled:</p>
Boolean value for sending notification to the user of a context change.
Default value is False.
Supported operations are Get and Replace.
Example to turn on NotificationsEnabled:
```xml
<Replace>
@ -56,45 +71,64 @@ DynamicManagement
</Item>
</Replace>
```
<a href="" id="activelist"></a>**ActiveList**
<p>A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..</p>
<p>Supported operation is Get.</p>
A string containing the list of all active ContextIDs on the device. Delimiter is unicode character 0xF000.
Supported operation is Get.
<a href="" id="contexts"></a>**Contexts**
<p>Node for context information.</p>
<p>Supported operation is Get.</p>
Node for context information.
Supported operation is Get.
<a href="" id="contextid"></a>***ContextID***
<p>Node created by the server to define a context. Maximum number of characters allowed is 38.</p>
<p>Supported operations are Add, Get, and Delete.</p>
Node created by the server to define a context. Maximum number of characters allowed is 38.
Supported operations are Add, Get, and Delete.
<a href="" id="signaldefinition"></a>**SignalDefinition**
<p>Signal Definition XML.</p>
<p>Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
Signal Definition XML.
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="settingspack"></a>**SettingsPack**
<p>Settings that get applied when the Context is active.</p>
<p>Value type is string. Supported operations are Add, Get, Delete, and Replace.</p>
Settings that get applied when the Context is active.
Value type is string.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="settingspackresponse"></a>**SettingsPackResponse**
<p>Response from applying a Settings Pack that contains information on each individual action.</p>
<p>Value type is string. Supported operation is Get.</p>
Response from applying a Settings Pack that contains information on each individual action.
Value type is string.
Supported operation is Get.
<a href="" id="contextstatus"></a>**ContextStatus**
<p>Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.</p>
<p>Value type is integer. Supported operation is Get.</p>
Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly is failed.
Value type is integer.
Supported operation is Get.
<a href="" id="altitude"></a>**Altitude**
<p>A value that determines how to handle conflict resolution of applying multiple contexts on the device. This value is required and must be distinct of other priorities.</p>
<p>Value type is integer. Supported operations are Add, Get, Delete, and Replace.</p>
A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
Value type is integer.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="alertsenabled"></a>**AlertsEnabled**
<p>A Boolean value for sending an alert to the server when a context fails.</p>
<p>Supported operations are Get and Replace.</p>
A Boolean value for sending an alert to the server when a context fails.
Supported operations are Get and Replace.
## Examples
Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
Disable Cortana based on Geo location and time, from 9am-5pm, when in the 100-meters radius of the specified latitude/longitude
```xml
<Replace>
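Review bot: the ContextStatus rewrite introduces a grammar regression: `SettingsPackResponse should be checked for what exactly is failed.` replaces the correct `what exactly failed`; revert that word. On the Altitude line, `must be distinct of other priorities` should be `distinct from`, and since the value resolves conflicts between contexts the doc should say whether a higher or a lower Altitude wins. The example heading `Disable Cortana based on Geo location and time, from 9am-5pm, ...` also lacks the trailing colon the other example headings receive in this commit.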
@ -203,7 +237,7 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew
</Replace>
```
Delete a context
Delete a context:
```xml
<Delete>
@ -216,7 +250,7 @@ Delete a context
</Delete>
```
Get ContextStatus and SignalDefinition from a specific context
Get ContextStatus and SignalDefinition from a specific context:
```xml
<Get>
@ -236,3 +270,7 @@ Get ContextStatus and SignalDefinition from a specific context
</Item>
</Get>
```
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)


@ -14,6 +14,15 @@ ms.date: 06/26/2017
# EMAIL2 CSP
The table below shows the applicability of Windows:
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|Yes|Yes|
|Pro|Yes|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
The EMAIL2 configuration service provider (CSP) is used to configure Simple Mail Transfer Protocol (SMTP) email accounts.
@ -81,9 +90,8 @@ Supported operations are Get, Add, and Delete.
The braces {} around the GUID are required in the EMAIL2 configuration service provider.
- For OMA Client Provisioning, the braces can be sent literally. For example, `<characteristic type="{C556E16F-56C4-4edb-9C64-D9469EE1FBE0}"/>`.
- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `<Target><LocURI>./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D</LocURI></Target>`
- For OMA Client Provisioning, the braces can be sent literally. For example, `<characteristic type="{C556E16F-56C4-4edb-9C64-D9469EE1FBE0}"/>`
- For OMA DM, the braces must be sent using ASCII values of 0x7B and 0x7D respectively. For example, `<Target><LocURI>./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D</LocURI></Target>`
<a href="" id="accounticon"></a>**ACCOUNTICON**
Optional. Returns the location of the icon associated with the account.
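Review bot: the OMA DM example for the GUID braces is ambiguous, and since this hunk touches both bullets anyway it should be clarified. `{` and `}` already are ASCII 0x7B and 0x7D, so "the braces must be sent using ASCII values of 0x7B and 0x7D" does not say how this differs from sending them literally, yet the example LocURI `./Vendor/MSFT/EMAIL2/0x7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0x7D` embeds the text `0x7B` and `0x7D` as characters. State plainly whether the server must place the literal strings `0x7B`/`0x7D` in the LocURI or whether an escaped encoding of the brace characters is meant, and give one unambiguous resulting LocURI.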
@ -99,9 +107,8 @@ Supported operations are Get, Add, Replace, and Delete.
Valid values are:
- Email: normal email
- VVM: visual voice mail
- Email: Normal email
- VVM: Visual voice mail
<a href="" id="authname"></a>**AUTHNAME**
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name).
@ -113,16 +120,14 @@ Optional. Character string that specifies whether the outgoing server requires a
Supported operations are Get, Add, Replace, and Delete.
Value options:
Value options are:
- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
- 0 - Server authentication isn't required.
- 1 - Server authentication is required.
> [!NOTE]
> If this value isn't specified, then no SMTP authentication is done. Also, this is different from SMTPALTENABLED.
 
<a href="" id="authsecret"></a>**AUTHSECRET**
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication.
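Review bot: the note under the AUTHREQUIRED value list says "this is different from SMTPALTENABLED" without saying how, which tells the reader nothing; spell out the distinction in one sentence. "If this value isn't specified, then no SMTP authentication is done" describes the default, so it belongs in the list as "0 (default) - Server authentication isn't required." rather than in a note. For AUTHSECRET, which holds the mailbox password, the description should state whether Get returns the stored value or only that one is set; an operator of the management server needs to know whether this node can hand the secret back out.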
@ -140,18 +145,15 @@ Supported operations are Get, Add, Replace, and Delete.
Value options:
- -1: Specifies that all email currently on the server should be downloaded.
- 7: Specifies that seven days worth of email should be downloaded.
- 14: Specifies that 14 days worth of email should be downloaded.
- 30: Specifies that 30 days worth of email should be downloaded.
- -1: Specifies that all email currently on the server should be downloaded.
- 7: Specifies that seven days worth of email should be downloaded.
- 14: Specifies that 14 days worth of email should be downloaded.
- 30: Specifies that 30 days worth of email should be downloaded.
<a href="" id="inserver"></a>**INSERVER**
Required. Character string that specifies the name of the incoming server name and port number. This string is limited to 62 characters. If the standard port number is used, then you don't have to specify the port number. The value format is:
- server name:port number
- server name:port number
Supported operations are Get, Add, and Replace.
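Review bot: the INSERVER description doubles the word "name": "specifies the name of the incoming server name and port number" should be "specifies the incoming server name and port number". The format bullet is also clearer in code font with placeholders, `<server name>:<port number>`, so the colon isn't mistaken for prose punctuation; the same applies to the OUTSERVER bullet in the next hunk.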
@ -162,20 +164,16 @@ Supported operations are Get, Add, Replace, and Delete.
Value options:
- 0 - Email updates must be performed manually.
- 15 (default) - Wait for 15 minutes between updates.
- 30 - Wait for 30 minutes between updates.
- 60 - Wait for 60 minutes between updates.
- 120 - Wait for 120 minutes between updates.
- 0 - Email updates must be performed manually
- 15 (default) - Wait for 15 minutes between updates
- 30 - Wait for 30 minutes between updates
- 60 - Wait for 60 minutes between updates
- 120 - Wait for 120 minutes between updates.
<a href="" id="keepmax"></a>**KEEPMAX**
Optional. Specifies the maximum size for a message attachment. Attachments beyond this size will not be downloaded but it will remain on the server. The message itself will be downloaded. This value can be set only for IMAP4 accounts.
The limit is specified in KB
The limit is specified in KB.
Value options are 0, 25, 50, 125, and 250.
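Review bot: the rewritten update-interval list is inconsistent with itself: the items for 0, 15, 30 and 60 lose their trailing periods, but "120 - Wait for 120 minutes between updates." keeps one. Pick one form (the other value lists in this file end each item with a period). Two lines below, in KEEPMAX, "Attachments beyond this size will not be downloaded but it will remain on the server" mixes number; make it "Attachments larger than this size aren't downloaded but remain on the server; the message itself is still downloaded." The stand-alone "The limit is specified in KB." would also read better folded into the first sentence.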
@ -191,7 +189,7 @@ Supported operations are Get, Add, Replace, and Delete.
<a href="" id="outserver"></a>**OUTSERVER**
Required. Character string that specifies the name of the messaging service's outgoing email server. Limited to 62 characters. The value format is:
- server name:port number
- server name:port number
Supported operations are Get, Add, Delete, and Replace.
@ -208,8 +206,6 @@ Supported operations are Get, Add, Replace, and Delete.
> [!NOTE]
> The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="servicetype"></a>**SERVICETYPE**
Required. Character string that specifies the type of email service to create or edit (for example, "IMAP4" or "POP3").
@ -217,8 +213,6 @@ Supported operations are Get, Add, Replace, and Delete.
> **Note**   The EMAIL2 Configuration Service Provider doesn't support the OMA DM **Replace** command on the parameters **SERVICENAME** and **SERVICETYPE**. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created.
 
<a href="" id="retrieve"></a>**RETRIEVE**
Optional. Specifies the maximum size in bytes for messages retrieved from the incoming email server. Messages beyond this size are retrieved, but truncated.
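Review bot: the note under SERVICETYPE still uses the legacy `> **Note**   ...` form while the identical note under SERVICENAME in the previous hunk uses `> [!NOTE]`; since this hunk only strips the trailing blank line, convert it to `> [!NOTE]` on its own line with the text on the following quoted line so the two render the same. The text is a verbatim copy of the SERVICENAME note, which is acceptable for a per-node reference, but the two must be kept in sync if either changes.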
@ -227,10 +221,10 @@ Value options are 512, 1024, 2048, 5120, 20480, and 51200.
Supported operations are Get, Add, Replace, and Delete.
<a href="" id="serverdeleteaction"></a>**SERVERDELETEACTION**
Optional. Character string that specifies how message is deleted on server. Value options:
Optional. Character string that specifies how message is deleted on server. Value options are:
- 1 - delete message on the server
- 2 - keep the message on the server (delete to the Trash folder).
- 1 - Delete message on the server.
- 2 - Keep the message on the server (delete to the Trash folder).
Any other value results in default action, which depends on the transport.
@ -244,19 +238,19 @@ Value type is string. Supported operations are Get, Add, Replace, and Delete.
<a href="" id="syncingcontenttypes"></a>**SYNCINGCONTENTTYPES**
Required. Specifies a bitmask for which content types are supported for syncing, like Mail, Contacts, and Calendar.
- No data (0x0)
- Contacts (0x1)
- Mail (0x2)
- Appointments (0x4)
- Tasks (0x8)
- Notes (0x10)
- Feeds (0x60)
- Network Photo (0x180)
- Group and room (0x200)
- Chat (0x400)
- Email Recipient Email (0x800)
- Server Link (0x1000)
- All items (0xffffffff)
- No data (0x0)
- Contacts (0x1)
- Mail (0x2)
- Appointments (0x4)
- Tasks (0x8)
- Notes (0x10)
- Feeds (0x60)
- Network Photo (0x180)
- Group and room (0x200)
- Chat (0x400)
- Email Recipient Email (0x800)
- Server Link (0x1000)
- All items (0xffffffff)
Supported operations are Get, Add, Replace, and Delete.
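Review bot: the SYNCINGCONTENTTYPES list is described as a bitmask, but two of its values aren't single bits: Feeds (0x60) is 0x20 | 0x40 and Network Photo (0x180) is 0x80 | 0x100, and no entries exist for 0x20, 0x40, 0x80 or 0x100 on their own. Either these are multi-bit values by design, in which case say so, or the table is wrong; please confirm against the CSP source before merging a hunk that touches every line of it. "Email Recipient Email (0x800)" also looks like a duplicated word and should be checked. Finally, the list never says how the values combine; one sentence stating that the required flags are ORed together (Mail and Contacts being 0x3) would make the node usable without guessing.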
@ -322,10 +316,10 @@ Optional. Character string that specifies if the incoming email server requires
Supported operations are Get, Add, Replace, and Delete.
Value options:
Value options are:
- 0 - SSL isn't required.
- 1 - SSL is required.
- 0 - SSL isn't required.
- 1 - SSL is required.
<a href="" id="tagprops-812c000b"></a>**TAGPROPS/812C000B**
Optional. Character string that specifies if the outgoing email server requires SSL.
@ -334,37 +328,28 @@ Supported operations are Get and Replace.
Value options:
- 0 - SSL isn't required.
- 1 - SSL is required.
- 0 - SSL isn't required.
- 1 - SSL is required.
## Remarks
When an application removal or configuration roll-back is provisioned, the EMAIL2 CSP passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted. All messages and other properties that the transport (like Short Message Service \[SMS\], Post Office Protocol \[POP\], or Simple Mail Transfer Protocol \[SMTP\]) might have stored, are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).
For OMA DM, the EMAIL2 CSP handles the Replace command differently from most other configuration service providers. For the EMAIL2 CSP, Configuration Manager implicitly adds the missing part of the node to be replaced or any segment in the path of the node if it's left out in the \<LocURI>\</LocURI\> block. There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
- Account details cannot be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
- The incoming server logon credentials are used (AUTHNAME, AUTHSECRET, and DOMAIN) unless the outgoing server credentials are set.
- If some of the outgoing server credentials parameters are present, then the EMAIL2 Configuration Service Provider will be considered in error.
- Account details can't be queried unless the account GUID is known. Currently, there's no way to perform a top-level query for account GUIDs.
If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following steps show how to enable TLS.
1. The device attempts to connect to the mail server using SSL.
2. If the SSL connection fails, the device attempts to connect using deferred SSL.
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection.
4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection.
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
1. The device attempts to connect to the mail server using SSL
2. If the SSL connection fails, the device attempts to connect using deferred SSL
3. If the connection fails over both SSL and deferred SSL, and the user selected **Server requires encrypted (SSL) connection**, the device doesn't attempt another connection
4. If the user didn't select **Server requires encrypted (SSL) connection**, the device attempts to establish a non-SSL connection
5. If the connection succeeds using any of the encryption protocols, the device requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, then the device enables TLS. TLS isn't enabled on connections using SSL or non-SSL.
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
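Review bot: the renumbered TLS negotiation list is inconsistent: steps 1 through 4 lose their trailing periods while steps 5 and 6 keep them; make them uniform. More importantly, the passage never defines its three terms. From the steps, "SSL" means an implicitly encrypted connection, "deferred SSL" means a plaintext connection upgraded when the server advertises STARTTLS, and step 6's "TLS isn't enabled on connections using SSL or non-SSL" only makes sense if "TLS" here refers to that STARTTLS upgrade, because an "SSL" connection is already TLS. One defining sentence before the list would remove the apparent contradiction. Step 4 is the security-relevant one: when the user hasn't selected **Server requires encrypted (SSL) connection**, the device falls back to a non-SSL connection, on which AUTHNAME and AUTHSECRET are sent without transport encryption; the remark should say that explicitly and point at the SSL-required TAGPROPS values (812C000B for the outgoing server and its incoming-server counterpart) as the way to prevent the fallback. In the credential rules, "If some of the outgoing server credentials parameters are present" should be "If only some of the outgoing server credential parameters are present", which I read as the intended all-or-none requirement.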

@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: dansimp
ms.localizationpriority: medium
ms.date: 09/27/2019
ms.date: 05/09/2022
ms.reviewer:
manager: dansimp
---
@ -72,6 +72,9 @@ manager: dansimp
<hr/>
> [!Important]
> The DeviceLock CSP utilizes the [Exchange ActiveSync Policy Engine](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)). When password length and complexity rules are applied, all the local user and administrator accounts are marked to change their password at the next sign in to ensure complexity requirements are met. For additional information, see [Password length and complexity supported by account types](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn282287(v=ws.11)#password-length-and-complexity-supported-by-account-types)).
<!--Policy-->
<a href="" id="devicelock-allowidlereturnwithoutpassword"></a>**DeviceLock/AllowIdleReturnWithoutPassword**

@ -266,7 +266,7 @@ ms.collection: highpri
Allows the IT admin (when used with **Update/ActiveHoursStart**) to manage a range of active hours where update reboots aren't scheduled. This value sets the end time. there's a 12-hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
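Review bot: the description line shown as this hunk's context still says "there's a 12-hour maximum from start time" (with a lowercase "there's" starting a sentence after a period), while the note directly beneath says the maximum was raised to 18 in Windows 10, version 1703 and is configurable through **Update/ActiveHoursMaxRange**. Since only trailing whitespace changed in the note, take the opportunity to fix the stale sentence, for example: "There's an 18-hour maximum from the start time by default (12 hours before Windows 10, version 1703); see **Update/ActiveHoursMaxRange**." The same stale "12-hour maximum from end time" sentence appears in the ActiveHoursStart hunk immediately below and needs the same change.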
@ -361,7 +361,7 @@ ADMX Info:
Allows the IT admin (when used with **Update/ActiveHoursEnd**) to manage a range of hours where update reboots aren't scheduled. This value sets the start time. There's a 12-hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
@ -426,12 +426,12 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 0 - Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end users to manage data usage. With these option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 - Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end user is prompted to schedule the restart time. The end user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end user to control the start time reduces the risk of accidental data loss caused by applications that don't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
- 2 (default) - Auto install and restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. Automatic restarting when a device isn't being used is the default behavior for unmanaged devices. Devices are updated quickly, but it increases the risk of accidental data loss caused by an application that doesn't shut down properly on restart. For more information, see [Automatic maintenance](/windows/win32/taskschd/task-maintenence).
- 3 Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
- 5 Turn off automatic updates.
- 3 - Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart.
- 4 - Auto install and restart without end-user control. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device isn't in use and isn't running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates right away. If a restart is required, then the device is automatically restarted when the device isn't actively being used. This setting option also sets the end-user control panel to read-only.
- 5 - Turn off automatic updates.
> [!IMPORTANT]
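Review bot: in the rewritten value 0 line, "With these option users are notified" should be "With this option, users are notified", and "This policy is used by the enterprise who wants to enable the end users to manage data usage" reads better as "This option suits enterprises that want end users to manage data usage." In value 3, "The IT specifies the installation day and time" should be "IT specifies the installation day and time." One content point: values 1, 2 and 4 repeat the same sentences about non-metered networks, Automatic Maintenance and the two-day fallback word for word; stating that once above the list and keeping only the restart behaviour in each item would make the actual differences (user-scheduled restart, automatic restart, automatic restart with the control panel read-only) easy to see.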
@ -536,8 +536,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 Not configured.
- 1 Allowed. Accepts updates received through Microsoft Update.
- 0 - Not configured.
- 1 - Allowed. Accepts updates received through Microsoft Update.
> [!NOTE]
> Setting this policy back to **0** or **Not configured** doesn't revert the configuration to receive updates from Microsoft Update automatically. In order to revert the configuration, you can run the PowerShell commands that are listed below to remove the Microsoft Update service:.
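Review bot: the note's last sentence ends with a stray ":." ("remove the Microsoft Update service:."); drop the period, since the colon introduces the commands that follow. The note is an important caveat (setting the policy back to 0 doesn't undo the change), so consider `> [!IMPORTANT]`, which this file already uses elsewhere, instead of `> [!NOTE]`.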
@ -588,8 +588,8 @@ This policy is specific to desktop and local publishing via WSUS for third-party
<!--SupportedValues-->
The following list shows the supported values:
- 0 Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
- 0 - Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 - Allowed. Accepts updates received through an intranet Microsoft update service location, if they're signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
<!--/SupportedValues-->
<!--/Policy-->
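Review bot: value 1 widens the update trust boundary and the description should say so rather than only restating the mechanism. Accepting intranet updates signed by any certificate in the local computer's "Trusted Publishers" store means that whoever can add a certificate to that store, or holds the key for one already there, and can reach the intranet update service location can deliver code that Windows Update installs. Add a sentence recommending that this be enabled only alongside a locked-down WSUS server (the hunk's own context says the policy is specific to local publishing via WSUS) and a centrally managed Trusted Publishers store, and keep the value 0 wording, "must be signed by Microsoft", as the stated baseline. The " - " separator change itself is fine.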
@ -629,7 +629,7 @@ Even when Windows Update is configured to receive updates from an intranet updat
Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft Store to stop working.
> [!NOTE]
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
> This policy applies only when the desktop or device is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
<!--/Description-->
<!--ADMXMapped-->
@ -643,8 +643,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 Update service isn't allowed.
- 1 (default) Update service is allowed.
- 0 - Update service isn't allowed.
- 1 (default) - Update service is allowed.
<!--/SupportedValues-->
<!--/Policy-->
@ -856,8 +856,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 1 (default) Auto Dismissal.
- 2 User Dismissal.
- 1 (default) - Auto Dismissal.
- 2 - User Dismissal.
<!--/SupportedValues-->
<!--/Policy-->
@ -1306,7 +1306,7 @@ Defers Feature Updates for the specified number of days.
Supported values are 0-365 days.
> [!IMPORTANT]
> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
> The default maximum number of days to defer an update has been increased from 180 (Windows 10, version 1607) to 365 in Windows 10, version 1703.
<!--/Description-->
<!--ADMXMapped-->
@ -1393,7 +1393,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify update delays for up to four weeks.
@ -1471,7 +1471,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
Allows IT Admins to specify other upgrade delays for up to eight months.
@ -1616,18 +1616,18 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
Available in Windows Update for Business (WUfB) devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a WUfB device should skip safeguards.
Available in Windows Update for Business devices running Windows 10, version 1809 and above and installed with October 2020 security update. This policy setting specifies that a Windows Update for Business device should skip safeguards.
Safeguard holds prevent a device with a known compatibility issue from being offered a new OS version. The offering will proceed once a fix is issued and is verified on a held device. The aim of safeguards is to protect the device and user from a failed or poor upgrade experience.
The safeguard holds protection is provided by default to all the devices trying to update to a new Windows 10 Feature Update version via Windows Update.
IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the “Disable safeguards for Feature Updates” Group Policy.
IT admins can, if necessary, opt devices out of safeguard protections using this policy setting or via the "Disable safeguards for Feature Updates" Group Policy.
> [!NOTE]
> Opting out of the safeguards can put devices at risk from known performance issues. We recommend opting out only in an IT environment for validation purposes. Further, you can leverage the Windows Insider Program for Business Release Preview Channel in order to validate the upcoming Windows 10 Feature Update version without the safeguards being applied.
>
> The disable safeguards policy will revert to “Not Configured” on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsofts default protection from known issues for each new feature update.
> The disable safeguards policy will revert to "Not Configured" on a device after moving to a new Windows 10 version, even if previously enabled. This ensures the admin is consciously disabling Microsoft's default protection from known issues for each new feature update.
>
> Disabling safeguards doesn't guarantee your device will be able to successfully update. The update may still fail on the device and will likely result in a bad experience post upgrade as you're bypassing the protection given by Microsoft pertaining to known issues.
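Review bot: expanding "WUfB" to "Windows Update for Business" is right, but the same sentence still reads "installed with October 2020 security update"; it needs the article: "with the October 2020 security update installed". Straightening the curly quotes in "Disable safeguards for Feature Updates", "Not Configured" and "Microsoft's" is fine. In the note, "you can leverage the Windows Insider Program for Business Release Preview Channel" would read more plainly as "you can use ...".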
@ -2069,8 +2069,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Allow Windows Update drivers.
- 1 Exclude Windows Update drivers.
- 0 (default) - Allow Windows Update drivers.
- 1 - Exclude Windows Update drivers.
<!--/SupportedValues-->
<!--/Policy-->
@ -2121,8 +2121,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Disabled.
- 1 Enabled.
- 0 (default) - Disabled.
- 1 - Enabled.
<!--/SupportedValues-->
<!--/Policy-->
@ -2164,8 +2164,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading)
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Don't ignore MO download limit for apps and their updates.
- 1 Ignore MO download limit (allow unlimited downloading) for apps and their updates.
- 0 (default) - Don't ignore MO download limit for apps and their updates.
- 1 - Ignore MO download limit (allow unlimited downloading) for apps and their updates.
<!--/SupportedValues-->
<!--Validation-->
@ -2217,8 +2217,8 @@ Specifies whether to ignore the MO download limit (allow unlimited downloading)
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Don't ignore MO download limit for OS updates.
- 1 Ignore MO download limit (allow unlimited downloading) for OS updates.
- 0 (default) - Don't ignore MO download limit for OS updates.
- 1 - Ignore MO download limit (allow unlimited downloading) for OS updates.
<!--/SupportedValues-->
<!--Validation-->
@ -2312,7 +2312,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
@ -2333,8 +2333,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Deferrals aren't paused.
- 1 Deferrals are paused.
- 0 (default) - Deferrals aren't paused.
- 1 - Deferrals are paused.
<!--/SupportedValues-->
<!--/Policy-->
@ -2383,8 +2383,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Feature Updates aren't paused.
- 1 Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
- 0 (default) - Feature Updates aren't paused.
- 1 - Feature Updates are paused for 35 days or until value set to back to 0, whichever is sooner.
<!--/SupportedValues-->
<!--/Policy-->
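Review bot: the rewritten value 1 line carries over a typo: "until value set to back to 0" should be "until the value is set back to 0", matching the PauseQualityUpdates wording a few hunks below ("until value set back to 0"). Since the line is being touched anyway, fix it here.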
@ -2476,8 +2476,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Quality Updates aren't paused.
- 1 Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
- 0 (default) - Quality Updates aren't paused.
- 1 - Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
<!--/SupportedValues-->
<!--/Policy-->
@ -2580,7 +2580,7 @@ ADMX Info:
<!--/ADMXMapped-->
<!--SupportedValues-->
Value type is a string containing a Windows product, for example, “Windows 11” or “11” or “Windows 10”.
Value type is a string containing a Windows product, for example, "Windows 11" or "11" or "Windows 10".
<!--/SupportedValues-->
<!--Example-->
@ -2624,7 +2624,7 @@ By using this Windows Update for Business policy to upgrade devices to a new pro
<!--/Scope-->
<!--Description-->
> [!NOTE]
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
Allows the IT admin to set a device to General Availability Channel train.
@ -2640,8 +2640,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) User gets upgrades from General Availability Channel (Targeted).
- 1 User gets upgrades from General Availability Channel.
- 0 (default) - User gets upgrades from General Availability Channel (Targeted).
- 1 - User gets upgrades from General Availability Channel.
<!--/SupportedValues-->
<!--/Policy-->
@ -2675,7 +2675,7 @@ The following list shows the supported values:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end user. EULAs are approved once an update is approved.
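Review bot: the note in this hunk is redundant with itself: "If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead." can be "**Update/PhoneUpdateRestrictions** is deprecated; use this policy instead." The description's last sentence, "EULAs are approved once an update is approved", should state the consequence directly: approving an update on the approval list also accepts that update's EULA on the end user's behalf.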
@ -2686,8 +2686,8 @@ Supported operations are Get and Replace.
<!--SupportedValues-->
The following list shows the supported values:
- 0 Not configured. The device installs all applicable updates.
- 1 The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
- 0 - Not configured. The device installs all applicable updates.
- 1 - The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
<!--/SupportedValues-->
<!--/Policy-->
@ -2769,7 +2769,7 @@ Supported values are 15, 30, or 60 (minutes).
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Allows the IT Admin to specify the period for autorestart warning reminder notifications.
@ -2839,14 +2839,14 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Every day
- 1 Sunday
- 2 Monday
- 3 Tuesday
- 4 Wednesday
- 5 Thursday
- 6 Friday
- 7 Saturday
- 0 (default) - Every day
- 1 - Sunday
- 2 - Monday
- 3 - Tuesday
- 4 - Wednesday
- 5 - Thursday
- 6 - Friday
- 7 - Saturday
<!--/SupportedValues-->
<!--/Policy-->
@ -3110,7 +3110,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
Enables the IT admin to schedule the time of the update installation.
@ -3178,8 +3178,8 @@ ADMX Info:
<!--SupportedValues-->
The following list shows the supported values:
- 0 (default) Enabled
- 1 Disabled
- 0 (default) - Enabled
- 1 - Disabled
<!--/SupportedValues-->
<!--/Policy-->
@ -3675,9 +3675,9 @@ Display options for update notifications. This policy allows you to define what
Options:
- 0 (default) Use the default Windows Update notifications
- 1 Turn off all notifications, excluding restart warnings
- 2 Turn off all notifications, including restart warnings
- 0 (default) - Use the default Windows Update notifications
- 1 - Turn off all notifications, excluding restart warnings
- 2 - Turn off all notifications, including restart warnings
> [!IMPORTANT]
> If you choose not to get update notifications and also define other Group policies so that devices aren't automatically getting updates, neither you nor device users will be aware of critical security, quality, or feature updates, and your devices may be at risk.

View File

@ -560,7 +560,7 @@ The XML below is for Windows 10, version 1803.
</AccessType>
<Description>
Roll back Latest Quality Update, if the machine meets the following conditions:
Condition 1: Device must be WUfB Connected
Condition 1: Device must be Windows Update for Business connected
Condition 2: Device must be in a Paused State
Condition 3: Device must have the Latest Quality Update installed on the device (Current State)
If the conditions are not true, the device will not Roll Back the Latest Quality Update.
@ -588,7 +588,7 @@ The XML below is for Windows 10, version 1803.
</AccessType>
<Description>
Roll Back Latest Feature Update, if the machine meets the following conditions:
Condition 1: Device must be WUfB Connected
Condition 1: Device must be Windows Update for Business connected
Condition 2: Device must be in Paused State
Condition 3: Device must have the Latest Feature Update Installed on the device (Current State)
Condition 4: Machine should be within the uninstall period

View File

@ -46,7 +46,9 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
## Guidelines for web browsers
Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy)
In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode).
In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but arent allowed to go to a competitor's website.
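Review bot: the two new sentences are out of chronological order (version 1909 before 1809), and the second one's link text still reads "Learn how to deploy Microsoft Edge kiosk mode" although the sentence now describes Microsoft Edge Legacy; reorder them and rename the link text to "Learn how to deploy Microsoft Edge Legacy kiosk mode" so readers on 1809 don't confuse the two browsers. The unchanged context line below still contains "arent" (missing apostrophe) and is worth fixing while this paragraph is being touched.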
@ -156,6 +158,12 @@ You can create your own web browser Windows app by using the WebView class. Lear
Avoid selecting Windows apps that may expose the information you dont want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access.
## Customize your breakout sequence
Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common Windows keyboard shortcut. It is recommended that this is set to a non-standard Windows shortcut to prevent disruptions in the kiosk experience.
There is currently no user interface for customizing the breakout sequence in Windows settings, so it would need to be specified in a provisioning method where an XML format such as MDM is used.
## App configuration
Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access.
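Review bot: "a provisioning method where an XML format such as MDM is used" conflates the channel with the format; MDM is a management channel, not an XML format. Suggest: "so it must be set in the AssignedAccess configuration XML, delivered through MDM or a provisioning package." The recommendation to move away from Ctrl+Alt+Del should also say why it matters: the default sequence is common knowledge, so anyone at the kiosk can leave the locked-down app and reach the lock screen, which is the "disruption" the sentence alludes to. Spell the sequence consistently with the rest of the docs ("Ctrl + Alt + Del" rather than "ctrl+alt+delete").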

View File

@ -342,3 +342,8 @@ If you press **Ctrl + Alt + Del** and do not sign in to another account, after a
`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
> [!NOTE]
> **IdleTimeOut** doesn't apply to the new Microsoft Edge kiosk mode.
The Breakout Sequence of **Ctrl + Alt + Del** is the default, but this sequence can be configured to be a different sequence of keys. The breakout sequence uses the format **modifiers + keys**. An example breakout sequence would look something like **Shift + Alt + a**, where **Shift** and **Alt** are the modifiers and **a** is the key value. For more information, see [Microsoft Edge kiosk XML sample](/windows/configuration/kiosk-xml#microsoft-edge-kiosk-xml-sample).
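Review bot: the paragraph explains the "modifiers + keys" format but not where the sequence is configured; state that it is set with the `BreakoutSequence` element of the AssignedAccess configuration XML (the linked sample uses `<v4:BreakoutSequence Key="Ctrl+A"/>`) and that there is no Settings UI for it. The example here is written with spaces, "Shift + Alt + a", while the XML sample writes "Ctrl+A" without spaces; say which spelling the `Key` attribute expects so readers don't produce a value the parser rejects.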

View File

@ -254,16 +254,40 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
## Microsoft Edge Kiosk XML Sample
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
>
<Profiles>
<Profile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}">
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
<KioskModeApp v4:ClassicAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe"
v4:ClassicAppArguments="--no-first-run --kiosk-idle-timeout-minutes=5 --kiosk www.bing.com"/>
<v4:BreakoutSequence Key="Ctrl+A"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>EdgeKioskUser</Account>
<DefaultProfile Id="{AFF9DA33-AE89-4039-B646-3A5706E92957}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
## Global Profile Sample XML
Global Profile is supported on:
- Windows 10 version 2004+
- Windows 11
- Windows 10, version 2004 and later
Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
Global Profile is designed for scenarios where a user doesn't have a designated profile, yet you still want the user to run in lockdown mode. It's also used as mitigation when a profile can't be determined for a user.
This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in.
This sample demonstrates that only a global profile is used, with no active user configured. Global Profile will be applied when every non-admin account signs in.
```xml
<?xml version="1.0" encoding="utf-8" ?>
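Review bot: the sample's `<v4:BreakoutSequence Key="Ctrl+A"/>` uses a standard shortcut (select all), which contradicts the guidance added in this same commit to pick a non-standard Windows shortcut; in a browser kiosk a visitor pressing Ctrl+A would be dropped to the lock screen. Use a sequence of the `Shift+Alt+a` kind given in the kiosk guidance. Two smaller points: `--kiosk www.bing.com` has no scheme, and `https://www.bing.com` avoids depending on the browser's default; and the reordered "Global Profile is supported on" list now reads Windows 11 before "Windows 10, version 2004 and later", which is the reverse of the convention used elsewhere on the page.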
@ -642,13 +666,12 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n
## XSD for AssignedAccess configuration XML
>[!NOTE]
>Updated for Windows 10, version 1903+.
> [!NOTE]
> Updated for Windows 10, version 1903 and later.
The following XML schema is for AssignedAccess Configuration up to Windows 10 1803 release:
The following XML schema is for AssignedAccess Configuration up to Windows 10, version 1803 release:
```xml
<?xml version="1.0" encoding="utf-8"?>
<xs:schema
elementFormDefault="qualified"
xmlns:xs="http://www.w3.org/2001/XMLSchema"
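Review bot: the intro sentence still says the schema is "for AssignedAccess Configuration up to Windows 10, version 1803 release" while the note directly above it now says "Updated for Windows 10, version 1903 and later" and the schema below imports the 2021 (`v4`) namespace. Rewrite the sentence to say which namespaces (2017 through 2021) this schema covers; if per-version schemas are still needed, they belong in a separate, clearly labelled block.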
@ -656,11 +679,13 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/201810/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2020/config"/>
<xs:import namespace="http://schemas.microsoft.com/AssignedAccess/2021/config"/>
<xs:complexType name="profile_list_t">
<xs:sequence minOccurs="1" >
@ -670,8 +695,14 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
<xs:complexType name="kioskmodeapp_t">
<xs:attribute name="AppUserModelId" type="xs:string"/>
<xs:attributeGroup ref="ClassicApp_attributeGroup"/>
</xs:complexType>
<xs:attributeGroup name="ClassicApp_attributeGroup">
<xs:attribute ref="v4:ClassicAppPath"/>
<xs:attribute ref="v4:ClassicAppArguments" use="optional"/>
</xs:attributeGroup>
<xs:complexType name="profile_t">
<xs:choice>
<xs:sequence minOccurs="1" maxOccurs="1">
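Review bot: `ref="v4:ClassicAppPath"` and `ref="v4:ClassicAppArguments"` (and `v4:BreakoutSequence` further down) point into the 2021 namespace, but the matching `xs:import` has no `schemaLocation` and the 2021 declarations are not shown in this diff, so the XSD as printed cannot validate a configuration on its own. Either include the 2021 schema on the page or add a sentence saying where it is obtained.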
@ -680,7 +711,19 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
<xs:element name="StartLayout" type="xs:string" minOccurs="1" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
</xs:sequence>
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1"/>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1">
<xs:key name="mutualExclusionAumidOrClassicAppPath">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppPath"/>
</xs:key>
<xs:unique name="mutualExclusionAumidOrClassicAppArgumentsOptional">
<xs:selector xpath="."/>
<xs:field xpath="@AppUserModelId|@v4:ClassicAppArguments"/>
</xs:unique>
</xs:element>
<xs:element ref="v4:BreakoutSequence" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
</xs:choice>
<xs:attribute name="Id" type="guid_t" use="required"/>
<xs:attribute name="Name" type="xs:string" use="optional"/>
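Review bot: the two identity constraints need an XML comment, because their intent is not obvious from the names: the `xs:key` with field `@AppUserModelId|@v4:ClassicAppPath` forces exactly one of the two attributes to be present (a key field must select exactly one node), so a profile names either a UWP AUMID or a classic app path but not both, while the `xs:unique` on `@AppUserModelId|@v4:ClassicAppArguments` allows neither but rejects both. Add a comment stating that, so the next editor doesn't "simplify" the constraints away.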
@ -781,6 +824,7 @@ The following XML schema is for AssignedAccess Configuration up to Windows 10 18
<xs:simpleType name="specialGroupType_t">
<xs:restriction base="xs:string">
<xs:enumeration value="Visitor"/>
<xs:enumeration value="DeviceOwner"/>
</xs:restriction>
</xs:simpleType>
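Review bot: the new `DeviceOwner` enumeration value for `specialGroupType_t` is added to the schema without any description in the prose; document which account it maps to and the OS version that introduced it, next to the existing `Visitor` entry, otherwise readers have no way to know when to use it.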

View File

@ -15,21 +15,59 @@ manager: dougeby
# ADMXIngestion (Windows Configuration Designer reference)
Starting in Windows 10, version 1703, you can import (*ingest*) select Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration).
Starting in Windows 10, version 1703, you can import (*ingest*) Group Policy administrative templates (ADMX files) and configure values for ADMX-backed policies in a provisioning package. To see which types of ADMX-backed policies can be applied, see [Win32 and Desktop Bridge app policy configuration overview](/windows/client-management/mdm/win32-and-centennial-app-policy-configuration).
- The settings under [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) allow you to set values for policies in the imported ADMX file.
- The settings under [ConfigOperations](#configoperations) specify the ADMX file to be imported.
>[!IMPORTANT]
>Only per-device policies can be set using a provisioning package.
>Only device scope policies (class="Machine" or class="Both") can be set using a provisioning package.
## Applies to
| Setting groups | Windows client | Surface Hub | HoloLens | IoT Core |
| Setting groups | Windows client | Surface Hub | HoloLens | IoT Enterprise |
| --- | :---: | :---: | :---: | :---: |
| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | |
| [ConfigOperations](#configoperations) | ✔️ | | | |
| [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) | ✔️ | | | ✔️ |
| [ConfigOperations](#configoperations) | ✔️ | | | ✔️ |
## ConfigOperations
Use **ConfigOperations** to import ADMX policies from an ADMX file.
1. Enter an app name, and then click **Add**.
This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Chromium Edge, enter an app name.
Example, `MSEdgeEfficiencyMode`
2. Select the app name in the Customizations pane, select a setting type, and then click **Add**.
The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add.
3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future.
Example, `MSEdgeEfficiencyMode`
>[!NOTE]
>Keeping the AdmxFileUid and AppName the same will help prevent authorizing errors.
4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
>[!NOTE]
>When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line).
Example, EfficiencyMode
```XML
<policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)"> <parentCategory ref="Performance"/> <supportedOn ref="SUPPORTED_WIN7_V96"/> <elements> <enum id="EfficiencyMode" valueName="EfficiencyMode"> <item displayName="$(string.EfficiencyMode_AlwaysActive)"> <value> <decimal value="0"/> </value> </item> <item displayName="$(string.EfficiencyMode_NeverActive)"> <value> <decimal value="1"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)"> <value> <decimal value="2"/> </value> </item> <item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)"> <value> <decimal value="3"/> </value> </item> </enum> </elements> </policy>
```
5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
<span id="convert"/>
## ConfigADMXInstalledPolicy
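Review bot: step 3 says `AdmxFileUid` "can be any string" and step 1 says the app name is free-form, but the note then says keeping them the same "will help prevent authorizing errors"; state plainly whether they must match and what error appears when they don't (and check whether "authorizing" is meant to be "authoring"). Step 4 shows a bare `<policy>` element as the thing to paste, while the configuration sample at the end of the page ingests a complete `policyDefinitions` document with its `policyNamespaces`, `supportedOn` and `categories`; clarify whether a lone `<policy>` is accepted or must be wrapped, since its `parentCategory` and `supportedOn` references resolve against those sections. The tightened IMPORTANT note (device scope only, `class="Machine"` or `class="Both"`) is a good change and matches the `class="Both"` sample.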
@ -40,59 +78,121 @@ In **ConfigADMXInstalledPolicy**, you provide a policy setting and value for tha
1. Enter an area name, and then click **Add**. The structure of the area name is the following:
`AppName (from ConfigOperations)`~`SettingType`~`category name from ADMX`
`<AppName (from ConfigOperations)>~<SettingType>~<category name from ADMX>`
See [Category and policy in ADMX](#category-and-policy-in-admx) for more information. A setting may have multiple levels of category names, as in the following example.
Example: `Office16~Policy~L_MicrosoftOfficemachine~L_Updates`
Example: `MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance`
2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**. For example, `L_HideEnableDisableUpdates`.
3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field. For example, `<disabled/>`.
2. Select the area name in the Customization pane, enter a policy name from the ADMX, and then click **Add**.
## ConfigOperations
Example, `EfficiencyMode`.
Use **ConfigOperations** to import an ADMX file or policies from an ADMX file.
3. Select the policy name in the Customization pane, and then enter a value from the ADMX in the text field.
1. Enter an app name, and then click **Add**.
Example, `<enabled/><data id="EfficiencyMode" Value="2">`.
This can be any name you assign, so choose something descriptive to help you identify its purpose. For example, if you are importing ADMX for Office 16, enter an app name of **Office 16**.
2. Select the app name in the Customizations pane, select a setting type, and then click **Add**.
## Category and policy in ADMX
The choices, **Policy** and **Preference**, have no impact on the behavior of the settings, and are only provided for your convenience should you want to categorize the settings you add.
3. Select the setting type in the Customizations pane. In the **AdmxFileUid** field, enter the name of the ADMX file or a unique ID for the file, and then click **Add**.
The following samples show the ADMX file for Chromium Edge used in the examples in the procedures above. The first sample highlights the category names.
The **AdmxFileUid** can be any string, but must be unique in the provisioning package. Using the name of the ADMX file will help you identify the file in the future.
```XML
<categories>
<category displayName="$(string.microsoft_edge)" name="microsoft_edge"/>
<category displayName="$(string.Performance_group)" name="Performance">
<parentCategory ref="microsoft_edge"/>
</category>
</categories>
```
<!--![Snippet of ADMX shows category names highlighted.](../images/admx-category.png)-->
4. Select the AdmxFileUid in the Customizations pane, and paste the contents of the ADMX file in the text field. Before copying the contents of the ADMX file, you must convert it to a single-line. See [Convert multi-line to single line](#convert) for instructions.
The next sample highlights the specific policy.
>[!NOTE]
>When you have a large ADMX file, you may want to only include specific settings. Instead of pasting in the entire ADMX file, you can paste just one or more specific policies (after converting them to single-line).
5. Repeat for each ADMX, or set of ADMX policies, that you want to add, and then configure [ConfigADMXInstalledPolicy](#configadmxinstalledpolicy) for each one.
```XML
<policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)">
<parentCategory ref="Performance"/>
<supportedOn ref="SUPPORTED_WIN7_V96"/>
<elements>
<enum id="EfficiencyMode" valueName="EfficiencyMode">
<item displayName="$(string.EfficiencyMode_AlwaysActive)">
<value>
<decimal value="0"/>
</value>
</item>
<item displayName="$(string.EfficiencyMode_NeverActive)">
<value>
<decimal value="1"/>
</value>
</item>
<item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)">
<value>
<decimal value="2"/>
</value>
</item>
<item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)">
<value>
<decimal value="3"/>
</value>
</item>
</enum>
</elements>
</policy>
```
<!--![Snipped of ADMX shows policy setting highlighted.](../images/admx-policy.png)-->
<span id="convert"/>
## Convert multi-line to single line
Use the following PowerShell cmdlet to remove carriage returns and line feeds from a multi-line file to create a single-line file that you can paste in **AdmxFileUid**.
```PS
$path="file path"
(Get-Content $admxFile -Raw).Replace("`r`n","") | Set-Content $path -Force
$outputFile = "output.admx"
$inputFile = "input.admx"
(Get-Content $inputFile -Raw).Replace("`r`n","") | Set-Content $outputFile -Force
```
## Category and policy in ADMX
The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names.
![Snippet of ADMX shows category names highlighted.](../images/admx-category.png)
The next image highlights the specific policy.
![Snipped of ADMX shows policy setting highlighted.](../images/admx-policy.png)
## Configuration Samples
Example: Edge Efficiency Mode
```XML
<?xml version="1.0" encoding="utf-8"?>
<WindowsCustomizations>
<PackageConfig xmlns="urn:schemas-Microsoft-com:Windows-ICD-Package-Config.v1.0">
<ID>{d1ab1e3e-6e6d-4bd5-b35b-34cca18d2e16}</ID>
<Name>MSEdgeEfficiencyMode</Name>
<Version>1.1</Version>
<OwnerType>OEM</OwnerType>
<Rank>0</Rank>
<Notes></Notes>
</PackageConfig>
<Settings xmlns="urn:schemas-microsoft-com:windows-provisioning">
<Customizations>
<Common>
<ADMXIngestion>
<ConfigADMXInstalledPolicy>
<AreaName>
<PolicyName AreaName="MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance" Name="MSEdgeEfficiencyMode~Policy~microsoft_edge~Performance">
<SetAdmxPolicy PolicyName="EfficiencyMode" Name="EfficiencyMode">&lt;enabled/&gt;&lt;data id="EfficiencyMode" value="2"/&gt;</SetAdmxPolicy>
</PolicyName>
</AreaName>
</ConfigADMXInstalledPolicy>
<ConfigOperations>
<ADMXInstall>
<AppName>
<SettingType AppName="MSEdgeEfficiencyMode" Name="MSEdgeEfficiencyMode">
<ADMXFileUniqueID SettingType="Policy" Name="Policy">
<InsertADMXFile AdmxFileUid="MSEdgeEfficiencyMode" Name="MSEdgeEfficiencyMode">&lt;?xml version="1.0" ?&gt;&lt;policyDefinitions revision="1.0" schemaVersion="1.0" xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions"&gt; &lt;!--microsoft_edge version: 96.0.1054.62--&gt; &lt;policyNamespaces&gt; &lt;target namespace="Microsoft.Policies.Edge" prefix="microsoft_edge"/&gt; &lt;using namespace="Microsoft.Policies.Windows" prefix="windows"/&gt; &lt;/policyNamespaces&gt; &lt;resources minRequiredRevision="1.0"/&gt; &lt;supportedOn&gt; &lt;definitions&gt; &lt;definition displayName="$(string.SUPPORTED_WIN7_V96)" name="SUPPORTED_WIN7_V96"/&gt; &lt;/definitions&gt; &lt;/supportedOn&gt; &lt;categories&gt; &lt;category displayName="$(string.microsoft_edge)" name="microsoft_edge"/&gt; &lt;category displayName="$(string.Performance_group)" name="Performance"&gt; &lt;parentCategory ref="microsoft_edge"/&gt; &lt;/category&gt; &lt;/categories&gt; &lt;policies&gt; &lt;policy class="Both" displayName="$(string.EfficiencyMode)" explainText="$(string.EfficiencyMode_Explain)" key="Software\Policies\Microsoft\Edge" name="EfficiencyMode" presentation="$(presentation.EfficiencyMode)"&gt; &lt;parentCategory ref="Performance"/&gt; &lt;supportedOn ref="SUPPORTED_WIN7_V96"/&gt; &lt;elements&gt; &lt;enum id="EfficiencyMode" valueName="EfficiencyMode"&gt; &lt;item displayName="$(string.EfficiencyMode_AlwaysActive)"&gt; &lt;value&gt; &lt;decimal value="0"/&gt; &lt;/value&gt; &lt;/item&gt; &lt;item displayName="$(string.EfficiencyMode_NeverActive)"&gt; &lt;value&gt; &lt;decimal value="1"/&gt; &lt;/value&gt; &lt;/item&gt; &lt;item displayName="$(string.EfficiencyMode_ActiveWhenUnplugged)"&gt; &lt;value&gt; &lt;decimal value="2"/&gt; &lt;/value&gt; &lt;/item&gt; &lt;item displayName="$(string.EfficiencyMode_ActiveWhenUnpluggedBatteryLow)"&gt; &lt;value&gt; &lt;decimal value="3"/&gt; &lt;/value&gt; &lt;/item&gt; &lt;/enum&gt; &lt;/elements&gt; &lt;/policy&gt; 
&lt;/policies&gt;&lt;/policyDefinitions&gt;</InsertADMXFile>
</ADMXFileUniqueID>
</SettingType>
</AppName>
</ADMXInstall>
</ConfigOperations>
</ADMXIngestion>
</Common>
</Customizations>
</Settings>
</WindowsCustomizations>
```
## Related topics
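Review bot: the example value in step 3, `<enabled/><data id="EfficiencyMode" Value="2">`, differs from the working sample below, which uses `&lt;enabled/&gt;&lt;data id="EfficiencyMode" value="2"/&gt;`: lower-case `value` and a self-closed `data` element. Align the step with the sample, because a reader copying the step text gets an unclosed element. Separately, the single-line script now fixes the undefined `$admxFile` variable, but `.Replace("`r`n","")` only strips CRLF, so an ADMX file saved with LF line endings passes through unchanged; `-replace "\r?\n",""` handles both. The `<ID>` GUID and `OwnerType` in the package sample should be called out as sample values to replace.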

View File

@ -89,3 +89,5 @@ This topic helps IT administrators learn about built-in accessibility features,
[Inclusive Design](https://www.microsoft.com/design/inclusive)
[Accessibility guide for Microsoft 365 Apps](/deployoffice/accessibility-guide)

View File

@ -145,8 +145,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica
On **MDT01**:
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120117_en_US.exe) to **D:\\setup\\adobe** on MDT01.
2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120117_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
4. Right-click the **Applications** node, and create a new folder named **Adobe**.

View File

@ -190,7 +190,7 @@ Starting in Windows 10, version 1803, specifies the maximum foreground download
### Maximum Background Download Bandwidth
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads. However, downloads from LAN peers are not throttled even when this policy is set.
Starting in Windows 10, version 1803, specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. **The default value of "0"** means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads. However, downloads from LAN peers are not throttled even when this policy is set.
### Percentage of Maximum Download Bandwidth

View File

@ -90,6 +90,18 @@ When users start scanning in Windows Update through the Settings panel, the foll
- Windows Update uses the thread ID filtering to concentrate on one particular task.
![Windows Update scan log 1.](images/update-scan-log-1.png)
#### Proxy Behavior
For Windows Update (WU) scans URLs that are used for update detection ([MS-WUSP]: SimpleAuth Web Service | Microsoft Docs, [MS-WUSP]: Client Web Service | Microsoft Docs):
- System proxy is attempted (set using the `netsh` command).
- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then user proxy is attempted (generally it is the logged-in user).
> [!Note]
> For intranet WSUS update service URLs, we provide an option via Windows Update policy to select the proxy behavior.
For WU URLs that _aren't_ used for update detection, such as for download or reporting:
- User proxy is attempted.
- If WUA fails to reach the service due to a certain proxy, service, or authentication error code, then the system proxy is attempted.
#### Identifies service IDs
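Review bot: the two protocol references, "[MS-WUSP]: SimpleAuth Web Service | Microsoft Docs" and "[MS-WUSP]: Client Web Service | Microsoft Docs", are pasted as page titles rather than links; convert them to links. "A certain proxy, service, or authentication error code" should name the codes (or link to them), since an admin reading the WindowsUpdate log needs that to recognise that a fallback from the system proxy to the user proxy has occurred, and the note about intranet WSUS URLs should name the Windows Update policy it refers to. Also "user proxy is attempted (generally it is the logged-in user)" reads as if the proxy were a user; say "the proxy configured for the signed-in user".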

Binary file not shown.

After

Width:  |  Height:  |  Size: 581 KiB

View File

@ -8,11 +8,12 @@ ms.prod: w10
ms.mktglfcycl: deploy
ms.pagetype: deploy
audience: itpro
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
ms.date: 04/27/2022
---
# Configuring devices through the Update Compliance Configuration Script
@ -98,3 +99,38 @@ Open `RunConfig.bat` and configure the following (assuming a first-run, with `ru
| 93 | Failed to update value for EnableAllowUCProcessing|
| 94 | Unexpected exception in EnableAllowUCProcessing|
| 99 | Device is not Windows 10.|
## Verify device configuration
In some cases, you may need to manually verify the device configuration has the `AllowUpdateComplianceProcessing` policy enabled. To verify the setting, use the following steps:
1. Download and enable the **Diagnostic Data Viewer**. For more information, see [Diagnostic Data Viewer overview](/windows/privacy/diagnostic-data-viewer-overview#install-and-use-the-diagnostic-data-viewer).
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
1. Under **View diagnostic data**, select **On** for the following option:
- Windows 11: **Turn on the Diagnostic Data Viewer (uses up to 1 GB of hard drive space)**
- Windows 10: **Turn on this setting to see your data in the Diagnostic Data Viewer. (Setting uses up to 1GB of hard drive space.)**
1. Select **Open Diagnostic Data Viewer**.
- If the application isn't installed, select **Get** when you're asked to download the [Diagnostic Data Viewer from the Microsoft Store](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
- If the application is already installed, it will open. You can either close the application before running a scan for software updates, or use the refresh button to fetch the new data after the scan is completed.
1. Check for software updates on the client device.
- Windows 11:
1. Go to **Start**, select **Settings** > **Windows Update**.
1. Select **Check for updates** then wait for the update check to complete.
- Windows 10:
1. Go to **Start**, select **Settings** > **Update & Security** > **Windows Update**.
1. Select **Check for updates** then wait for the update check to complete.
1. Run the **Diagnostic Data Viewer**.
1. Go to **Start**, select **Settings** > **Privacy** > **Diagnostics & feedback**.
1. Under **View diagnostic data**, select **Open Diagnostic Data Viewer**.
1. When the Diagnostic Data Viewer opens, type `SoftwareUpdateClientTelemetry` in the search field. Verify the following items:
- The **EnrolledTenantID** field under **m365a** should equal the [CommercialID](update-compliance-get-started.md#get-your-commercialid) of your Log Analytics workspace for Update Compliance.
- The **MSP** field value under **protocol** should be either `16` or `18`.
- If you need to send this data to Microsoft Support, select **Export data**.
:::image type="content" alt-text="Screenshot of the Diagnostic Data Viewer displaying the data from SoftwareUpdateClientTelemetry. The export data option and the fields for MSP and EnrolledTenantID are outlined in red." source="./media/update-compliance-diagnostic-data-viewer.png" lightbox="./media/update-compliance-diagnostic-data-viewer.png":::
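Review bot: "The **MSP** field value under **protocol** should be either `16` or `18`" gives no meaning for the two values; a one-line explanation or a link would tell an admin which one to expect on a given device. Since the procedure turns on a viewer that "uses up to 1 GB of hard drive space", add a closing step to turn the Diagnostic Data Viewer setting back off once verification is done. Minor: the two quoted settings strings write the size as "1 GB" and "1GB"; if they are verbatim UI strings keep them, otherwise make them consistent.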

View File

@ -1,5 +1,5 @@
---
title: Use Windows Update for Business (WUfB) and Windows Server Update Services (WSUS) together
title: Use Windows Update for Business and Windows Server Update Services (WSUS) together
description: Learn how to use Windows Update for Business and WSUS together using the new scan source policy.
ms.prod: w10
ms.mktglfcycl: manage
@ -23,7 +23,7 @@ ms.topic: article
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business (WUfB) service.
The Windows update scan source policy enables you to choose what types of updates to get from either [WSUS](waas-manage-updates-wsus.md) or Windows Update for Business service.
We added the scan source policy starting with the [September 1, 2021—KB5005101 (OS Builds 19041.1202, 19042.1202, and 19043.1202) Preview](https://support.microsoft.com/help/5005101) update and it applies to Window 10, version 2004 and above and Windows 11. This policy changes the way devices determine whether to scan against a local WSUS server or Windows Update service.
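Review bot: the unchanged context line following the edited sentence still reads "it applies to Window 10, version 2004 and above" ("Window" for "Windows"); since this paragraph is being touched to spell out Windows Update for Business, fix that typo in the same change rather than leaving it for a follow-up.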

154
windows/hub/doc-test.md Normal file
View File

@ -0,0 +1,154 @@
---
title: Doc team test
description: A test article for the doc team's use.
ms.date: 05/10/2022
ms.prod: windows
ms.technology: windows
ms.topic: reference
ms.localizationpriority: null
ROBOTS: NOINDEX
author: aczechowski
ms.author: aaroncz
ms.reviewer: mstewart
manager: dougeby
---
# Doc team test
This article is for testing purposes only.
> [!NOTE]
> For more markdown examples and tips, see the **template.md** file at the root of the repository. Including examples of links and images.
## Basic Markdown and GFM
All basic and Github-flavored markdown is supported. For more information, see:
- [Baseline markdown syntax](https://daringfireball.net/projects/markdown/syntax)
- [Github-flavored markdown (GFM) documentation](https://guides.github.com/features/mastering-markdown)
## Headings
Examples of first and second-level headings are above.
There **must** be only one first level heading in your article, which will be displayed as the on-page title.
Second-level headings will generate the on-page TOC that appears in the "In this article" section underneath the on-page title.
### Third-level heading (`###`)
#### Fourth-level heading (`####`)
##### Fifth-level heading (`#####`)
## Text styling
_Italics_ (`_`)
**Bold** (`**`)
~~Strikethrough~~ (`~~`)
## Lists
### Ordered lists
1. This
1. Is
1. An
1. Ordered
1. List
#### Ordered list with an embedded list
1. Here
1. Comes
1. An
1. Embedded
1. Scarlett
1. Professor Plum
1. Ordered
1. List
### Unordered Lists
- This
- Is
- A
- Bulleted
- List
#### Unordered list with an embedded list
- This
- Bulleted
- List
- Peacock
- Green
- Contains
- Other
1. Colonel Mustard
1. Yellow
1. gold
1. White
1. cream
1. silver
- Lists
## Horizontal rule
---
## Tables
| Tables | Are | Cool |
|---------------------|:-------------:|------:|
| Column 3 is | Right-aligned | $1600 |
| Column 2 is | Centered | $12 |
| Column 1 is default | Left-aligned | $1 |
## Code
### Code block
```json
{
"aggregator": {
"batchSize": 1000,
flushTimeout": "00:00:30"
}
}
```
### In-line code
This example is for `in-line code`.
## Blockquotes
> The drought had lasted now for ten million years, and the reign of the terrible lizards had long since ended. Here on the Equator, in the continent which would one day be known as Africa, the battle for existence had reached a new climax of ferocity, and the victor was not yet in sight. In this barren and desiccated land, only the small or the swift or the fierce could flourish, or even hope to survive.
## Alerts
### Note
> [!NOTE]
> This alert is a NOTE
### Warning
> [!WARNING]
> This alert is a WARNING
### Tip
> [!TIP]
> This alert is a TIP
### Caution
> [!CAUTION]
> This alert is a CAUTION
### Important
> [!IMPORTANT]
> This alert is a IMPORTANT
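Review bot: the JSON sample under "### Code block" is not valid JSON: the key on the `flushTimeout": "00:00:30"` line is missing its opening quote and should read `"flushTimeout": "00:00:30"`; even on a NOINDEX test article, a sample marked as `json` should parse, because readers copy the template. Two smaller points in the same file: "This alert is a IMPORTANT" should be "an IMPORTANT", and "Github" is spelled "GitHub".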

View File

@ -6809,7 +6809,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@ -6823,7 +6823,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -6864,7 +6864,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted

View File

@ -8296,7 +8296,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@ -8310,7 +8310,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -8351,7 +8351,7 @@ The following fields are available:
- **oSVersion** Build number of the device.
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded
@ -9584,8 +9584,8 @@ The following fields are available:
- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU.
- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed.
- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed.
- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed.
- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed.
- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed.
- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed.
- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected.
- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
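Review bot: the unchanged context line `UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku` looks like two field names spliced into one (`UnifiedInstallerDeviceIsHomeSku` and `UnifiedInstallerDeviceIsHomeSkuHresult`), and its description only covers the result code; since this field list is being edited anyway, verify the names against the event schema and split the line into the two fields with their own descriptions.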

View File

@ -3627,7 +3627,7 @@ The following fields are available:
- **IsDeviceUninstallActive** Indicates whether the OS (operating system) on the device was recently updated.
- **IsDeviceUpdateNotificationLevel** Indicates whether the device has a set policy to control update notifications.
- **IsDeviceUpdateServiceManaged** Indicates whether the device uses WSUS (Windows Server Update Services).
- **IsDeviceWUFBManaged** If device is WUfB managed.
- **IsDeviceWUFBManaged** If device is Windows Update for Business managed.
- **IsDeviceZeroExhaust** Indicates whether the device subscribes to the Zero Exhaust policy to minimize connections from Windows to Microsoft.
- **IsGreaterThanMaxRetry** Indicates whether the DTU (Direct to Update) service has exceeded its maximum retry count.
- **IsVolumeLicensed** Indicates whether a volume license was used to authenticate the operating system or applications on the device.
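Review bot: the new description "If device is Windows Update for Business managed." is a sentence fragment, while the neighbouring fields all use the "Indicates whether ..." form (for example `IsDeviceUpdateServiceManaged` directly above); suggest "Indicates whether the device is Windows Update for Business managed." so the list reads consistently.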
@ -6257,8 +6257,8 @@ The following fields are available:
- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU.
- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed.
- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed.
- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed.
- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed.
- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed.
- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed.
- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected.
- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
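Review bot: the same spliced field name `UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku` appears in the context of this hunk as in the other events file; whatever correction is made there should be applied here too, so the two files do not drift.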
@ -6374,7 +6374,7 @@ The following fields are available:
- **CV** Correlation vector.
- **GlobalEventCounter** The global event counter counts the total events for the provider.
- **PackageVersion** The version for the current package.
- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership.
- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership.
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
@ -8457,7 +8457,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** This is the device info.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@ -8472,7 +8472,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Represents the device info.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -8509,7 +8509,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Device in the General Availability Channel.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
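Review bot: across the three `wUfBConnected` hunks in this file, the unchanged `sacDevice` context line describes what appears to be the same field three different ways ("This is the device info.", "Represents the device info.", "Device in the General Availability Channel."); since these field lists are being edited for consistency of naming, pick one accurate description and use it in all three events.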

View File

@ -58,6 +58,11 @@ The following sections list the components that make network connections to Micr
The following table lists management options for each setting, For Windows 10 (beginning with Windows 10 Enterprise version 1607) and Windows 11.
> [!IMPORTANT]
> **If you need assistance with troubleshooting issues, please refer to**:</br>
> - [Keep your device running smoothly](https://support.microsoft.com/topic/keep-your-device-running-smoothly-with-recommended-troubleshooting-ec76fe10-4ac8-ce9d-49c6-757770fe68f1)</br>
> - [CSP - Troubleshooting](/windows/client-management/mdm/policy-csp-troubleshooting)
| Setting | UI | Group Policy | Registry |
| - | :-: | :-: | :-: |
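Review bot: the added IMPORTANT alert uses `</br>` as a line break, which is not a valid HTML element (the tag is `<br>` or `<br/>`); inside a blockquote list the breaks are also unnecessary, since each `> -` item already starts a new line, so the `</br>` after "please refer to**:" and after the first link can simply be dropped.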
@ -114,7 +119,8 @@ The following table lists management options for each setting, For Windows 10 (
| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [29. Windows Update](#bkmk-wu) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | |
| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
| [32. Widgets](#bkmk-widgets) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
### Settings for Windows Server 2016 with Desktop Experience
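Review bot: this hunk changes the alt text in row 31 from "Check mark." to "Check mark", but rows 28 and 29 in the same context still mix "Check mark." and "Check mark" within a single row; if the goal is consistent alt text, normalise the whole table in one pass rather than one cell at a time.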
@ -591,7 +597,7 @@ Alternatively, you can configure the following Registry keys as described:
| - | - |
| Allow Address Bar drop-down list suggestions | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI<br/>REG_DWORD name: ShowOneBox<br/> Set to **0**|
| Allow configuration updates for the Books Library | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\BooksLibrary<br/>REG_DWORD name: AllowConfigurationUpdateForBooksLibrary<br/> Set to **0**|
| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_SZ name: Use FormSuggest<br/>Value : **No** |
| Configure Autofill | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_SZ name: Use FormSuggest<br/>Value: **No** |
| Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_DWORD name: DoNotTrack<br/> REG_DWORD: **1** |
| Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main<br/>REG_SZ name: FormSuggest Passwords<br /> REG_SZ: **No** |
| Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes<br/>REG_DWORD name: ShowSearchSuggestionsGlobal <br />Value: **0**|
@ -861,6 +867,8 @@ Use Settings > Privacy & security to configure some settings that may be importa
- [18.23 Voice Activation](#bkmk-voice-act)
- [18.24 News and interests](#bkmk-priv-news)
### <a href="" id="bkmk-general"></a>18.1 General
**General** includes options that don't fall into other areas.
@ -1528,6 +1536,13 @@ To turn this Off in the UI:
- Create a REG_DWORD registry setting named **LetAppsActivateWithVoiceAboveLock** in **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\AppPrivacy** with a **value of 2 (two)**
### <a href="" id="bkmk-priv-news"></a>18.24 News and interests
In the **Windows Feeds** area, you can choose which apps have access to your diagnostic information.
To turn this off:
- Create a REG_DWORD registry setting named **EnableFeeds** in **HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\Windows Feeds** with a **value of 0 (zero)**.
### <a href="" id="bkmk-spp"></a>19. Software Protection Platform
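Review bot: the sentence "In the **Windows Feeds** area, you can choose which apps have access to your diagnostic information." does not describe this setting; the `EnableFeeds` value under `Windows Feeds` controls the news and interests feed, not app access to diagnostic data, and the wording appears to have been carried over from another privacy section. Rewrite it to say what the feed is and what turning it off does. Also, this section writes the key as `HKLM\...` while every other section in the article spells out `HKEY_LOCAL_MACHINE\...`; use the long form here too.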
@ -1722,7 +1737,7 @@ In Group Policy, configure:
-and-
- Create a SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SmartScreen** with a value of **Anywhere**.
- Create an SZ registry setting named **ConfigureAppInstallControl** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\SmartScreen** with a value of **Anywhere**.
### <a href="" id="bkmk-spotlight"></a>25. Personalized Experiences
@ -1905,6 +1920,14 @@ You can turn off Services Configuration by setting the following registry entrie
Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection** and set the value to **1**.
### <a href="" id="bkmk-widgets"></a>32. Widgets
Widgets is a news and feeds service that can be customized by the user. If you turn off this service, apps using this service may stop working.
You can turn off Widgets by setting the following registry entries:
Add a REG_DWORD value named **AllowWidgets** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Widgets** and set the value to **0**.
### <a href="" id="bkmk-allowedtraffic"></a> Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline
|Allowed traffic endpoints|
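Review bot: the Widgets section says "setting the following registry entries" but lists only one entry (`AllowWidgets`), so "entries" should be "entry"; more importantly, the management table row added earlier in this change marks Widgets as configurable by Group Policy, yet the section gives only a registry path. Either add the corresponding Group Policy path, as the other sections do, or drop the Group Policy check mark from row 32 so the table and section agree.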

View File

@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
@ -55,8 +55,8 @@ The following methodology was used to derive these network endpoints:
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
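Review bot: the rewritten Certificates row says the Automatic Root Certificates Update mechanism "contacts Windows Updates"; the service is "Windows Update" (singular), as the rest of the article uses. The new text also drops the old row's explicit statement that blocking this endpoint is not recommended and that it is critical for Windows security; the consequences are still described (stale roots, untrusted list not updated), but a reader scanning for guidance will miss the recommendation, so consider keeping a short "We do not recommend blocking this endpoint." sentence.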
@ -154,4 +154,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

View File

@ -164,6 +164,10 @@ If you [turn off traffic for this endpoint](manage-connections-from-windows-oper
## Certificates
Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.
If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.
The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It's possible to [turn off traffic to this endpoint](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update), but that isn't recommended because when root certificates are updated over time, applications and websites may stop working because they didn't receive an updated root certificate the application uses.
Additionally, it's used to download certificates that are publicly known to be fraudulent.
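Review bot: the two added paragraphs largely duplicate the existing paragraph that follows them in this section: both explain that the endpoint is used for root certificate updates, that turning it off can break applications and websites, and that the untrusted/fraudulent certificate list stops updating. Merge them into one explanation rather than stating it twice, and fix "Windows Updates" to "Windows Update" in the added text.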

View File

@ -37,11 +37,11 @@ The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
> [!NOTE]
@ -52,10 +52,10 @@ The following methodology was used to derive these network endpoints:
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|blob.weather.microsoft.com|
|||HTTP|tile-service.weather.microsoft.com
|||HTTP|tile-service.weather.microsoft.com
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US
||The following endpoints are used to download updates to the Weather app Live Tile. If you turn off traffic to this endpoint, no Live Tiles will be updated.|HTTP|`blob.weather.microsoft.com`|
|||HTTP|tile-service.weather.microsoft.com|
|||HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/livetile/?Language=en-US|
||The following endpoint is used for Twitter updates. To turn off traffic for these endpoints, either uninstall Twitter or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|*.twimg.com*|
||The following endpoint is used for Candy Crush Saga updates. To turn off traffic for this endpoint, either uninstall Candy Crush Saga or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|candycrushsoda.king.com|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Microsoft 365 admin center's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|evoke-windowsservices-tas.msedge.net|
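Review bot: the Weather app row now wraps only `blob.weather.microsoft.com` in backticks, while every other destination in the table (including `tile-service.weather.microsoft.com` in the same hunk) is plain text; apply one convention to the whole Destination column, otherwise the single formatted cell reads as if it were special.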
@ -68,7 +68,7 @@ The following methodology was used to derive these network endpoints:
|Azure |The following endpoints are related to Azure. |HTTPS|wd-prod-*fe*.cloudapp.azure.com|
|||HTTPS|ris-prod-atm.trafficmanager.net|
|||HTTPS|validation-v2.sls.trafficmanager.net|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||HTTP|ctldl.windowsupdate.com|
|Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoint is used to get images that are used for Microsoft Store suggestions. If you turn off traffic for this endpoint, you will block images that are used for Microsoft Store suggestions.|HTTPS|store-images.*microsoft.com|
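Review bot: this Certificates row is the same replacement text as in the other endpoint files and carries the same "contacts Windows Updates" wording; correct it to "Windows Update" here as well so the three copies stay identical, and apply the same decision about keeping the "not recommended to block" sentence across all of them.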
@ -186,5 +186,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

View File

@ -36,10 +36,10 @@ The following methodology was used to derive these network endpoints:
1. Set up the latest version of Windows 10 on a test virtual machine using the default settings.
2. Leave the device(s) running idle for a week ("idle" means a user is not interacting with the system/device).
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
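Review bot: Item 3 appears as a removed/added pair with identical visible text, so the change there is whitespace only (a trailing space or line ending); confirm that is intended. While item 6 is being touched for "a IPV4" to "an IPV4", also normalize the casing to `IPv4` and `IPv6`, which is the standard form of the acronyms.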
@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints:
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
|||HTTP|tile-service.weather.microsoft.com/en-us/livetile/preinstall|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLS v1.2|evoke-windowsservices-tas.msedge.net|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|HTTPS|www.bing.com*|
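Review bot: The Weather, OneNote and Photos rows in this hunk still read "If you disable the Microsoft store" (lowercase s), while the same rows in the last file of this commit are corrected to "Microsoft Store"; apply the casing fix here as well. The trailing `|` added to the Photos row is the right fix, since every other row in the table closes with one.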
@ -136,5 +136,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

View File

@ -39,7 +39,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
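Review bot: On item 6, "an IPV4" is the correct article; while editing the line, use the standard casing `IPv4` and `IPv6` for the acronyms.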
@ -53,9 +53,9 @@ The following methodology was used to derive these network endpoints:
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoints are used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|blob.weather.microsoft.com|
|||HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net|
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
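Review bot: The OneNote row gains its missing trailing `|`, which is correct, but the Photos row directly below it uses `TLSv1.2` in the Protocol column where the same row in the previous file uses `TLS v1.2`; pick one spelling for the Protocol column across these tables. The "Microsoft store" casing in the Weather, OneNote and Photos rows should also be corrected to "Microsoft Store", as is done in the last file of this commit.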
@ -137,5 +137,5 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

View File

@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
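Review bot: Item 6: beyond the article fix, the acronyms should be cased `IPv4` and `IPv6`.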
@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints:
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
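Review bot: The new Certificates row ends its Description cell with a stray space before `||` ("...on the device. ||"); trim it so the cell does not end in whitespace. The trailing `|` added to the Photos row is correct; the same row in the last file of this commit is still missing it and should get the same fix.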
@ -82,7 +82,7 @@ The following methodology was used to derive these network endpoints:
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge wont be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
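Review bot: In the reworded Edge row, "used by Microsoft Edge Update service" needs its article ("used by the Microsoft Edge Update service"), and "new edge updates" should capitalize the product name ("new Edge updates"). The FWLink row right below is left unchanged here ("to the Web", "instead disable"), while the identical row in the last file of this commit is edited; make the same change in both places or in neither.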
@ -155,4 +155,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

View File

@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
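Review bot: Item 6: after the "a IPV4" to "an IPV4" fix, also case the acronyms as `IPv4` and `IPv6`.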
@ -52,10 +52,10 @@ The following methodology was used to derive these network endpoints:
|Area|Description|Protocol|Destination|
|----------------|----------|----------|------------|
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft Store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
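Review bot: The Photos row still ends without a closing `|` in both its old and new form ("...evoke-windowsservices-tas.msedge.net" with no trailing pipe), unlike the same row in the other files touched by this commit; add it while the line is being edited. The new Certificates row also has a stray space before `||` at the end of its Description cell, and "contacts Windows Updates" should read "contacts Windows Update".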
@ -66,9 +66,11 @@ The following methodology was used to derive these network endpoints:
||The following endpoint is used to authenticate a device. If you turn off traffic for this endpoint, the device will not be authenticated.|HTTPS|login.live.com*|
|Device metadata|The following endpoint is used to retrieve device metadata. If you turn off traffic for this endpoint, metadata will not be updated for the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#4-device-metadata-retrieval)|
|||HTTP|dmd.metaservices.microsoft.com|
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. <br/>If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|Diagnostic Data|The following endpoints are used by the Connected User Experiences and Telemetry component and connects to the Microsoft Data Management service. If you turn off traffic for this endpoint, diagnostic and usage information, which helps Microsoft find and fix problems and improve our products and services, will not be sent back to Microsoft. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|v10.events.data.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|v20.events.data.microsoft.com|
|||HTTP|www.microsoft.com|
||The following endpoints are used by Windows Error Reporting. To turn off traffic for these endpoints, enable the following Group Policy: **Administrative Templates** > **Windows Components** > **Windows Error Reporting** > **Disable Windows Error Reporting**. This means error reporting information will not be sent back to Microsoft.|TLSv1.2|telecommand.telemetry.microsoft.com|
|||TLS v1.2/HTTPS/HTTP|watson.*.microsoft.com|
|Font Streaming|The following endpoints are used to download fonts on demand. If you turn off traffic for these endpoints, you will not be able to download fonts on demand.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#6-font-streaming)|
|||HTTPS|fs.microsoft.com|
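Review bot: In the reworded Diagnostic Data row the subject and verb still disagree: "The following endpoints are used by ... and connects to" should read "and connect to". The two new destination rows, `v20.events.data.microsoft.com` and `www.microsoft.com`, carry no description; `www.microsoft.com` in particular is a general-purpose host, so a short note on what the telemetry component fetches from it over HTTP would help readers judge whether the blocking guidance for this area applies to it. Also, the Protocol cell `TLS v1.2/HTTPS/HTTP` on the watson row is spaced differently from `TLSv1.2/HTTPS/HTTP` two rows above; use one form.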
@ -80,8 +82,8 @@ The following methodology was used to derive these network endpoints:
||The following endpoints are used for Microsoft accounts to sign in. If you turn off traffic for these endpoints, users cannot sign in with Microsoft accounts. |TLSv1.2/HTTPS|login.live.com|
|Microsoft Edge|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#13-microsoft-edge)|
||This traffic is related to the Microsoft Edge browser.|HTTPS|iecvlist.microsoft.com|
||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge wont be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the Web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
||The following endpoint is used by Microsoft Edge Update service to check for new updates. If you disable this endpoint, Microsoft Edge won't be able to check for and apply new edge updates.|TLSv1.2/HTTPS/HTTP|msedge.api.cdp.microsoft.com|
|Microsoft forward link redirection service (FWLink)|The following endpoint is used by the Microsoft forward link redirection service (FWLink) to redirect permanent web links to their actual, sometimes transitory, URL. FWlinks are similar to URL shorteners, just longer. If you disable this endpoint, Windows Defender won't be able to update its malware definitions; links from Windows and other Microsoft products to the web won't work; and PowerShell updateable Help won't update. To disable the traffic, instead, disable the traffic that's getting forwarded.|HTTP|go.microsoft.com|
|Microsoft Store|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
||The following endpoint is used to download image files that are called when applications run (Microsoft Store or Inbox MSN Apps). If you turn off traffic for these endpoints, the image files won't be downloaded, and apps cannot be installed or updated from the Microsoft Store. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.|HTTPS|img-prod-cms-rt-microsoft-com.akamaized.net|
||The following endpoint is needed to load the content in the Microsoft Store app.|HTTPS|livetileedge.dsx.mp.microsoft.com|
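Review bot: the Edge Update row (`msedge.api.cdp.microsoft.com`) still reads "new edge updates" after the apostrophe fix; make it "new Microsoft Edge updates" and give the service its article ("used by the Microsoft Edge Update service") to match the other rows. In the FWLink row, the added comma in "To disable the traffic, instead, disable the traffic that's getting forwarded" makes the sentence harder to parse; "Instead of blocking this endpoint, block the traffic it forwards to" says the same thing more directly.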
@ -107,10 +109,10 @@ The following methodology was used to derive these network endpoints:
|Settings|The following endpoint is used as a way for apps to dynamically update their configuration. Apps such as System Initiated User Feedback and the Xbox app use it. If you turn off traffic for this endpoint, an app that uses this endpoint may stop working.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-priv-feedback)|
|||TLSv1.2/HTTPS/HTTP|settings-win.data.microsoft.com|
|||HTTPS|settings.data.microsoft.com|
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|Skype|The following endpoint is used to retrieve Skype configuration values. To turn off traffic for this endpoint, either uninstall the app or disable the Microsoft Store. If you disable the Microsoft Store, other Microsoft Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious apps and users will still be able to open them.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
|||HTTPS/HTTP|*.pipe.aria.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|config.edge.skype.com|
|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).]( manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|Teams|The following endpoint is used for Microsoft Teams application.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#26-microsoft-store)|
|||TLSv1.2/HTTPS/HTTP|config.teams.microsoft.com|
|Windows Defender|The following endpoint is used for Windows Defender when Cloud-based Protection is enabled. If you turn off traffic for this endpoint, the device will not use Cloud-based Protection.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-defender)|
|||HTTPS/TLSv1.2|wdcp.microsoft.com|
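Review bot: the Teams row still points its "Learn how to turn off traffic" link at the Microsoft Store section (`#26-microsoft-store`) after the whitespace fix, and unlike the neighbouring Skype row it never says what happens when the endpoint is blocked. Either the anchor should target a Teams section of the manage-connections page, or the row should state that Teams is handled like the other Store apps, and in both cases it needs an "If you turn off traffic for this endpoint, ..." sentence like every other row in the table. Minor: "used for Microsoft Teams application" wants an article ("the Microsoft Teams application").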
@ -124,7 +126,7 @@ The following methodology was used to derive these network endpoints:
|||HTTP|emdl.ws.microsoft.com|
||The following endpoints are used to download operating system patches, updates, and apps from Microsoft Store. If you turn off traffic for these endpoints, the device will not be able to download updates for the operating system.|TLSv1.2/HTTPS/HTTP|*.dl.delivery.mp.microsoft.com|
|||HTTP|*.windowsupdate.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
||The following endpoints enable connections to Windows Update, Microsoft Update, and the online services of the Store. If you turn off traffic for these endpoints, the device will not be able to connect to Windows Update and Microsoft Update to help keep the device secure. Also, the device will not be able to acquire and update apps from the Microsoft Store. These are dependent on also enabling "Device authentication" and "Microsoft Account" endpoints.|TLSv1.2/HTTPS/HTTP|*.delivery.mp.microsoft.com|
|||TLSv1.2/HTTPS/HTTP|*.update.microsoft.com|
||The following endpoint is used for compatibility database updates for Windows.|HTTPS|adl.windows.com|
||The following endpoint is used for content regulation. If you turn off traffic for this endpoint, the Windows Update Agent will be unable to contact the endpoint and fallback behavior will be used. This may result in content being either incorrectly downloaded or not downloaded at all.|TLSv1.2/HTTPS/HTTP|tsfe.trafficshaping.dsp.mp.microsoft.com|
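Review bot: the `*.delivery.mp.microsoft.com` row was only half-normalised: "acquire and update apps from the Microsoft Store" now uses the full name, but the first sentence of the same cell still says "the online services of the Store". Use "Microsoft Store" in both places, as the other rows in this table do, and the row above it ("download operating system patches, updates, and apps from Microsoft Store") wants "the Microsoft Store" for the same reason.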
@ -137,6 +139,7 @@ The following methodology was used to derive these network endpoints:
To view endpoints for other versions of Windows 10 Enterprise, see:
- [Manage connection endpoints for Windows 10, version 21H2](manage-windows-21H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 20H2](manage-windows-20H2-endpoints.md)
- [Manage connection endpoints for Windows 10, version 2004](manage-windows-2004-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1909](manage-windows-1909-endpoints.md)
- [Manage connection endpoints for Windows 10, version 1903](manage-windows-1903-endpoints.md)
@ -145,6 +148,7 @@ To view endpoints for other versions of Windows 10 Enterprise, see:
To view endpoints for non-Enterprise Windows 10 editions, see:
- [Windows 10, version 21H1, connection endpoints for non-Enterprise editions](windows-endpoints-21H1-non-enterprise-editions.md)
- [Windows 10, version 20H2, connection endpoints for non-Enterprise editions](windows-endpoints-20H2-non-enterprise-editions.md)
- [Windows 10, version 2004, connection endpoints for non-Enterprise editions](windows-endpoints-2004-non-enterprise-editions.md)
- [Windows 10, version 1909, connection endpoints for non-Enterprise editions](windows-endpoints-1909-non-enterprise-editions.md)
- [Windows 10, version 1903, connection endpoints for non-Enterprise editions](windows-endpoints-1903-non-enterprise-editions.md)
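Review bot: the two version lists now diverge: the Enterprise list above gains a 21H2 entry (`manage-windows-21H2-endpoints.md`) while the non-Enterprise list gains 21H1 (`windows-endpoints-21H1-non-enterprise-editions.md`) and stops there. If a 21H2 non-Enterprise endpoints page exists in this repo it should be added here so both lists cover the same releases; if it does not, a line in the PR description saying so would save the next reviewer the same question.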
@ -153,4 +157,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

View File

@ -40,7 +40,7 @@ The following methodology was used to derive these network endpoints:
3. Use globally accepted network protocol analyzer/capturing tools and log all background egress traffic.
4. Compile reports on traffic going to public IP addresses.
5. The test virtual machine(s) was logged into using a local account, and was not joined to a domain or Azure Active Directory.
6. All traffic was captured in our lab using a IPV4 network. Therefore, no IPV6 traffic is reported here.
6. All traffic was captured in our lab using an IPV4 network. Therefore, no IPV6 traffic is reported here.
7. These tests were conducted in an approved Microsoft lab. It's possible your results may be different.
8. These tests were conducted for one week, but if you capture traffic for longer you may have different results.
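Review bot: "an IPV4 network" is the right article, but while touching this line also spell the protocol names as "IPv4" and "IPv6" (lowercase v), which is how the rest of Microsoft's documentation and the RFCs write them. The numbered list also mixes imperative steps ("Use globally accepted...", "Compile reports...") with past-tense findings ("was logged into", "was captured", "were conducted"); the methodology reads more clearly in one voice, and items 5 through 8 are really test conditions rather than steps.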
@ -54,8 +54,8 @@ The following methodology was used to derive these network endpoints:
|Apps|||[Learn how to turn off traffic to the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-windowsstore)|
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTP|tile-service.weather.microsoft.com|
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS/HTTP|cdn.onenote.net|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net
|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2/HTTPS|evoke-windowsservices-tas.msedge.net|
|Certificates|Certificates are digital files, stored on client devices, used to both encrypt data and verify the identity of an individual or organization. Trusted root certificates issued by a certification authority (CA) are stored in a certificate trust list (CTL). The Automatic Root Certificates Update mechanism contacts Windows Updates to update the CTL. If a new version of the CTL is identified, the list of trusted root certificates cached on the local device will be updated. Untrusted certificates are certificates where the server certificate issuer is unknown or is not trusted by the service. Untrusted certificates are also stored in a list on the local device and updated by the Automatic Root Certificates Update mechanism.<br> <br>If automatic updates are turned off, applications and websites may stop working because they did not receive an updated root certificate that the application uses. Additionally, the list of untrusted certificates will no longer be updated, which increases the attack vector on the device. ||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||TLSv1.2/HTTPS/HTTP|ctldl.windowsupdate.com|
|Cortana and Live Tiles|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2/HTTPS/HTTP|www.bing.com*|
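Review bot: the rewritten Certificates cell drops the original's explicit recommendation ("We do not recommend blocking this endpoint"); the new text only describes consequences, so a reader skimming for guidance loses the one sentence that said what to do. Keep a short recommendation next to the new description. Two wording nits in the new cell: "contacts Windows Updates" should be "contacts Windows Update", and "increases the attack vector on the device" (carried over from the old text) should be "increases the attack surface of the device". The Photos row fix (adding the missing trailing `|` on the `evoke-windowsservices-tas.msedge.net` line) is correct; note that the three Store rows above it still say "If you disable the Microsoft store" in lowercase, which the other endpoints table in this PR was normalised to "Microsoft Store".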
@ -152,4 +152,4 @@ To view endpoints for non-Enterprise Windows 10 editions, see:
## Related links
- [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)
- [Network infrastructure requirements for Microsoft Intune](/mem/intune/fundamentals/intune-endpoints)

View File

@ -6328,7 +6328,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** This is the device info.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
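Review bot: expanding WUfB is the right call, but the field is named `wUfBConnected`, so the reader still meets the abbreviation in the field name itself; spell it once as "Windows Update for Business (WUfB)" in the first occurrence so the acronym in the field name is explained. The same substitution is repeated verbatim for the other `ExecuteRollBack*` events in this file and in the sibling events file below; one explained occurrence per file would cover them.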
@ -6343,7 +6343,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Represents the device info.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -6380,7 +6380,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Device in the General Availability Channel.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted

View File

@ -5789,8 +5789,8 @@ The following fields are available:
- **UnifiedInstallerDeviceIsProSkuHresult** The result code from checking whether a device is Pro SKU.
- **UnifiedInstallerDeviceIsSccmManaged** Boolean indicating whether a device is SCCM managed.
- **UnifiedInstallerDeviceIsSccmManagedHresult** The result code from checking whether a device is SCCM managed.
- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Wufb managed.
- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Wufb managed.
- **UnifiedInstallerDeviceWufbManaged** Boolean indicating whether a device is Windows Update for Business managed.
- **UnifiedInstallerDeviceWufbManagedHresult** The result code from checking whether a device is Windows Update for Business managed.
- **UnifiedInstallerPlatformResult** The result code from checking what platform type the device is.
- **UnifiedInstallerPlatformType** The enum indicating the type of platform detected.
- **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU.
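Review bot: `UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku` in the unchanged context (the line right after the two edited Wufb fields) is two field names spliced into each other: `UnifiedInstallerDeviceIsHomeSkuHresult` has been pasted into the middle of `UnifiedInstallerDeviceIsHomeSku`. Its description ("The result code from checking whether a device is Home SKU") matches the `...Hresult` variant, while the boolean `IsHomeSku` field has no entry at all. Since this PR already edits the adjacent lines, fix it here by splitting the line into the two fields, following the `UnifiedInstallerDeviceIsProSku`/`UnifiedInstallerDeviceIsProSkuHresult` pair a few lines up.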
@ -5917,7 +5917,7 @@ The following fields are available:
- **CV** Correlation vector.
- **GlobalEventCounter** The global event counter for counting total events for the provider.
- **PackageVersion** The version for the current package.
- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for WUFB cloud membership.
- **UpdateHealthToolsServiceBlockedByNoDSSJoinHr** The result code returned when checking for Windows Update for Business cloud membership.
### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin
@ -7212,7 +7212,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** This is the device info.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
@ -7227,7 +7227,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Represents the device info.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
@ -7270,7 +7270,7 @@ The following fields are available:
- **paused** Indicates whether the device is paused.
- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status.
- **sacDevice** Device in the General Availability Channel.
- **wUfBConnected** Result of WUfB connection check.
- **wUfBConnected** Result of Windows Update for Business connection check.
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted

View File

@ -21,7 +21,9 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
- Windows 11
- Windows Server 2016
- Windows Server 2019
This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system.
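Review bot: adding Windows 11 and Windows Server 2019 to "Applies to" is fine, but the opening sentence right below it ("how they work in regards to accounts and groups") should read "with regard to" (or simply "for accounts and groups"). The `ms.date: 04/19/2017` visible in the hunk header is untouched; if the page's applicability is being extended, bump the date as the other files in this PR do.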
@ -208,7 +210,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.|
| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.|
| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.|
| S-1-5-17 | IIS_USRS| An account that is used by the default Internet Information Services (IIS) user.|
| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.|
| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.<br/>System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.<br/>When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.|
| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.|
| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.|
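Review bot: renaming S-1-5-17 from IIS_USRS to IUSR is correct (IUSR is the account; the IIS_IUSRS group is S-1-5-32-568 and is added separately in the next hunk), but the description "An account that is used by the default Internet Information Services (IIS) user" is circular, and with the new name a reader still cannot tell the account from the group. Say what the account is for and what it may access; the neighbouring S-1-5-18, S-1-5-19 and S-1-5-20 rows show the level of detail expected (what runs under the identity, what local and network access it gets).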
@ -243,6 +245,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.|
|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.|
|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.|
|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.|
|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.|
|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.|
|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.|
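Review bot: the new S-1-5-32-568 row describes IIS_IUSRS as "A built-in group account", which is neither the "An alias." wording of the rows above it nor the "A built-in local group." wording of the rows below; "An alias. A built-in local group for IIS users." keeps the table consistent. It is also worth cross-referencing the S-1-5-17 IUSR row changed earlier in this file, since the account and the group are easily confused and this PR touches both.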
@ -314,6 +317,19 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCache
All Capability SIDs are prefixed by S-1-15-3
## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition
You may see the following registry keys under AllCachedCapabilities:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows
All Capability SIDs are prefixed by S-1-15-3
## See also
- [Access Control Overview](access-control.md)
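Review bot: the closing line of the new section, "All Capability SIDs are prefixed by S-1-15-3", duplicates the identical sentence that already sits immediately before the new "## Examples of registry keys ..." heading; drop the second copy. The six `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_*` paths are bare lines in the markdown, so they will render as one run-on paragraph; put them in a fenced block or a bulleted list so each key stays on its own line.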

View File

@ -24,7 +24,7 @@ ms.reviewer:
- Windows 11
**Requirements:**
* Windows Hello for Business deployment (Hybrid or On-premises)
* Windows Hello for Business deployment (Cloud, Hybrid or On-premises)
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
* Windows 10, version 1709 or newer, or Windows 11
* Bluetooth, Bluetooth capable phone - optional
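Review bot: with "Cloud" added to the first requirement, the two bullets now capitalise the same term differently ("On-premises" in the first, "On-Premises" in the second); pick one. Since Cloud is now listed as a supported deployment, check that the rest of this page does not still assume a hybrid or on-premises domain; the hunk only touches the requirements list.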
@ -396,4 +396,4 @@ Multi-factor unlock writes events to event log under **Application and Services
|5520|Unlock policy not configured|
|6520|Warning event|
|7520|Error event|
|8520|Success event|
|8520|Success event|

View File

@ -13,8 +13,9 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
ms.date: 4/30/2021
ms.reviewer:
ms.date: 05/04/2022
ms.reviewer: prsriva
---
# Configure Device Registration for Hybrid Azure AD joined key trust Windows Hello for Business
@ -25,7 +26,7 @@ ms.reviewer:
- Hybrid deployment
- Key trust
You are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
You're ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication.
> [!NOTE]
> Before proceeding, you should familiarize yourself with device registration concepts such as:
@ -33,27 +34,30 @@ You are ready to configure device registration for your hybrid environment. Hybr
> * Azure AD joined devices
> * Hybrid Azure AD joined devices
>
> You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](/azure/active-directory/device-management-introduction)
> You can learn about this and more by reading [What is a device identity](/azure/active-directory/devices/overview)
## Configure Azure for Device Registration
## Configure Hybrid Azure AD join
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD.
To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](/azure/active-directory/devices/device-management-azure-portal).
Follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-plan) page. In the **Select your scenario based on your identity infrastructure** section, identify your configuration (either **Managed environment** or **Federated environment**) and perform only the steps applicable to your environment.
Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](/azure/active-directory/devices/hybrid-azuread-join-manual) page. In the **Configuration steps** section, identify your configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.
If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD.
- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD.
<br><br>
You can learn more about this scenario by reading [Review on-premises UPN support for Hybrid Azure Ad join](/azure/active-directory/devices/hybrid-azuread-join-plan#review-on-premises-ad-users-upn-support-for-hybrid-azure-ad-join).
<hr>
> [!NOTE]
> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD.
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. Configure Azure Device Registration (*You are here*)
3. [New installation baseline](hello-hybrid-key-new-install.md)
4. [Configure directory synchronization](hello-hybrid-key-trust-dirsync.md)
5. Configure Azure Device Registration (*you're here*)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
7. [Sign-in and provision](hello-hybrid-key-whfb-provision.md)
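Review bot: the deployment-guide list at the end still links step 1 "Overview" to `hello-hybrid-cert-trust.md` and step 2 "Prerequisites" to `hello-hybrid-cert-trust-prereqs.md`, the certificate-trust pages, while this is the key-trust guide (steps 3 to 7 all link `hello-hybrid-key-*` pages); since the list is being edited anyway, point those two at the key-trust overview and prerequisites. In the new UPN paragraph, "Hybrid Azure Ad join" should be "Hybrid Azure AD join", the new "What is a device identity" link sentence lost the trailing period the old sentence had, and the raw `<br><br>` and `<hr>` HTML can be a blank line and a markdown `---`. The added NOTE (key trust is unsupported when the on-premises domain cannot be added as a verified domain) is the most important new statement on the page; consider placing it before the two bullet steps so readers see the constraint before doing the work.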

View File

@ -36,6 +36,13 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
<br>
If the user principal name (UPN) in your on-premises Active Directory is different from the UPN in Azure AD, you also need to complete the following steps:
- Configure Azure AD Connect to sync the user's on-premises UPN to the onPremisesUserPrincipalName attribute in Azure AD.
- Add the domain name of the on-premises UPN as a [verified domain](/azure/active-directory/fundamentals/add-custom-domain) in Azure AD.
> [!NOTE]
> Windows Hello for Business Hybrid key trust is not supported if your users' on-premises domain cannot be added as a verified domain in Azure AD.
<hr>
## Follow the Windows Hello for Business hybrid key trust deployment guide
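Review bot: the UPN guidance and the NOTE added here are the same lines just added to the device-registration page (`hello-hybrid-key-trust-devreg.md`) in this PR; two copies will drift. Keep the full text on one page (this one, since directory synchronization is where Azure AD Connect is configured) and link to it from the other, or at least say in the PR description that both are meant to stay in sync. The `<hr>` after the NOTE is raw HTML; a markdown `---` does the same.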
@ -46,4 +53,4 @@ Next, you need to synchronize the on-premises Active Directory with Azure Active
4. Configure Directory Synchronization (*You are here*)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)

View File

@ -21,6 +21,7 @@ Learn more about identity and access management technologies in Windows 10.
| Section | Description |
|-|-|
| [Local Administrator Password Solution](/defender-for-identity/cas-isp-laps) | Local Administrator Password Solution (LAPS) provides management of local account passwords of domain-joined computers. Passwords are stored in Azure Active Directory (Azure AD) and protected by an access control list (ACL), so only eligible users can read them or request a reset.
| [Technical support policy for lost or forgotten passwords](password-support-policy.md)| Outlines the ways in which Microsoft can help you reset a lost or forgotten password, and provides links to instructions for doing so. |
| [Access control](access-control/access-control.md) | Describes access control in Windows, which is the process of authorizing users, groups, and computers to access objects on the network or computer. Key concepts that make up access control are permissions, ownership of objects, inheritance of permissions, user rights, and object auditing. |
| [Configure S/MIME for Windows 10](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. |
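Review bot: the new LAPS row is missing its closing `|`; every other row in the table ends with ` |`, and some markdown renderers drop or misalign a row whose trailing pipe is absent. Also check the description against the linked page: the row says LAPS manages passwords of "domain-joined computers" yet stores them in "Azure Active Directory (Azure AD)"; confirm that is what `/defender-for-identity/cas-isp-laps` actually describes, because the two halves of that sentence read as different products.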

View File

@ -60,7 +60,7 @@ With UAC enabled, Windows 10 or Windows 11 prompts for consent or prompts for
The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
![uac consent prompt.](images/uacconsentprompt.gif)
:::image type="content" source="images/uacconsentprompt.png" alt-text="UAC consent prompt.":::
**The credential prompt**
@ -68,7 +68,7 @@ The credential prompt is presented when a standard user attempts to perform a ta
The following is an example of the UAC credential prompt.
![uac credential prompt.](images/uaccredentialprompt.gif)
:::image type="content" source="images/uaccredentialprompt.png" alt-text="UAC credential prompt.":::
**UAC elevation prompts**
@ -85,7 +85,7 @@ The elevation prompt color-coding is as follows:
Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item.
![uac shield icon.](images/uacshieldicon.png)
:::image type="content" source="images/uacshieldicon.png" alt-text="UAC Shield Icon in Date and Time Properties":::
The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
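Review bot: The alt text in this hunk, `UAC Shield Icon in Date and Time Properties`, is styled differently from the two images converted above it (`UAC consent prompt.` and `UAC credential prompt.`): title case and no terminal period. Use sentence case with the same punctuation, for example `UAC shield icon on the Change date and time button.`, so screen-reader users get consistent descriptions. Since the two prompt images changed from .gif to .png, also confirm that the old .gif files are deleted in this commit and that nothing else in the repo still references them.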

(Binary image changes, not shown: two image files deleted, 31 KiB and 46 KiB; two added, 36 KiB and 49 KiB; one modified, 30 KiB to 104 KiB.)


@ -77,7 +77,7 @@ Should a management tool remove or add the same profile name back and set **Alwa
## Trusted network detection
This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffices. The VPN stack will look at the DNS suffix on the physical interface and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
This feature configures the VPN such that it would not get triggered if a user is on a trusted corporate network. The value of this setting is a list of DNS suffixes. The VPN stack will look at the network name of the physical interface connection profile and if it matches any in the configured list and the network is private or provisioned by MDM, then VPN will not get triggered.
Trusted network detection can be configured using the VPNv2/*ProfileName*/TrustedNetworkDetection setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
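Review bot: After this change the two sentences of the paragraph disagree: the first still says the value of the setting is a list of DNS suffixes, while the second now says the VPN stack compares the network name of the physical interface's connection profile against that list. A DNS suffix and a connection-profile name are different strings, so state which one the administrator must enter in VPNv2/*ProfileName*/TrustedNetworkDetection, and give one example value. "would not get triggered" and "will not get triggered" also read better as "is not triggered".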


@ -48,12 +48,12 @@ BitLocker encryption can be done using the following methods:
### Encrypting volumes using the BitLocker control panel
Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will utilize BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
Encrypting volumes with the BitLocker control panel (select **Start**, type *Bitlocker*, select **Manage BitLocker**) is how many users will use BitLocker. The name of the BitLocker control panel is BitLocker Drive Encryption. The BitLocker control panel supports encrypting operating system, fixed data, and removable data volumes. The BitLocker control panel will organize available drives in the appropriate category based on how the device reports itself to Windows. Only formatted volumes with assigned drive letters will appear properly in the BitLocker control panel applet.
To start encryption for a volume, select **Turn on BitLocker** for the appropriate drive to initialize the BitLocker Drive Encryption Wizard. BitLocker Drive Encryption Wizard options vary based on volume type (operating system volume or data volume).
### Operating system volume
Wen the BitLocker Drive Encryption Wizard launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
When the BitLocker Drive Encryption Wizard launches, it verifies the computer meets the BitLocker system requirements for encrypting an operating system volume. By default, the system requirements are:
|Requirement|Description|
|--- |--- |
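Review bot: "it verifies the computer meets the BitLocker system requirements" needs "that" ("verifies that the computer meets"), since the rest of this hunk is a wording pass anyway. The search string the reader types, *Bitlocker*, is also lowercase-l while the product name is BitLocker everywhere else; casing does not matter for the search, but matching the product name avoids looking like a typo.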
@ -74,7 +74,7 @@ When the recovery key has been properly stored, the BitLocker Drive Encryption W
- Encrypt used disk space only - Encrypts only disk space that contains data
- Encrypt entire drive - Encrypts the entire volume including free space
It's recommended that drives with little to no data utilize the **used disk space only** encryption option and that drives with data or an operating system utilize the **encrypt entire drive** option.
It's recommended that drives with little to no data use the **used disk space only** encryption option and that drives with data or an operating system use the **encrypt entire drive** option.
> [!NOTE]
> Deleted files appear as free space to the file system, which isn't encrypted by **used disk space only**. Until they are wiped or overwritten, deleted files hold information that could be recovered with common data forensic tools.
@ -99,7 +99,7 @@ Encryption status displays in the notification area or within the BitLocker cont
### <a href="" id="-onedrive-option-"></a> OneDrive option
There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts do not give the option to utilize OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.
There is a new option for storing the BitLocker recovery key using the OneDrive. This option requires that computers aren't members of a domain and that the user is using a Microsoft Account. Local accounts don't give the option to use OneDrive. Using the OneDrive option is the default, recommended recovery key storage method for computers that aren't joined to a domain.
Users can verify the recovery key was saved properly by checking their OneDrive for the BitLocker folder that is created automatically during the save process. The folder will contain two files, a readme.txt and the recovery key. For users storing more than one recovery password on their OneDrive,
they can identify the required recovery key by looking at the file name. The recovery key ID is appended to the end of the file name.
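Review bot: "using the OneDrive" should be "using OneDrive" (no article), and "There is a new option" is a dated statement in a topic that now covers Windows 11; name the release that introduced it or drop "new". The last two lines also switch between "recovery key" and "recovery password" for the same stored item; BitLocker treats these as distinct protectors (the 48-digit recovery password versus a recovery key file), so use one term consistently or define both.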
@ -257,9 +257,9 @@ $pw = Read-Host -AsSecureString
Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw
```
### Using a SID-based protector in Windows PowerShell
### Using an SID-based protector in Windows PowerShell
The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding a SID-based protector for the Cluster Name Object (CNO) that lets the disk properly fail over and be unlocked to any member computer of the cluster.
The ADAccountOrGroup protector is an Active Directory SID-based protector. This protector can be added to both operating system and data volumes, although it doesn't unlock operating system volumes in the pre-boot environment. The protector requires the SID for the domain account or group to link with the protector. BitLocker can protect a cluster-aware disk by adding an SID-based protector for the Cluster Name Object (CNO) that lets the disk properly failover and be unlocked to any member computer of the cluster.
> [!WARNING]
> The SID-based protector requires the use of an additional protector (such as TPM, PIN, recovery key, etc.) when used on operating system volumes.
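Review bot: Two issues in this hunk. Changing "a SID-based protector" to "an SID-based protector" assumes SID is read letter by letter; Microsoft documentation generally treats it as the spoken word "sid" and writes "a SID", and the unchanged WARNING below still says "The SID-based protector", so check the style guide and apply one form across the page. Second, "lets the disk properly failover" turns the verb phrase "fail over" into the noun "failover"; the original "fail over" was correct and should be restored.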


@ -30,7 +30,7 @@ This article depicts the BitLocker deployment comparison chart.
| Requirements |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) |
|---------|---------|---------|---------|
|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, and Windows 10 IoT |
|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7, Windows 8, Windows 8.1, Windows 10, Windows 10 IoT, and Windows 11 |
|Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
|Minimum Windows version |1909 | None | None |
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |
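Review bot: The row is labelled "Minimum client operating system version" but every cell lists a set of supported versions, and this change appends "Windows 11" after "Windows 10 IoT" so the MBAM cell is no longer in version order. Either rename the row to "Supported client operating systems" or reduce each cell to the actual minimum; if the lists stay, place Windows 11 in order with the others (the Intune and Configuration Manager cells list it first).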


@ -1,6 +1,6 @@
---
title: Overview of BitLocker Device Encryption in Windows
description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
description: This article provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
ms.prod: m365-security
ms.mktglfcycl: explore
ms.sitesec: library
@ -26,28 +26,28 @@ ms.custom: bitlocker
- Windows 11
- Windows Server 2016 and above
This topic explains how BitLocker Device Encryption can help protect data on devices running Windows.
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
This article explains how BitLocker Device Encryption can help protect data on devices running Windows.
For a general overview and list of articles about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organizations confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.
Table 2 lists specific data-protection concerns and how they are addressed in Windows 11, Windows 10, and Windows 7.
Table 2 lists specific data-protection concerns and how they're addressed in Windows 11, Windows 10, and Windows 7.
**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7**
| Windows 7 | Windows 11 and Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks can't be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.<br><br>Network Unlock allows PCs to start automatically when connected to the internal network. |
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
| There is no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| There's no support for using BitLocker with self-encrypting drives (SEDs). | BitLocker supports offloading encryption to encrypted hard drives. |
| Administrators have to use separate tools to manage encrypted hard drives. | BitLocker supports encrypted hard drives with onboard encryption hardware built in, which allows administrators to use the familiar BitLocker administrative tools to manage them. |
| Encrypting a new flash drive can take more than 20 minutes. | Used Space Only encryption in BitLocker To Go allows users to encrypt removable data drives in seconds. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when he or she loses the PIN or password. |
| BitLocker could require users to enter a recovery key when system configuration changes occur. | BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password. |
| Users need to enter a PIN to start the PC, and then their password to sign in to Windows. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to help protect the BitLocker encryption keys from cold boot attacks. |
## Prepare for drive and file encryption
The best type of security measures are transparent to the user during implementation and use. Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and thats a scenario that organizations need to avoid.
The best type of security measures is transparent to the user during implementation and use. Every time there's a possible delay or difficulty because of a security feature, there's strong likelihood that users will try to bypass security. This situation is especially true for data protection, and thats a scenario that organizations need to avoid.
Whether youre planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
### TPM pre-provisioning
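Review bot: In the table row "BitLocker requires the user to enter a recovery key only when disk corruption occurs or when you lose the PIN or password", replacing "he or she" with "you" mixes third and second person in one sentence; use "when the user loses the PIN or password" or "when the PIN or password is lost". Below the table, "The best type of security measures is transparent" is grammatical but awkward; "The best security measures are transparent to the user" is simpler. Several possessives in the unchanged lines ("organizations confidential data", "thats", "youre") are missing apostrophes; confirm whether that is source text or a rendering artifact before merging.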
@ -59,13 +59,13 @@ In Windows 7, preparing the TPM for use offered a couple of challenges:
Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled.
Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There's no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
## Deploy hard drive encryption
BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.
BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Pre-installation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows isn't yet installed), it takes only a few seconds to enable BitLocker.
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
## BitLocker Device Encryption
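Review bot: "Windows Pre-installation Environment" introduces a hyphen into a product name; the component is "Windows Preinstallation Environment (Windows PE)", and the original spelling was correct. Revert that one word while keeping the other edits in the hunk.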
@ -76,8 +76,8 @@ Microsoft expects that most devices in the future will pass the testing requirem
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
* If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
* If the device isn't domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
* If the user uses a domain account to sign in, the clear key isn't removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
Microsoft recommends that BitLocker Device Encryption be enabled on any systems that support it, but the automatic BitLocker Device Encryption process can be prevented by changing the following registry setting:
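Review bot: "his or her Microsoft account credentials" in the second bullet is left unchanged while the same pronoun construction was rewritten in the table earlier in this file; apply one convention across the file, for example "the user's Microsoft account credentials". In the third bullet, the text tells the reader to enable "the ...\\BitLocker Drive Encryption\\Operating System Drives Group Policy setting", but that is a folder path, not a setting; name the specific policy in that folder that contains the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" option so readers can locate it.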
@ -92,9 +92,9 @@ Administrators can manage domain-joined devices that have BitLocker Device Encry
## Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that didn't have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they're overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it's written to the disk.
## Encrypted hard drive support
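Review bot: In the unchanged line "BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data", the subject is singular, so "lets". Since this hunk is a wording pass, fix it here rather than leaving it for another sweep.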
@ -105,22 +105,22 @@ For more information about encrypted hard drives, see [Encrypted Hard Drive](../
## Preboot information protection
An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
It's crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection shouldn't be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows sign in. Challenging users for input more than once should be avoided.
Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they aren't as user-friendly; depending on the devices configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
## Manage passwords and PINs
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows sign in, which makes it virtually impossible for the attacker to access or modify user data and system files.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password regularly.
Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices don't require a PIN for startup: They're designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).
## Configure Network Unlock
Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs should not leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Some organizations have location-specific data security requirements. This is most common in environments where high-value data is stored on PCs. The network environment may provide crucial data protection and enforce mandatory authentication; therefore, policy states that those PCs shouldn't leave the building or be disconnected from the corporate network. Safeguards like physical security locks and geofencing may help enforce this policy as reactive controls. Beyond these, a proactive security control that grants data access only when the PC is connected to the corporate network is necessary.
Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC is not connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
Network Unlock enables BitLocker-protected PCs to start automatically when connected to a wired corporate network on which Windows Deployment Services runs. Anytime the PC isn't connected to the corporate network, a user must type a PIN to unlock the drive (if PIN-based unlock is enabled).
Network Unlock requires the following infrastructure:
* Client PCs that have Unified Extensible Firmware Interface (UEFI) firmware version 2.3.1 or later, which supports Dynamic Host Configuration Protocol (DHCP)
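Review bot: "the Windows sign in" and "getting to the Windows sign in" use the phrase as a noun; Microsoft style hyphenates the noun ("sign-in") and leaves only the verb open ("sign in"). In the same edited lines "devices configuration" still lacks its apostrophe and "while it is at rest" was left uncontracted while every other "it is" in the hunk became "it's"; make the pass consistent.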
@ -143,11 +143,11 @@ Part of the Microsoft Desktop Optimization Pack, Microsoft BitLocker Administrat
* Enforces the BitLocker encryption policy options that you set for your enterprise.
* Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager.
* Offers an IT-customizable recovery user experience.
* Supports Windows 10.
* Supports Windows 11 and Windows 10.
> [!IMPORTANT]
> Enterprises could use MBAM to manage client computers with BitLocker that are domain-joined on-premises until mainstream support ended in July 2019, or they could receive extended support until April 2026.
Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more details, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
Going forward, the functionality of MBAM will be incorporated into Configuration Manager. For more information, see [Features in Configuration Manager technical preview version 1909](/mem/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker).
Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more details, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
Enterprises not using Configuration Manager can use the built-in features of Azure AD and Microsoft Intune in Microsoft Endpoint Manager for administration and monitoring. For more information, see [Monitor device encryption with Intune](/mem/intune/protect/encryption-monitor).
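Review bot: the new bullet "Supports Windows 11 and Windows 10" sits directly above an IMPORTANT note stating that MBAM mainstream support ended in July 2019 and that its functionality is being folded into Configuration Manager, so the Windows 11 claim should be checked against MBAM's supported-configuration list before it ships, and the bullet reads more honestly if qualified as applying under extended support (through April 2026, per the same note). The replacement of "For more details" with "For more information" on both links is consistent with the wording edits elsewhere in this commit.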

View File

@ -87,6 +87,9 @@ If you don't set or you disable this policy, the PKU2U protocol won't be used to
If you enable this policy in a hybrid environment, you allow your users to authenticate by using certificates issued by Azure AD and their online identity between the corresponding devices. This configuration allows users to share resources between such devices. Without enabling this policy, remote connections to an Azure AD joined device will not work.
### Fix/Remediation
This vulnerability was fixed on February 9, 2021, in the [CVE-2021-25195](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-25195) Security Update.
## Related topics
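Review bot: the new "Fix/Remediation" section opens with "This vulnerability was fixed on February 9, 2021", but nothing in the visible context names a vulnerability; the preceding paragraph only describes what enabling the PKU2U policy permits in a hybrid environment. Add one sentence saying what issue the CVE-2021-25195 update addressed, or link to the section of this page that describes it, so the heading does not dangle. Also, "remote connections to an Azure AD joined device will not work" in the context line could become "won't work" to match the contraction style applied in the rest of this commit.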

View File

@ -162,3 +162,80 @@ To add this CLSID to the existing policy, follow these steps:
</Value>
</Setting>
```
### Default COM Object Allow List
| File Name | CLSID |
|--------|-----------|
| scrrun.dll | EE09B103-97E0-11CF-978F-00A02463E06F |
| scrrun.dll | 0D43FE01-F093-11CF-8940-00A0C9054228 |
| vbscript.dll | 3F4DACA4-160D-11D2-A8E9-00104B365C9F |
| WEX.Logger.Log | 70B46225-C474-4852-BB81-48E0D36F9A5A |
| TE.Common.TestData | 1d68f3c0-b5f8-4abd-806a-7bc57cdce35a |
| TE.Common.RuntimeParameters | 9f3d4048-6028-4c5b-a92d-01bc977af600 |
| TE.Common.Verify | e72cbabf-8e48-4d27-b14e-1f347f6ec71a |
| TE.Common.Interruption | 5850ba6f-ce72-46d4-a29b-0d3d9f08cc0b |
| msxml6.dll | 2933BF90-7B36-11d2-B20E-00C04F983E60 |
| msxml6.dll | ED8C108E-4349-11D2-91A4-00C04F7969E8 |
| mmcndmgr.dll | ADE6444B-C91F-4E37-92A4-5BB430A33340 |
| puiobj.dll | B021FF57-A928-459C-9D6C-14DED0C9BED2 |
| wdtf.dll | 041E868E-0C7D-48C6-965F-5FD576530E5B |
| wdtfedtaction.dll | 0438C02B-EB9C-4E42-81AD-407F6CD6CDE1 |
| wdtfioattackaction.dll | 078B1F7D-C34C-4B13-A7C3-9663901650F1 |
| wdtfmutt2tcdsimpleioaction.dll | 0ABB2961-2CC1-4F1D-BE8E-9D330D06B77D |
| wdtfdriverpackageaction.dll | 0D7237E6-930F-4682-AD0A-52EBFFD3AEE3 |
| wdtf.dll | 0D972387-817B-46E7-913F-E9993FF401EB |
| wdtf.dll | 0E770B12-7221-4A5D-86EE-77310A5506BB |
| wdtfdriversetupdeviceaction.dll | 0FA57208-5100-4CD6-955C-FE69F8898973 |
| wdtf.dll | 1080A020-2B47-4DA9-8095-DBC9CEFFFC04 |
| wdtfnetworksimpleioaction.dll | 10CF2E12-1681-4C53-ADC0-932C84832CD8 |
| wdtf.dll | 140F2286-3B39-4DE1-AF94-E083DEEA6BB9 |
| wdtfinterfaces.dll | 1A7D6D61-4FE5-42E2-8F23-4FC1731C474F |
| wdtfaudiosimpleioaction.dll | 1C658D42-4256-4743-A4C5-90BF3A3A186A |
| wdtf.dll | 2236B1F3-4A33-48C2-B22C-A1F93A626F05 |
| wdtfsystemaction.dll | 23440924-1AB0-41F2-A732-B75069E5C823 |
| wdtfdriversetupsystemaction.dll | 238C0AEB-1DFC-4575-AAF3-C67FE15C1819 |
| wdtffuzztestaction.dll | 23D0E542-0390-4873-9AC7-EF86E95E5215 |
| wdtf.dll | 240FA08C-1D70-40CB-BDB3-2CC41A45496B |
| wdtf.dll | 26CC4211-A9A6-4E5C-A30D-3C659BB4CDC9 |
| wdtf.dll | 28EE5F0B-97D8-4A59-BAC8-A8A80E11F56B |
| wdtf.dll | 2C9AF7D6-2589-4413-A2BA-9926EBCFD67C |
| wdtf.dll | 32A9798D-987F-489E-8DB6-2EFB240248BD |
| wdtfinterfaces.dll | 3C0B0D50-611A-4368-AC87-4488D6E0C4A7 |
| wdtfcdromsimpleioaction.dll | 3F2C07F3-199B-4165-A948-B8B59A97FCC5 |
| wdtf.dll | 485785D3-8820-4C3D-A532-4C0F66392A30 |
| wdtfinterfaces.dll | 5EAE59BE-6946-44B7-A7B3-1D59811B246A |
| wdtfiospyaction.dll | 698F6A82-7833-4499-8BA5-2145D604ABD4 |
| wdtfdevicesupportaction.dll | 69D94D1B-0833-40D4-9AE7-7FC6F64F2624 |
| wdtf.dll | 6EE5B280-3B0F-4358-9E20-99F169FAA700 |
| wdtfmuttsimpleioaction.dll | 7776915A-0370-49A7-90B7-20EB36E80B6D |
| wdtfcpuutilizationsystemaction.dll | 7926C7DE-299C-4B09-BB1B-649A4B917ED0 |
| wdtfwirelesssimpleioaction.dll | 7A686BCD-9203-435C-8B06-9D7E7A518F98 |
| wdtfbluetoothsimpleioaction.dll | 7E6C4615-6184-4077-A150-5D30F29993A4 |
| wdtf.dll | 9663A00A-5B72-4810-9014-C77108062949 |
| wdtfinterfaces.dll | 9C261B2B-DBD6-4087-B636-ABE1607989E8 |
| wdtfwebcamsimpleioaction.dll | A1B74619-F02D-4574-8091-2AADD46A5B2B |
| wdtf.dll | A2FD15D7-64F0-4080-AABD-884380202022 |
| wdtfvolumesimpleioaction.dll | AC91E813-B116-4676-AE33-2988B590F3C7 |
| wdtfconcurrentioaction.dll | AE278430-ABC2-49D1-AF30-910B9A88CB1E |
| wdtf.dll | B43FF7F1-629C-4DE5-9559-1D09E0A07037 |
| wdtfdriververifiersystemaction.dll | B7770265-B643-4600-A60B-93F9BA9F4B24 |
| wdtfpnpaction.dll | B8D74985-4EB9-46AA-B2ED-DD2D918849DF |
| wdtfmobilebroadbandsimpleioaction.dll | BCFBBB02-4DA5-466C-9DA7-DC672877B075 |
| wdtf.dll | BE56FAD1-A489-4508-ABB7-3348E1C2C885 |
| wdtfpnpaction.dll | C0B6C572-D37D-47CC-A89D-E6B9E0852764 |
| wdtfioattackaction.dll | C88B324E-6B26-49BC-9D05-A221F15D7E13 |
| wdtfsensorsiosimpleioaction.dll | C8BF7EC0-C746-4DE8-BA46-34528C6329FB |
| wdtfanysimpleioaction.dll | C8C574DA-367B-4130-AED6-1EA61A5C6A4B |
| simpleio_d3dtest.dll | CBC36BDB-A6BC-4383-8194-659470553488 |
| wdtfsystemaction.dll | D30E1E07-AA39-4086-A7E6-9245FBD0A730 |
| wdtf.dll | DD34E741-139D-4F4C-A1E2-D4184FCDD4F9 |
| wdtfsupaction.dll | EA48171B-4265-48C3-B56B-70B175A7FDFA |
| wdtfinterfaces.dll | EB9DB874-D23D-44D5-A988-85E966322843 |
| wdtfinterfaces.dll | ED05EF76-09A9-4409-90CA-C5D0711CA057 |
| wdtfwpdsimpleioaction.dll | EEA17F2B-8E8E-41A3-9776-A87FACD625D0 |
| wdtfinterfaces.dll | F30FC2BB-F424-4A1F-8F95-68CFEE935E92 |
| wdtfedtaction.dll | F6694E02-5AD0-476D-BD2D-43F7E5D10AF6 |
| wdtfsmartcardreadersimpleioaction.dll | FA6F7E49-76C6-490C-B50E-8B1E8E0EEE2A |
| wdtfiospyaction.dll | FE36026D-CDA8-4514-B3D9-57BDA3870D0C |
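Review bot: the CLSID column mixes uppercase and lowercase hex (compare the TE.Common.* rows with the wdtf* rows), and the "File Name" column holds both DLL file names and ProgID-style names (WEX.Logger.Log, TE.Common.TestData); normalize the CLSID casing and either rename the column to something like "Object or File Name" or add a column that says which kind of entry each row is. It would also help to state whether these values are pasted into the policy XML shown just above the table with or without surrounding braces, since that is the form a reader copying a row needs.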

View File

@ -62,6 +62,7 @@ Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter, using an .XML
<RuleCollection Type="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type="Appx" EnforcementMode="NotConfigured" />
<RuleCollection Type="ManagedInstaller" EnforcementMode="NotConfigured" />
</AppLockerPolicy>
```
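Review bot: the added `<RuleCollection Type="ManagedInstaller" EnforcementMode="NotConfigured" />` introduces a rule collection type that the surrounding text ("Use the Set-AppLockerPolicy cmdlet with the -XMLPolicy parameter...") never mentions; state the minimum Windows build on which Set-AppLockerPolicy accepts the ManagedInstaller collection, and say explicitly that this XML is meant to clear every collection including Managed Installer, so readers on older builds know whether the extra element applies to them.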

View File

@ -90,3 +90,7 @@ Once you've completed configuring your chosen Managed Installer, by specifying w
```
This command will show the raw XML to verify the individual rules that were set.
## Remove Managed Installer feature
To remove the Managed Installed from the device, you will need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule - To clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems).
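Review bot: typo in the new paragraph: "To remove the Managed Installed from the device" should read "To remove the Managed Installer from the device". The sentence also repeats "remove ... remove"; "To remove the Managed Installer from the device, delete the Managed Installer AppLocker policy by following the instructions at ..." reads more cleanly.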

View File

@ -14,7 +14,7 @@ author: denisebmsft
ms.reviewer: jgeurten
ms.author: deniseb
manager: dansimp
ms.date: 07/29/2021
ms.date: 05/09/2022
ms.custom: asr
ms.technology: windows-sec
---
@ -32,7 +32,7 @@ ms.technology: windows-sec
| Capability | WDAC | AppLocker |
|-------------|------|-------------|
| Platform support | Available on Windows 10 and Windows 11 | Available on Windows 8+ |
| Platform support | Available on Windows 10, Windows 11, and Windows Server 2016 or later | Available on Windows 8 or later |
| SKU availability | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs. | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs. |
| Management solutions | <ul><li>[Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul> | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
| Per-User and Per-User group rules | Not available (policies are device-wide) | Available on Windows 8+ |
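Review bot: in the unchanged "Management solutions" row the AppLocker cell closes its list with `<ul>` instead of `</ul>` (`...<li>PowerShell</li><ul> |`), which leaves an unclosed list in the rendered table; fix it while this table is being touched. The new "Platform support" row switches to "Windows 8 or later", but the "Per-User and Per-User group rules" row just below still says "Windows 8+", so the "+" and "or later" conventions are now mixed within the same table.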
@ -45,4 +45,4 @@ ms.technology: windows-sec
| COM object configurability | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md) | Not available |
| Packaged app rules | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md) | Available on Windows 8+ |
| Enforceable file types | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
| Application ID (AppId) Tagging | [Available on 20H1+](./AppIdTagging/windows-defender-application-control-appid-tagging-guide.md) | Not available |
| Application ID (AppId) Tagging | [Available on 20H1+](./AppIdTagging/windows-defender-application-control-appid-tagging-guide.md) | Not available |
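Review bot: this hunk changes no content (the AppId Tagging row is identical before and after, so it is an end-of-file newline or trailing-whitespace fix), which is fine; while here, the version notation in the visible rows alternates between release numbers ("1903+", "20H1+") and codenames ("RS5+") and could be normalized to one convention.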

View File

@ -46,9 +46,9 @@ IT Pros can use Autopilot Reset to quickly remove personal files, apps, and sett
## Update
### Windows Update for Business (WUfB)
### Windows Update for Business
WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
Windows Update for Business now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds).
### Windows Insider Program for Business
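Review bot: renaming the heading from "Windows Update for Business (WUfB)" to "Windows Update for Business" changes the generated anchor for this section, so any inbound links pointing at the old fragment (of the form `#windows-update-for-business-wufb`) will break; search for them before merging. The same applies to the identical heading renames in the other what's-new files in this commit. Expanding "WUfB" in the body sentence is consistent with the heading change.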

View File

@ -120,7 +120,7 @@ For more information, see [Windows Setup Command-Line Options](/windows-hardware
SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 26 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available.
### Windows Update for Business (WUfB)
### Windows Update for Business
Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](/intune/windows-update-for-business-configure).

View File

@ -36,9 +36,9 @@ Pre-release Windows 10 feature updates are now available to IT administrators us
The Windows 10, version 1909 enablement package will be available on WSUS as [KB4517245](https://support.microsoft.com/kb/4517245), which can be deployed on existing deployments of Windows 10, version 1903.
### Windows Update for Business (WUfB)
### Windows Update for Business
If you are using WUfB, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
If you are using Windows Update for Business, you will receive the Windows 10, version 1909 update in the same way that you have for prior feature updates, and as defined by your feature update deferral policy.
## Security
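Review bot: the body edit from "If you are using WUfB" to "If you are using Windows Update for Business" matches the heading rename above it, but since the parenthetical that introduced the abbreviation is now gone, confirm that no later paragraph in this file still uses "WUfB" on its own; also consider "If you're using" to match the contraction style applied elsewhere in this commit.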